
Study: Anti-adware misses most malware

Andre said:
I log onto the internet. After anywhere from 2 minutes to 30+ minutes, I receive a warning that “Generic Host Process for Win32 Services has encountered a problem and needs to close.” Then I get a dialog box that warns “This system is shutting down…This shutdown was initiated by NT AUTHORITY/SYSTEM…Windows must now restart because the Remote Procedure Call (RPTC) service terminated unexpectedly.”

Mmmmm, do you use a firewall at all when you connect to the Internet? Have you done all of the Windows Updates to keep Windows up to date? It sounds an awful lot like a hit from Blaster Worm to me (or one of its variants). That used to crash the RPC service (because it was exploiting a flaw in it) and cause the system to shutdown. I am sure it is still floating around out there.

FWIW, if you've been connecting to the Internet without a firewall it's probably not really your computer anymore....
 


Andre said:
I log onto the internet. After anywhere from 2 minutes to 30+ minutes, I receive a warning that “Generic Host Process for Win32 Services has encountered a problem and needs to close.” Then I get a dialog box that warns “This system is shutting down…This shutdown was initiated by NT AUTHORITY/SYSTEM…Windows must now restart because the Remote Procedure Call (RPTC) service terminated unexpectedly.”

Two main things cause this - viruses, and a dumb firewall bug.

Odds are it's a virus- download and run Stinger. It's a stand alone virus cleaner. http://download.nai.com/products/mcafee-avert/stinger.exe

If stinger finds nothing, try turning on your Windows firewall. In XP, go to Control Panel, Network Connections, Right click on your network connection, select properties, click on the Advanced tab, click on the settings button (in the firewall section) and turn it on. Depending on version and service pack, that process may be slightly different.

If you're using winxp pro and the RPC Shutdown window comes up, go to start, run and type: "shutdown -a" to abort the shutdown. This also works with win2k pro, I think, but not the home versions of anything.

You might also want to boot into safe mode. As the computer boots up tap F8 every half second or so until you see a boot menu or you see windows is actually starting. Safe mode will help stinger to clean out the viruses easier, and you might have an easier time turning on the firewall because the RPC shutdown shouldn't happen in safe mode.
 

IronWolf said:
FWIW, if you've been connecting to the Internet without a firewall it's probably not really your computer anymore....

Ain't it the truth... :p


xcorvis said:
Two main things cause this - viruses, and a dumb firewall bug.

Odds are it's a virus- download and run Stinger. It's a stand alone virus cleaner. http://download.nai.com/products/mc...ert/stinger.exe

If stinger finds nothing, try turning on your Windows firewall. In XP, go to Control Panel, Network Connections, Right click on your network connection, select properties, click on the Advanced tab, click on the settings button (in the firewall section) and turn it on. Depending on version and service pack, that process may be slightly different.

If you're using winxp pro and the RPC Shutdown window comes up, go to start, run and type: "shutdown -a" to abort the shutdown. This also works with win2k pro, I think, but not the home versions of anything.

You might also want to boot into safe mode. As the computer boots up tap F8 every half second or so until you see a boot menu or you see windows is actually starting. Safe mode will help stinger to clean out the viruses easier, and you might have an easier time turning on the firewall because the RPC shutdown shouldn't happen in safe mode.

I'm running McAfee AV and Firewall. Still, I'll give Stinger a try and see if that fixes things. Thanks for the info!
 

Krieg said:
Yep so that once Linux gets up to 40% or so of market share all the script kiddies will start focusing on it too. :p

While it is true that Linux and other OS have been spared the spread of viruses and zombie software, by virtue of their market share, Microsoft has made a number of design decisions over the years in windows that make it fundamentally insecure and easier to exploit flaws in. In large part they've done this to give their software like IE and Office advantages over other software, to help extend their monopoly.

To give you a basic example, in OSX if any software is going to be installed, a dialogue box pops up asking you if you want to install it. Windows does not do this and much malware is installed automatically through IE as a result, because Microsoft wanted to make IE more integrated into the OS.

Microsoft also ships a lot of services on by default, that are used in exploits, but really aren't useful to individual users. This seems to be as a result of their practice of "Security By Obscurity". In other words, if we don't admit or tell people there is a problem then it will remain secure. This has been well proven to be the stupidest approach to security possible.
 

EricNoah said:
Anyone know if it's bad practice to run two anti-spyware programs simultaneously? For example, I run SpySubtract (in theory it is stopping spyware before it gets installed). Could I (and should I) also run the Microsoft one with "real-time protection"?


Eric, fwiw with the late reply, running two anti-spyware programs is considered a best-practice at this stage of the game. GIANT (now the MS one) was considered one of the best during its time. There is an interesting comparison of some tests on http://spywarewarrior.com/ as well as up to the date info.

Interesting statistic. Any Windows machine not running XP SP2 with firewall enabled lasts an average 5 minutes on the internet before being pwn3d. Linux/Unix just doesn't have the market share to attract this kind of attention yet but there have been plenty of Trojans created and released into the open source community lately.


-W.
 

LeifVignirsson said:
You almost made me spill my soda on that, Wonko. As an appliance parts manager, I can tell you that Maytag is the WORST appliance on the market and those repair guys are working on their appliances all the time to the tune of $500 to $1,000 for each repair (hence the reason why they have a class action lawsuit against them). Don't believe the hype ;)

I will have to check out the other bot killers out there, though I don't think I want to do the real-time deal. Even though it might catch the things right then and there, I think I will be ok without it.

Maybe that's why we've bought Kenmore's. But I think the washer is a Maytag. No probs out of any of them. ::knocks on wood::

I went, found out the site these things (adware), come from and input the web addy in my "restricted sites" list. That killed seeing a :confused:-load of things with one called "ibis toolbar" which put LOTs of crap on my comp. Bastards. I find a web addy for it, I'm gonna block it!
 
