Boot Sector Virus proves challenging – and yet not challenging

So, a repeat client of mine came across the good ol’ Sinowal virus (read about it here). He switched over to a different antivirus, one provided by his ISP, namely F-Secure. F-Secure began popping up alerts that he had this boot record virus.

(before F-Secure, he was using Avast! antivirus. Oh, how far Avast has fallen…. It used to be my favorite)

Not knowing what to do for sure, he called The Restore Store. Before calling me, he called the ISP, since they were the ones providing the A/V that detected it. They said he was hosed and it was serious. I concurred.

I had read a lengthy article a while ago about the nature of this virus, Sinowal, aka Mebroot.

F-Secure wasn’t offering to remove the MBR virus, only indicating that it was there. I did some research and, after doing a thorough backup, began to apply the tools commonly used to deal with this virus.

The problem was, nothing was detecting it. F-Secure was adamant it was there, but the “official” Sinowal-hunting MBR scanning tools were saying everything was fine.

Was it a false positive? Doubtful, F-Secure is a good outfit, but still…

I booted to a recovery console and used “fixboot” and “fixmbr” to no avail. That made me think even more that it was a false positive.

Growing frustrated, I disabled F-Secure and installed Avira. Avira immediately hit on it and I now had corroboration. Avira did not offer to remove it.

Since Microsoft Security Essentials is my favorite A/V at the moment, I removed Avira and installed that. A quick scan by MSE revealed Sinowal as well.

Good!

And, MSE offered to remove it. BONUS!

I removed the sucker and uninstalled MSE. I rebooted the machine and F-Secure, which was still there, did not indicate the virus was back.

I am now proceeding to do a thorough hard drive scan to make sure the drive is sound, as it is an older machine. Then, I will “nuke and pave” and do a clean install of windows. I have my DBAN cd out, ready to go. Probably not necessary, I may not use it…

I think I’ll be putting on MSE; the customer can put on F-Secure if he wishes, but for me MSE earned its keep again today.

Side note: I had the pleasure of removing Norton 360 along with a truckload of viruses that were on a system today, restoring the simple ability of accessing the internet. I’ve also had the pleasure of removing various abominations from McAfee this week as well.

The feel of the system after simply removing McAfee is analogous to driving a small truck after just having been towing an overloaded trailer with it. It feels light, sporty, responsive, like a whole new machine ready to spring into action with the slightest touch… It’s exhilarating. Almost a high for me. Am I becoming addicted to removing Norton and McAfee? Hmmm…..

Never assume an intelligent customer will not make stupid mistakes

So, I provided a new computer to a public service agency when their old one died. This particular agency is one of the top 3 jobs which all young boys want to be when they grow up.

So, the “chief” of this public department was installing Microsoft Office on this new computer, which I had taken great pains to get prepared for them as much as possible. They had special software that ran the database for their department; I transferred all reports and updates, put in the old HD in case I missed something, delivered, set up, so on, so on.

But, they hadn’t provided THEIR copy of ms office, and hey, how hard can it be. The ever resourceful “chief” of this department eagerly volunteered to install it himself, once he dug it out of wherever it was that they couldn’t find at the time I was building it.

So I get a call today while I was out, and returned his call when I got back. He was attempting to install “office” but something didn’t look right. When I called him back, he said “hey, I put in the key it asked for and it seems to be taking off” “Ok, no problem, if you get stuck just give me a call” “Ok, I’ll do that.”

Fast forward 30 minutes. He calls, and says he finished installing “office”, but now office isn’t showing up anywhere and it’s now asking him to register windows. I’m stunned, so I head over.

As it turns out, the shiny holographic disk he was using to install “office” was actually the shiny holographic disk for “windows” and he had just wiped out his freshly set up computer. Ouch!

Luckily he didn’t format anything. I had him up and running again in about 1.5 hours, but as the disk was sp2 there will be some updating to do.

When he realized what he had done, he adamantly proclaimed that I will be doing everything 100% from now on, and not him. We both lol’d.

Digital Photocopiers Loaded With Secrets

Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale

By Armen Keteyian

At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.

Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.

In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.

If you’re in the identity theft business it seems this would be a pot of gold.

Read the rest here.

And more here.

Still more here.

Malware Registry Entry Points:

Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.

What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.

Read the rest here:
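The excerpt above describes the first forensic step of checking the obvious registry launchpoints for modifications. The script below is an added example (not code from this blog or from the source it quotes) that does that check offline against a registry export in .reg text format, such as one produced by reg.exe or regedit, so it runs on any platform without touching a live hive. The autorun key list is a set of commonly documented locations, not the diagram the excerpt refers to (which is not reproduced here); the sample export, the “user-writable path” heuristic and the expected Winlogon values are constructed assumptions for the demo.

```python
"""List and flag values under well-known Windows autorun registry keys.

Added example: parses a .reg text export rather than a live registry so it
can run offline. Sample data below is constructed for the demo.
"""
import re

# Commonly documented autorun launchpoints; the same relative paths exist
# under HKLM and HKCU (Wow6432Node variants are not matched here).
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Software\Microsoft\Windows NT\CurrentVersion\Windows",  # AppInit_DLLs
)

# Winlogon values that should point at fixed system binaries (assumed baseline).
WINLOGON_EXPECTED = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Heuristic: autorun entries launching from user-writable locations deserve a look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample export: one benign and one odd entry per key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\Public\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Public\\x.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue  # hex:/dword: data and stray lines are skipped in this demo
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        entries[current][name] = data
    return entries


def _relative(key_path):
    """Drop the hive name and lower-case so HKLM/HKCU variants compare equal."""
    return key_path.partition("\\")[2].lower()


def find_launchpoints(entries):
    """Every value under a known autorun key, with a reason string if it looks off."""
    hits = []
    for key, values in entries.items():
        rel = _relative(key)
        if not any(rel.endswith(k.lower()) for k in AUTORUN_KEYS):
            continue
        for name, data in values.items():
            reason = None
            expected = WINLOGON_EXPECTED.get(name.lower()) if rel.endswith("winlogon") else None
            if expected is not None and data.strip().lower() != expected:
                reason = "Winlogon value differs from expected system binary"
            elif any(marker in data.lower() for marker in USER_WRITABLE):
                reason = "launches from a user-writable path"
            hits.append({"key": key, "name": name, "data": data, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_launchpoints(parse_reg(SAMPLE_REG)):
        flag = f"  <-- {h['reason']}" if h["reason"] else ""
        print(f"{h['key']}\n    {h['name']} = {h['data']}{flag}")
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and so on), the output is a triage list, not a verdict: legitimate software does install under AppData, so each flagged entry still needs the file itself checked.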

AVprofit: Rogue AV + Zeus = $

An amazing article about how the “bad guys” are making some serious coin with malware…

The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats.

Read the rest of this here.

malware botnets have the largest “cloud”

Who’s got the biggest cloud in the tech universe? Google? Pretty big, but no. Amazon? Lots and lots of servers, but not even close. Microsoft? They’re just getting started.

Household names all, but their capacity pales to that of the biggest cloud on the planet, the network of computers controlled by the Conficker computer worm. Conficker controls 6.4 million computer systems in 230 countries, more than 18 million CPUs and 28 terabits per second of bandwidth, said Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar.

Read the rest here.

Ripping on the mainstream security software

Back story, for you bored people out there: I used to subscribe to the “Langa Letter” by Fred Langa. He merged with Windows Secrets a few years ago. I got THIS in an e-newsletter: http://windowssecrets.com/2010/03/18/01 saying how awesome the various internet security suites are, including McAfee.

I was “horrified” to say the least. These people are supposed to be competent??!?

So, I replied with THIS:

I have to ask, don’t be offended – how much did McAfee pay you to say their software was worth more than the $0.50 CD it’s written on? I routinely fix computers by removing the atrocity that is all things McAfee. McAfee has been worthless since I first had the misfortune of encountering it in 1999….

Norton is only slightly better than McAfee because the entry level Antivirus doesn’t immediately mess up systems. However, the Internet Security product and 360 product are horrible, I have personally fixed mysterious network issues and poor system performance on more systems than I can remember – by simply removing it.

The computing professionals that are in the trenches day to day know first hand that Norton and McAfee “security” products look good on paper but don’t stack up when the rubber hits the road.

To which THEY replied:

Thanks for the e-mail, I’ve shared it with the editorial team.

Best wishes,

Stephanie Small
Research Director
WindowsSecrets.com
Editor@WindowsSecrets.com

So, since I have the same exact discussion nearly every day, I went onto CNET and posted THIS as a review for Norton Internet Security 2010. I plan to do this more often, until they reply, as per this post.

I am a computing professional. I repair them, build them, network them, and virus removal is my specialty. I have personally FIXED many many computers by REMOVING NORTON INTERNET SECURITY 2010 and earlier. Norton Internet Security (and 360) is WORTHLESS JUNK. Your system might be protected at first, but after a few months the hackers will figure it out and you will have only a false sense of security. Norton 2009 worked well until the middle of the year, then it was laughably worthless – I was fixing 4 or 5 computers AT ONCE all with Norton 2009 and all with really bad malware infections.

People pay good money for this junk, and then pay me to fix their computers – by removing viruses this software DOES NOT STOP. I also charge them to remove the junk norton software because when it breaks, it breaks your network connection.

I’ve had people bring in their computers because their ISP told them their network card was broken. No, they had norton 2010 and it was broken. I removed Norton, fixed the network stack, removed the viruses (malware) and they were good to go. SHAMEFUL.

Microsoft Security Essentials is FREE and it works better than this junk. I am telling everyone I know this information.

I tell people that MSE is free, works better and WON’T break their computers, and they look at me stunned. THEY DIDN’T KNOW they could have good protection for FREE. They know now, and now you do too.

The rogue security software (fake antivirus like Antivirus 360 or Internet Security 2010) is a rampant problem. You can get these rogues no matter what, some (or most) CANNOT be stopped.

If there is a burden on the user to be careful, AS WELL AS a certain amount of chance, why pay for security when you can be in the same boat and NOT break your computer, for free?
