Malware removal - How effective?

Discussion in 'polls' started by rerun2, Jan 25, 2005.


Malware removal - How effective?

  1. Good

    6 vote(s)
    22.2%
  2. Could use improvement

    13 vote(s)
    48.1%
  3. Considering the threats, not much can be done

    4 vote(s)
    14.8%
  4. Poor

    4 vote(s)
    14.8%
Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Short story, feel free to skip...
    Today I encountered another heavily infected computer. This time with ibistoolbar, vx2, and a host of other nasties. No CWS to my surprise and relief though :rolleyes: . Went through with adaware, spybot, ewido, microsoft antispyware, hijackthis, pocketkillbox, safe mode, apt, regedit, etc etc. I was able to get rid of everything except for wintools. Most (if not all) of the scanners I used detected it. But none could remove it. Couldn't delete it in safe mode, couldn't delete it with pocketkillbox, couldn't delete it after hijackthis, can't delete or change the registry values (it will just refill them in) etc etc. I was thinking of trying one of those bootdisks when I stumbled upon the symantec huntbar removal utility http://securityresponse.symantec.com/avcenter/venc/data/adware.huntbar.html . Having had luck with the symantec virtumundo removal utility I gave this one a try as well. It deleted three registry values but at the end of the scan said it did not find any instances of huntbar. I rebooted into safe mode and to my surprise there were no strange processes running in task manager. I then easily deleted the wintools folder. Prevention would have saved a lot of work, but a computer with good security measures already in place is quite difficult to find nowadays.

    My poll question
    So I am wondering how would you rate the removal techniques used in scanners? To me it seems like they are lacking against some of the latest adware threats. Having been overly familiar with cws, virtumundo, vx2, and now ibistoolbar, some of them seem to employ similar "protection methods" that make it difficult to remove by scanners. If there was a way to generically remove these types of threats, I think it could possibly make this gap closer. What are your thoughts?

    Note: I am not speaking of prevention, detection, etc. My poll is directed towards malware scanners and how effective you feel their removal methods are.
     
  2. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Problems seem to include: the fact that you often have to use more than one tool to remove all malware (ad-aware, spybot, etc.). The fact that sometimes when you remove malware, the computer still tries to load the malware at start up and alerts you with an error message.

    Jimbob
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I find hjt still one of the best solutions there is.

    cheers
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Not very effective in my experience; many of the new spyware/malware are very hard to remove and require manual deletion, which is very time consuming and requires some expert knowledge. It can take far longer to clean a system than it does to re-install, but re-install is sometimes out of the question when the machine holds important and un-backed-up data.
    I doubt whether generic deletion methods would be possible, as the overhead of such a complex tool would be crippling.
    Prevention is still the best answer, starting with user education, another very complex and time consuming task.

    Pilli
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Nicely spoken Pilli ;)
     
  6. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I agree Pilli. In fact prevention is one of the more difficult aspects of security, as security in and of itself is reactive in nature. But to keep it simple I'd rather not really argue the point of prevention vs removal after the fact in this poll, I hope that is understandable :) . I think many of us would prefer prevention heh.

    Do you think this would be possible if more vendors implemented malware specific plugin use for their scanners? For example Ad-Aware has the vx2 plugin but is not very effective.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    In order to accurately answer your question....I would first need to know what you consider malware. While I see references to adware\spyware programs....I see no mention of Anti-virus\trojan programs. So my question is....what is your understanding\definition of malware?
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Good question Bubba, I would like to know myself.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Woo, there are many sides to that coin!
    Signatures can be rebased fairly easily by malware writers, hence the ever growing number of signatures for things such as Viruses, Trojans, CWS, LOP.com and VX2 etc. etc. Where will it end? Heuristics can play a big part in reducing risk but can lead to false positives. Generic unpackers might help with some of the more dangerous malware.
    Let's look at how the layers of defence have grown over the past few years for personal users.
    Anti-virus and Anti-Trojan came along first, then firewalls, mainly as a result of BroadBand being widely disseminated, then Ad blockers, parental control, cookie coppers and much more recently registry protection and Anti-Spyware; add to that the latest tools like System Safety Monitor, ProcessGuard & Prev-X. Where will it end?
    We are being overloaded with numerous tools specialising in catching, stopping and removing numerous threats.

