Cleaning up for Friends - My new pastime

Discussion in 'other anti-virus software' started by richrf, May 14, 2005.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Ssk,

    In retrospect this would be O.K., but at the time everything is a black box. We certainly didn't know the extent of the problem until we began actually running the tests. Remember, he did have Norton AV and Security Suite running, so neither of us thought it would be anywhere near this bad when I began looking at it. He also needed to know what types of trojans were involved and whether he was really penetrated. The results, unfortunately, are inconclusive.

    It is the nature of this kind of problem that nothing is really known until the work is completed. Of course, if it was a simple game machine, a complete restore would be a no-brainer. This was not the case.

    Rich
     
  2. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    I know, Rich :D
    Been there as well :D

    Since then, I'm a lot more careful about who I help...
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    rofl. :D I consider this whole thing a learning experience for myself as well as my friend. ;) Thanks for your empathy SSK.

    Rich
     
  4. cluessnewbie

    cluessnewbie Guest

    Darn it, you are giving away all our secrets....
     
  5. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    How is this available for free?

    From McAfee's website:

    In the link you provide above, you must accept the above terms acknowledging you have a current PrimeSupport agreement.

    I appreciate you can access the site and download the command line scanner and updates, but I'm not sure this really makes it free to use, legally. Perhaps someone could clarify this please?

    Ned
     
  6. Pollmaster

    Pollmaster Guest

    I'm looking for more specific details on how it got in, not what it does.
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Apparently, Norton didn't detect these instances of malware in either real-time or on-demand, and therefore the malware were able to install themselves very nicely (as they are designed to do), set up home, start logging all keystroke input, and begin to dial back to their friends overseas. Whether or not data was actually transmitted back is not known. If you are looking for specific details of how the malware got through, I would suggest you contact Symantec/Norton who, presumably, understand their products' design much better than I do. Maybe they didn't have enough money to employ engineers who can do what DiamondCS, Ewido, and Kaspersky were able to do - that is, detect the malware.

    Rich
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You can also get the McAfee command line scanner by downloading the superDAT update and running "sdat[####].exe /e"; this will extract the files to the directory the sdat file is in, including scan.exe, which you can then run. Since the other one listed above uses beta sigs, this might be a more reliable option.

    Hitman Pro uses this and automatically runs the scan for you. If you already have another virus scanner you may have to disable it, however. NOD32 detects scan.exe as prob unknown script virus. edit: going to the Hitman Pro website, they do also mention that you should have this agreement before using, and refer you to this page for details: http://www.mcafeesecurity.com/us/support/technical_support/overview.asp

    Disclaimer: Using the sdat file this way may not be legal without a license/PrimeSupport Agreement. Even if it is legal to use it this way, you should still purchase a license if you plan to use their scanner. With the very cheap deals around, it shouldn't be hard to find one at a price you can justify for your intended usage.
     
    Last edited: May 21, 2005
  9. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    If you are going to persist in this anti-Norton diatribe, then you should send me [or another person who can test] some samples to look at. You didn't send Symantec any samples either. So stop posting bullshit comments like this .. P.S. this is [by my count] the third thread you have gone on about this incident, don't you think you've gotten enough mileage out of it? If it will make you feel any better, I'll publicly confess, NAV Sucks, it can't detect a damn thing nor prevent malware from freely flowing into the system ..
     
  10. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Symantec is in general ok, but every time one week too late. C'mon, you can't use weekly updates in these days :rolleyes: even if you release 7x as many signatures they can be 7 days too late and you have a PC full of garbage.
    They have (and even use) incremental updates, so I really don't understand their point. They can update their huge stand-alone updaters daily, while small (few KB) auto-updates are left at a 1 week interval. Stupid logic.
     
  11. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Right attitude. Don't give up. If you could be more familiar with the Finnish "Sauna", you could be invincible with the accelerating steam it offers you. I love that power of yours! :D

    Best regards,
    Firefighter!
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Randy,

    If someone asks me if I would recommend Norton, I would say absolutely not. What possible reason do I have to recommend Norton? It was terrible for me, for my son's machine, and it was terrible for my friend. I don't think that is a good enough reason to recommend it to anyone.

    But if you think Norton is a good product, as others do, then I hope you keep recommending it. This world is big enough for many AVs depending upon tastes and experiences. I personally am only interested in relating my experiences to others so that they can make informed choices. Norton AV is definitely one product I would never recommend.

