how do I get infested?

[igothacked888]

Hello all,

I do full scan using latest updated Malwarebytes this weekend about few days ago.. Found NOTHING wrong with it at all.. My computer is Windows XP Pro and I have it LOCKED DOWN (meaning I don't use admin profile, admin profile has long password, and I'm using only the "User" level with no admin privileges..) Two other people share this home computer, they are mostly computer illiterate and do NOT know my admin password..

Suffice it to say, this morning everything was working as normal, and tonight I come home to find this extremely nasty "SecurityTool" virus, could not get rid of it.. (can't even open regedit or notepad, the whole thing just takes control and comes to the forfront again..) so I had to do a complete reformat..

My question is, if just two days ago I did complete full scan with Malwarebytes (and I'm thinking Malwarebytes can find "securitytool" virus..) and I have my computer LOCKED DOWN with no admin or even power user privileges how did this virus find its way on my computer? How does it have rights to install itself and hijack my XP system?

Anyone?

[noknojon]

Welcome igothijacked -

You have now found that there is almost no such thing as a safe site on the internet these days -

Our quickest link to remove this infection is listed below -

http://forums.malwarebytes.org/index.php?s...st&p=178790

You may want it now -

Thank You -

[igothacked888]

Welcome igothijacked -

Our quickest link to remove this infection is listed below -

http://forums.malwarebytes.org/index.php?s...st&p=178790

You may want it now -

Thank You -

Thanks, but I want also to know HOW can this happen?

The really funny/strange thing is, I set my AT&T 2wire network to as secure as possible, I have also set the freaking Windows XP firewall to block all unknown and DO not allow exceptions..

I am 100% sure my Windows user account is locked down with only bare minimum user privileges (no admin) and the default admin account is chained with a STRONG password.. No one else knows this password.

How can this happened?!?!?!

[mountaintree16]

Do you use an AntiVirus too?

[igothacked888]

MsquhxDgzwg

[mountaintree16]

A limited account in XP can sometimes break updates to an AntiVirus and you have to manually install Windows Updates via the Admin account if you normally use a limited account.

Have you been making sure (via admin account) that your AntiVirus updates at least once a day and making sure once a month that your critical updates for XP are being downloaded and installed?

[mountaintree16]

And also, in order to use MBAM, you need to download it, install it, and update it on the Admin account in order for it to install and update.

Then you should scan from each account (admin first).

Also, unfortunately, limited accounts are not fool-proof; you can still become infected.

Do you keep programs such as Adobe Reader, Flash, etc... fully patched and up to date? Those can be pathways to infections as well.

[igothacked888]

A limited account in XP can sometimes break updates to an AntiVirus and you have to manually install Windows Updates via the Admin account if you normally use a limited account.

Have you been making sure (via admin account) that your AntiVirus updates at least once a day and making sure once a month that your critical updates for XP are being downloaded and installed?

Well other than a manual scan with Malwarebytes every week I don't use active antivirus software at all. Infact I don't have any programs running in the system tray or constantly pinging home to update itself (no google update, no windows update, no automatic anything...)

How can this virus just work its way ONTO my system and compromise it so badly when I am always in USER mode (NO ADMIN AT ALL)? Is there a backdoor to Windows XP that we don't know about? How is this POSSIBLE?!?

[mountaintree16]

I don't use active antivirus software at all.

That's your first problem

There are several FREE antivirus programs out there that I can link you to

Nope, no backdoor in XP that allows this.. you've allowed your system online with no AntiVirus protection, and the limited account isn't impenetrable to infection, unfortunately.

[igothacked888]

That's your first problem

There are several FREE antivirus programs out there that I can link you to

Nope, no backdoor in XP that allows this.. you've allowed your system online with no AntiVirus protection, and the limited account isn't impenetrable to infection, unfortunately.

When I set my account to "user" mode with no poweruser or admin access privileges I can't even change the system time, I can't even install any programs or access the program files/ windows/ system32 directories to make any changes to any files..

So how is it possible that virus install itself? Does virus have root access somehow?!?! So if a virus can gain admin access even on a locked account then does that mean it is possible to make a program that can do things on locked account that has equal power of admin account?!

What happened to rings of execution privileges? What is the point of admin/user account differentiation if the security can be bypassed so easily?

[mountaintree16]

I gotta go for now, but I'll leave you with these links:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

http://security.gt500.org/Wiki.jsp?page=Prevention

http://miekiemoes.blogspot.com/2008/06/top...nt-want-to.html

http://miekiemoes.blogspot.com/2008/08/i-d...use-i-have.html

[mountaintree16]

In short, there are PLENTY of ways to bypass it.

You also have NO AntiVirus, which is your first problem

You're infected, you need to read and do the following, and you need to get an antivirus too, which your helper can assist you with.

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless its been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

Also, when replying, please use the "ADD REPLY" button or erase what the person you are replying to said, as this makes the forum easier to read.

Thank you

[DragonBoy]

When I set my account to "user" mode with no poweruser or admin access privileges I can't even change the system time, I can't even install any programs or access the program files/ windows/ system32 directories to make any changes to any files..

So how is it possible that virus install itself? Does virus have root access somehow?!?! So if a virus can gain admin access even on a locked account then does that mean it is possible to make a program that can do things on locked account that has equal power of admin account?!

What happened to rings of execution privileges? What is the point of admin/user account differentiation if the security can be bypassed so easily?

You do understand that all a virus has to do is be run once to be infected. Using a normal user does not protect you having a program run through an exploit in Adobe Reader, Adobe Flash or any number of exploitable programs. The fact you had no anti-virus program to prevent the launch of the viral file should concern you.