    The costs to business worldwide are unimaginable, let alone the time wasted by personal users, but it will only get better once business and governments have had enough and throw lots more money at the problem. IMHO the unfortunate side effect of this will be less freedom for everyone.

    So no, I do not know the answer. Nobody owns the Internet it is like a lawless state and reflects the basic rule of life - Survival of the fittest.

    I find it very sad. Pilli
     
    Last edited: Jan 26, 2005
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    -------------
     
    Last edited: Jan 26, 2005
  11. Terryala

    Terryala Rest in Peace

    Joined:
    Sep 2, 2003
    Posts:
    60
    Have to agree with Bubba. So many types of Malware are out there. We seem to use the term "Malware" for all nasties and no one Program/Scanner seems to cover them all. End up, as has been posted, having to use several to make your Computer safe or clean.

    It kinda boils down in the end to the people that do HJT logs and help others one on one to get rid of nasties. We see them using several programs to clean up a computer.

    So I guess my answer is there is no one program/scanner that does it all. Like all here I wish there was, and if there was, that people would use it. The main problem is getting people that are using the internet to keep their Computer clean by using things like A/Vs and Firewalls for a start.

    Grand Dad
     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Interesting Terryala, one program to cover them all...that would be some kind of generic, behaviour detection program, because another solution for this I don't think is possible. A signature based scanner is kind of outdated already...

    I'd rather personally depend on four different tools to catch them than a one for all (and mostly all for one) utility...

    Generic/behaviour detection is the only way to go; at the end it will be better for the company who made it I guess, no more signature updating every day...and that is profitable ;)
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    To a certain extent that is what NOD32's Advanced heuristics, SSM, PG & Prev-X are doing but none yet cover all :) Prevention is far, far better than cure. :D
     
  14. Terryala

    Terryala Rest in Peace

    Joined:
    Sep 2, 2003
    Posts:
    60
    Hi Infinity. Agree it sounds like a large task to create such an all-in-one program. But as has been mentioned in this thread, when large companies get tired of losing money due to network down time (Dollars lost) because of the nasties, something might be done. I think we see a trend towards something like that with A/V and Firewall developers coming out with Suites. Agree not a cure all.

    But until then, like you, I run several programs as I guess we (Some, Well maybe a few) all do to try and stay ahead of the problem.

    Grand Dad
     
  15. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I don't believe in suites and I think they will lose the purpose they want to be aiming at...I don't know one suite that offers decent protection for all types of malware. And then again, I'd rather have four different apps than one large suite, because the downsides of having such a suite are just too big at the end, at least on my behalf they are; maybe for someone else it could be different.

    Maybe in the future they will be upgrading their programs to a more generic way of detection; heuristics is one way (and nod rules in this segment), the way pg and ssm work is another way...

    Maybe one day a combination of tds-3, pg3 and port explorer will come out and we could have that tool we are mentioning.

    But then the firewall part and antispyware part would be missing, so that wouldn't be a complete suite.

    Maybe I am wrong here, I just don't like the idea. That is all.
     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Add to this 'fictive program' the advanced heuristics of NOD32 and I'll buy you a six pack :D
     
  17. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I would define malware as including adware, spyware, worms, trojans, virii, etc. Some people define it as "malicious software designed specifically to damage or disrupt a system." But I am sure loopholes can be found in such a general definition, so that is why I tried to stay away from explaining it too much. But hopefully you get the idea. Either way I do not think this is the largest point in this particular poll.

    I specifically mentioned adware/spyware scanners because I thought it would make a good example for this poll. But I did intend to include anti-virus and anti-trojan scanners as well when creating the poll (thus the use of the term malware). I just did not mean to include programs like firewalls, system firewalls, etc, as they are not really "scanners."

    It is up to the anti-malware vendor whether they want to add detection for a specific threat. But once they have added detection, do you think it is possible for further development and research on how to disable the protection employed by the threat so that it can be removed more easily in the future? It seems to me that most scanners can detect the exe files, dll files, and registry entries associated with a certain type of malware, but they just need to disable the protection used by the malware long enough so that they can delete them. Is this possible with the various kinds of threats out there, or is this just beyond the limitations of the scanner and hindered by the resources available?

    Thank you everyone for participating. It is much appreciated.
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Sure it is.....now those folks wishing to vote understand what you are meaning concerning....Malware removal - How effective?....and that you are meaning Anti-virus,trojan,adware,spyware.