    Rich
     
  13. Dave-54321

    Dave-54321 Guest

    Correct, you are expected to have a current "PrimeSupport" agreement in order to download those quality approved DAT files. However, the Beta DAT files that I posted a link for in post#28 are free to use but have not yet been quality approved. Personally, I prefer the Beta DAT files and use them on a daily basis and have never had any issues with them. Only the most recent virus signatures in those Beta DAT files have not been quality approved and would most likely go through that process the following day or two.

    - Dave
     
  14. realdeal

    realdeal Guest


    I don't use ANY of those products and NEVER get infected (NO spyware, adware, trojans, keyloggers or viruses). :)

    There are MANY routes to a more secure pc, and a lot of them are completely free, and work VERY well for myself and those I know.

    Kav+Pg+Rd is NOT the only way to a more secure pc, and I don't feel it is the best way either IMO. ;)
     
  15. Ned Slider

    Ned Slider Registered Member

    Joined:
    Mar 24, 2005
    Posts:
    169
    But you're still using the command line scanning engine with those beta DATs, and presumably that falls under licence restrictions too?

    Like you, I appreciate the power and convenience of the McAfee command line scanner and would like to be able to recommend it to others, but I just can't see that it is legal to do so.

    Ned
     
  16. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That said, disclaimer added. It's kinda hard to not justify buying a copy of something you use regularly anyway.
     
  17. Pollmaster

    Pollmaster Guest

    How did they install is the question. An exploit? user executed? What?

    It isn't so much an anti-Norton diatribe as marketing for KAV, DiamondCS and Ewido. After all he bashes Trend too and I bet AVG, AVAST and everything else he doesn't use. ;)
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    "If something can happen, it will" - Murphy's Law

    The thesis that one good AV is sufficient is greatly lacking in my opinion. There are far too many holes that can and will be penetrated. It is for this reason that, several months ago, I adopted a standard "layered" approach that is often suggested here on Wilders.

    The suggestion that Norton's suite, Trend Micro's suite, or any other suite can protect someone on the Internet proved to be quite false in my experiences - many times over. In my opinion, all of these products minimally require an anti-trojan (e.g. Ewido, BOClean, TDS-3, TrojanHunter) and anti-spyware (e.g. Counterspy, Ad-aware). In fact, based upon my cleaning experiences, these "good" AVs probably require more than one of each class of software, because once malware gets on a machine, it is extremely difficult to get it off.

    The best approach, in my opinion, is not to settle for second (or third) best. It is to completely stop the malware from ever getting on the system to begin with. For this reason, I only recommend what I consider the most comprehensive anti-malware software that is available. I don't recommend what is "free" or "good", because I do not believe that these products are sufficient.

    I feel quite comfortable recommending Kaspersky's AV products (sans ADS), as well as McAfee (with daily updates). I do not believe either of these is sufficient, because there is no layering per se. For this reason, I recommend pro-active protection to assist in keeping the door shut on malware. These products include ProcessGuard and RegDefend. I do not recommend Prevx because the company includes behavior monitoring software in their free version, a trend that I do not support. I do not recommend SSM at this time because I feel it is too unstable and is still in beta.

    I also run WormGuard to protect me from the "scripting" hole that exists in Windows. There are other products on the market that protect against scripting such as Script Defender and Script Sentry but I have not used any of them extensively so I personally cannot recommend them, though others certainly have.

    Beyond this, I personally have all of the ATs that I have mentioned previously. They are all excellent ATs, but they so far appear to be redundant in an environment that is proactively defended. However, Ewido free is available as an on-demand scanner and I wholeheartedly recommend it. And if someone is looking to see whether their machine is clean, I would certainly recommend trialing products like TDS-3 and TrojanHunter. Someone may decide to run one of these products in real-time, for added protection.

    When I was a child, maybe 3 years old, I was taught by my parents, never to leave the front door open. Not 80% open, not 90% open. It is to be locked shut. And when someone rings the bell or knocks on the door, I should ask first before opening it. 50 years later, this advice still holds true.

