spyware strikes again, can it be stopped

27 Oct 2008 7:54 PM

Chris

Hello,

Today one of my users became infected with rs32net.exe a trojan dropper
spyware program. What is very frustrating is that my network and the cpu
have up to date virus / spyware security products from well known vendors
mcafee , symantec.

This one seems to operate similar to Windows Antivirus 2008 and 2009 , big
system warning message in the task bar that looks legit and if you click it,
your sunk and it seems to damage system restore points so you can't roll back
to a previous day. I've seen Windows antivirus 2008 and the 2009 version on
a couple of home systems and never been able to sucessfully "clean" the
machines even with all the help out there on how to do it.

It doesn't seem like these types of infections can be stopped? Can anything
be done to prevent these types of attacks. If you disable javascript, then
doesn't that break AJAX sites. Even with UAC most users will just click ok
to give elevated privligies. Are these caused by problems with IE? Does
anyone have any ideas? I've had it with these things, and if the security
companies that offer software / hardware and services that are supposed to
protect us , can't get the job done, then what do we do?

11 Nov 2008 3:49 PM

kbits.net

Yes I've worked with them for years myself. The AV programs can not remove
all this stuff because a lot of it is smart spyware that changes randomly and
the virus writers are constantly making changes as well.

As far as removing the stuff do not rely solely on AV programs to do that.
They often remove the infection but not the "infector". The infector may
still reside on the machine and reinfect later. Learn to manually locate and
disable this stuff. That is what I do. There is a lot of material on how do
that. It is actually less time consuming and more effective than beating a
machine to death with hours of AV scans by multiple vendors.

One big problem is that regardless of the security in place if the user
clicks the right link, and they will, they initiate the spyware installation.
Which brings us to the second big problem.

A second big problem is that most users are on XP and using admin accounts.
I always set clients up with a "Family" account which is a LUA. I instruct
parents their kids are to use that account only. This reduces a lot of
infections.

And the fact is that Vista is the most secure OS in history although I hate
the non-sensical interface. It has very few infections compared to XP. I
worked help desk at Verizon for 4 months. I saw very few calls for Vista
infections. They were mostly Vista config issues because of the screwy
interface. Most of the malware calls were on XP and most of the calls were
malware.

Hope this helps

ris" wrote:

Show quoteHide quote

> Hello,
>
> Today one of my users became infected with rs32net.exe a trojan dropper
> spyware program. What is very frustrating is that my network and the cpu
> have up to date virus / spyware security products from well known vendors
> mcafee , symantec.
>
> This one seems to operate similar to Windows Antivirus 2008 and 2009 , big
> system warning message in the task bar that looks legit and if you click it,
> your sunk and it seems to damage system restore points so you can't roll back
> to a previous day. I've seen Windows antivirus 2008 and the 2009 version on
> a couple of home systems and never been able to sucessfully "clean" the
> machines even with all the help out there on how to do it.
>
> It doesn't seem like these types of infections can be stopped? Can anything
> be done to prevent these types of attacks. If you disable javascript, then
> doesn't that break AJAX sites. Even with UAC most users will just click ok
> to give elevated privligies. Are these caused by problems with IE? Does
> anyone have any ideas? I've had it with these things, and if the security
> companies that offer software / hardware and services that are supposed to
> protect us , can't get the job done, then what do we do?