Preventing Registry changes and file permission changes


7 replies to this topic

#1 johnny_fever

Posted 02 April 2012 - 05:27 PM

Hello,

I am going to nuke my computer and reinstall. I was infected with a malware virus of the nastiest sort. Complete recovery was not possible.
It dug in deep and totally hosed everything.

I am running Windows XP professional on an Athlon X2 dual core processor and 2 gigs ram.

The virus was downloaded by my youngest son who wanted to play the old game "Duke Nukem". If you're old you will remember this game. It was my fault because I told him about it...LOL

The file finished the download from explorer and without any action on my part immediately delivered the payload.

The payload was:
Erased all desktop icons
Erased programs list and removed all system icons in the start menu
Disabled task manager
Erased/disabled my home network on the infected machine
Hid ALL files...every single one
Corrupted video drivers.
Made extensive changes to the registry.
Total browser hijack - redirects from any search on Firefox, Chrome and Explorer.
Prevents any tool such as Rkill from working....disabled any command line commands like "netstat"
Attempts to initiate outgoing hidden connections to random IP addresses.
Consumes system resources....explorer crashed due to over 300 MB of memory use.
Delays or chokes out any FTP upload.
Displays fake Windows warning messages like "thank you" and "xyz is corrupted" etc.


I would like to know how to prevent ANY changes to the registry and prevent any ADMIN changes to the system such as file permissions.

Is it possible to lock the registry down?

Is it best to log on as a simple user versus logging in as the Admin account?


The point - is it possible to stop a payload from executing by locking the registry down?

I have now installed:
Registry Mechanic (paid, but an older version)
SUPERAntiSpyware Free
Malwarebytes (paid)
AVG Free

Can someone advise me on the best way to lock this down so a payload cannot be executed without a human approving any changes?

Edited by johnny_fever, 02 April 2012 - 05:32 PM.



#2 allman71

Posted 02 April 2012 - 06:58 PM

Yes, use the simple user. The admin account lets all kinds of changes happen. You will need to run as an administrator when you want to install something.

I would definitely not let anyone use the admin account except the owner.

#3 boopme

Posted 02 April 2012 - 08:48 PM

As stated above, the limited user account is a good idea. Also, when you download, save to the desktop. Scan that file with your MBAM and AVG prior to opening.

Install SpywareBlaster.

Some excellent info from our quietman7
Note the 'disabling Autorun' below.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Other security reading resources:
Browser Security resources:
Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:

I (we at BC) are not big fans of Registry cleaners (Registry Mechanic).
We keep finding they do more harm than good.
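As an added example (not code from the thread or from the linked advisory), the PowerShell below decodes the NoDriveTypeAutoRun policy value that the "disabling Autorun" advice above refers to, reports which drive types would still honour an Autorun.inf, and can set the machine-wide value to 0xFF. It assumes PowerShell is installed (it is not on XP by default) and that a missing value means the Windows XP default of 0x95.

```powershell
# Added example, not from the thread. A SET bit in NoDriveTypeAutoRun DISABLES Autorun
# for that drive type; 0xFF disables it everywhere. Windows XP treats a missing value as 0x95.
$DriveTypeBits = @{
    'Unknown drive type'      = 0x01
    'No root directory'       = 0x02
    'Removable (USB, floppy)' = 0x04
    'Fixed (local hard disk)' = 0x08
    'Network share'           = 0x10
    'CD-ROM / DVD'            = 0x20
    'RAM disk'                = 0x40
    'Unrecognized'            = 0x80
}
$XpDefault = 0x95   # assumption: value used when the policy entry is absent on XP

function Get-AutorunEnabledDriveTypes {
    # Returns the drive types whose bit is clear, i.e. where Autorun is still allowed.
    param([int]$NoDriveTypeAutoRun)
    @($DriveTypeBits.Keys | Sort-Object { $DriveTypeBits[$_] } |
        Where-Object { ($NoDriveTypeAutoRun -band $DriveTypeBits[$_]) -eq 0 })
}

function Get-AutorunPolicy {
    # Reads the per-machine and per-user Explorer policy keys; either may be absent.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.NoDriveTypeAutoRun } else { $XpDefault }
        New-Object PSObject -Property @{
            Hive           = $hive
            Present        = [bool]$item
            Value          = ('0x{0:X2}' -f $value)
            AutorunStillOn = (Get-AutorunEnabledDriveTypes $value) -join ', '
        }
    }
}

function Disable-AutorunEverywhere {
    # Sets the machine-wide policy to 0xFF. Writing under HKLM needs an administrative
    # token, which is exactly the kind of change a limited user cannot make silently.
    $key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Get-AutorunPolicy | Format-Table Hive, Present, Value, AutorunStillOn -AutoSize
```

Run `Disable-AutorunEverywhere` from an administrative session once the report shows any drive type still enabled; re-run `Get-AutorunPolicy` afterwards to confirm the AutorunStillOn column is empty for HKLM.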

#4 quietman7

Posted 03 April 2012 - 07:15 AM

Don't disable UAC in Vista or Windows 7 and use Limited User Accounts in Windows XP.

This is what Microsoft has to say about the User Account Control:

...When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove...To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature...

User Account Control Step-by-Step Guide


...Windows Vista will allow users to run with the least privileges needed to perform a task such as running an application or installing new software. Using the least possible privilege to perform a task limits the damage that a mistake or malicious software can inflict on a computer, but because many Windows applications assume that users have administrative privileges, Microsoft says it must balance security and reliability with application compatibility...

User Account Control to Limit Vista Exploits


For a more technical explanation about UAC and security, read:
However, you should also read:
Related reading resources:

The virus was downloaded by my youngest son who wanted to play the old game "duke nukem"

In many cases gaming sites are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. They can lead to other sites containing malware which you can inadvertently download without knowledge. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. For these reasons gaming sites can put you at risk to fraud, phishing and theft of personal data. Even if the gaming site is a clean site, there is always the potential of some type of malware making its way there and then onto your system. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

...Microsoft Security has issued a research report where it notifies that virus creators are continuously assaulting online video game players...a malicious family of software programs are seeking out popular online computer games such as World of Warcraft, Maple Story, Lineage and several others. According to Microsoft’s seventh Security Intelligence Report, cybercrooks use computer worm parasites for stealing confidential personal information from local computer users through online games, unsecured file sharing and removable disk drives...The most dangerous and prevalent malware involve Taterf and Conficker worms which have infected millions of computer systems worldwide...

Malware Makers Target Online Games to Spread Worms

Microsoft warned video game developers...that their PC games are now a target for criminals...Popular massively multiplayer online games, such as World of Warcraft, have created a market for valuable game identities...Using malware or software designed to infiltrate a computer system, hackers steal account information...

Microsoft warns game developers of cyber thieves

...Gaming sites are becoming a growth area for malware and other security threats. The newer threats are sophisticated and are designed to draw in unsuspecting users...

Game Sites Next Big Malware Target?

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?

...Moral of the story?
1. Do not allow online games
2. Block ports used by online games
3. Block sites related to these online games
4. Educate your users...

online game + online trade = Trojan Spy

Security researchers...poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection...Some Trojan Web sites have done what they can do to collect gamers' authentication information so they can loot their characters (and) accounts.

Real Flaws in Virtual Worlds: Exploiting Online Games

...a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just to name a few), but World of Warcraft and Valve’s Steam client are high on the hit-list too...

Taterf – all your drives are belong to me!

Using gaming sites is almost a guaranteed way to get yourself infected!!

#5 johnny_fever

Posted 03 April 2012 - 03:14 PM

Thank you guys for responding so quickly!

I completed the reinstall. My system is up and running with all updates and security software installed.

I have been carefully studying and reading the links posted in all the replies.

A few questions:

My network is at home. There are three other computers on the home network:

My computer
Wife computer
Kid computer (yikes...this is scary)
Daughter laptop (wireless connection)

I did all these steps from this article that "boopme" posted
http://www.malwarehelp.org/malware-prevention-hardening-windows-security1.html

One of those steps was disabling simple file sharing which I did

I have a portable 1.5 TB hard drive connected by USB to MY COMPUTER. These files need to be shared. Some are business and some are family files.

Wife needs access to some folders but ONLY the wife.

Kid needs access to only one folder and should not have access to any other folders (that's the music folder)


I can't figure out how to add a computer on the network so that the computer will ONLY have access to the folders I specify on that hard drive.

I shared a folder like this
foldername>properties>>sharing>>permissions

In the group panel only "everyone" is showing. I checked full control. This allowed wife to access and change the files. Ok so it works but...

I don't want "everyone" having access....only the wife...to certain folders that is.

How do I add a computer to the groups? I tried the "Add" button for groups but it doesn't find the wife's computer.

Please advise.

Thanks

#6 johnny_fever

Posted 03 April 2012 - 05:42 PM

OK... I think I found out how to set the access I want.

PLEASE tell me if I am doing it the wrong way!!

After reading this article
Windows XP Professional File Sharing

Which was linked from this article
Hardening Windows Security – Part 1

I was able to further understand how to set up groups and users and how to add permission to those users and groups.

I did not realize that a computer on the network can go to "My Network Places" and double click the computer they want to log on to.

I created several users on my computer (wife, kids, etc.) and set a strong password of 10 characters for each user.

Then followed these instructions:
1. go to the folder you want to share
2. right click the folder
3. select "properties"
4. click "sharing tab"
5. click "permissions"
6. click "add" to the "group or user names"
7. Click "object types"
8. In the list check the "users" group only. Uncheck the others and click "OK"
9. Click "advanced"
10. Click "find now"
11. Select the user or users you want to have access to the folder or file.
12. Click "OK"
13. You now see the user or users you added in the "share permissions" window
14. Select the user or users you added.
15. In the permissions window I checked "full control", "change", and "read"
16. click "OK" and the permissions are set.

Note - it works the same way for "groups" if you create any. I don't need to use groups as I am only concerned with 3 users so setting permissions for each one is simple enough. But "groups" could be of use in the future.

Now for the "wife" to access the shared folder on the external hard drive she has to log on to my computer by double clicking my computer name in "Network places"

She enters her user name and password.

She now sees ONLY the folders I specifically gave permissions for her to see. She can create, delete and move files from this folder.
I assume that allowing "full control" allows her to delete and move files, whereas if only "Change" and "read" were checked she could not. She could only open and save the changes to a file?

For the "Kid" user I set permissions the same way but only allowed read to the music folder so he can play the music but not delete. He does not have access to any other folder or files....hehehehhe yehawww. I feel a little safer.

I just did not know you could log on to another computer on your network if you know the user name and password of a user on that computer...hits self with dumb stick....further you damn sure better keep your admin password secret from the "kid"...little rug rats may log on while you are sleeping and peek at your "adult" stuff.....hehehe

So the solution was create users
Set permissions for each user
Then the "wife" or "kid" simply logs on to my computer through "network places" with their user name and password and presto, they get access to the stuff I want them to see and NOT the stuff I don't.

Now I have to figure out how to run as a simple "user" and still have access to all the programs I need. That will probably be my next series of questions.

Ok fellas If you read this far...did I do it right????

Thanks

note - I know you guys know all this stuff but I tried to explain my solutions so this thread might help someone else searching for the same issues.
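As an added example (not code from the thread or from either linked article), the PowerShell below audits the share-level permissions that the 16 steps above set through the Sharing tab, and flags any share that still gives "Everyone" more than Read, the setting post #5 wanted to get rid of. It assumes PowerShell is installed on the XP machine (it is not there by default) and that simple file sharing is off; it reports share permissions only, so NTFS permissions on the external drive still need a separate check.

```powershell
# Added example, not from the thread. Uses WMI, which is available on XP Pro with
# PowerShell 2.0 as well as on later Windows versions.

# Access masks that the three Sharing-tab checkboxes map to.
$FullControl = 0x1F01FF
$Change      = 0x1301BF
$Read        = 0x1200A9

function ConvertTo-ShareRight {
    param([int]$AccessMask)
    switch ($AccessMask) {
        $FullControl { 'Full Control' }
        $Change      { 'Change' }
        $Read        { 'Read' }
        default      { 'Custom (0x{0:X})' -f $AccessMask }
    }
}

function Get-SharePermissionReport {
    # One record per access-control entry on every share, admin shares (C$, ADMIN$) included.
    foreach ($setting in Get-WmiObject -Class Win32_LogicalShareSecuritySetting) {
        $sd = $setting.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) { continue }   # descriptor not readable with this token
        foreach ($ace in $sd.Descriptor.DACL) {
            $trustee = $ace.Trustee.Name          # "Everyone" has no domain part
            if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
            $type = 'Allow'
            if ($ace.AceType -eq 1) { $type = 'Deny' }
            New-Object PSObject -Property @{
                Share   = $setting.Name
                Trustee = $trustee
                Type    = $type
                Right   = ConvertTo-ShareRight $ace.AccessMask
            }
        }
    }
}

function Find-OverBroadShares {
    # Shares on which the Everyone group is allowed to change or delete files.
    Get-SharePermissionReport | Where-Object {
        $_.Type -eq 'Allow' -and $_.Trustee -eq 'Everyone' -and $_.Right -ne 'Read'
    }
}

Get-SharePermissionReport | Sort-Object Share | Format-Table Share, Trustee, Type, Right -AutoSize
Find-OverBroadShares | ForEach-Object { Write-Warning "Share '$($_.Share)' gives Everyone $($_.Right)" }
```

A share whose only entry is the wife's account with Full Control and the kid's account with Read is what the steps above should produce; anything reported by the warning line is a share where the default "Everyone" entry was never removed.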

#7 ichito

Posted 17 April 2012 - 11:07 PM

"I would like to know how to prevent ANY changes to the registry and prevent any ADMIN changes to the system such as file permissions."
Of course all the mentions before are important, but for me the answer is simple and there is only one: try to play with some system monitor like a HIPS, behavioral blocker or registry monitor. On XP you can install e.g. Malware Defender, System Safety Monitor, All-Seeing Eye, NetChina, Mamutu, ThreatFire, Dynamic Security Agent, MJ Registry Watcher, SpyShelter Free, StormShield Personal...and many others :)

Edited by ichito, 17 April 2012 - 11:08 PM.



#8 4dude

Posted 18 April 2012 - 04:42 AM

I'm sorry you went through this, I'm sure you didn't mean for it to occur and I hope you're back in action soon :)


Is it possible to lock the registry down?


I always have wondered if by LOCKING the reg files it would stop any changes made?

system.dat
user.dat

I'm on Win98SE and I have always wondered this.. (I have one Windows file locked already because I don't want it changed w/o me knowing it (Win.ini))

What are the registry files called on XP??? (If anyone knows that is)
 
 

Edited by 4dude, 18 April 2012 - 04:43 AM.