    Rich
     
  19. Pollmaster

    Pollmaster Guest

    Rich, you excel at nice long speeches and lectures which say nothing. Would be impressive if you backed it up with technical details.
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    In my experience with NAV I was generally, but not solely, limited to once a week updates. During periods of high virus activity I received up to three updates per week via LiveUpdate, which I found to be problem free by the way.
     
  21. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    This proactive stuff is all well and good, but it generally relies on the user and the choices they make. For example, RegDefend: something wants to change the registry, so RegDefend asks you if it's ok and tells you what it wants to change. The user says yes or no. Doesn't ProcessGuard do something similar but with files and running processes? It all leaves the opportunity for the user to select the wrong response. "Damn, maybe I should have clicked no as my pc is acting very much like it's being owned". I don't use these two products so maybe I have a misconception that a user could mess things up by selecting the wrong choice. Please enlighten me if I have misinterpreted this possibility with both of these proactive applications.

    muf
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As usual....we have threads from time to time that remain active and most of them are very informative....as this one is....minus the dribble.

    Let's keep the personal attacks to ourselves....and let this informative thread proceed.

    Thanks,
    Bubba
     
  23. Pollmaster

    Pollmaster Guest

    Exactly the point. PG offers close to zero protection against classical trojans that trick the user into installing them because they think it is something useful. If you already decided to install something which happens to be malware, PG isn't going to help.

    That said PG is useful in the following cases

    1) Some exploit causes an autoexecution/installation of malware; PG will hopefully notice it starting up and alert you.

    Realistically speaking this is a rather small possibility if your system is fully patched, except in the case of zero days.

    2) If said trusted process tries to start another, but again, whether to allow or disallow this is iffy, unless you know what you are doing.

    3) When a trusted proggie starts to install global hooks or install drivers and you think it shouldn't. Yet another area where the user has to have the expertise to decide if this program should or should not do this.

    Maybe most users of PG are expert enough to decide if proggie x should be allowed to install drivers and hooks, but I certainly don't have the expertise.

    4) process termination.

    I personally think RegDefend might actually be easier to use for most people, because it's easier to understand what exactly RegDefend is blocking - essentially autostarts via registry.

    It's basically just a souped up WinPatrol/StartupMonitor, which are getting pretty popular.
     
  24. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Thanks for clearing that up. I wasn't too sure but had an idea from what I had read. They are mainly for knowledgeable users then, but are still open to the user making a bad judgement. Making the wrong choice would be pretty much like a false positive, where a non-proactive application would remove it after the event. There's no infallible protection even with proactive measures. I suppose proactive would in theory be better, but then again unless you know what you are doing you could end up trashing your pc completely if you kill/block the wrong thing. Food for thought and consideration once I make the leap to XP, although the saying "If it ain't broke, don't fix it" springs to mind. Might just stick with what I already have.

    muf
     
  25. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Muf,

    Actually, ProcessGuard is pretty easy to get used to, and I think far superior to "signature" protection, which basically asks the user to "figure things out" after the fact. Anyone who has ever had to "stop a program" vs. "clean up after malware" can attest to this.

    What normally happens with PG is this:

    1) The user puts it in learning mode and all applications that are normally used are given their necessary permission.

    2) From time to time, updates are required, maybe to a security program or the operating system. When these update programs run, the user can either give them permission, if they recognize them, or not give them permission and research them. My friend, who just had PG installed, quickly learned how to look up the programs using Google.

    3) If something unusual pops up out of nowhere, maybe while browsing, then the user only has to deny permission until the program is researched. Usually, the AV will trap it first (as is usual), but sometimes something unexpected does happen (a program may request a global hook) and the user just denies it until there is a chance to research it.

    The only time there may be issues is when Windows Update runs. I just turn PG off until it is over. Between trying to clean a machine, somehow making sure a machine is really clean (something that is almost impossible nowadays), and learning the simple aspects of PG (how to answer yes and no), I far, far prefer ProcessGuard and RegDefend. There is nothing like keeping "roaches" out of the home. Once they are in, it is almost impossible to exterminate them completely.

    The configuration is very simple:

    1) A top AV
    2) ProcessGuard
    3) RegDefend
    4) WormGuard

    Far, far easier than running anti-trojans and anti-spyware, and answering all the questions that these products might pose. (How many machines have been damaged by false positives, or inability to completely clean a machine). Believe me, life has been very simple once I installed PG and RegDefend along with Kaspersky.

    Rich
     