Cleaning up for Friends - My new pastime

Discussion in 'other anti-virus software' started by richrf, May 14, 2005.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Pollmaster,

    We're actually on the same page, but I didn't state things well myself and focused only on safe (s,h)ex since the double entendres didn't work otherwise :).

    I like the stronger resource light products myself and will consciously trade coverage for a lowered resource footprint within reason and make up the balance myself.

    I also agree, any reasonable product should work fine for the vast majority of users. Further, even the strongest product can fail if the user does not know how to respond to alerts or if it is misconfigured. Installing what I would consider to be a very strong collection of software is perhaps not even half of the battle to be waged in a given case. The other part, as you note, is on the usage side - usage of the internet and usage of the applications.

    To bring us full circle, condoms do a lot, but they are not a total solution in the other domain. The same comment applies to PC's - unfortunately we are not always masters of our own domain :)

    Blue
     
  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Blue,

    Things happen. ;)

    In general, my philosophy is an ounce of prevention is worth a pound of detection. Once something is on a machine, then it is extremely difficult to clear a machine and call it clean.

    So for my part, I always recommend that people adopt reasonable surfing habits (e.g., I can't possibly tell them to avoid Google), install the best AV/AT that they can afford and use, and put in place prevention (pro-active) software that allows them to control what is actually executing on their machine (this is pretty basic).

    In this way they are able to prevent "accidents" from occurring as opposed to waiting for accidents to occur and then trying to clean up the mess. That is basically why I clear my front walk of ice during the winter. :)

    Rich
     
  3. Dave-54321

    Dave-54321 Guest

    This is just a suggestion...

    I fix computers (hardware and software issues) in my spare time, though mostly virus and spyware issues. Obviously, the more programs you install on someone's system just to "see what the other programs left behind" the more junk you're going to leave behind in the registry and so on.

    What I do is run virus scans directly from a CD-ROM or USB key using the McAfee VirusScan Command Line program which is available for free. It is very thorough and has around 127,000+ virus definitions at this point in time. You don't even have to install anything. I just create a folder named "Scan" and extract it in there. Everything is run from the command line, and you can find the command line arguments by typing "scan.exe /?" and pressing Enter.

    Here is an example of a thorough scan with it:

    scan.exe /ADL /ALL /ANALYZE /CLEAN /MIME /PROGRAM /UNZIP /WINMEM

    Or you can create detailed reports by adding:

    /HTML filename.html

    I've cleaned many computers with this and once in a while have tested its efficiency afterwards by installing an antivirus program and it has never left anything behind.

    http://vil.nai.com/vil/virus-4d.asp
    win_betaengdat.zip (command line scanner)
    win_netware_betadat.zip (definition updates, usually every hour or so)


    Like I said, just a suggestion...
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Dave. I didn't know about this alternative. McAfee is very good and reliable. I am going to check it out right quick. Thanks again.

    Rich
     
  5. Dave-54321

    Dave-54321 Guest

    And most of all, extremely convenient and quick. Besides, if I installed antivirus software on others' computers then not only would I be going against software licence agreements, but I also wouldn't get much more business in the future because then they would not get their systems infected again and need my assistance. What I do is completely clean their systems and provide them with lots of informative links on free antivirus, free firewalls, and security configuration information and so on. Therefore, if they don't take the time to learn from what I have provided them with and they get infected again... well, more business for me. LOL

    Anyways, give it a try for sure. There are lots of command line arguments that you can use and you can learn about each of them by "scan.exe /?".
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Dave,

    I did try it out. Very clean and straightforward. However, it did give four false positives on some A2 (A squared) files which I will report to McAfee. I do not recall McAfee's online scan giving the same false positives, but it may be a recent development with A2's latest Personal release.

    But, I understand FPs, so this does not bother me a bit. The basic approach is very sound and convenient. Thanks for the heads up.

    Rich
     
  7. Dave-54321

    Dave-54321 Guest

    Try running it without the "/ANALYZE" to remove the heuristic scanning option. Then run it again and see if you still get those false positives. Keep in mind those are Beta DAT files, but I have never had a problem with them. The command line scanner itself is the 4.4.0.0 engine and it is not a beta, it is the real thing packaged in there. Just a hint, you can download the QA DAT files from http://www.networkassociates.com/us/downloads/updates/dat.asp and use them instead with this same command line scanner. I personally prefer the Beta DAT files because that is what the McAfee techs actually use themselves and I find them to be quite solid.
     
  8. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks Dave. I will give those files a try with heuristics off. I get the same type of FPs when I run with any heuristics engine, which is why they don't bother me. If we want the scanner to take its "best guess", then it will so I figure FPs are just part of the guessing game.

    I agree with your judgement concerning using the beta, because it gives the best idea of what the internal engineers are looking at at any moment. And since I am comfortable with running with potential FPs, then I think it is a good way to go. I don't turn on the Clean option, until I am satisfied it is a real trojan.

    Thanks again.

    Rich
     
  9. Dave-54321

    Dave-54321 Guest

    Very smart choice, I also do the same.

    McAfee VirusScan Command Line really has so many different options that you can use. You can even setup a shortcut on the desktop or in the Quick Launch tray and add the command line arguments at the end of the "Target:" section.

    What I do is create one "option" type file.
    - Create a text file called "scan.txt" in the Scan folder
    - Have 1 line in the text file "/AD /ALL /ANALYZE /PROGRAM /UNZIP" etc.
    - Run "scan.exe /LOAD scan.txt"

    Then when I am cleaning other people's computers I don't have to remember which command line arguments were my favorite to use.

    I recommend you download and learn from the official product guide:
    http://www.uni-konstanz.de/ZE/RZ/Antivirus/TVD/SB/O-Dok/en/E4400WPG.PDF
     
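    The run-from-USB routine that Dave-54321 lays out across his posts (a "Scan" folder holding scan.exe and the DATs, a fixed option set kept in a /LOAD file, an /HTML report, and /ANALYZE dropped to check whether a hit is heuristic-only) is collected below as one wrapper script. This is an added example, not code from the thread or from McAfee; it emits only the switches the posts themselves use. Assumptions: the Scan folder sits next to the script, scan.exe accepts /HTML on the command line alongside /LOAD, and exit-code meanings are not interpreted, only recorded.

```powershell
<#
  Added example (not from the thread or from McAfee): run the VirusScan
  Command Line scanner from a removable drive with a reviewed option set.
  Only switches quoted in the thread are used. Assumed layout: a "Scan"
  folder beside this script containing scan.exe and the DAT files.
  Assumed: /HTML may be passed on the command line together with /LOAD.
#>
param(
    [string]$ScanFolder = (Join-Path $PSScriptRoot 'Scan'),
    [switch]$NoHeuristics,   # drop /ANALYZE to see whether a hit is heuristic-only
    [switch]$Clean           # add /CLEAN only once a detection is confirmed real
)

$scanner = Join-Path $ScanFolder 'scan.exe'
if (-not (Test-Path -LiteralPath $scanner)) {
    throw "scan.exe not found in $ScanFolder"
}

# Report-only by default, matching the "no /CLEAN until I am sure" practice above.
$options = @('/ADL', '/ALL', '/MIME', '/PROGRAM', '/UNZIP', '/WINMEM')
if (-not $NoHeuristics) { $options += '/ANALYZE' }
if ($Clean)              { $options += '/CLEAN' }

# Persist the option set as the /LOAD file so every machine gets the same switches.
$optionFile = Join-Path $ScanFolder 'scan.txt'
Set-Content -LiteralPath $optionFile -Value ($options -join ' ') -Encoding ASCII

# One timestamped HTML report per host, kept on the USB key beside the scanner.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$report = Join-Path $ScanFolder ("{0}-{1}.html" -f $env:COMPUTERNAME, $stamp)

Write-Host "Running: $scanner /LOAD $optionFile /HTML $report"
& $scanner '/LOAD' $optionFile '/HTML' $report
$code = $LASTEXITCODE   # raw exit code only; no meaning is assumed for it here

# Small audit trail of what was run where, and what came back.
$logLine = "{0} {1} options='{2}' exit={3} report={4}" -f (Get-Date -Format s),
           $env:COMPUTERNAME, ($options -join ' '), $code, $report
Add-Content -LiteralPath (Join-Path $ScanFolder 'runs.log') -Value $logLine

Write-Host "scan.exe exited with code $code; report: $report"
```

    Typical use is a first pass with defaults (heuristics on, no cleaning), a second pass with -NoHeuristics when a hit looks like a false positive, and -Clean only for the confirmed ones; the two reports can then be compared side by side.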
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the additional tips and link Dave. It is very useful.

    Cya around,
    Rich
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    richrf,

    just for curiosity, did you scan the systems with Trend or Norton before using the other programs?

    Regards
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    Norton was the AV that was already installed on the system along with Norton Internet Security. The laptop is about one month old.

    The first thing I did was load FireFox. He ran Ad-aware which found lots of little spyware but the problems did not go away, which is why he talked to me.

    I turned System Restore off and I then ran Hijackthis, checked each entry with Google and then removed all questionable entries.

    I then scanned with Ewido Free. It was the easiest to download and scan with, so it got things going quick. It found about 200 different malware files (I am not sure how many were related to each other). I deleted those files and ran RegSeeker. I then ran the trial version of TDS-3 with the latest updates. It also found about 150 entries which I had to delete one by one because there is no mass delete in TDS-3 (at least as far as I can tell). I then ran RegSeeker again.

    By this time, I was able to get a trial copy of KAV 5.0 MP3 beta downloaded and installed it after turning off Norton. Immediately it trapped three programs which were identified as trojans and I killed them using KAV. I ran KAV but did not see the results since it was getting late. The next morning my friend told me that it found at least 100 additional files and he deleted them, but I think these may have been Ewido's quarantined files. So I do not know if KAV picked up additional infected files that TDS-3 and Ewido might have missed.

    At this point, it appears that the machine is clean (but who really knows). I am going to use Port Explorer and Filemon to do some additional inspection. I may try out McAfee's or NOD32 on the system. After that, we will probably install ProcessGuard and RegDefend.

    That is where we stand right now. He is pretty happy, but still getting over the shock of what happened. :)

    Rich
     
  13. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Norton could be the AV that is installed on the system, but with new signatures, if you make a complete scan of the system with Norton, maybe it can find more malware...

    Moreover, it's very bad that Norton let all those threats be installed on the system...

    I don't like Norton, mainly because of its resource use, but I thought that it had better detection...
     
  14. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi VaMPiRiC_CRoW,

    My friend had performed a complete scan using Norton prior to talking to me. That is why he was so shocked to see the other products identify so much malware. I won't repeat the words he used.

    I was a long time user of Norton up until about 2 years ago. I was attacked pretty bad, and that is what motivated me to find better security tools.

    Rich
     
  15. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    In summary: A very big company with a bad product in general...
     
  16. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    My friend, who had the problems with Norton and all of the trojans, came over tonight and I showed him ProcessGuard and RegDefend on my computer. Far from being "clueless", my friend has over 35 years working on system support of large mainframe computing systems (the type that run very large banking systems). He took one look at ProcessGuard and RegDefend and without any hesitation (he understood right away what they were doing), said that he wanted to purchase them for his machine. We will be installing them tomorrow.

    Going forward he will have KAV, because KAV did find all of the trojans that Norton missed, as well as ProcessGuard and RegDefend.

    Rich
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    This seems like when a person starts to have some health problems, and after going to the doctor, tries to do all the things he always should have done, but didn't know about... ;)
     
  18. Pollmaster

    Pollmaster Guest

    Thank God, finally a voice of reason.

    Rich

    I'm somehow less impressed by people who tell me they are "attacked" left and right, but when asked for details, only silence... It's hard to assess if these are real attacks or not, or merely an overly sensitive security app.

    Occasionally I find some trojans in my firefox cache , but they are totally inert and harmless, I suppose this is considered an attack to you?
     
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Why clean a badly infected machine? The best practice is to salvage the data, make sure that is clean, then format and reinstall Windows.
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Pollmaster.

    I have given all of the details many times. There were many trojans on the machine. I cannot tell if the dialer(s) were being blocked in all situations. Information was scarce about the trojans even though I did many lookups in different virus encyclopedias. One apparently was called Agent.bc. It looks like it was using ADS and BMPs to hide some stuff. Yesterday I had to use HijackThis ADS Spy to clean up lots of trojan remnants that were being detected by KAV.


    Rich
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Diver,

    Not clear how to salvage the data without trying to clean the data itself. As it turns out, the trojans were all over the place including in ADS that were attached to BMPs. However, that would have been the final measure, but we would still have had to determine if anything was transported over with the data. He of course also wanted to know the extent of the trojan penetration, if at all possible, so we went about finding all traces. Unfortunately, we came up with an indefinite situation.

    Rich
     
    Last edited: May 16, 2005
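    The hiding place richrf describes in the two posts above, trojan remnants stored as NTFS alternate data streams attached to .bmp files, is the kind of thing a scanner that only walks the primary stream never sees. The script below is an added example, not the poster's method and not HijackThis; it walks a folder, lists every named stream, and flags the ones worth a look using only built-in PowerShell (Windows PowerShell 3.0 or later, so a current machine rather than the 2005 laptop). The "suspicious" rule (an MZ executable header inside a stream, or any named stream other than the browser's Zone.Identifier on an image file) is this example's own heuristic; the script only reports, and the removal command is shown as a comment for the operator to run after review.

```powershell
<#
  Added example (not from the thread): list NTFS alternate data streams
  under a folder and flag the ones that look like hidden payloads. Uses the
  built-in -Stream parameter of Get-Item / Get-Content, so nothing is
  installed on the examined machine. The suspicious/benign rule is an
  assumption for illustration, not something the thread states.
#>
param(
    [Parameter(Mandatory)][string]$Root,
    [string[]]$ImageExt = @('.bmp', '.jpg', '.gif', '.png')
)

function Get-StreamHeader {
    # First two bytes of a named stream; handles both Windows PowerShell 5.1 and PowerShell 7.
    param([string]$Path, [string]$Stream)
    try {
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $b = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 2
        } else {
            $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2
        }
        return [byte[]]$b
    } catch { return [byte[]]@() }
}

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {
    # Every file has the unnamed ':$DATA' stream; only named streams are interesting.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        $hdr    = Get-StreamHeader -Path $file.FullName -Stream $s.Stream
        $isPE   = ($hdr.Length -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)   # "MZ"
        $onImg  = $ImageExt -contains $file.Extension.ToLower()
        $isZone = ($s.Stream -eq 'Zone.Identifier')   # download marker, normally benign

        $reason = ''
        if ($isPE)                        { $reason = 'MZ header in stream' }
        elseif ($onImg -and -not $isZone) { $reason = 'named stream on image file' }

        [pscustomobject]@{
            File       = $file.FullName
            Stream     = $s.Stream
            Bytes      = $s.Length
            Suspicious = ($reason -ne '')
            Reason     = $reason
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Inspect one hit before deciding anything (Windows PowerShell 5.1 form shown):
#   Get-Content -LiteralPath 'C:\path\pic.bmp' -Stream 'hidden' -Encoding Byte -TotalCount 64
# Remove a stream only after review; this script never does it for you:
#   Remove-Item -LiteralPath 'C:\path\pic.bmp' -Stream 'hidden'
```

    Run it as `.\Find-Ads.ps1 -Root C:\Users` (name assumed) and read the Suspicious column first; a named stream on a picture file that begins with "MZ" is about as clear a hiding place as the thread describes. Zone.Identifier streams on downloads are expected and are not flagged.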
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Well VaMPiRiC_CRoW, this was as close to a terminal case as I had ever seen. The machine had every conceivable problem on it - except maybe a rootkit. It looks clean now. I gave him some good "lifestyle" advice and hopefully it all works out.

    Next patient please!

    Rich
     
  23. Jaws

    Jaws Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    210
    Hi Rich,

    I commend your dedication to helping people. But you must get a life. LOL

    Best Regards,

    Jaws
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jaws,

    Yes. He is my best friend and he was in a jam. So I helped him out. But it was quite an effort. Messed up at tennis this weekend because of it. :rolleyes: I don't know what to do in the future. I hate to tell friends to wipe their disk clean .. but I don't want to do this every week. See no evil .. hear no evil ..

    Now for some sleep.

    Rich
     
  25. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Let them copy important data to CD / DVD's. Let them bring these backups to you, so you can scan them on your machine.
    In the mean time, let them reinstall Windows. Only thing left for you to do is to secure the new setup, and give them the cleaned data back :D
     