How do I protect my tech from this bug?
September 9, 2010 11:45 AM

How do I prevent Antivir/SecuritySuite infections?

Last week I had to spend an hour or so cleaning the SecuritySuite virus from my netbook. This is the fourth time I've had to remove it from a household computer, and it gets more frustrating each time. My antivirus programs don't seem to help at all. More annoyingly, I can't figure out where the virus is coming from. Here are my past infections.

1. HP Desktop, Windows 7, AVG Free, Firefox/Opera. Runs uTorrent, light downloading and gaming. Even more fun, because it won't reboot into safemode unless you do a hard restart.
2. Asus eeePC, Windows XP, AVG Free, Firefox/Opera. No torrents, extremely minimal downloading.
3. Asus desktop, Windows 7, AVG Free, Opera. No torrents, moderate downloading.
4. Asus eeePC, Windows XP, now with Avira, Opera, Firefox. Still no torrents, no downloading at all.

I'm really stumped as to how I'm even getting these infections, but alas, my CompSci learnings are in programming and not networking. Mostly, I just want to know how to prevent future infections. Is there an antivirus out there that will stop this thing before it starts? Or is my only option to keep the removal tool on my desktop so I can run it in safe mode after I'm infected?
posted by specialagentwebb to Technology (13 answers total) 1 user marked this as a favorite
Best answer: Firefox + popups Enabled + Adblock Plus

might even consider NoScript too.
posted by royalsong at 11:55 AM on September 9, 2010

The Web is full of evil! After my second virus infection in 90 days, the tech told me to dump free anti-virus programs and rely on Microsoft Security Essentials. I've had no problems. Do run a full scan weekly.
posted by Carol Anne at 11:55 AM on September 9, 2010 [1 favorite]

Best answer: There is no foolproof protection. There's a pretty large number of infection vectors. That being said, here's my personal deployment and I haven't gotten it thus far on any machines I've been in control of:

Windows 7, Microsoft Security Essentials, an edited hosts file from MVPS, using Firefox with Adblock Plus, and setting my DNS providers to OpenDNS. This isn't perfect by any means, but it has worked thus far. It avoids several different types of redirection that are happening with hacked sites and shifty ad providers. Coupling this with smart browsing habits is about as good as you'll get without aggressive firewalling and limiting user accounts to the point of annoyingness.
posted by Phyltre at 11:56 AM on September 9, 2010 [1 favorite]
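
The hosts file Phyltre mentions cuts both ways: the same file a blocklist such as the MVPS list edits is one that malware also edits, to send a hostname to an address it controls or to stop an antivirus vendor's update site from resolving. The script below is an added example written for this page, not code from the thread or from the MVPS project. It parses a Windows hosts file and flags three things a legitimate blocklist would never produce: a hostname mapped to a real (non-loopback, non-null) address, a hostname that appears with conflicting targets, and a security-vendor or Windows Update hostname that has been sinkholed. The vendor-name fragments and the sample hosts content are constructed for the example; adjust the fragment list to the products you actually run.

```python
"""Audit a Windows hosts file for entries a blocklist would never add.

Added example for this thread; the vendor fragments and SAMPLE_HOSTS
are constructed, not taken from any real hosts file.
"""
import ipaddress
import sys
from collections import defaultdict

# Addresses a legitimate blocklist uses as the sinkhole target.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Hostname fragments that should never be sinkholed on a home PC:
# doing so silently breaks AV and OS updates. Constructed heuristic list.
PROTECTED_FRAGMENTS = (
    "microsoft.com", "windowsupdate", "avg.com", "avira",
    "malwarebytes", "spybot", "safer-networking",
)

# Constructed sample: default Windows entries, two blocklist-style
# entries, then four entries that no blocklist would contain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
::1             localhost
# MVPS-style blocklist entries: sinkholed ad hosts
0.0.0.0 ad.doubleclick.net
0.0.0.0 ads.example.net   # inline comment is ignored
# entries a blocklist would never add
127.0.0.1 free.avg.com
127.0.0.1 www.malwarebytes.org
198.51.100.7 www.example.com
198.51.100.8 ads.example.net
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in hosts-file text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, not a mapping
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)          # reject garbage in the IP column
        except ValueError:
            continue
        for host in parts[1:]:                # one line may list several names
            entries.append((no, ip, host.lower()))
    return entries


def audit_hosts(text):
    """Return a list of (line_no, kind, detail) findings; empty means clean."""
    findings = []
    targets = defaultdict(set)
    for no, ip, host in parse_hosts(text):
        targets[host].add(ip)
        if ip not in SINKHOLES and host != "localhost":
            # A real address here means the name is being redirected.
            findings.append((no, "redirect", f"{host} -> {ip}"))
        elif any(frag in host for frag in PROTECTED_FRAGMENTS):
            # Sinkholing a vendor or update host blocks updates.
            findings.append((no, "blocked-vendor", host))
    for host, ips in targets.items():
        # Several sinkhole addresses for one name is harmless; a sinkhole
        # plus a real address for the same name is not.
        if len(ips) > 1 and not ips <= SINKHOLES:
            findings.append((0, "conflict", f"{host} -> {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file (the Windows default is
    # C:\Windows\System32\drivers\etc\hosts); otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for no, kind, detail in audit_hosts(text):
        where = f"line {no}" if no else "whole file"
        print(f"{kind:15} {where}: {detail}")
```

Run it without arguments to see the five findings on the constructed sample; on a machine that has only the stock hosts file plus a blocklist, the output should be empty. A non-empty "redirect" or "blocked-vendor" result on a PC you did not deliberately configure that way is worth investigating before trusting any scan that depends on vendor updates.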

and by popups Enabled I meant Firefox's native popup blocker is enabled.

Tools -> Options -> Content -> Checkmark by Block pop-up windows
posted by royalsong at 12:04 PM on September 9, 2010

Are you sure you're completely getting rid of it? I think I contracted that on my work computer and it took them several tries to get to the point where it wasn't reinstalling itself from some murky depths of my system.
posted by Jugwine at 12:04 PM on September 9, 2010 [1 favorite]

SecuritySuite is NOT a virus. It's spyware. Unfortunately there's a difference, which means most anti-virus programs won't do much for you.

Use an anti-spyware program in addition to your antivirus. Spybot Search and Destroy is free and should work. If you're already infected, Malwarebytes can usually remove most spyware/adware programs.

Other things you can do:
- Change your user account so it isn't an administrator. (In the Control Panel -> User Accounts)
- Do you have LimeWire installed? Get rid of it now.
- Dump AVG Free and use Microsoft Security Essentials, it's been much better at detecting viruses in torrents for me.
posted by blue_beetle at 12:06 PM on September 9, 2010

Response by poster: blue_beetle: "SecuritySuite is NOT a virus. It's spyware. Unfortunately there's a difference, which means most anti-virus programs won't do much for you."

Sorry, should have been more specific. I generally use "virus" to refer to anything that I didn't choose to install and is interfering with my computer use. In addition, AVG and Avira both have antispyware/antimalware/antiscareware capabilities (or so they claim). I'm also sure that I'm not getting re-installs, since it's popped up on several machines. The only p2p program I have is utorrent on the first desktop.

Security Essentials + Adblock sounds like a good combo for me.

Additional question: Is it possible/likely that the computers are somehow spreading Antivir to each other, since they're all on the same network?
posted by specialagentwebb at 12:14 PM on September 9, 2010

I've gotten this on my computer I believe 3 times over the course of the past year. I have Microsoft Security Essentials turned on, and run Firefox with the Java blocker (haven't added Adblocker yet). Once it happened while I was viewing an Acrobat document, once on the website Tastespotting, and once while browsing facebook. I feel like I have very safe browsing habits so it's beyond frustrating.

What usually works is to reboot in safe mode, run rkill, run ccleaner, then run malwarebytes. Lately I've been running Spyware Doctor as well as MS Security Essentials and haven't had any problems, knock on a giant piece of wood. It really is the most annoying thing ever.
posted by Bella Sebastian at 12:46 PM on September 9, 2010

Best answer: I spend a fair amount of time dealing with these things on (sadly, under-secured) business PCs.

In recent years I've found traditional definition-based anti-virus to be essentially useless, whether paid or free. There's just too much lag time between new variations of malware coming out and being analyzed by the vendors. Also, straight-up executables don't seem to be a common vector nowadays. Although you would still want AV on your torrenting PC!

What works is software that monitors and blocks registry changes. Kaspersky can do this, but the downside is clicking through a million popups every time Google Toolbar or whatever wants to update.

Outside of that, you want to close up as many security holes as possible and generally minimize the attack surface of your PC. What I would recommend:
- Use Automatic Updates to install Windows security updates. Critical updates are released monthly (at least!).
- Make sure your browsers are up to date. (Including IE, even if it isn't your primary).
- Make sure Adobe Flash is up to date. It is the devil, but you're stuck with it.
- Uninstall Acrobat Reader entirely, it is also the devil. If you need to, install it once a year to fill in tax forms or whatever. For the rest of the year, Foxit Reader is nice.
- Use a non-admin account if possible (may be tricky with gaming, though).

Tedious, I know.

(I'm also interested in Phyltre's OpenDNS suggestion, and the general endorsement of Security Essentials...)
posted by a young man in spats at 1:18 PM on September 9, 2010

Best answer: The issue is usually Acrobat. Either patch your version FULLY, or simply remove it and use a simpler, more secure PDF reader (Foxit?). Every version of Acrobat past like 7 is vulnerable to a PDF exploit if it's not fully patched. Even a 0x0 embedded PDF can infect your machine.

We have ~400 workstations and were getting 5-10 infections a week. A mandatory Acrobat update policy has dropped that to less than one a month.
posted by SirStan at 4:41 PM on September 9, 2010

According to Brian Krebs' research the biggest infection vectors are Java's webstart vulnerabilities, flash vulnerabilities, and Adobe Reader vulnerabilities. All of these need to be at their newest versions. Or you can use Foxit reader instead of Adobe Reader and uninstall Java unless you need it.

There are really just basic fixes. The real solution is not to use an admin account when using your computer. Create a limited user account and use that. Use runas to run programs as administrator. There are a lot of limited user tutorials on the net to explain this process to you.

Alternatively, you could run as an admin but do a runas and run Firefox as a limited user. This is what I do on machines I must run as an admin on. It's pretty simple to do. Create a new user called Firefoxuser. Make sure he is not a member of the administrators group. Now shift-right-click on the firefox icon, select runas, and put in the firefoxuser username and password. Ta da! No more web based exploits.

Lastly, it may be that you've only been infected once and your removal tools aren't properly removing the infections. You'll need to wipe and reinstall windows. I'd also be worried about how you use your computer. That's a lot of infections. Are you torrenting cracked software? I find that most installers for cracked software are really trojans.
posted by damn dirty ape at 4:50 PM on September 9, 2010

Yes, the current real vectors for the fake antivirus fun are java and flash and acrobat. Flashblock, java when you need it, and PDF-Xchange for your pdf viewer.

These are not truly "spyware" either, as many install the TDSS rootkit variants, which are just as much virii/trojans as the nastiest stuff you can pick up anywhere. They do occasionally keylog, they do occasionally phone home, and they will steal information----but they are not "only" spyware.

And no, Malwarebytes, nor SecurityEssentials, nor Spybot will *truly* clear the infections, even when used in concert. Additional tools and techniques are absolutely required.

My little IT firm fights these bastards all the time, I'm very, very well acquainted with the variants as they pop up, and have repeatedly recovered systems that FreakSquad or others have charged $200 for and failed to fully clear.

But DDA is right, a heavy wipe and reinstall is ideal (certainly, CERTAINLY fastest)----however really you should dban the drive while you're in there, as I've recently been experiencing variants that infect the MBR.
posted by TomMelee at 7:22 AM on September 10, 2010

I should add that for your porn/warez/keygen playing, I suggest running a VM and maintaining a known safe snapshot, and/or sandboxing anything you're not confident in.

(I'd also like to point out that because facebook does not walled-garden their apps, there are a LOT of NASTY ones that do a lot of DEVIL stuff beyond just the normal data mining that they all do. Try Facebook Purity and/or block every app that comes down the line.)
posted by TomMelee at 7:26 AM on September 10, 2010
