What is the worst malware infection you had to clean?

Discussion in 'other anti-malware software' started by cheater87, Feb 1, 2007.

Thread Status:
Not open for further replies.
  1. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    Funny you mention that; this is what I'm doing right this second.
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Have had very good luck with as well.
     
  3. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Not worse, but weird.

    I had a friend who was struggling with some mysterious infection that had a file U3SHLPDRIVER200.sys residing in the system folder.

    Looking at the event logs he saw very weird behavior by Aol activeshield.

    One moment the resident shield was detecting some PWS trojan, the very next line (a few seconds later), declared it clean, and then it detected a threat again the next line and so on for a couple of lines.

    By the time I got to the computer, when I ran an on-demand scan, it declared it clean. The guy who owned the computer tried googling the file name, got nothing. I recommended he upload it to VirusTotal etc. and it was clean.

    After 30 minutes, I managed to figure it out. And we both felt very stupid.
     
  4. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    To be more accurate, I'm trying to do
    this with this, this and likely this, this, this & this, but I needed this and this to do it on this :p
    and I'm not quite done :cautious:
     
  5. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Think I got all that..... o_O What you are saying is, you got a mess on your hands. :blink:
     
  6. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Computers will do that to you every time. *puppy*
     
  7. herbalist

    herbalist Guest

    I've got one of those "this, and this, and..." lists, much of it being pri/sec oriented, but not so much with malware. Both too lazy and unwilling to list all of them as "this" links. If I could only find enough time to get it all done.

    Things are changing too fast to rely on a static setup with users who aren't up to speed with the threats. Just keeping up is becoming a full time job for those who are interested in this kind of thing. For the average user, it just takes the fun out of a PC and the net. A lot of my clients use a PC for enjoyment, swapping jokes, e-mail with people they wouldn't normally take time to write to, silly pictures like the avatar one of them sent me.

    Security software that is suitable for the average user isn't getting it done. It's not like it used to be. Malicious code is being developed and distributed faster than conventional security software can update. The items showing up in my Yahoo mailbox are enough to convince me of that. When I upload the infected material to VirusTotal within 24 hours of getting it, less than half of their scans show it to be malicious, including PrevX which is supposed to be an answer to this very problem. You can't assume that you will always be able to find and remove modern malware. I truly believe that we will see malware that is for all purposes, uncleanable by any normal methods very soon. When one mistake or missed detection can result in a nearly permanent back door, prevention is the only viable option, and any number of AVs combined will not get it done.

    I've pretty much come to the conclusion that the only way I can really secure their PCs is with remote administration, enabling me to make or tighten firewall rules, SSM rules, system policies, and address problems or malware from my desktop, in a way that matches their particular usage habits. So far, I haven't found a remote administration app that fills my need. Anybody know of one that will allow me to administer an XP unit from a 98 box, with enough control to allow me to access apps like SSM or a rule based firewall and work with the rules, selectively install updates, make full system backups, etc? An app that would allow them to contact me directly through it would be sweet, but that's not a requirement.

    I realize what I'm describing sounds a bit like PrevX, except for a couple of big differences.
    1. The user is letting someone they know take care of their system instead of a company they've never seen except on a website.
    2. What is or isn't permitted won't be strictly based on a whitelist or a set of detections, but would match the user's needs and preferences. One can use IE6 while it's blocked on another's who doesn't want it functional at all.
    3. The user can contact the person responsible for their security directly instead of e-mailing a company or posting a message on a website.
    The majority of my clients like the idea and are willing to let me set this up, if I can find an app I trust that will run on my 98 box. I don't trust NT systems enough to use one for this, not when I can't be certain that it couldn't be rootkitted and used against them. Any of you system administrators know of a remote administration app that fills my/their needs?
    Rick
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    What is dial-a-fix?

    thanks
     
  9. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Check it out here at Major Geeks. Handy little tool that you do not hear about much anymore with the proliferation of high-speed. Though I think there are certain times it would help even when not on dial-up. Have used it several times quite some time ago and it did correct the problem(s).
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    A number of fixes pulled together from MS knowledge articles and mvps.
    DAF Wiki

    edit : oops posted above freeware, repairs Windows problems - all in a nice little box, just tick the fix you need.
     
    Last edited: Feb 4, 2007
  11. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    1. I spent very little time using Win98, I got into computers for the graphics and as soon as I found out Win98's memory support limitations I was immediately in W2K (so like a total of 4 months of W9X experience.)

    2. Can you run cygwin in 98? I employ it with OpenSSH and TightVNC / PuTTY along with IP-specific firewall rules and, as necessary, dynamic DNS. There is of course overhead with that level of encryption and considerable (and variable) latency with or without it. But I've admin'd my brother's box 1500 miles and who knows how many possibly compromised nodes away. Not that TightVNC isn't pretty secure without encryption.

    object lesson (from just the other day ;)
     
    Last edited: Feb 4, 2007
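    The setup Ice_Czar describes (VNC reachable only through an OpenSSH tunnel, with sshd limited to the admin's address) as an added example, not his own scripts. The user name, host name, admin IP and socket listings are constructed placeholders; the allow/drop rule is shown in iptables syntax, assuming a Linux gateway in front of the administered box, and the check assumes TightVNC on its default port 5900.

    ```shell
    #!/bin/sh
    # Added example, not from the original post. All hosts/IPs are placeholders.
    ADMIN_IP="203.0.113.10"          # admin's address (static, or resolved via dynamic DNS)
    REMOTE_HOST="client-pc.example"  # the administered box, reachable over SSH
    VNC_PORT=5900                    # TightVNC default; server bound to loopback only

    # Client side: forward local port 5901 through SSH to the loopback-only VNC
    # server, so VNC traffic never crosses the network unencrypted. The viewer
    # then connects to localhost:5901.
    vnc_tunnel_cmd() {
        printf 'ssh -N -L 5901:127.0.0.1:%s -o ServerAliveInterval=30 admin@%s\n' \
            "$VNC_PORT" "$REMOTE_HOST"
    }

    # Gateway side: only the admin's address may reach sshd; any other source
    # hitting port 22 is dropped. Emitted as text so it can be reviewed first.
    ssh_allow_rules() {
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$ADMIN_IP"
        printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
    }

    # Check: given "netstat -tln"-style output, return 0 if the VNC port listens
    # on loopback only, 1 if it is exposed on any other interface.
    vnc_bound_to_loopback() {
        printf '%s\n' "$1" | awk -v port=":$VNC_PORT" '
            $1 ~ /^tcp/ {
                addr = $4
                if (index(addr, port) == length(addr) - length(port) + 1 &&
                    addr !~ /^127\.0\.0\.1:/ && addr !~ /^::1:/) exposed = 1
            }
            END { exit (exposed ? 1 : 0) }'
    }

    # Constructed sample listings (the format netstat -tln prints).
    GOOD_SOCKETS='tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
    BAD_SOCKETS='tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:59000         0.0.0.0:*               LISTEN'

    vnc_tunnel_cmd
    ssh_allow_rules
    vnc_bound_to_loopback "$GOOD_SOCKETS" && echo "VNC: loopback only (ok)"
    vnc_bound_to_loopback "$BAD_SOCKETS" || echo "VNC: exposed on a non-loopback interface"
    ```
    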
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks ThunderZ, Meriadoc and Ice Czar.
     
  13. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,291
    Location:
    Pennsylvania.
    I'm going back on Thursday to install Comodo firewall Pro and Avast to get rid of the rest of the Trojans.
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Keep in mind that the Prevx1 VT scanner has no heuristics, which are responsible for adding over 7000 new "bads" to the community database per day. (In other words the heuristics do most of the work, it's the primary feature.)
     
    Last edited: Feb 7, 2007
  15. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    The About:Blank homepage hijacker was probably the nastiest I ever tackled on a friend's comp a few years back, all thanks to CWS. :cautious: :D

    snowbound
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, Prevx VT scanner is only using the database?
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Currently, yes. It's still pretty new. It doesn't support archives, either.
     
    Last edited: Feb 7, 2007
  18. EASTER.2010

    EASTER.2010 Guest

    As a former Mod/HijackThis Specialist for Lavasoft Ad-Aware Forums I award that honor to an old nemesis named CoolWebSearch. VX2 had their days and aggravations but CWS always tried something different to throw off detection or make it difficult to completely eradicate.

    Was a very impressive malware issuer IMO.
     
  19. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    I hated undocumented CWS trojans garYOUrantTEEDoff
    to screw your day trying to clean em up.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Do you know when these features (heuristics, archives support, etc) are going to be enabled?
    Without heuristics, Prevx is getting very good results (CastleCops MIRT) at VirusTotal.
    Thanks for the input.
     