[noknojon]

Any YouTube show such as the one you left can carry 100 infections - Any active site can carry many infections - Even a PDF file can be infected -

You need a good antivirus (at least MSE free or Avira free) as well as installed access to a Good malware remover (like Malwarebytes) -

Thank You -

PS - I hope you are now using the link I left at the top to remove this as soon as you can -

[GT500]

When I set my account to "user" mode with no poweruser or admin access privileges I can't even change the system time, I can't even install any programs or access the program files/ windows/ system32 directories to make any changes to any files..

So how is it possible that virus install itself? Does virus have root access somehow?!?! So if a virus can gain admin access even on a locked account then does that mean it is possible to make a program that can do things on locked account that has equal power of admin account?!

What happened to rings of execution privileges? What is the point of admin/user account differentiation if the security can be bypassed so easily?

I hate to burst your bubble, but Windows is not in the least bit secure. If it was, then companies like ours would not need to exist. There are these things called "security vulnerabilities" that allow malicious software to do as they please on your computer. Here are a few unpatched ones that you may want to take a look at:

• Microsoft Windows "KiTrap0D" Privilege Escalation Vulnerability
  
• Windows XP Internet Connection Firewall Bypass Weakness
  
• Windows XP Malicious Folder Automatic Code Execution Vulnerability
  
• Microsoft HTML Help Control Privilege Escalation Vulnerability
  
• Microsoft Windows TCP Packet Information Disclosure
  
• Windows XP admin downgrade problem
  

So, not only are there security vulnerabilities in Windows XP that allow malicious software to obtain admin privileges without your knowledge, but there is also a vulnerability where downgrading an account from Administrator to Limited User does not remove all of it's previous rights.

Please note that just because you cannot do something, that does not mean that malicious software cannot do it. That's why it's called 'malicious'.

To see a more complete list of security vulnerability reports, click here.

[Sartori]

I have another suggestion for you along with getting yourself a good antivirus program: MSE for the free side and ESET for the paid side...

Use Firefox with the No Script and Ad Block add-ons.

[GT500]

Use Firefox with the No Script and Ad Block add-ons.

Not a bad idea, but don't assume 100% security with that. Security vulnerabilities have been found in the past in even the way browsers display images. Let us never forget the PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability, that allowed not only overwriting heap memory, but execution of code as well. Even more secure browsers like Opera have had security vulnerabilities found in how they handle images, although I would have to do some extra checking to see if any browser has ever had one that was as bad as the PNG bug in IE.

Twas the night before Christmas, and deep in IE

A creature was stirring, a vulnerability

MS02-066 was posted on the website with care

In hopes that Team eEye would not see it there

But the engineers weren't nestled all snug in their beds,

No, PNG images danced in their heads

And Riley at his computer, with Drew's and my backing

Had just settled down for a little PNG cracking

When rendering an image, we saw IE shatter

And with just a glance we knew what was the matter

Away into SoftICE we flew in a flash

Tore open the core dumps, and threw RFC 1951 in the trash

The bug in the thick of the poorly-written code

Caused an AV exception when the image tried to load

Then what in our wondering eyes should we see

But our data overwriting all of heap memory

With heap management structures all hijacked so quick

We knew in a moment we could exploit this $#!%

More rapid than eagles our malicious pic came --

The hardest part of this exploit was choosing its name

Derek Soeder

Software Engineer

eEye Digital Security

Technically speaking, Opera with scripts and plugins disabled is more secure than Firefox with NoScript, and there are NoScript-like User JavaScripts that you can get for Opera. It might be a better idea, from a security standpoint, to go that way than to embrace The Fox. Although, in the end, either one is better off than Internet Explorer.

[DarkSnakeKobra]

You proably should use layered security. Layered security is where you have other programs to try to limit the possiblity of getting an infection with other active protection or just addons for your browser to strengthen your security. Here is an example.

Microsoft Security Essentials-Antivirus

Malwarebytes' Pro-Antimalware

SpywareBlaster-Blocks active x based spyware in IE

HostsMan-Monitors host files which can block infected sites or ads.

WinPatrol-Monitors for system changes

Online Armor-Firewall that gives you more control and options then Windows Firewall

[GT500]

Microsoft Security Essentials-Antivirus

Malwarebytes' Pro-Antimalware

SpywareBlaster-Blocks active x based spyware in IE

HostsMan-Monitors host files which can block infected sites or ads.

WinPatrol-Monitors for system changes

Online Armor-Firewall that gives you more control and options then Windows Firewall

That's actually a rather good list there. I don't normally recommend firewalls, but not everyone has a good router with NAT, so a software firewall will help those people out a little bit at least.

[Blaze]

When I set my account to "user" mode with no poweruser or admin access privileges I can't even change the system time, I can't even install any programs or access the program files/ windows/ system32 directories to make any changes to any files..

So how is it possible that virus install itself? Does virus have root access somehow?!?! So if a virus can gain admin access even on a locked account then does that mean it is possible to make a program that can do things on locked account that has equal power of admin account?!

What happened to rings of execution privileges? What is the point of admin/user account differentiation if the security can be bypassed so easily?

Problem is that, with infections like Security Tool, there can be a rootkit installed on your system.

Basically you have 2 types of rootkits, OS mode & kernel mode. It does not matter that much for rootkits how many privileges you have.

I'm not going into further detail, but more information is available here: http://en.wikipedia.org/wiki/Rootkit

Also, you should keep an eye on the Windows Updates.

I agree with the other members. You should have installed an Antivirus and, like Buttons / GT500 stated, a software firewall with more options.

And, Spywareblaster comes in handy for extra browser protection. (ActiveX protection etc)

Malwarebytes' protection module would normally have blocked the Security Tool rogueware.

Hope this helps