Gah! Need better anti-bug stuff
I'm a freaking, man. I'm a freaking. :wall:
I have AVG 9.0 installed but my machine keeps getting redirected from a Google search to all these other useless "search sites" instead of the place I wanted straight through Google. And I'm getting ****** off.
I tried to get superantispyware but after I finally make it to the site and click on the free download, Google pops up saying the site is busted or something like that.
I used to run Ad-Aware and Spybot and AVG but this machine gets flipped around so much I don't know where that stuff went, and I think I had an AVG vs. Ad-Aware problem as well.
Happy to hear all suggestions. Thanks. :sunny:
Use another computer to get the software, using a USB stick.
Also, once your computer is fine, make sure your USB stick is clean, so you don't spread your viruses and other things to people's machines.
Also, if you've got anything important backed up, you could always schedule a re-format and install.
pevergreen
12-05-2009, 00:56
SUPERantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Free and good.
SUPERantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Free and good.
GRRRRR! :tnt:
Google, in its infinite wisdom, has decided, repeatedly, that the DL page for that program is corrupt and closes it. Even when I use the Yahoo search engine and click to DL the file, Google, in its infinite ****** wisdom, still decides that the page is corrupt and still closes it. I remember this happened the last time as well months ago.
I'm going to get mad and even.
What browser are you using?
Stop using IE. IE is garbage.
Install Firefox, then install the Noscript and Adblock Plus plugins.
Crazed Rabbit
12-05-2009, 04:33
As in the other thread, my parents' desktop got fried by viruses recently, and then their laptop came under attack.
In both cases they used IE as their main browser. I heavily recommend Firefox 3.5 with Adblock plus and no script. I've used it since I made this computer and had no viruses.
Also, Antivir works well; it was right after my brother removed it from the start up processes that the desktop got infected. I use Spybot Search and Destroy as well.
Google, in its infinite wisdom, has decided, repeatedly, that the DL page for that program is corrupt and closes it.
It's not google, it's the virus, most likely.
CR
It's not google, it's the virus, most likely.
Yup, the virus/malware has probably hijacked your Hosts file (http://en.wikipedia.org/wiki/Hosts_file).
CrossLOPER
12-05-2009, 06:14
Avast and spybot search and destroy. You really don't need more...
GRRRRR! :tnt:
Google, in its infinite wisdom, has decided, repeatedly, that the DL page for that program is corrupt and closes it. Even when I use the Yahoo search engine and click to DL the file, Google, in its infinite ****** wisdom, still decides that the page is corrupt and still closes it. I remember this happened the last time as well months ago.
I'm going to get mad and even.
Care to explain why you blame all your problems on Google?
Care to explain why you blame all your problems on Google?
Because it's convenient and Google is easy to spell.
Yup, the virus/malware has probably hijacked your Hosts file (http://en.wikipedia.org/wiki/Hosts_file).
You just might be right. (You usually are.) Whatever is friggin' with my riggin' is not letting me DL superantispyware or update Ad-Aware or Spybot. I appear to be in the clutches of an evil madman.
Since our learned and most excellent members suggest a browser other than IE, which is of course what I use, how does one safely - meaning without killing myself or my software - change from IE to Firefox?
And is it easy to change over, or does it require a brain? Cause, you know...
And is it easy to change over
Yep.
http://www.mozilla.com/en-US/firefox/personal.html
Download. It'll ask if you want to copy your bookmarks etc., tick yes, install. Search for the add-ons Noscript and Ad-Block. Safety. :2thumbsup:
pevergreen
12-05-2009, 15:51
Yeah, that's a nasty one. Do it quick.
I had that problem earlier in the year, wouldn't let me access C drive (had to go into explorer, [delete your recycle bin in C:\ base]) or any antivirus stuff. I ended up reformatting.
Well, I am Firefoxed. :2thumbsup:
Not that it helps, I'm still kazood up the wazoo and can't seem to update or install any new anti-virus stuff or Google straight to a page without running into endless useless search engine pages.
In any event, this is beyond what I'm prepared to deal with. This machine is a crazy conglomeration of my woman's French programs and my English ones, as well as having been subjected to my kids' various live chat programs and online games, so I think it's time for The Big Flush. I was going to do it anyway, but this situation just seems to beg for it.
Aside from whether I should re-install XP or go for the newer W7, since I'm going to backup my stuff on an external HD, re-install some form of Win and then retrieve my stuff, what is the ultimate Must have list of stuff I should install prior to retrieving my old stuff off the external HD (and inspecting it with)?
I'm guessing:
AVG 9.0 Free
Superantispyware
Spybot
Any other programs I should have or steps I should take?
Thanks for the help. :sunny:
I would definitely move to Win7.
pevergreen
12-06-2009, 02:17
Be careful, a virus (possibly the one you have) did the rounds through external USB devices, infected them, then everything they touched.
Be careful, a virus (possibly the one you have) did the rounds through external USB devices, infected them, then everything they touched.
But if I scan everything I intend to reload (before reloading of course) with Spybot, Superantiyaddah-yaddah, and AVG 9, do ya think that will clear things out?
pevergreen
12-06-2009, 02:54
Not sure.
:shame:
Just avoid backing up executables or configuration files. If you stick to things like documents, photos, etc., you're probably safer. Still, scanning them can't hurt. :shrug:
I would suggest getting an Ubuntu live-boot CD, booting from that, then inserting and formatting a USB (with gparted, it's fairly straightforward), before copying over whatever files you want to keep. For scanning, you can use either Avast! or ClamAV, they may even happen to be in the repositories.
All files with the extensions .jpg, .jpeg, .png, .gif, .mp3, .ogg, .mp4, .wma, .avi and .mkv are safe to copy over without scanning. I am not quite sure about .pdf - probably safe. .doc, .xls and .ppt, as well as any other Office files are possible to infect with various rather nasty scripts - either scan those, or open them in OpenOffice and save as .html (and hope that the translation borks the malware). .exes can generally be assumed to be infected, so I'd advise not taking those at all, even if scans show them as clean.
EDIT: Oh, and if your computer can run it, go for Win7.
Tellos Athenaios
12-06-2009, 18:23
All files with the extensions .jpg, .jpeg, .png, .gif, .mp3, .ogg, .mp4, .wma, .avi and .mkv are safe to copy over without scanning. I am not quite sure about .pdf - probably safe. .doc, .xls and .ppt, as well as any other Office files are possible to infect with various rather nasty scripts - either scan those, or open them in OpenOffice and save as .html (and hope that the translation borks the malware). .exes can generally be assumed to be infected, so I'd advise not taking those at all, even if scans show them as clean.
I do not know where you got that idea from. But in short: it is wrong. First of all: many of those are container formats (thus: containing fairly arbitrary data by design). Secondly some of these formats (e.g. GIF) are actually a relatively well-known attack factor: these formats can act as a mask for download scripts for instance.
But even if the other 2 arguments are not a concern: by design a file on an NTFS partition contains an *arbitrary* amount of *arbitrary* data streams. You can access them socket-style: \\path\to\file:streamId. So it is the easiest thing in the world for a piece of malware to simply attach another, arbitrary data stream to given data.
This is the actual reason why it would indeed be a bad thing to copy DLLs or EXE files. Not because those file formats themselves are so insecure (indeed, these formats take more data-integrity precautions than most; embedding checksums for instance) but because these formats contain executable code -- which combined with the NTFS idea of a file means that it becomes possible to inject *executable* code in other files. A decent AV kit should check for such attached data streams though.
So what, be it freeware or payware, is the uber-anti-virus/spyware program?
Pannonian
12-06-2009, 21:55
Out of interest, how does this site (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html) look to you?
Out of interest, how does this site (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html) look to you?
6 on 6 good.
At least that's something.
I do not know where you got that idea from. But in short: it is wrong. First of all: many of those are container formats (thus: containing fairly arbitrary data by design). Secondly some of these formats (e.g. GIF) are actually a relatively well-known attack factor: these formats can act as a mask for download scripts for instance.
But even if the other 2 arguments are not a concern: by design a file on an NTFS partition contains an *arbitrary* amount of *arbitrary* data streams. You can access them socket-style: \\path\to\file:streamId. So it is the easiest thing in the world for a piece of malware to simply attach another, arbitrary data stream to given data.
This is the actual reason why it would indeed be a bad thing to copy DLLs or EXE files. Not because those file formats themselves are so insecure (indeed, these formats take more data-integrity precautions than most; embedding checksums for instance) but because these formats contain executable code -- which combined with the NTFS idea of a file means that it becomes possible to inject *executable* code in other files. A decent AV kit should check for such attached data streams though.
The fact they are container formats - and thus they are supposed to contain arbitrary data - is a reason to consider them safe. They are not supposed to be executed under any conditions. A viewer that runs any sort of script from a .gif is highly insecure and should not be used, period.
I didn't know about the NTFS data streams (and I still see very little point in such a function), but what would trigger those streams? Are they opened at the same time as the main file (in which case, they can do as much damage as the file itself - thus, in the case of a .dll or .exe, lots, but none as a plain text), or must they be called separately? And, if they must indeed be called separately, what would call them on a freshly installed system?
EDIT: And would copying the files over to the tmpfs, before moving them over to a FAT32 not get rid of these streams? Does FAT32 even support them?
Sevis,
Sounds like you have the tech-stuff down cold. What's the best anti-everything setup to have, freeware and/or payware, in your opinion?
Beirut,
That's actually not really my field of specialisation, seeing as I've been using things other than Windows for some time now. My general setup whenever I install XP to play games or whatnot is:
Avast!
Firefox
Adblock
NoScript
CookieSafe
No flash
I am behind a router, which acts as a firewall, and I've not had any viruses with it for quite a while - however, this is with very sane browsing. Whether such a system could hold up to a stress-test is hard to say.
There is a method that I intend to try out next time I install, which works by "freezing" your files into the state they are, and only allowing the changes you want to actually be saved. For instance, any changes to .exe files can immediately be considered bad - those files just aren't meant to be modified.
CrossLOPER
12-07-2009, 16:30
Avast!
Firefox
Adblock
NoScript
CookieSafe
No flash
Apart from CookieSafe, this is pretty much my set up. No flash is a bit annoying, but it has its uses. I can't imagine why people still use IE, let alone look at me like I'm a freak when I suggest Firefox.
Tellos Athenaios
12-07-2009, 16:49
The fact they are container formats - and thus they are supposed to contain arbitrary data - is a reason to consider them safe. They are not supposed to be executed under any conditions. A viewer that runs any sort of script from a .gif is highly insecure and should not be used, period.
Actually the container formats often do contain arbitrary code (DVD menus are scripts) or can serve as attack vector for such (MP3s can trigger download of ‘album art’ and such). In fact this is why Microsoft Office documents can be a potential risk: these too are container formats and can play ‘host’ to VB script.
The problem with the GIF is that its data format is pretty much the same as an ASCII text file. So is a batch script. Windows trusts that what you download is a GIF file. Perhaps unfounded... :juggle:
I didn't know about the NTFS data streams (and I still see very little point in such a function),
The point probably was/is that you can attach meta data to a file stream. But anyways...
but what would trigger those streams? Are they opened at the same time as the main file (in which case, they can do as much damage as the file itself - thus, in the case of a .dll or .exe, lots, but none as a plain text), or must they be called separately? And, if they must indeed be called separately, what would call them on a freshly installed system?
... As I said the streams can be specifically opened. The problem is not *that* there are streams; but the problem is that by default Windows has a laissez-faire attitude towards what is executable and what is not; which is why the batch script as GIF file trick works in the first place (e.g. try to execute your average GIF file under a Unix environment and you will probably find it complains about not being permitted to execute the file).
Now about the streams they can be specifically looked up by a program (and modern [decent] AV kit should scan for streams). The reason why DLL files in particular are a danger is that they tend to be loaded early and by ‘trusted’ programs. E.g. your Microsoft Office will load riched.dll (a library for the Office rich text editor), so any malware that wants to load its main (malevolent) payload would simply attempt to inject this into such a DLL file. Now its payload can be effectively obscured because the malware can simply wait until Word, Excel or similar is loaded.
The ‘classic’ example of this would be the User32.dll file which is loaded during log-on since it contains user-account handling code. Again AV makers learned this lesson the hard way in the early days of NTFS.
EDIT: And would copying the files over to the tmpfs, before moving them over to a FAT32 not get rid of these streams? Does FAT32 even support them?
Streams are not supported by FAT32 but you may simply end up with a bunch of files if you try to copy an NTFS file that contains more than just 1 stream: I am not sure, I've never had a reason to try that. :shrug:
At any rate we are veering off into the realm of the academical arguments. My point is that you cannot trust a file based on (false) assumptions on the file type.
To review my original description:
Safe:
.jpg
.jpeg
.png
.gif
.mp3
.ogg
.mp4
.wma
.avi
.mkv
.pdf (?)
Unsafe:
.doc
.xls
.ppt
.exe
I haven't considered the album-art download script. Whether those can be dangerous is a good question - are they really file-side? I was assuming the player searched using the meta-data available within a trusted resource... MS Office documents, I most certainly agree, should not be copied. As to DVD-menus - I don't remember any of the file types I listed supporting it. WMA and MP4, maybe? Never liked those...
The problem with the GIF is that its data format is pretty much the same as an ASCII text file. So is a batch script. Windows trusts that what you download is a GIF file. Perhaps unfounded...
I'll test this later (giving an executable a .gif extension) - do you perhaps mean the hidden extension "feature" in Explorer? Whoever thought that thing up deserves no compassion. :furious3:
The problem is not *that* there are streams; but the problem is that by default Windows has a laissez-faire attitude towards what is executable and what is not;
The reason why DLL files in particular are a danger is that they tend to be loaded early and by ‘trusted’ programs. E.g. your Microsoft Office will load riched.dll (a library for the Office rich text editor), so any malware that wants to load its main (malevolent) payload would simply attempt to inject this into such a DLL file.
I didn't mention .dll files due to those being unnecessary for an average user to transfer between computers, but they certainly fall in the same category. However, if I understand this correctly, the injection would have to be in the main file (riched.dll, not riched.dll:malware.dll), making streams irrelevant to that specific case.
Also, I looked it up, and copying a stream over to a filesystem that does not support it (or generally doing anything with it with a program that is unaware of it) will destroy it.
At any rate we are veering off into the realm of the academical arguments. My point is that you cannot trust a file based on (false) assumptions on the file type.
Indeed we have, but I truly am curious how wrong my advice was. To adjust it, Beirut: Make sure that the files you copy contain what you expect them to contain (are valid images, music, etc.) and that their extension really is what you expect it to be. If you're unsure, Linux (and Unix, probably) has a "file" command, which allows you to check what type a file is, detecting it even if the extension is wrong/missing. If you don't mind spending time on it, also check the metadata - I'll check if there's an easy way to do that.
Indeed we have, but I truly am curious how wrong my advice was. To adjust it, Beirut: Make sure that the files you copy contain what you expect them to contain (are valid images, music, etc.) and that their extension really is what you expect it to be. If you're unsure, Linux (and Unix, probably) has a "file" command, which allows you to check what type a file is, detecting it even if the extension is wrong/missing. If you don't mind spending time on it, also check the metadata - I'll check if there's an easy way to do that.
Though I am an unqualified genius, I am also a bear of very little brain. The easy way, for me, is always the best way.
I'll probably have to re-install XP for at least a few months. Don't think I have Win7 cash right now, not with kids and Christmas three-weeks away.
I guess the best I can do is reload, stuff in as much anti-everything as I can, scan everything I want to put back in and use my router(!), which I have not been using of late, and sure as shoot, "of late" is when this machine got bombed.
I'm still curious if it's worth paying for a "better" anti-virus or is the free stuff just as good.
Tellos Athenaios
12-07-2009, 23:59
I'll test this later (giving an executable a .gif extension) - do you perhaps mean the hidden extension "feature" in Explorer? Whoever thought that thing up deserves no compassion. :furious3:
Try this:
(On a Unix like system, e.g. Linux)
Open GIMP or similar editor. Create a 1x1 px file
Save As GIF (e.g. test.gif)
Include the following comment while exporting:
; echo "Hello, $USER: how do you like your GIF?";
Run as:
sh test.gif 2>/dev/null
Now imagine doing a similar thing but instead of including POSIX sh compatible code like that; include some DOS code such as
; del *.*; and naming your file test.gif.bat.
An unwary user can be easily tricked like that: a legitimate GIF picture can double as host for a malicious payload via this double extension trick; which when opened via explorer (double click) would typically result in an inexplicable DOS prompt; a bunch of errors in it and much more room on your hard disk. The reason is shells don't abort scripts on error.
The real problem is of course that GIF files and other such containers can be used to inject pretty much arbitrary data. And that by design parsers must *ignore* such data if they do not understand it -- this is essentially the deal with forward-compatibility. And that some OSes *cough* Windows *cough* have no sensible defaults.
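A defender-side check of the two points raised above (the "file"-style content check Sevis suggests, and the GIF-comment-as-script trick Tellos describes), as an added Python example that is not from the thread or from any of its posters: it confirms a file's header matches the type its extension claims, flags double extensions that end in an executable type, and walks the GIF block structure to pull out Comment Extension blocks that contain shell-like text. The sample GIF and file names are constructed inline; the signature and extension lists are assumptions, not exhaustive.

```python
import re

# Magic-byte signatures for the "safe" types listed in the thread (assumed subset).
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
# Extensions that Windows or a shell will execute rather than display (assumed list).
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".dll", ".sh"}
# Crude heuristic for shell-like text inside an image comment.
SHELLISH = re.compile(r"(^|;)\s*(echo|rm|del|sh|cmd|powershell|curl|wget)\b")


def extension_chain(name):
    """'test.gif.bat' -> ['.gif', '.bat']; every extension, not just the last one."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def read_subblocks(data, pos):
    """Read GIF data sub-blocks (length byte + bytes, terminated by a 0 byte)."""
    out = bytearray()
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n


def gif_comments(data):
    """Return the text of every Comment Extension block (0x21 0xFE) in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                              # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                   # global colour table present
        pos += 3 * (2 << (data[10] & 7))  # 3 bytes per entry, 2^(N+1) entries
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                 # trailer
            break
        if block == 0x2C:                 # image descriptor: 9 bytes, optional LCT
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:
                pos += 3 * (2 << (local_packed & 7))
            pos += 1                      # LZW minimum code size
            _, pos = read_subblocks(data, pos)
        elif block == 0x21:               # extension: label byte, then sub-blocks
            label = data[pos]
            pos += 1
            body, pos = read_subblocks(data, pos)
            if label == 0xFE:
                comments.append(body.decode("latin-1"))
        else:
            raise ValueError("unexpected block 0x%02x at %d" % (block, pos - 1))
    return comments


def check_file(name, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = extension_chain(name)
    if not exts:
        return ["no extension"]
    if len(exts) > 1 and exts[-1] in EXEC_EXTS:
        findings.append("double extension ending in executable type " + exts[-1])
    claimed = exts[-1]
    if claimed in SIGNATURES and not data.startswith(SIGNATURES[claimed]):
        findings.append("content does not match " + claimed + " signature")
    if data[:6] in (b"GIF87a", b"GIF89a"):
        for comment in gif_comments(data):
            if SHELLISH.search(comment):
                findings.append("GIF comment looks like a script: " + repr(comment[:40]))
    return findings


def make_gif(comment=None):
    """Construct a minimal 1x1 GIF89a, optionally carrying a Comment Extension."""
    gif = bytearray(b"GIF89a\x01\x00\x01\x00\x80\x00\x00")   # header + screen descriptor
    gif += b"\x00\x00\x00\xff\xff\xff"                         # 2-entry global colour table
    if comment is not None:
        raw = comment.encode("latin-1")
        gif += b"\x21\xfe" + bytes([len(raw)]) + raw + b"\x00"
    gif += b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"          # image descriptor
    gif += b"\x02\x02\x44\x01\x00"                              # LZW code size + data
    gif += b"\x3b"                                              # trailer
    return bytes(gif)


# Constructed samples: the thread's own comment string, and a clean image.
TRICK_GIF = make_gif('; echo "Hello, $USER: how do you like your GIF?";')
CLEAN_GIF = make_gif()

if __name__ == "__main__":
    for name, data in [("test.gif.bat", TRICK_GIF), ("clean.gif", CLEAN_GIF),
                       ("photo.jpg", b"MZ\x90\x00")]:
        print(name, check_file(name, data) or "ok")
```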
I've not got GIMP on me at the moment, so I'll test that later.
As I said - it's the hidden extension. In this case, on Unix, "test" is the name and "gif" the extension, while on Windows, "test.gif" is the name and "bat" the extension. The program is not parsed by whatever image viewer you have - it's sent right into cmd.exe, which will of course be quite dangerous. Would having the first example (in Unix, in a graphical environment), named "test.gif.sh", double-clicked, do anything else? I rather doubt it.
The problem, I would say, is file browsers sometimes hiding extensions, and users not doing anything about it. Checking the (entire) file for possibly dangerous strings and limiting the use of those would take quite a while and have no difference on the typical (used-as-intended) experience.
However, this post has gotten me curious as to how long it would take for 'cat /dev/urandom | grep "; rm -rf /;"' to give us something... Probably too long to wait, the chance per character is 256^-11 (=2^-88, which is around (10^-24)/256).
However, this post has gotten me curious as to how long it would take for 'cat /dev/urandom | grep "; rm -rf /;"' to give us something... Probably too long to wait, the chance per character is 256^-11 (=2^-88, which is around (10^-24)/256).
You know, the nerd in me needs a cigarette after reading posts like that.
:sweatdrop: Ah feel faint...
But you guys know your stuff. I DL-ed Avast and a few minutes later a little screen pops up and says "Dingwad! You have a rootkit messing with your rig." It even warned me I was being attacked. Wild little program.
A scan and a few clicks later and things are much better.
Thanks, y'all. :sunny:
pevergreen
12-08-2009, 13:09
A scan and a few clicks later and things are much better.
Thanks, y'all. :sunny:
:beam:
What we love to hear.
Even if they completely lost me towards the end...
It involves trying to run a destructive command from a randomly generated number.
It involves trying to run a destructive command from a randomly generated number.
For some reason that makes me think of my woman telling me to do something around the house.
I don't intend to actually run it, simply see how long it takes for it to pop up... :)