XP OS hijacked

I set up 2 identical computers for a client. XP Pro, Office 2003, PC Tools virus and firewall, and Lytec medical. One computer has the Lytec database and printer and the second computer shares the database and printer. I got a call that the second computer won't print.

I found that someone installed showmo and shopper review in IE and some type of local temperature software for the sys tray.

IE will go to most sites but not microsoft update nor any virus or firewall sites. The PC tools update process is blocked from reaching its site. The OS can't see the other computer on the network nor see the printer share. The first computer does not see the second computer.

Also, all the restore points on the second computer are gone and someone is able to log on to the second computer from the internet.

I'd like to find out what got installed to cause this level of problems. I've got 2 choices. Remove whatever is on the second computer or create an image of the first computer and put it on the second computer. If I have to go the second route, is there any information I need to get from the registry to get Office to work after I put the first computer's image on the second computer?

Thanks for any tips,

Michael

It's called malware

It's called malware, and it's pretty much an unavoidable part of life if you're using Internet Explorer, so get ready for a lot more of these calls. AV programs won't generally touch them, and firewalls won't block them.

So you have a choice. You can add to the mix about a half dozen malware remover programs and try to train the users of the systems to run these at least once a week, or you can just tell people to use a browser like Firefox or really anything that ISN'T Internet Explorer. You also need to beat into their heads why it is a BAD idea to download a bunch of toolbars and other crap for browsers. And after you do THAT, you need to make sure that people keep installing the security updates MS releases about every month, sometimes more frequently.

No offense, but this really sounds like it's out of your depth, considering you didn't account for any of this in the initial build. You may want to head over to the security forum to get some tips. Like how PC Tools is generally rated pretty low in AV testing, and the XP firewall is perfectly sufficient for your needs. All you really need to do is keep automated probes at bay. The whole idea of outbound filtering is completely overrated, and outside of providing an early warning to malware, does NOTHING to increase security. I'll provide my list of tips, which you could probably adapt to your builds pretty easily.

TIPS FOR A PROBLEM FREE COMPUTING EXPERIENCE
============================================

The more of these suggestions you follow, the fewer problems you should have. They won't solve any existing problems you have, but if you follow them all you should be able to avoid virtually all problems in the future.

Things you should NOT do
--------------------------------
1: Use Internet Explorer (1)
2: Use any browser based on Internet Explorer (e.g. Maxathon and MSN Explorer)
3: Use Outlook or Outlook Express (2)
4: Open email attachments you haven't manually scanned with your virus scanner
5: Open email attachments you were not expecting, no matter who they appear to be from
6: Respond to spam messages, including using unsubscribe links
7: Visit questionable websites (e.g. porn, warez, hacking)
8: Poke unnecessary holes in your firewall by clicking "Allow" every time some program requests access to the Internet (3)
9: Click directly on links in email messages
10: Use file sharing or P2P programs
11: Use pirated programs

Things you SHOULD do
-----------------------------
1: Use a non-IE or IE based browser (4)
2: Always have an up to date virus scanner running (5)
3: Always have a firewall running (6)
4: Install all the latest security updates (7)(8)(9)
5: Delete all unsolicited emails containing attachments without reading
6: Manually scan all email attachments with your virus scanner, regardless of whether it's supposed to be done automatically
7: Copy and paste URLs from email messages into your web browser
8: Inspect links copied and pasted into your web browser to ensure they don't seem to contain a second/different address
9: Establish a regular backup regimen (10)(11)
10: Make regular checks of your backup media to ensure it is still good (12)

Being a considerate Internet user & other online tips
----------------------------------------------------------------
1: Do not send attachments in emails (13)(14)
2: Do not use stationery or any other kind of special formatting in emails (13)
3: Do not TYPE IN ALL CAPS (15)
4: Avoid texting speak or "l33t speak" (16)
5: Do not poke sleeping bears (17)
6: Do not use registry cleaners/fixers/optimizers (18)(19)

Offline tips and suggestions
----------------------------------------------------------------
1: Avoid buying Acer, HP, Compaq, Gateway, and eMachines computers (20)(21)(22)(23)
2: Avoid sub-$500 systems that aren't netbooks or part of some limited time price promotion (24)

Notes
--------

(1) Sadly sometimes this is unavoidable, so only use IE when the site absolutely will not work with any other browser and you cannot get that information/service anywhere else, and only use IE for that one specific site.
(2) Outlook and Outlook Express are very insecure, and basically invite spam. The jury is still out on Vista's Windows Mail, but given Microsoft's history with email programs, extreme caution is advised. Possible replacements include Mozilla Thunderbird, Eudora, The Bat, and dozens of others.
(3) When in doubt over whether or not to allow some program, use Google to find out what it is and whether or not it needs access to the Internet. Otherwise, denying access is the safest course of action, since you can always change the rule later.
(4) On Windows your options include: Mozilla Firefox, Seamonkey, Opera, Flock, Chrome, and Safari. I would personally recommend Firefox with the NoScript extension for added security, but the important thing is to pick one and use it instead of IE.
(5) AVG Free and Avast are available if you need a decent free virus scanner
(6) XP/Vista's firewall is probably good enough for 99% of all Windows users, but other options include ZoneAlarm, Outpost Firewall, and Comodo. If you have a router with a firewall built into it, there is no need for any of the aforementioned firewalls to be running.
(7) Microsoft's usual system is to release security updates every second Tuesday of the month.
(8) Use of Windows Update on Windows operating systems prior to Windows Vista requires Internet Explorer, and is thus a valid exception to the "No IE" rule.
(9) Service packs should ALWAYS be installed. They frequently contain security updates that will ONLY be found in that service pack.
(10) You can go with a full fledged backup program, or simply copying important files onto a CD/DVD/Flash drive.
(11) I'd recommend a tiered backup system. For example, you might have 5 rewritable DVDs, and every day you burn your backup onto a new disc. On the 6th day, you erase the disc for Day #1 for your backup, and so on so that you have multiple backups should one disc ever go bad.
(12) Replace rewritable CDs and DVDs approximately every 3-6 months.
(13) These dramatically increase the size of email messages (2-3X minimum) and clog up email servers already straining to cope with the flood of spam pouring in daily.
(14) If you want to share photos with friends/family, upload them to some photo sharing site like Flickr or Google's Picasa Web and then send people a link to that particular photo gallery.
(15) This is considered to be the same as SHOUTING and many people find it to be hard to read along with highly annoying.
(16) Unless the goal is to make yourself look like a pre-adolescent girl, or someone overcompensating for their gross inadequacies, and you don't want people to take you seriously.
(17) Most REAL hackers are quite content to leave you alone unless you make them take notice of you. No dinky little software firewall or consumer grade router is going to keep them out of your system. So do not go to some hacker website or chat room and start shooting your mouth off unless you're prepared to accept the consequences.
(18) Most of these programs are scams, and sell you something you don't need. Most of them report non-issues in an attempt to boost the number of "issues". Sometimes using these programs can lead to a non-functioning computer.
(19) The Windows registry is not some mystical black box of untapped performance tweaks for Windows, that will lead to untold improvements in system performance. Most of the tweaks will lead to very modest performance gains of 1-2% tops, and probably less than 10% all combined. There is also a good chance that you will render your system unbootable if you make a mistake when editing. Registry default settings are set that way for a reason. Just do yourself a favor, and forget you ever heard of the Windows registry unless you are a computer programmer/debugger and your job requires knowledge of the registry.
(20) Acer now owns Gateway and eMachines
(21) HP owns Compaq
(22) Hardware failures seem far more common with these brands than can be considered normal
(23) These companies use cheap labor in Asian countries where working conditions are often what would be considered sweat shops, and are run by brutal dictatorships, which you are supporting by buying from these companies
(24) If you just do some simple math, and realize that the cost of individual components like the CPU are around 25-33% of the total retail cost of the system, and everyone involved in the making and selling of the system is looking to make a profit, how much money can they possibly be making on each system. And if you're only making a few pennies on every system, how much quality control do you really think is going to go into the manufacturing process?
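Tips 7 and 8 in the list above say to copy a link out of the email and inspect it for a second or different address before visiting it. The following is an added example of that inspection, written for this thread and not code from the original poster or from CNET; the function name `inspect_link` and the sample URLs (including the `203.0.113.5` address and the `.example` hosts, which are documentation-reserved values) are constructed for illustration. It flags the three shapes of "second address" a pasted link can hide: a `user@` prefix that makes the real host look like the displayed site, a bare IP address standing in for a hostname, and a whole second URL tucked into the query string or fragment.

```python
"""Inspect a pasted URL for signs that it points somewhere other than it appears.

Added example for this discussion; the checks are generic and the sample
URLs below are constructed, not taken from any real message.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Pattern for a second URL embedded anywhere after the host part.
_EMBEDDED_URL = re.compile(r"https?://", re.IGNORECASE)


def inspect_link(url: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings: list[str] = []
    parts = urlsplit(url.strip())

    # Anything that is not plain http/https is unexpected in a mailed link.
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"unexpected scheme: {parts.scheme!r}")

    # "http://www.bank.example@real-host/" - the text before '@' is userinfo,
    # the browser connects to whatever follows it.
    if "@" in parts.netloc:
        shown, real = parts.netloc.rsplit("@", 1)
        findings.append(f"userinfo {shown!r} precedes the real host {real!r}")

    # A numeric host hides which organisation actually owns the server.
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a bare IP address: {host}")
    except ValueError:
        pass  # normal hostname

    # A second URL after the host usually means a redirect to somewhere else.
    tail = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
    if _EMBEDDED_URL.search(tail):
        findings.append("a second URL is embedded after the host")

    return findings


def is_suspicious(url: str) -> bool:
    """Convenience wrapper: True when inspect_link reports anything."""
    return bool(inspect_link(url))


if __name__ == "__main__":
    # Constructed sample links, not real ones.
    samples = [
        "https://www.microsoft.com/",
        "http://www.microsoft.com@203.0.113.5/update",
        "http://redirect.example/go?u=http%3A%2F%2Fevil.example%2Flogin",
    ]
    for sample in samples:
        print(sample)
        for finding in inspect_link(sample) or ["looks plain"]:
            print("   -", finding)
```

Run it as a script to see the three sample links classified, or import `inspect_link` and feed it whatever was pasted from the message. The `unquote` call matters: a percent-encoded `http%3A%2F%2F` in the query string is still a working redirect target once the receiving site decodes it, so the check decodes before it looks.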

I know it's malware.

I did 20 years in systems consulting, some with banks, but have been out of it for 6 years. This office environment was just 3 users over 50 using 2 office applications and the medical billing. It looks like the problem occurred when the doctor hired a teen to do some typing for him and they downloaded something for IE, and the doctor is cheap, which explains the PC Tools.

What was surprising to me is how much control this malware has. I got a MSCE on it now and will lock it down once it's clean.

Now if I could only get the doctor to back up.

Mention HIPAA

Mention HIPAA to them, and how malware on the system could easily compromise patient data, and constitute a HIPAA violation. Any health care provider who wants to keep their job lives in fear of running afoul of that law. Also mention how THEY are responsible for the actions of anyone working under them. So if they hire some kid to do the grunt work, and the kid screws up, it's still their license on the line. That should go a long way to helping them to see reason. You just have to know where to apply the pressure.

And if you need something to help push them over the edge, have them estimate how much money they would stand to lose if they lost some or all of their patient records due to a computer crash.

If the guy's cheap, he's likely going to respond to financial threats more than anything. You can go on and on all day long with the rational arguments based on logic, and they'll just tune you out. Start making it real to them, and suddenly you swear you can see the lightbulb go off over their head.

He understands.

He understands. It's a tough situation. You have hackers on one side and the government working to bankrupt you on the other.

Jimmy, this is 10 year old software that basically does appointments. The big issue is that Medicare still requires him to use HyperTerminal over dial up to put in claims. The government lives in the third world. But all this is irrelevant.

My big question is what the hell took over this computer. I like to keep my clients' systems tight. This is the first time a client has had something breach their computer's protection. This thing owns the OS.

I don't need child like rules for how to run a network or legal crap. If you think HIPAA is hard, try getting an SEC clearance for inside information.

What I simply want to know is what is out there that is so well designed that it can control every move this computer makes.

Simple

Simple... All security tools are reactive instead of proactive, and you left a number of rather large gaps in its security coverage. That makes it pretty easy to drop in a trojan or rootkit which can be used to slave the system to a botnet.

Just from what you've said, you allowed the use of Internet Explorer, and the AV program used consistently ranks pretty low on VB100 testing, which doesn't really bode well for the quality of its firewall software.

There's no info about whether security updates were regularly applied, if the user(s) of the system simply clicked "Allow" every time some prompt from the firewall came up, and you haven't (yet?) done any kind of postmortem to figure out if any "unauthorized" programs had been installed aside from the IE toolbar you noted.

Any one of these gaps in the security coverage could lead to total system compromise by any number of different types of malware.

There are new threats coming out pretty much daily, and even with some of the top tier AV programs, there's usually a couple of days gap between the time a new threat appears and a countermeasure is in place. Using a second rate AV program just increases that gap by an unknown amount of time. There is absolutely no way of knowing what it is this time, and if you wiped the system clean and redeployed it, it could be something completely different the next time.

At the end of the day, I just hope this guy is better at whatever kind of medicine he practices than he is at dealing with computer issues. I also wonder exactly what it is you're hoping to get here. There's no way we can just divine exactly which one of tens of thousands of possible threats affected this particular system. It could even be a couple of different threats that coincidentally appear to be working in concert. You keep getting upset because no one can answer your impossible question, and it just makes me wonder what the ultimate goal was of posting. Because the possibilities seem to be that you were just looking to vent and/or get sympathy... But then you wouldn't really keep responding as you have... Or you're not quite as good a system builder as you think. In which case, you're mistakenly assuming that because you haven't heard about it, your other systems have not been compromised. It might just be the other people haven't noticed the problem, or just assume it's "normal". Or finally, you're just looking for people to be in awe of your apparent skill at figuring things out so far. Given the average skill level of the CNet reader, that would certainly seem plausible, and it would explain you getting upset when someone gives you a perfunctory answer.

CNET Forums