    I personally feel most all major players as far as Anti-malware vendors are concerned have their hands full today and do their darndest in staying on the heels....if not one step ahead via heuristics....in helping us squash the scumbags of the world.
     
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I do believe it is a full time job trying to stay ahead of the malware out there. Most of the program writers deserve some credit instead of complaints that they didn't detect or clean a certain piece of malware. Especially the free program writers.

    bigc
     
  20. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    ***Malware or not malware, that is the question...

    We live with bacteria (stomach...) which could not be considered dangerous because they're not pathogenic and don't threaten the integrity of our health.

    It's the same for a computer: some adware/spyware can live on our system without real danger.
    But is it a reason to tolerate them?
    And why should we worry about it? Why become hypochondriac about a machine?

    ***No need to study medicine or pharmacy to think like Hippocrates: better to prevent than to cure!

    Security of computers is like a funny war game.

    And Attack always has a little advantage against Defense: the best hacking methods are often a mix of well-known techniques and personal research.

    Exploits and vulnerabilities are discovered each day...

    Consequently, all kinds of scanners (signatures, behaviour, heuristic) are often behind time against new malware (Sasser for instance).

    That's why I believe more in the approach of an Infection Prevention System like ProcessGuard, Viguard or Abtrusion Protector.

    The best method, in my own opinion, is to vaccinate or immunize the system and finally, to maintain it "always" safe, or as healthy as possible.

    This kind of approach is interesting for many security editors: Panda for example has included the "TruePrevent" technology in the last version of the AV Suite.

    But even with the absolute soft, the problem will always be between the chair and the keyboard.
    The user has to educate himself about security, even if it only concerns a machine which is not more important than a television or a dishwasher.

    Best Regards
     
  21. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Thanks again for all the replies, and yes, anti-malware vendors in many cases do deserve a lot more credit than they are given.

    You are right, classification can be a real "iffy" subject; that is why I did not want to get into it too much in this thread, as it can be an entirely new topic of its own. But usually adware/spyware that are detected are done so for a reason, where it actually does harm to the computer or invades the user's privacy.

    Adware/spyware however is a big problem and in many cases can be directly related to instability, performance degradation, legitimate programs not working correctly, windows error messages, etc. Even downloaders which are relatively harmless (by themselves) can download other malicious programs with a much higher level payload. And considering how big a part computers have played in our daily lives and work, it can affect productivity.

    Prevention is important, but one must also consider removal. Especially when the preventive measures have failed. This is why I would prefer to concentrate on this issue alone for the subject of this thread, even if I do recognize the importance of prevention and programs like PG and SSM.
     
  22. KERANO

    KERANO Guest

    We can call them all with one word - PARASITES

    Panda Internet Security 2005 is trying to cover all these threats but not very successfully :(
    Panda lacks in definitions but we should take a look from a different aspect, like involving new technology or features, and they are no. 1 in that way.

    - They first started to use an ONLINE scanner
    - They first started to add spyware-adware detection before any other AV vendor
    - They second started to sell Internet Security with integrated firewall protection (Pc-chillin was first)
    - Adding of registry monitor
    - TruePrevent, new way of active heuristic scanning
    - Newbie interface, very easy to use...

    They just need f-secure definitions to be a TOP3 product.

    In my experience I always saw Panda bring something new, then within a year other companies start to use that too...

    (correct me if I'm wrong)
     
  23. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    These hard to kill PARASITES all require restart in safe mode. If you automate the procedures required since the PARASITES have already protected themselves they can just remove the cleaning script before it completes. Until there's a way to block infection in the first place (I bet nobody running AdAware SE Plus with AdWatch got infected without knowing about it first) there's no automatic removal procedure available because of the nature of the beast. It has got to be a manual removal. Your pre-infection protection can be automatic and will only protect you if it is.

    Did that make sense or should I re-word it?
     
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Well, computer security is something that's evolving everyday. You never know what may happen the next moment.
    How tight can security get? Extremely tight.
     
  25. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    No, that makes perfect sense :)

    However, even safe mode has not been very helpful against some of the more advanced threats.

    But I too wonder how much of a decrease there would be in infection rate with AdWatch in place. Thank you for contributing.
     