Cleaning up for Friends - My new pastime
richrf
May 14th, 2005, 02:08 AM
Hi all,
I spent several hours last week cleaning up a machine for a friend (who barely uses the computer) that was protected by Trend Micro. Just a few ordinary trojans. Minor stuff compared to today ...
When a friend of mine was complaining about some annoying popups, I thought I could clean it in a hurry and get on with watching some DVDs. In this case, the machine was protected by Norton AV and Internet Security and MS Anti-Spyware. My friend, who has been in computers (like myself) for about 35 years, was very confident of his system, but when I installed some of my favorite AVs/ATs and ran some preliminary scans, the following was found:
1) Ewido: Found over 200 dlls, exes, and related files that were in the trojan category including keyloggers.
2) TDS-3 found another 150 entries (I had to delete them one-by-one). They looked similar in nature to the ones that Ewido found but in different folders.
3) Cleaned tons of stuff using HijackThis
4) After all this, installed the latest version of KAV 5 Personal MP3 Beta with extended databases and right away KAV found five trojans trying to execute which I killed (system restore has been turned off)
When I left, the KAV scan was still going. Not sure what it will find, but I plan to run NOD32 and BitDefender to see what they find. What a giant, colossal mess. If I had told my friend a week ago that he needed more protection, he said he would never have listened. Tomorrow he is coming over to check out ProcessGuard, RegDefend, and KAV running on my machine along with Ewido. Let's say he is one of those "motivated" users that I was talking about in the ProcessGuard thread.
Nite everyone ... it's 1:00am and I am pooped.
Rich
Firecat
May 14th, 2005, 02:18 AM
Good job there rich! :)
I for one have been studying Trojan behaviours for 15 hours now *yawn*
richrf
May 14th, 2005, 02:20 AM
Hi Firecat,
I forgot to give honorable mention to RegSeeker for cleaning up hundreds of entries from the registry that these trojans implanted. My friend didn't think the system would restart - but I had confidence in RegSeeker. 8) All I can say is that I left my friend in a state of shock. It was a "rude awakening".
Have a good night's sleep. I'm headed in the same direction. :)
Rich
Firecat
May 14th, 2005, 02:26 AM
{QUOTE-> Hi Firecat,
I forgot to give honorable mention to RegSeeker for cleaning up hundreds of entries from the registry that these trojans implanted. My friend didn't think the system would restart - but I had confidence in RegSeeker. 8) All I can say is that I left my friend in a state of shock. It was a "rude awakening".
Have a good night's sleep. I'm headed in the same direction. :)
Rich <-QUOTE}
I will go to sleep in an hour or so at the maximum.....
RegSeeker's always been nice. I've always kept my registry clean without it, but it's good to have it around. It did wonders on my neighbour's PC, and the free eScan did the rest ;)
richrf
May 14th, 2005, 02:36 AM
Forgot to mention ... he had his new laptop for only one month. :o Before he was running Win2000. Welcome to the world of XP.
Rich
RejZoR
May 14th, 2005, 03:12 AM
Such people really need raw detection force. Give him KAV or McAfee :P
I'd also try to add NOD32 next to those if possible to extend strong signature/generic detections with heuristics for latest threats.
richrf
May 14th, 2005, 03:44 AM
Totally agree.
I will be meeting with him tomorrow and basically propose KAV, ProcessGuard, and RegDefend. Up until a week ago, I would consider this sufficient but when BitDefender's online scan found some genuine malware of the reasonably annoying sort that KAV's scan missed, I became a believer in backup AV for KAV (the BitDefender online scanner may be good enough). I also think NOD32 is a good backup for heuristic detection but I will leave it up to him. My own opinion is that the truly malicious stuff will be stopped by KAV, ProcessGuard, and RegDefend and other things can be picked up as required by Ewido (free is probably enough), Ad-aware, and BitDefender online.
He is definitely "open" to suggestions as of today. ;)
Rich
Billy Blaze
May 14th, 2005, 04:22 AM
Were you able to find the source(s) of these infections?
And if you haven't already done so, it may also be worthwhile to give him some general tips on how to remain protected online.
Pollmaster
May 14th, 2005, 10:56 AM
{QUOTE-> Totally agree.
I will be meeting with him tomorrow and basically propose KAV, ProcessGuard, and RegDefend. Up until a week ago, I would consider this sufficient but when BitDefender's online scan found some genuine malware of the reasonably annoying sort that KAV's scan missed, I became a believer in backup AV for KAV (the BitDefender online scanner may be good enough). I also think NOD32 is a good backup for heuristic detection but I will leave it up to him. My own opinion is that the truly malicious stuff will be stopped by KAV, ProcessGuard, and RegDefend and other things can be picked up as required by Ewido (free is probably enough), Ad-aware, and BitDefender online.
He is definitely "open" to suggestions as of today. ;)
Rich <-QUOTE}
Personally I think you should retitle this thread to - Marketing for Diamond CS, KAV, Ghost Security - My new pastime. :))
But then again, I suppose I do the same when cleaning up computers, though I generally recommend freeware stuff first since it's generally sufficient. But I won't hold back if I'm asked what I use.
tahoma
May 14th, 2005, 11:07 AM
For people like that, there's one thing to do, and that's to install Firefox, delete all IE icons, and give Firefox an IE icon.
Alternatively, turn off ActiveX in IE.
richrf
May 14th, 2005, 11:57 AM
Hi Billy and Tahoma,
Yep, I installed FireFox right quick. Will have to install SpywareBlaster. I also gave him some pointers on safe hex surfing - though he already figured it out. What he was surprised at was how easily the trojans penetrated the software he had. He thought that even Norton was overkill. Live and learn.
He may have to use IE once in a while. I find, for example, when I want to use one of the online virus scanners (e.g. KAV, BitDefender, or McAfee), I still have to resort to IE and ActiveX. I think these may be the only times I use IE nowadays. Most sites seem to be testing their software for FireFox compatibility.
Pollmaster - you can also put me on your ignore list. This forum is not a boxing ring. It is a discussion forum.
Rich
Pollmaster
May 14th, 2005, 12:42 PM
{QUOTE-> Hi Billy and Tahoma,
Pollmaster - you can also put me on your ignore list. This forum is not a boxing ring. It is a discussion forum.
Rich <-QUOTE}
Hi Rich, yes, this is a discussion forum, and I didn't mean to offend you, just stating my opinion. If you think my little joke about "marketing" is too much, I apologise.
I hope you are not one of those people who like to talk about free speech and discussion until the moment someone posts a contradictory opinion.
richrf
May 14th, 2005, 01:03 PM
Hi Pollmaster,
I am not the least offended. If you are looking for a discussion, that is why I am here.
The primary purpose of this thread is to highlight the fact that within the last two weeks, two of my friends have been badly burned by nasty trojans (in one case the total effects are not clear) and both were using highly rated AV products and firewalls. In both cases, my friends thought that they were extremely well protected - based upon the advice that they were getting. Clearly they were not nearly as well protected as they thought or desired.
Given that Norton AV and Internet Security was insufficient in one case, and Trend Micro insufficient in the other case, it clearly shows that "basic" protection (whether it be paid or freeware) is not sufficient to guard users to the extent that they wish to be guarded. However, it is clear from my experiences with my friends that it often takes incidents such as these to convince them that a much higher level of protection is necessary and that they need to make changes somewhere. Safe hex surfing is not sufficient. One of my friends barely uses the Web and had a couple of nasty trojans.
Given the state of the situation, I clearly suggest to my friends to put security packages in place that have the highest level of competency with overlap. I also try to keep it within the system's and user's capabilities and desires. For this reason, I almost always recommend KAV nowadays because it is highly competent across a broad range of malware classes (viruses, spies, trojans, worms, etc.). In my own experiences, it is almost unbeatable.
But I do not entirely put my trust in KAV, so I also suggest guarding against unauthorized program execution and registry updates, which overlap each other as well as KAV. For this reason I highly recommend ProcessGuard and RegDefend. Of course there has to be a firewall, and since I am most used to ZoneAlarm Pro, this is what I recommend. I also recommend a router for additional blocking. Both of my friends were more than happy to finally get FireFox on their system.
On top of these, I highly recommend freeware products such as Ad-aware, SpywareBlaster, ccleaner, RegSeeker. Other information products I recommend include HijackThis, Port Explorer, Process Explorer, and FileMon but this is usually beyond what most of my friends are willing to take on.
I also have backup trojan scanners. I find TDS-3 and Ewido extremely useful when cleaning machines. But again this is beyond what my friends are willing to take on.
I try to be pragmatic about what I recommend. I also want to make sure that I do not leave my friends "open" to further attacks. They are my friends, and these kinds of "thefts" that can occur are worse than even the normal thefts that they are used to. After all - they are my friends. :)
I am sure you and others have your own set of recommendations. Everyone is different in this respect.
Rich
Pollmaster
May 14th, 2005, 03:59 PM
Rich, nice to see you are not one of those people I was referring to.
I personally believe though that it is not necessary to pay for all the best quality security software products, if what you want is a basic level of security that can stand up to the typical malware in the wild out there.
Almost none of my friends are interested in computer security, so I personally prefer to recommend the freebie stuff first and equip them with basic security tips and go from there. Only if this is not sufficient, then I might point them to higher quality products that cost $$.
In all the cases I'm aware of, so far, none of them have had problems, once I put in place the freebie defenses and teach them how to update them.
I would also point out that even with a nearly perfect defense setup as your favoured configuration, it is possible for a user to foul up and get infected.
The problem of course is that the user will typically blame his software and switch to another antivirus, which inevitably fails and.... So the problem is most often the user, not the software.
On the other hand, someone who practises safe hex (plus hardening of OS) will find that practically any antivirus is sufficient.
{QUOTE-> Safe hex surfing is not sufficient. One of my friends barely uses the Web and had a couple of nasty trojans. <-QUOTE}
Have you attempted to ascertain how this happened? Unpatched OS, downloaded cracked software etc, are other reasons for this failure.
The problem with relying on software, even the best, is that it might fail, so it's best to avoid over-relying on it in the first place.
Of course, Rich, you can point out that they haven't failed you yet, but it's unclear if that's because you are careful or it's the software.
And of course, I have computers at work that run nothing but Trend, and I have no problems with them, so it leads me to wonder what the difference is between your friends and me :)
richrf
May 14th, 2005, 04:30 PM
Hi Pollmaster,
"If anything can go wrong, it will." - Murphy's Law
At least that's what seems to be continually happening to my friends. The particularly nefarious aspect of trojans is that when things go wrong, the user may not necessarily know about it.
Take my two friends for example. In all probability (based upon the work that I did), they were infected by really nasty trojans/keyloggers way before they actually became aware that something was wrong with their system. What happened in both cases was that some dinky piece of malware began to really annoy them. Pop-ups, etc. This caused them to complain to me and ask me to help them get rid of these little annoyances.
It was only when I employed the most extensive and competent anti-malware tools that I am personally aware of and capable of using, that all of the really nasty pieces of trojans were uncovered. It was quite by accident. Had the little stuff not made itself known, then the big stuff might have been happily keylogging for quite some time without anyone knowing (so there are some benefits to annoying adware ;) ).
Users of products such as ProcessGuard and RegDefend rely both on the proper design of the software as well as their own "smarts". Both of these products rely on users to take control of their PC and decide what will run and what will not. It also helps educate users on all of the things that are really running (or trying to run) on their system without them knowing it. A few months ago, a supposedly simple piece of software that I was going to install was revealed by PG as trying to install a system service - with the purpose of trying to scan my full file system. Yikes! There is no telling what companies will do nowadays to make money for their "investors".
Mistakes can and will be made. That is why layering provides a "second chance" to correct a mistake. A seemingly innocuous program that is permitted to execute by PG can still be stopped from further penetrating the system by RegDefend. Of course a top-notch AV such as Kaspersky will probably stop any of this if it is detected in time. If a person makes several mistakes, then that is life. But I think the biggest mistake is to think that one will not be attacked by some fairly malicious piece of software and there is no need to be concerned. It is just happening far too often among the people I know for any of us to ignore the issue.
Since I began deploying a reasonably strong security setup on my son's system (which was always being attacked) and my own, we have been pretty clean. For how long - hopefully much longer than those who do not employ a strong defense. But who really knows?
Where do these attacks come from? Who knows? Who knows when they happened and how long they were there? The problem with having porous protection (I used to use Norton and was attacked many times) is that no one really knows. It is best to have the best and then do one's best. It is so much better than trying to clean machines - and "hoping" that they are really clean.
Rich
iwod
May 14th, 2005, 04:40 PM
{QUOTE-> Such people really need raw detection force. Give him KAV or McAfee :P
I'd also try to add NOD32 next to those if possible to extend strong signature/generic detections with heuristics for latest threats. <-QUOTE}
I like the words "raw protection force"............. ;D
I think a few things he needs first is a proper browser like Opera or Firefox. (Coz I bet he is running IE)
2nd is a decent AV. (Not saying Norton is not) but for his usage I think RAW protection force is needed ;D Wahahaaaa (KAV, McAfee, F-Secure)
Then maybe Spysweeper or M$ Antispyware..........
No wonder we need faster hardware and memory for newbie computers :P
richrf
May 14th, 2005, 06:51 PM
Hi iwod,
Yep, I put Firefox on his system. I told him to use Thunderbird instead of outlook.
Insofar as his backup for KAV, I think protection software (i.e., software that prevents malware from installing) such as PG and RegDefend are better bets than additional detection software (i.e., software that attempts to detect and remove already installed malware), simply because in my experiences so far KAV pretty much catches everything that MS AS and Spysweeper catch. (Others may have different experiences.)
If I was to suggest any additional detection software it would probably be Ewido or TDS-3 which I believe actually adds value over and above KAV. There have been cases where I have found CounterSpy to pick up minor pieces of "tracking cookies" that everything else misses, but I am not sure it is worth it for most users. They could simply clear cookies if they wanted to.
It is kind of odd that we need such a complicated architecture in order to support browsing. I am quite convinced that the problem lies in the fact that MS left many "windows" open in the Windows operating system so they can keep track of what customers are doing (e.g. the Update process), and in so doing have made the same "windows of opportunity" available to other, less friendly visitors. A better OS for browsing the Internet can be built (some point to Linux), and I am sure over time it will be embraced.
Rich
iwod
May 14th, 2005, 07:07 PM
Actually, if he only browses the internet and watches DVDs, for such simple functions I recommend getting a Mac mini or iMac G5.
I agree with the situation. It is getting complicated to simply surf safely. AV, AT, AS, and who knows what else is coming.
Firecat
May 15th, 2005, 12:28 AM
{QUOTE-> AV, AT , AS, and who knows what else is coming. <-QUOTE}
Anti-Riskware (AR)
Anti-PolyEngine (APE)
Anti-Constructor (AC)
Anti-HackTool (AHT)
;D;D;D:o:o;)
Pollmaster
May 15th, 2005, 05:33 AM
{QUOTE-> Hi Pollmaster,
It was only when I employed the most extensive and competent anti-malware tools that I am personally aware of and capable of using, that all of the really nasty pieces of trojans were uncovered. It was quite by accident. Had the little stuff not made itself known, then the big stuff might have been happily keylogging for quite some time without anyone knowing (so there are some benefits to annoying adware ;) ).
<-QUOTE}
I'm afraid your friends seem to be of the extremely clueless type; in such cases, I'm wondering if anything is sufficient to protect them. Another thing to note: when scanning computers, I always distinguish between copies of malware sitting around unexecuted and those that are running. At any time, if you scan some of my computers, you might see copies of Sober sitting in my email folders. But does that mean I was attacked and penetrated? Clearly not.
{QUOTE->
But I think the biggest mistake is to think that one will not be attacked by some fairly malicious piece of software and there is no need to be concerned. It is just happening far to often among the people I know for anyone of us to ignore the issue.
<-QUOTE}
Perhaps, but another big mistake is to assume that everyone has to run the same exact security setup as oneself, without taking into account the value of the data placed. It is foolish to work oneself up to a state of paranoia just because you find that your clueless friends haven't been practising safe hex and as a result got infected.
{QUOTE->
Since I began deploying a reasonably strong security setup on my son's system (which as always being attacked) and my own, we have been pretty clean. For how long - hopefully much longer than those who do not employ a strong defense. But who really knows?
<-QUOTE}
Who really knows if it's the software that is making a difference, or if it's safe hex? Rich I think you underestimate the power of safe hex.
{QUOTE->
Where do these attacks come from? Who knows? Who knows when they happened and how long they were there? The problem with having porous protection (I use to use Norton and was attacked many times) is that no one really knows. It is best to have the best and then do one's best. It is so much better than trying to clean machines - and "hoping" that they are really clean.
Rich <-QUOTE}
How would you define an attack? I get hordes of virus-infected mail a day; I don't consider those attacks, except in a very trivial sense.
BlueZannetti
May 15th, 2005, 06:25 AM
{QUOTE-> Who really knows if it's the software that is making a difference, or if it's safe hex? Rich I think you underestimate the power of safe hex. <-QUOTE}
Pollmaster,
As with any regime of safe (h,s)ex, it's easy to get caught up in the heat of the moment, so to speak, in which all good intentions give way to more primal forces. An errant click here or there as excitement mounts, and the double entendres increasingly fly about, and before you know it, you are sunk.
The psychology for both cases is the same, as can be the unfortunate outcome.
Blue
richrf
May 15th, 2005, 07:51 AM
Hi Pollmaster,
Are you suggesting abstinence? Otherwise there is no way to avoid problems nowadays. A few weeks ago I was browsing google with a quite harmless search and I was attacked. Paranoia? Clueless? The way you describe people is interesting.
"How would you define an attack? I get hordes of virus infected mail a day, I don't consider those attacks, except in a very trival sense."
Actually, these are real "attacks". You must be getting these confused with Prevx's definition. ;D
Rich
Pollmaster
May 15th, 2005, 08:07 AM
{QUOTE-> Hi Pollmaster,
Are you suggesting abstinence? Otherwise there is no way to avoid problems nowadays. A few weeks ago I was browsing google with a quite harmless search and I was attacked. Paranoia? Clueless? The way you describe people is interesting.
<-QUOTE}
Details please. It's easy to throw around the word "attack".....
{QUOTE->
"How would you define an attack? I get hordes of virus-infected mail a day; I don't consider those attacks, except in a very trivial sense."
Actually, these are real "attacks". You must be getting these confused with Prevx's definition. ;D
Rich <-QUOTE}
I'm starting to see why you are so paranoid. If you are foolish enough to open such attachments, KAV as good as it is, isn't going to save you.
I've seen enough reports of people who open obviously dangerous attachments merely because their AV cleared it.
If you think such users can be protected with Any AV whatever the reputation, you are sadly mistaken.
Pollmaster
May 15th, 2005, 08:13 AM
{QUOTE-> Pollmaster,
As with any regime of safe (h,s)ex, it's easy to get caught up in the heat of the moment, so to speak, in which all good intentions give way to more primal forces. An errant click here or there as excitement mounts, and the double entendres increasingly fly about, and before you know it, you are sunk.
The psychology for both cases is the same, as can be the unfortunate outcome.
Blue <-QUOTE}
You mistake my intent Bluezannetti.
No one is arguing that one should rely ONLY on safe hex. On the other hand, safe hex plus any reasonable product (including trend) should be reasonably ok.
The way Rich acts, it seems like if one does not run KAV+PG+RegDefend (or whatever he defines as the best), one is doomed to be infected. Don't get me wrong, they are all excellent products that I use and recommend, but I wouldn't presume that just because someone doesn't use these products (or whatever is favoured by the 'expert'), that person would be irresponsible and getting attacked is a matter of time.
richrf
May 15th, 2005, 08:33 AM
Pollmaster,
I don't know how you can label people, such as myself and my friends, as clueless and paranoid, without ever meeting them.
In any case, a week ago they were in general following advice such as the one that you normally suggest and they ended up with unusable machines. I have given them different advice to follow and hopefully this helps them minimize their problems going forward.
Rich
BlueZannetti
May 15th, 2005, 08:45 AM
{QUOTE-> You mistake my intent Bluezannetti.
No one is arguing that one should rely ONLY on safe hex. On the other hand, safe hex plus any reasonable product (including trend) should be reasonably ok. <-QUOTE}
Pollmaster,
We're actually on the same page, but I didn't state things well myself and focused only on safe (s,h)ex since the double entendres didn't work otherwise :).
I like the stronger resource light products myself and will consciously trade coverage for a lowered resource footprint within reason and make up the balance myself.
I also agree, any reasonable product should work fine for the vast majority of users. Further, even the strongest product can fail if the user does not know how to respond to alerts or if it is misconfigured. Installing what I would consider to be a very strong collection of software is perhaps not even half of the battle to be waged in a given case. The other part, as you note, is on the usage side - usage of the internet and usage of the applications.
To bring us full circle, condoms do a lot, but they are not a total solution in the other domain. The same comment applies to PCs - unfortunately we are not always masters of our own domain :)
Blue
richrf
May 15th, 2005, 08:51 AM
Hi Blue,
Things happen. ;)
In general, my philosophy is that an ounce of prevention is worth a pound of detection. Once something is on a machine, then it is extremely difficult to clear the machine and call it clean.
So for my part, I always recommend people to adopt reasonable surfing habits (e.g., I can't possibly tell them to avoid Google), install the best AV/AT that they can afford and use, and put in place prevention (pro-active) software that allows them to control what is actually executing on their machine (this is pretty basic).
In this way they are able to prevent "accidents" from occurring, as opposed to waiting for accidents to occur and then trying to clean up the mess. That is basically why I clear my front walk of ice during the winter. :)
Rich
Dave-54321
May 15th, 2005, 09:00 AM
This is just a suggestion...
I fix computers (hardware and software issues) in my spare time, though mostly virus and spyware issues. Obviously, the more programs you install on someone's system just to "see what the other programs left behind", the more junk you're going to leave behind in the registry and so on.
What I do is run virus scans directly from a CD-ROM or USB key using the McAfee VirusScan Command Line program which is available for free. It is very thorough and has around 127,000+ virus definitions at this point in time. You don't even have to install anything. I just create a folder named "Scan" and extract it in there. Everything is run from the command line, and you can find the command line arguments by typing "scan.exe /?" and pressing Enter.
Here is an example of a thorough scan with it:
scan.exe /ADL /ALL /ANALYZE /CLEAN /MIME /PROGRAM /UNZIP /WINMEM
Or you can create detailed reports by adding:
/HTML filename.html
I've cleaned many computers with this and once in a while have tested its efficiency afterwards by installing an antivirus program, and it has never left anything behind.
http://vil.nai.com/vil/virus-4d.asp
win_betaengdat.zip (command line scanner)
win_netware_betadat.zip (definition updates, usually every hour or so)
Like I said, just a suggestion...
richrf
May 15th, 2005, 09:11 AM
Thanks Dave. I didn't know about this alternative. McAfee is very good and reliable. I am going to check it out right quick. Thanks again.
Rich
Dave-54321
May 15th, 2005, 10:50 AM
{QUOTE-> Thanks Dave. I didn't know about this alternative. McAfee is very good and reliable. I am going to check it out right quick. Thanks again.
Rich <-QUOTE}
And most of all, extremely convenient and quick. Besides, if I installed antivirus software on others' computers then not only would I be going against software licence agreements, but I also wouldn't get much more business in the future because then they would not get their systems infected again and need my assistance. What I do is completely clean their systems and provide them with lots of informative links on free antivirus, free firewalls, and security configuration information and so on. Therefore, if they don't take the time to learn from what I have provided them with and they get infected again... well, more business for me. LOL
Anyways, give it a try for sure. There are lots of command line arguments that you can use and you can learn about each of them by "scan.exe /?".
richrf
May 15th, 2005, 04:22 PM
Hi Dave,
I did try it out. Very clean and straightforward. However, it did give four false positives on some A2 (A squared) files which I will report to McAfee. I do not recall McAfee's online scan giving the same false positives, but it may be a recent development with A2's latest Personal release.
But, I understand FPs, so this does not bother me a bit. The basic approach is very sound and convenient. Thanks for the heads up.
Rich
Dave-54321
May 15th, 2005, 05:52 PM
{QUOTE-> Hi Dave,
I did try it out. Very clean and straightforward. However, it did give four false positives on some A2 (A squared) files which I will report to McAfee. I do not recall McAfee's online scan giving the same false positives, but it may be a recent development with A2's latest Personal release.
But, I understand FPs, so this does not bother me a bit. The basic approach is very sound and convenient. Thanks for the heads up.
Rich <-QUOTE}
Try running it without the "/ANALYZE" to remove the heuristic scanning option. Then run it again and see if you still get those false positives. Keep in mind those are Beta DAT files, but I have never had a problem with them. The command line scanner itself is the 4.4.0.0 engine and it is not a beta, it is the real thing packaged in there. Just a hint, you can download the QA DAT files from http://www.networkassociates.com/us/downloads/updates/dat.asp and use them instead with this same command line scanner. I personally prefer the Beta DAT files because that is what the McAfee techs actually use themselves and I find them to be quite solid.
richrf
May 15th, 2005, 07:06 PM
Thanks Dave. I will give those files a try with heuristics off. I get the same type of FPs when I run with any heuristics engine, which is why they don't bother me. If we want the scanner to take its "best guess", then it will so I figure FPs are just part of the guessing game.
I agree with your judgement concerning using the beta, because it gives the best idea of what the internal engineers are looking at at any moment. And since I am comfortable with running with potential FPs, then I think it is a good way to go. I don't turn on the Clean option until I am satisfied it is a real trojan.
Thanks again.
Rich
Dave-54321
May 15th, 2005, 07:25 PM
{QUOTE->
I don't turn on the Clean option until I am satisfied it is a real trojan.
<-QUOTE}
Very smart choice, I also do the same.
McAfee VirusScan Command Line really has so many different options that you can use. You can even set up a shortcut on the desktop or in the Quick Launch tray and add the command line arguments at the end of the "Target:" section.
What I do is create one "option" type file.
- Create a text file called "scan.txt" in the Scan folder
- Have 1 line in the text file "/AD /ALL /ANALYZE /PROGRAM /UNZIP" etc.
- Run "scan.exe /LOAD scan.txt"
Then when I am cleaning other people's computers I don't have to remember which command line arguments were my favorite to use.
I recommend you download and learn from the official product guide:
http://www.uni-konstanz.de/ZE/RZ/Antivirus/TVD/SB/O-Dok/en/E4400WPG.PDF
richrf
May 15th, 2005, 08:12 PM
Thanks for the additional tips and link Dave. It is very useful.
Cya around,
Rich
rdsu
May 15th, 2005, 08:28 PM
richrf,
just for curiosity, did you scan the systems with Trend or Norton before using the other programs?
Regards
richrf
May 15th, 2005, 08:43 PM
Hi,
Norton was the AV that was already installed on the system along with Norton Internet Security. The laptop is about one month old.
The first thing I did was load Firefox. He ran Ad-aware, which found lots of little spyware, but the problems did not go away, which is why he talked to me.
I turned System Restore off and I then ran Hijackthis, checked each entry with Google and then removed all questionable entries.
I then scanned with Ewido Free. It was the easiest to download and scan with, so it got things going quickly. It found about 200 different malware files (I am not sure how many were related to each other). I deleted those files and ran RegSeeker. I then ran the trial version of TDS-3 with the latest updates. It also found about 150 entries which I had to delete one by one because there is no mass delete in TDS-3 (at least as far as I can tell). I then ran Regseeker again.
By this time, I was able to get a trial copy of KAV 5.0 MP3 beta downloaded and installed it after turning off Norton. Immediately it trapped three programs which were identified as trojans and I killed them using KAV. I ran KAV but did not see the results since it was getting late. The next morning my friend told me that it found at least 100 additional files and he deleted them, but I think these may have been Ewido's quarantined files. So I do not know if KAV picked up additional infected files that TDS-3 and Ewido might have missed.
At this point, it appears that the machine is clean (but who really knows). I am going to use Port Explorer and Filemon to do some additional inspection. I may try out McAfee's or NOD32 on the system. After that, we will probably install ProcessGuard and RegDefend.
That is where we stand right now. He is pretty happy, but still getting over the shock of what happened. :)
Rich
rdsu
May 15th, 2005, 08:59 PM
Norton could be the AV that is installed on the system, but with new signatures, if you make a complete scan of the system with Norton, maybe it can find more malware...
Moreover, it's very bad that Norton left all those threats to be installed in the system...
I don't like Norton, mainly because of its resources, but I thought that it had better detection...
richrf
May 15th, 2005, 09:10 PM
Hi VaMPiRiC_CRoW,
My friend had performed a complete scan using Norton prior to talking to me. That is why he was so shocked to see the other products identify so much malware. I won't repeat the words he used.
I was a long time user of Norton up until about 2 years ago. I was attacked pretty bad, and that is what motivated me to find better security tools.
Rich
rdsu
May 15th, 2005, 09:17 PM
Resuming: A very big company with a bad product in general...
richrf
May 15th, 2005, 11:18 PM
Hi all,
My friend, who had the problems with Norton and all of the trojans, came over tonight and I showed him ProcessGuard and RegDefend on my computer. Far from being "clueless", my friend has over 35 years working on system support of large mainframe computing systems (the type that run very large banking systems). He took one look at ProcessGuard and RegDefend and without any hesitation (he understood right away what they were doing), said that he wanted to purchase them for his machine. We will be installing them tomorrow.
Going forward he will have KAV, because KAV did find all of the trojans that Norton missed, as well as ProcessGuard and RegDefend.
Rich
rdsu
May 16th, 2005, 07:00 AM
This seems like when a person starts to have some health problems and, after going to the doctor, tries to do all the things they always should have done, but didn't know about... ;)
Pollmaster
May 16th, 2005, 08:29 AM
{QUOTE-> Pollmaster,
We're actually on the same page, but I didn't state things well myself and focused only on safe (s,h)ex since the double entendres didn't work otherwise :).
I like the stronger resource light products myself and will consciously trade coverage for a lowered resource footprint within reason and make up the balance myself.
I also agree, any reasonable product should work fine for the vast majority of users. Further, even the strongest product can fail if the user does not know how to respond to alerts or if it is misconfigured. Installing what I would consider to be a very strong collection of software is perhaps not even half of the battle to be waged in a given case. The other part, as you note, is on the usage side - usage of the internet and usage of the applications.
To bring us full circle, condoms do a lot, but they are not a total solution in the other domain. The same comment applies to PCs - unfortunately we are not always masters of our own domain :)
Blue <-QUOTE}
Thank God, finally a voice of reason.
Rich
I'm somehow less impressed by people who tell me they are "attacked" left and right, but when asked for details, only silence ... It's hard to assess if these are real attacks or not, or merely an overly sensitive security app.
Occasionally I find some trojans in my firefox cache, but they are totally inert and harmless. I suppose this is considered an attack to you?
Diver
May 16th, 2005, 08:54 AM
Why clean a badly infected machine? The best practice is to salvage the data, make sure that is clean, then format and reinstall Windows.
richrf
May 16th, 2005, 09:11 AM
Pollmaster.
I have given all of the details many times. There were many trojans on the machine. I cannot tell if the dialer(s) were being blocked in all situations. Information was scarce about the trojans even though I did many lookups in different virus encyclopedias. One apparently was called Agent.bc. It looks like it was using ADS and bmps to hide some stuff. Yesterday I had to use HijackThis ADS Spy to clean up lots of trojan remnants that were being detected by KAV.
Rich
richrf
May 16th, 2005, 09:14 AM
Hi Diver,
Not clear how to salvage the data without trying to clean the data itself. As it turns out, the trojans were all over the place including in ADS that were attached to BMPs. However, that would have been the final measure, but we would still have had to determine if anything was transported over with the data. He of course also wanted to know the extent of the trojan penetration, if at all possible, so we went about finding all traces. Unfortunately, we came up with an indefinite situation.
Rich
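Rich's two posts above describe trojan remnants hidden in alternate data streams attached to BMP files. As an added example (not HijackThis ADS Spy or any code from the thread), this Windows PowerShell function enumerates non-default streams under a folder and flags ones that begin with an executable header, so salvaged data can be reviewed before it is copied back. It assumes Windows PowerShell 5.1 on an NTFS volume and only reports; it never deletes.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 (Get-Content
# -Encoding Byte) on NTFS. Reports alternate data streams; deletion is left to the operator.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinBytes = 1          # skip empty streams
    )
    # Streams Windows writes itself: the main data stream and the mark-of-the-web tag.
    # Anything else is reported for review.
    $known = @(':$DATA', 'Zone.Identifier')

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $known -notcontains $_.Stream -and $_.Length -ge $MinBytes } |
          ForEach-Object {
            # Peek at the first two bytes: a PE file riding on a .bmp starts with "MZ"
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $magic = if ($head) { [System.Text.Encoding]::ASCII.GetString($head) } else { '' }
            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $_.Stream
                Bytes   = $_.Length
                LooksPE = ($magic -eq 'MZ')
            }
          }
      }
}

# Usage (constructed path): list suspicious streams under a picture folder, PE-like ones first
# Find-AlternateDataStreams -Path 'C:\Users\Public\Pictures' |
#     Sort-Object LooksPE -Descending | Format-Table -AutoSize
```

A stream that looks like a PE image on an image file is worth submitting to the AV vendor, as the thread suggests, before anything is removed.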
richrf
May 16th, 2005, 09:52 AM
Well VaMPiRiC_CRoW, this was as close to a terminal case as I had ever seen. The machine had every conceivable problem on it - except maybe a rootkit. It looks clean now. I gave him some good "lifestyle" advice and hopefully it all works out.
Next patient please!
Rich
Jaws
May 16th, 2005, 10:03 AM
Hi Rich,
I commend your dedication to helping people. But you must get a life. LOL
Best Regards,
Jaws
richrf
May 16th, 2005, 10:10 AM
Hi Jaws,
Yes. He is my best friend and he was in a jam. So I helped him out. But it was quite an effort. Messed up at tennis this weekend because of it. ::) I don't know what to do in the future. I hate to tell friends to wipe their disk clean .. but I don't want to do this every week. See no evil .. hear no evil ..
Now for some sleep.
Rich
SSK
May 16th, 2005, 10:26 AM
{QUOTE-> Hi Jaws,
Yes. He is my best friend and he was in a jam. So I helped him out. But it was quite an effort. Messed up at tennis this weekend because of it. ::) I don't know what to do in the future. I hate to tell friends to wipe their disk clean .. but I don't want to do this every week. See no evil .. hear no evil ..
Now for some sleep.
Rich <-QUOTE}
Let them copy important data to CD / DVD's. Let them bring these backups to you, so you can scan them on your machine.
In the mean time, let them reinstall Windows. Only thing left for you to do is to secure the new setup, and give them the cleaned data back ;D
richrf
May 16th, 2005, 10:37 AM
Hi Ssk,
In retrospect this would be O.K., but at the time everything is a black box. We certainly didn't know the extent of the problem until we began actually running the tests. Remember, he did have Norton AV and Security Suite running so neither of us thought it would be anywhere near this bad when I began looking at it. He also needed to know what types of trojans and was he really penetrated. The results, unfortunately, are inconclusive.
It is the nature of this kind of problem that nothing is really known until the work is completed. Of course, if it was a simple game machine, a complete restore would be a no-brainer. This was not the case.
Rich
SSK
May 16th, 2005, 10:44 AM
I know, Rich ;D
Been there as well ;D
Since then, I'm a lot more careful about who I help...
richrf
May 16th, 2005, 10:54 AM
rofl. :D I consider this whole thing a learning experience for myself as well as my friend. ;) Thanks for your empathy SSK.
Rich
cluessnewbie
May 17th, 2005, 10:54 AM
{QUOTE-> And most of all, extremely convenient and quick. Besides, if I installed antivirus software on other's computers then not only would I be going against software licence agreements, but I also wouldn't get much more business in the future because then they would not get their systems infected again and need my assistance. What I do is completely clean their systems and provide them with lots of informative links on free antivirus, free firewalls, and security configuration information and so on. Therefore, if they don't take the time to learn from what I have provided them with and they get infected again... well, more business for me. LOL
Anyways, give it a try for sure. There are lots of command line arguments that you can use and you can learn about each of them by "scan.exe /?". <-QUOTE}
Darn it, you are giving away all our secrets....
Ned Slider
May 19th, 2005, 07:49 AM
{QUOTE->
What I do is run virus scans directly from a CD-ROM or USB key using the McAfee VirusScan Command Line program which is available for free. <-QUOTE}
How is this available for free?
From McAfee's website:
{QUOTE-> Important: Customers must have a current PrimeSupport agreement in order to be entitled to download product updates and upgrades, including engine and DAT updates for both subscription and perpetually licensed software. For any questions, please contact Customer Service. <-QUOTE}
In the link you provide (http://www.networkassociates.com/us/downloads/updates/dat.asp) above, you must accept the above terms acknowledging you have a current PrimeSupport agreement.
I appreciate you can access the site and download the command line scanner and updates, but I'm not sure this really makes it free to use, legally. Perhaps someone could clarify this please?
Ned
Pollmaster
May 20th, 2005, 12:40 PM
{QUOTE-> Hi Diver,
Not clear how to salvage the data without trying to clean the data itself. As it turns out, the trojans were all over the place including in ADS that were attached to BMPs. However, that would have been the final measure, but we would still have had to determine if anything was transported over with the data. He of course also wanted to know the extent of the trojan penetration, if at all possible, so we went about finding all traces. Unfortunately, we came up with an indefinite situation.
Rich <-QUOTE}
I'm looking for more specific details on how it got in, not what it does.
richrf
May 20th, 2005, 02:12 PM
Apparently, Norton didn't detect these instances of malware in either real-time or on-demand and therefore the malware were able to install themselves very nicely (as they are designed to do), set up home, start logging all keystroke input, and begin to dial back to their friends overseas. Whether or not data was actually transmitted back is not known. If you are looking for specific details of how the malware got through, I would suggest you contact Symantec/Norton who, presumably, understands its products' design much better than I do. Maybe they didn't have enough money to employ engineers who can do what DiamondCS, Ewido, and Kaspersky were able to do - that is, detect the malware.
Rich
Notok
May 20th, 2005, 03:10 PM
You can also get the McAfee command line scanner by downloading the superDAT update and running "sdat[####].exe /e", this will extract the files to the directory the sdat file is in, including scan.exe, which you can then run. Since the other one listed above uses beta sigs, this might be a more reliable option.
Hitman Pro uses this and automatically runs the scan for you. If you already have another virus scanner you may have to disable it, however. NOD32 detects scan.exe as prob unknown script virus. edit: going to the Hitman Pro website, they do also mention that you should have this agreement before using, and refer you to this page for details: http://www.mcafeesecurity.com/us/support/technical_support/overview.asp
Disclaimer: Using the sdat file this way may not be legal without a license/PrimeSupport Agreement. Even if it is legal to use it this way, you should still purchase a license if you plan to use their scanner. With the very cheap deals around, it shouldn't be hard to find one at a price you can justify for your intended usage.
Randy_Bell
May 20th, 2005, 04:10 PM
{QUOTE-> Whether or not data was actually transmitted back is not known. If you are looking for specific details of how the malware got through, I would suggest you contact Symantec/Norton who, presumably, understands its products' design much better than I do. Maybe they didn't have enough money to employ engineers who can do what DiamondCS, Ewido, and Kaspersky were able to do - that is, detect the malware. Rich <-QUOTE}
If you are going to persist in this anti-Norton diatribe, then you should send me [or another person who can test] some samples to look at. You didn't send Symantec any samples either. So stop posting bullshit comments like this .. P.S. this is [by my count] the third thread you have gone on about this incident, don't you think you've gotten enough mileage out of it? If it will make you feel any better, I'll publicly confess, NAV Sucks, it can't detect a damn thing nor prevent malware from freely flowing into the system ..
RejZoR
May 20th, 2005, 04:25 PM
Symantec is in general ok, but every time one week too late. C'mon, you can't use weekly updates in these days ::) even if you release 7x as many signatures they can be 7 days too late and you have a PC full of garbage.
They have (and even use) incremental updates, so I really don't understand their point. But they can update their huge stand-alone updaters daily, while small (few KB) auto-updates are left at a 1 week interval. Stupid logic.
Firefighter
May 20th, 2005, 05:02 PM
{QUOTE-> So stop posting bullshit comments like this .. P.S. this is [by my count] the third thread you have gone on about this incident, don't you think you've gotten enough mileage out of it? If it will make you feel any better, I'll publicly confess, NAV Sucks, it can't detect a damn thing nor prevent malware from freely flowing into the system .. <-QUOTE}
Right attitude. Don't give up. If you could still be more familiar with the Finnish "Sauna", you could be invincible with the accelerating steam it offers to you. I love that power of yours! ;D
Best regards,
Firefighter!
richrf
May 20th, 2005, 05:49 PM
Hi Randy,
If someone asks me if I would recommend Norton, I would say absolutely not. What possible reason do I have to recommend Norton? It was terrible for me, for my son's machine, and it was terrible for my friend. I don't think that is a good enough reason to recommend it to anyone.
But if you think Norton is a good product, as others do, then I hope you keep recommending it. This world is big enough for many AVs depending upon tastes and experiences. I personally am only interested in relating my experiences to others so that they can make informed choices. Norton AV is definitely one product I would never recommend.
Rich
Dave-54321
May 20th, 2005, 10:43 PM
{QUOTE-> How is this available for free?
From McAfee's website:
In the link you provide (http://www.networkassociates.com/us/downloads/updates/dat.asp) above, you must accept the above terms acknowledging you have a current PrimeSupport agreement.
I appreciate you can access the site and download the command line scanner and updates, but I'm not sure this really makes it free to use, legally. Perhaps someone could clarify this please?
Ned <-QUOTE}
Correct, you are expected to have a current "PrimeSupport" agreement in order to download those quality approved DAT files. However, the Beta DAT files that I posted a link for in post#28 are free to use but have not yet been quality approved. Personally, I prefer the Beta DAT files and use them on a daily basis and have never had any issues with them. Only the most recent virus signatures in those Beta DAT files have not been quality approved and would most likely go through that process the following day or two.
- Dave
realdeal
May 20th, 2005, 11:34 PM
{QUOTE->
The way Rich acts, it seems like if one does not run KAV+PG+Regdefend (or whatever he defines as the best), one is doomed to be infected. Don't get me wrong they are all excellent products that I use and recommend, but I wouldn't presume that just because someone doesn't use these products (or whatever is favoured by the 'expert' ), that person would be irresponsible and getting attacked is a matter of time. <-QUOTE}
I don't use ANY of those products and NEVER get infected (NO spyware, adware, trojans, keyloggers or viruses). :)
There are MANY routes to a more secure pc, and a lot of them are completely free, and work VERY well for myself and those I know.
Kav+Pg+Rd is NOT the only way to a more secure pc, and I don't feel it is the best way either IMO. ;)
Ned Slider
May 21st, 2005, 05:49 AM
{QUOTE-> Correct, you are expected to have a current "PrimeSupport" agreement in order to download those quality approved DAT files. However, the Beta DAT files that I posted a link for in post#28 are free to use but have not yet been quality approved. Personally, I prefer the Beta DAT files and use them on a daily basis and have never had any issues with them. Only the most recent virus signatures in those Beta DAT files have not been quality approved and would most likely go through that process the following day or two.
- Dave <-QUOTE}
But you're still using the command line scanning engine with those beta DATs, and presumably that falls under licence restrictions too?
Like you, I appreciate the power and convenience of the McAfee command line scanner and would like to be able to recommend it to others, but I just can't see that it is legal to do so.
Ned
Notok
May 21st, 2005, 06:24 AM
That said, disclaimer added. It's kinda hard to not justify buying a copy of something you use regularly anyway.
Pollmaster
May 21st, 2005, 07:59 AM
{QUOTE-> Apparently, Norton didn't detect these instances of malware in either real-time or on-demand and therefore the malware were able to install themselves very nicely (as they are designed to do), [rest of cluess comments snipped out]
Rich <-QUOTE}
How did they install is the question. An exploit? user executed? What?
{QUOTE-> If you are going to persist in this anti-Norton diatribe, then you should send me [or another person who can test] some samples to look at. <-QUOTE}
It isn't so much an anti-Norton diatribe as marketing for KAV, DiamondCS and Ewido. After all he bashes Trend too and I bet AVG, AVAST and everything else he doesn't use. ;)
richrf
May 21st, 2005, 09:38 AM
Hi all,
"If something can happen, it will" - Murphy's Law
The thesis that one good AV is sufficient, is greatly lacking in my opinion. Far too many holes that can and will be penetrated. It is for this reason, that several months ago I adopted a standard "layered" approach that is often suggested here on Wilders.
The suggestion that Norton's suite, Trend Micro's suite, or any other suite can protect someone on the Internet proved to be quite false in my experiences - many times over. In my opinion, all of these products minimally require an anti-trojan (e.g. Ewido, BOClean, TDS-3, TrojanHunter) and anti-spyware (e.g. Counterspy, Ad-aware). In fact, based upon my cleaning experiences, these "good" AVs probably require more than one of each class of software, because once malware gets on a machine, it is extremely difficult to get it off.
The best approach, in my opinion, is not to settle for second (or third) best. It is to completely stop the malware from ever getting on the system to begin with. For this reason, I only recommend what I consider the most comprehensive anti-malware software that is available. I don't recommend what is "free" or "good", because I do not believe that these products are sufficient.
I feel quite comfortable recommending Kaspersky's AV products (sans ADS), as well as McAfee (with daily updates). I do not believe either of these are sufficient, because there is no layering per se. For this reason, I recommend pro-active protection to assist in keeping the door shut on malware. These products include ProcessGuard and RegDefend. I do not recommend Prevx because the company includes behavior monitoring software in their free version. A trend that I do not support. I do not recommend SSM at this time because I feel it is too unstable and is still in beta.
I also run WormGuard to protect me from the "scripting" hole that exists in Windows. There are other products on the market that protect against scripting such as Script Defender and Script Sentry but I have not used any of them extensively so I personally cannot recommend them, though others certainly have.
Beyond this, I personally have all of the ATs that I have mentioned previously. They are all excellent ATs, but they so far appear to be redundant in an environment that is proactively defended. However, Ewido free is available as an on-demand scanner and I wholeheartedly recommend it. And if someone is looking to see whether their machine is clean, I would certainly recommend trialing products like TDS-3 and TrojanHunter. Someone may decide to run one of these products in real-time, for added protection.
When I was a child, maybe 3 years old, I was taught by my parents, never to leave the front door open. Not 80% open, not 90% open. It is to be locked shut. And when someone rings the bell or knocks on the door, I should ask first before opening it. 50 years later, this advice still holds true.
Rich
Pollmaster
May 22nd, 2005, 09:49 AM
Rich, you excel at nice long speeches and lectures which say nothing. Would be impressive if you backed it up with technical details.
The Hammer
May 22nd, 2005, 03:03 PM
{QUOTE-> Symantec is in general ok, but every time one week too late. C'mon, you can't use weekly updates in these days ::) even if you release 7x as many signatures they can be 7 days too late and you have a PC full of garbage.
They have (and even use) incremental updates, so I really don't understand their point. But they can update their huge stand-alone updaters daily, while small (few KB) auto-updates are left at a 1 week interval. Stupid logic. <-QUOTE}
In my experience with NAV I was generally, but not solely, limited to once a week updates. During periods of high virus activity I received up to three updates per week via Liveupdate which I found to be problem free by the way.
muf
May 22nd, 2005, 03:40 PM
This proactive stuff is all well and good, but it generally relies on the user and the choices they make. For example. Regdefend - Something wants to change the registry so Regdefend asks you if it's ok and tells you what it wants to change. The user says yes or no. Doesn't ProcessGuard do something similar but with files and running processes? It all leaves the opportunity for the user to select the wrong response. "Damn, maybe I should have clicked no as my pc is acting very much like it's being owned". I don't use these two products so maybe I have a misconception that a user could mess things up by selecting the wrong choice. Please enlighten me if I have misinterpreted this possibility with both of these proactive applications.
muf
Bubba
May 22nd, 2005, 03:58 PM
{QUOTE-> you excel at nice long speeches and lectures which say nothing. Would be impressive if you backed it up with technical details. <-QUOTE}
As usual....we have threads from time to time that remain active and most of them are very informative....as this one is....minus the dribble.
Let's keep the personal attacks to ourselves....and let this informative thread proceed.
Thanks,
Bubba
Pollmaster
May 22nd, 2005, 05:23 PM
{QUOTE-> This proactive stuff is all well and good, but it generally relies on the user and the choices they make. For example. Regdefend - Something wants to change the registry so Regdefend asks you if it's ok and tells you what it wants to change. The user says yes or no. Doesn't ProcessGuard do something similar but with files and running processes? It all leaves the opportunity for the user to select the wrong response. "Damn, maybe I should have clicked no as my pc is acting very much like it's being owned". I don't use these two products so maybe I have a misconception that a user could mess things up by selecting the wrong choice. Please enlighten me if I have misinterpreted this possibility with both of these proactive applications.
muf <-QUOTE}
Exactly the point. PG offers close to zero protection against classical trojans that trick the user into installing them because they think it is something useful. If you already decided to install something which happens to be malware, PG isn't going to help.
That said PG is useful in the following cases
1) Some exploit causes an autoexecution/installation of malware; PG will hopefully notice it starting up and alert you.
Realistically speaking this is a rather small possibility if your system is fully patched, except in the case of zero days.
2) If said trusted process tries to start another, but again, whether to allow or disallow this is iffy, unless you know what you are doing.
3) When a trusted proggie starts to install global hooks or install drivers and you think it shouldn't. Yet another area where the user has to have the expertise to decide if this program should or should not do this.
Maybe most users of PG are expert enough to decide if proggie x should be allowed to install drivers and hooks, but I certainly don't have the expertise.
4) process termination.
I personally think Regdefend might actually be easier to use for most people, because it's easier to understand what exactly regdefend is blocking - essentially autostarts via registry.
It's basically just a souped up winpatrol/startupmonitor, which are getting pretty popular.
muf
May 22nd, 2005, 07:39 PM
Thanks for clearing that up. I wasn't too sure but had an idea from what I had read. They are mainly for knowledgeable users then but are still open to the user making a bad judgement. Making the wrong choice would be pretty much like a false positive where a non-proactive application would remove it after the event. There's no infallible protection even with proactive measures. Suppose proactive would in theory be better, but then again unless you know what you are doing you could end up trashing your pc completely if you kill/block the wrong thing. Food for thought and consideration once I make the leap to XP, although the saying "If it ain't broke, don't fix it" springs to mind. Might just stick with what I already have.
muf
richrf
May 22nd, 2005, 09:37 PM
Hi Muf,
Actually, ProcessGuard is pretty easy to get used to, and I think far superior to "signature" protection, which basically asks the user to "figure things out" after the fact. Anyone who has ever had to "stop a program" vs. "clean up after malware" can attest to this.
What normally happens with PG is this:
1) The user puts it in learning mode and all applications that are normally used are given their necessary permission.
2) From time to time, updates are required, maybe to a security program or the operating system. When these update programs run, the user can either give them permission, if they recognize them or don't give them permission and research them. My friend, who just had PG installed, quickly learned how to look up the programs using google.
3) If something unusual pops up out of nowhere, maybe while browsing, then the user only has to deny permission until the program is researched. Usually, the AV will trap it first (as is usual), but sometimes something unexpected does happen (a program may request a global hook) and the user just denies it until there is a chance to research it.
The only time there may be issues, is when Windows Update runs. I just turn PG off until it is over. Between trying to clean a machine, and somehow making sure a machine is really clean (something that is almost impossible nowadays), and learning the simple aspects of PG (how to answer yes and no), I far, far prefer ProcessGuard and RegDefend. There is nothing like keeping "roaches" out of the home. Once they are in, it is almost impossible to exterminate completely.
The configuration is very simple:
1) A top AV
2) ProcessGuard
3) RegDefend
4) WormGuard
Far, far easier than running anti-trojans and anti-spyware, and answering all the questions that these products might pose. (How many machines have been damaged by false positives, or inability to completely clean a machine). Believe me, life has been very simple once I installed PG and RegDefend along with Kaspersky.
Rich
Firecat
May 22nd, 2005, 10:08 PM
PG slowed my computer to a crawl, therefore I uninstalled it. Somehow I didnt like it much :-\
richrf
May 22nd, 2005, 10:35 PM
Hi Firecat,
On my XP system (2.5 GHz, 512MB), ProcessGuard barely shows itself. Of the security products that I have run, the biggest resource usage was MS AS, followed by BOClean (probably because of the PG conflict), followed by Ewido. I usually do not run the ATs in real-time anymore, so my system is basically dead unless I am doing something in FireFox. As I speak, I went into Windows Task Manager, and zero CPU is being used.
I think I noticed once on my machine that PG was using 99% or something like that. It was after (or during) a Windows Update and I had not turned off PG. The only other reason I can think of that PG caused the heavy resource usage, is if by some chance, it had pushed your virtual memory into a thrashing condition - something I highly doubt.
Rich
Firecat
May 22nd, 2005, 10:41 PM
Maybe its just that I need to reformat and start clean - this current installation of WinXP Home has been through three different soundcards, as well as two different AVs, plus some other hardware changes. I am pretty sure I cleaned out most of the unwanted stuff, but you never know what remains.....:-\
richrf
May 22nd, 2005, 10:48 PM
True. In my case, I did a complete reinstall (this was after the NAV disaster about a year or so ago) and after that I took a clean image copy using Image for DOS. Then I put my security products on including KAV and PG, and then I took another image copy. So my machine was pretty clean when I installed.
Rich