Thread: Security Compromised

  1. #1
    Senior Member wannabgeek's Avatar
    Join Date
    Jan 2005
    Location
    Essex
    Posts
    723
    Thanks
    8
    Thanked
    1 time in 1 post
    • wannabgeek's system
      • Motherboard:
      • Asus M4A89GTD-Pro-USB3
      • CPU:
      • AMD x6 1055T Phenom @3.3ghz with Hyper 212+ HSF
      • Memory:
      • 4GB Corsair XMS3 (2x2GB) since upgraded to Corsair DD3 XMS3 8gb (2x 4gb) CMX8GX3M2A1600C9
      • Storage:
      • OCZ 120GB SSD / 250GB Samsung Spinpoint Sata H / 200GB Maxtor
      • Graphics card(s):
      • Powercolor HD 6850 1GB GDDR5
      • PSU:
      • Tx 650w Corsair PSU
      • Case:
      • Lancool K62
      • Operating System:
      • Windows 7 64 Ultimate (the cheapest)
      • Monitor(s):
      • Dell 19"
      • Internet:
      • Firefox & 20MB Sky max

    Security Compromised

    Hi
    Hope you can please help me here! Yesterday I got a warning from Spyblaster telling me my IE security settings have been changed. I can only put this down to me uninstalling Spybot's 'TeaTimer', A2 & MS AntiSpy! The reason I got rid of them was because I purchased Spy Sweeper (supposedly a lot better) and I wanted just 1 dedicated prog running at startup monitoring everything instead of 3, so as to avoid conflicts! But now I think it's backfired on me! Is there a site/prog to test Spy Sweeper to see if it's working OK?
    PS I also have: Ad-Aware SE/Spybot/Ewido (free)/CCleaner/CWShredder & of course FW and AV progs
    Windows 7 64 Ultimate
    AMD x6 1055T Phenom @3.3ghz
    Asus M4A89GTD-Pro-USB3
    HD 6850 1GB GDDR5
    4GB Corsair XMS3 (2x2GB)
    Tx 650w Corsair PSU
    250GB Samsung Spinpoint Sata HD
    200GB Maxtor Dmax10 IDE
    LG Sata2 DVD/RW
    Lancool K62 Case

  2. #2
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts
    What aspect of your security settings have changed? You could have a look at www.grc.com although that won't necessarily give you much info about spyware/adware that is already installed on your system.
    Last edited by peterb; 31-12-2005 at 02:20 PM.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  3. #3
    Senior Member wannabgeek's Avatar
    Hi. Since the last post my Norton AV will not protect my PC, i.e. Auto-Protect off, email scanning off, and I cannot turn it on! I have scanned the PC but nothing found! Any ideas?

    PS also tried removing Spy Sweeper & Ewido guards and resetting IE back to defaults but I still cannot get Norton to protect! I am wondering if it was a prog (xpsafe) that I installed recently; I have also reset it back to the state before it was installed but that doesn't work! I might have to do a clean install.

  4. #4
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Have you re-installed Norton?

  5. #5
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Download & run Rootkit Revealer - your system may appear unresponsive for a couple of minutes while it runs as it has to dig deep.

    Run Trend Micro Housecall on your system, see what it says.

    And I would reiterate what peterb said - have you tried a reinstall of Norton?
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  6. #6
    Senior Member wannabgeek's Avatar
    Hi, thanks for replying!
    I have uninstalled Norton and installed a new AV (eTrust); for a few minutes that too was unprotected but now seems OK. I am just running all tests/scans as I am now worried I have viruses due to the unsecured settings! Thanks for the Rootkit, I will run it ASAP. I think I have conflicts with the new progs installed (Ewido, Spy Sweeper), and because they both have guards at startup they were conflicting, and maybe because prior to their installation I had also removed MSAS and got rid of the 'TeaTimer' as that too was an IE setting protector! But for the life of me I don't know why Norton got unprotected and why I now have an extra setting in 'Internet Options/Security' called 'Your computer' which has a restriction icon just like the one on 'Restricted zone'! Sorry to go on!

    PS since lowered the new icon's settings and now the icon is 'IE with 2 keys'. Never seen that before!

    EDIT: Re ROOTKIT: what will it tell me?
    Last edited by wannabgeek; 31-12-2005 at 07:20 PM.

  7. #7
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Quote Originally Posted by Paul Adams
    Download & run Rootkit Revealer - your system may appear unresponsive for a couple of minutes while it runs as it has to dig deep.
    30 minutes later - and it's still running!

  8. #8
    Xcelsion... In Disguise. Xaneden's Avatar
    Join Date
    Nov 2004
    Location
    United Kingdom
    Posts
    1,699
    Thanks
    0
    Thanked
    0 times in 0 posts
    Your best bet would be to reinstall Windows, and then install just 1 AV and one Anti-Spyware. Your Mesh probably has a reinstallation CD, which gives you a fresh, factory setting installation of Windows.
    New Sig on the Way...

  9. #9
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by wannabgeek
    Re ROOTKIT; What will it tell me?
    Rootkit Revealer dumps the raw contents of the registry hives and compares it to what the Windows APIs report (e.g. viewing with RegEdit).
    If there is a discrepancy then it can indicate some keys are being hidden by a rooted set of APIs - so they become invisible to AV & trojan scanners.
    Same kind of principle for files hidden on your disk and processes running in memory - the APIs are intercepted and the results modified so regular processes can't see these nasty things lurking on the system.

    This is the principle that Sony used to hide their DRM software, which is why there was a massive uproar - they silently installed the equivalent of a rootkit on your system just by putting a CD in.

    Hopefully Rootkit Revealer will find nothing - if it reports anything odd then post the results here.
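The cross-view comparison described in the reply above, as an added example that is not part of the original post and is not Sysinternals' Rootkit Revealer code. The "raw hive" is a constructed dict standing in for the values parsed from the hive file on disk, and hooked_api_view() is a constructed stand-in for a rooted registry API that hides one autostart entry and rewrites another; the detector only ever sees the two views and reports where they disagree.

```python
"""Cross-view detection on a constructed registry snapshot (added example,
not Sysinternals code). The "hive" is a dict, and the rooted API is a function
that filters and rewrites entries the way a hooked registry API would."""
from typing import Dict, List, NamedTuple, Optional

HIDDEN = "Hidden from Windows API"
MISMATCH = "Data mismatch between Windows API and raw hive data"


class Finding(NamedTuple):
    path: str
    kind: str
    api_value: Optional[bytes]
    raw_value: Optional[bytes]


# Constructed raw-hive view: the values as they sit in the hive file on disk.
# Key names and paths are sample values for the demo, not real findings.
RAW_HIVE: Dict[str, bytes] = {
    r"HKLM\SOFTWARE\Classes\webcal\URL Protocol": b"",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AV": b"C:\\AV\\av.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example-rootkit": b"C:\\hidden\\example.exe",
}


def hooked_api_view(raw: Dict[str, bytes]) -> Dict[str, bytes]:
    """Stand-in for what a rooted RegEnumValue/RegQueryValueEx would hand back.
    Constructed behaviour: the rootkit's own autostart entry is filtered out of
    every API caller's view, and the AV autostart value is blanked so the
    scanner never launches. A clean API would return `raw` unchanged."""
    view: Dict[str, bytes] = {}
    for path, value in raw.items():
        if path.endswith(r"\Run\example-rootkit"):
            continue                 # entry hidden from the API
        if path.endswith(r"\Run\AV"):
            value = b""              # value tampered in the API response
        view[path] = value
    return view


def cross_view_diff(api_view: Dict[str, bytes], raw_view: Dict[str, bytes]) -> List[Finding]:
    """Walk the raw view and report each entry the API view lacks (hidden) or
    reports with different data (mismatch). A clean system yields [].
    Caveat: a value that legitimately changes between the two reads (a
    volatile key, a timestamp) also shows as a mismatch, which is where the
    false positives mentioned later in the thread come from."""
    findings: List[Finding] = []
    for path in sorted(raw_view):
        raw_value = raw_view[path]
        if path not in api_view:
            findings.append(Finding(path, HIDDEN, None, raw_value))
        elif api_view[path] != raw_value:
            findings.append(Finding(path, MISMATCH, api_view[path], raw_value))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Render findings in the one-line style Rootkit Revealer prints."""
    return [f"{f.path} {len(f.raw_value or b'')} bytes {f.kind}." for f in findings]


if __name__ == "__main__":
    for line in report(cross_view_diff(hooked_api_view(RAW_HIVE), RAW_HIVE)):
        print(line)
```

Running it prints two lines: a data mismatch for the AV autostart value and a hidden entry for the rootkit's own. The same walk works for files (directory listing from the API versus entries read from the on-disk file system structures) and for processes, which is why one tool covers all three.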

  10. #10
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Full re-install really should be a last resort. Running one type of scanner though is a good idea to avoid conflicts. Running Trend's Housecall (described by Paul) should check if your system is clean.

  11. #11
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    How exactly do you think Shields UP! will help?

    It is a complete waste of time; it's just a very rudimentary port scanner that has been proven not to find trojans.

    Take everything you read on grc.com with a large pinch of salt; most of it is self-publicism for the site's owner.

    grcsucks.com
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  12. #12
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Quote Originally Posted by Moby-Dick
    How exactly do you think Shields UP! will help?

    It is a complete waste of time; it's just a very rudimentary port scanner that has been proven not to find trojans.

    Take everything you read on grc.com with a large pinch of salt; most of it is self-publicism for the site's owner.

    grcsucks.com
    I did say that it wouldn't help find spyware (or other malware), but it does give some assurance that there is some protection so that malware that attacks open ports can be stopped - but of course it gives no assurance that protection against 'legitimately' imported malware (i.e. through e-mail, suspect web sites, FTP etc.) is in place. Read the grcsucks site with interest!

  13. #13
    Senior Member wannabgeek's Avatar
    Hi Paul, sorry for the late reply.
    Below are the results of the rootkit scan. There are also 4 new lines without a GREEN TICK in Spybot's WINSOCK LSPs. Would these results have compromised my credit card details/PayPal etc., as now I'm too scared to even check?

    HKLM\SOFTWARE\Classes\webcal\URL Protocol 13-2-05 19:53 13 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 25-6-05 20:20 87 bytes Data mismatch between Windows API and raw hive data.
    C:\Documents and Settings\Me\Local Settings\Temp\~DF651.tmp 2-1-06 13:10 16.00 KB Hidden from Windows API.
    C:\Documents and Settings\Me\Local Settings\Temp\~DF662.tmp 2-1-06 13:10 512 bytes Hidden from Windows API.
    C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\85M7OHM7\CAV2SV75.HTM 2-1-06 13:11 1.15 KB Hidden from Windows API.
    Last edited by wannabgeek; 02-01-2006 at 03:17 PM.

  14. #14
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by wannabgeek
    HKLM\SOFTWARE\Classes\webcal\URL Protocol 13-2-05 19:53 13 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 25-6-05 20:20 87 bytes Data mismatch between Windows API and raw hive data.
    C:\Documents and Settings\Me\Local Settings\Temp\~DF651.tmp 2-1-06 13:10 16.00 KB Hidden from Windows API.
    C:\Documents and Settings\Me\Local Settings\Temp\~DF662.tmp 2-1-06 13:10 512 bytes Hidden from Windows API.
    C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\85M7OHM7\CAV2SV75.HTM 2-1-06 13:11 1.15 KB Hidden from Windows API.
    The first appears to be a common false positive according to posts on Rootkit Revealer's forum.

    The second looks like a registry corruption; it is a reference to an app's folder, not an executable, so I would assume it is benign (to fix this I would remove the "Sonic Desktop Software" and check again - if still present then delete the key HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder).

    3 files hidden from the OS, though 1 is too small to be of significance I think (512 bytes), so the other 2 may be false alarms too.
    What you could try to do is 1 of the following:
    1. Clean out all temporary files and rescan
    2. Delete the user profile for "Me"

    To clean the temp folders:
    - reboot the machine to release all file locks
    - go into IE - Tools/Internet Options:
    -- click "Delete Cookies"
    -- click "Delete Files" (check "all offline content")
    -- click "Clear History"
    - enter the following command at the Start/Run prompt (including quotes):
    "%userprofile%\Local Settings\Temp"
    This should open an Explorer window with the contents of the user's temp folder - delete all the contents you can in here.

    To delete the user profile for "Me" entirely:
    - log in as a different user with admin privileges
    - right-click My Computer, click Properties
    - go to the Advanced tab, click the middle "Settings" button (User Profiles)
    - select the profile for "Me" and click Delete
    - log back in as "Me" and you will get a default profile again
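A parser and first-pass triage for report lines in the shape posted above, as an added example that is not part of the original post and not Sysinternals code. The five REPORT lines are the ones quoted in the thread; the triage rules encode the reasoning in the reply (temp and cache files written while the scan runs, a 512-byte file being too small to matter, registry data mismatches needing a look in RegEdit) and are a starting point for deciding what to clean and rescan, not a verdict; SCAN_DATE is an assumption taken from the timestamps on the hidden temp files, and the hive prefixes, size units and severity labels are the example's own.

```python
"""Parser and first-pass triage for Rootkit Revealer-style report lines
(added example, not Sysinternals code). Format per line, as posted in the
thread: <path> <d-m-yy> <HH:MM> <size> <unit> <description>."""
import re
from datetime import date, datetime
from typing import List, NamedTuple, Optional

# The five lines posted in the thread, embedded as sample input.
REPORT = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 13-2-05 19:53 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder 25-6-05 20:20 87 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Me\Local Settings\Temp\~DF651.tmp 2-1-06 13:10 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Me\Local Settings\Temp\~DF662.tmp 2-1-06 13:10 512 bytes Hidden from Windows API.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\85M7OHM7\CAV2SV75.HTM 2-1-06 13:11 1.15 KB Hidden from Windows API.
"""
SCAN_DATE = date(2006, 1, 2)   # assumed: the day the scan was run, per the temp-file timestamps

LINE_RE = re.compile(
    r"^(?P<path>.+?) "                                        # path may contain spaces
    r"(?P<date>\d{1,2}-\d{1,2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB) "
    r"(?P<desc>.+?)\.?$"                                      # trailing full stop dropped
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 * 1024}
TEMP_MARKERS = ("\\LOCAL SETTINGS\\TEMP\\", "\\TEMPORARY INTERNET FILES\\")
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


class Entry(NamedTuple):
    path: str
    when: datetime
    size: int        # normalised to bytes
    desc: str


class Verdict(NamedTuple):
    path: str
    level: str       # "low", "medium" or "high"
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """One report line -> Entry, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%d-%m-%y %H:%M")
    size = int(round(float(m["size"]) * UNIT[m["unit"]]))
    return Entry(m["path"], when, size, m["desc"])


def triage(entry: Entry, scan_date: date) -> Verdict:
    """First-pass classification; 'low' means clean up and rescan, not ignore."""
    up = entry.path.upper()
    if up.startswith(HIVES):
        if "MISMATCH" in entry.desc.upper():
            return Verdict(entry.path, "low",
                           "registry data mismatch: open the value in RegEdit; a folder path or "
                           "plain string is benign, a reference to an executable is not")
        return Verdict(entry.path, "high", "registry key hidden from the API: investigate")
    if "HIDDEN" in entry.desc.upper():
        if any(mk in up for mk in TEMP_MARKERS) and entry.when.date() == scan_date:
            return Verdict(entry.path, "low",
                           "temp/cache file created on the scan day: likely written while the "
                           "scan ran; clear temp folders and rescan")
        if entry.size <= 512:
            return Verdict(entry.path, "low", "512 bytes or less: too small to be of significance")
        return Verdict(entry.path, "high", "hidden file outside temp areas: investigate")
    return Verdict(entry.path, "medium", "unrecognised finding: post the line for review")


def parse_report(text: str, scan_date: date = SCAN_DATE) -> List[Verdict]:
    """Parse every non-blank line and triage it; malformed lines are skipped."""
    entries = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [triage(e, scan_date) for e in entries if e is not None]


if __name__ == "__main__":
    for v in parse_report(REPORT):
        print(f"[{v.level:6}] {v.path}\n         {v.reason}")
```

On the thread's five lines every verdict comes out "low", which matches the reply: clear the temp folders, rescan, and only treat anything that survives the rescan as worth a closer look. A hidden file under a system directory, or a registry key that is hidden rather than merely mismatched, is escalated to "high" because neither has the innocent explanation the temp files do.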

  15. #15
    Senior Member wannabgeek's Avatar
    Well it looks as if i have got the JPG Virus!
