A Windows 98 & ME forum. Win98banter


Virus scans and safe mode

  #1  
Old December 24th 04, 11:45 PM
Earl

Still learning. Was reading post below and is it better to check for
viruses, spyware etc. when in safe mode? Also seen somewhere to open
or unhide system hidden files as something bad may be hiding there. Not
sure how to do this and sure do not want to goof something up. Windows
98 SE, Avast, ZoneAlarm, and Spysweeper.

  #2  
Old December 25th 04, 12:10 AM
PA Bear

Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden
Files enabled) may prove helpful in certain situations. As a general rule
of thumb, however, scanning in a Windows (normal) boot is the way to start.

How to:

Restart in Safe Mode
http://service1.symantec.com/SUPPORT...01052409420406

Enable Show Hidden Files
http://service1.symantec.com/SUPPORT...02092715262339

Run a full system AV scan in safe mode (Steps 1-3)
http://aumha.org/forum/viewtopic.php?t=5878

Reconfigure Ad-aware SE v1.05 (core) for full scan
http://aumha.org/forum/viewtopic.php?t=5877
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)


Earl wrote:
> Still learning. Was reading post below and is it better to check for
> viruses, spyware etc. when in safe mode? Also seen somewhere to open
> or unhide system hidden files as something bad may be hiding there. Not
> sure how to do this and sure do not want to goof something up. Windows
> 98 SE, Avast, ZoneAlarm, and Spysweeper.


  #3  
Old December 25th 04, 06:22 AM
Earl

Thanks for the help. Very useful.

  #4  
Old December 25th 04, 08:00 PM
PA Bear

YW, Earl. Happy Hollydaze.
--
~PA Bear

Earl wrote:
> Thanks for the help. Very useful.

  #5  
Old December 26th 04, 11:48 AM
cquirke (MVP Win9x)

On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear" wrote:

> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden
> Files enabled) may prove helpful in certain situations. As a general rule
> of thumb, however, scanning in a Windows (normal) boot is the way to start.


I disagree completely, especially for traditional malware (viruses,
worms, trojans). Unlike commercial malware, these don't have to
pretend to be legitimate software, and there is no limit on how
aggressive or malicious they can be. The state chart:

              Detection   Cleaning

  Formal      Safe        Maybe
  Hosted      Maybe       Maybe
  Informal    Maybe       Maybe

The values of "maybe" range from "is usually OK, so far so good with
currently known malware" to "quite a few malware can render this
unsafe". The highest-risk activity is informal cleaning attempts.

I should clarify what "formal", "informal" and "hosted" are :-)

"Formal" is where you run no code from the ?infected system at all.
You don't boot off the HD, you don't run any driver code off the HD,
your av (antivirus) is not run from the HD, and the OS you used is
smart enough not to "put things in its mouse" (like a drooling
toddler) when it operates on the infected file system.

"Informal" is where you break the above rules to some extent, from
using a CD-booted OS that runs a hostile \Autorun.inf when "exploring"
the infected C:, to the sheer madness of booting the infected system,
connecting to the Internet, navigating to an av web site via potential
malware re-direction, then trying an "online scan" of the whole PC.

I use the term "semi-formal" where one ASSumes the malware requires
code you aren't running during the scanning process; chasing a Word
virus in Windows but not running Word, or chasing most modern
(Windows-dependent) malware after booting the HD into DOS mode.

"Hosted" is where you drop an ?infected HD into another PC and scan it
from there. This is at least semi-formal, but there's the added risk
that dropping the ball could infect the host system. There's also
non-malware risks posed by (and to) the host system, if the OS
inappropriately "integrates" the HD. WinME and NT are risky here.


"Passive" malware infection is where malware content is present on the
system, but has never been interpreted or run. For example; you
receive an emaul attackment, but it hasn't spoofed the email app into
running itself, and you haven't "opened" it yet.

"Active" malware infection is where malware content has been run, and
therefore one has to consider risks of counter-attack. Typically, the
malware will be active whenever the HD's OS is running. Most modern
malware do defend themselves against av; some also defend against
firewall and other defensive tools such as Regedit or MSConfig, but at
present there are few that take punitive/destructive measures.


Windows-based av is a good "goalie of last resort"; after all other
defences have failed or been bypassed, it's supposed to catch malware
before it runs, when that material is "opened".

If you suspect active malware, then your Windows-based av has failed,
as has everything else you normally do to protect yourself. You have
to assume the active malware can defend itself against that av, and
consider it could react destructively to attempts to kill it.

So IMO you need something stronger than a friendly bobby-on-the-beat
to tackle active malware. You need a take-no-prisoners SWAT team.

(good tips snipped)



---------- ----- ---- --- -- - - - -

Proverbs Unscrolled #31
"Mary and me on the beach.JPG .pif"
---------- ----- ---- --- -- - - - -

  #6  
Old December 26th 04, 10:11 PM
PA Bear

Inline:

cquirke (MVP Win9x) wrote:
> On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear" wrote:
>
>> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden
>> Files enabled) may prove helpful in certain situations. As a general
>> rule of thumb, however, scanning in a Windows (normal) boot is the way
>> to start.


> I disagree completely, especially for traditional malware (viruses,
> worms, trojans).

snip

Disagree with what? The benefits of scanning for malware in Safe Mode in
certain situations? The benefits of scanning for malware in normal
(Windows) mode?

> Windows-based av is a good "goalie of last resort"; after all other
> defences have failed or been bypassed, it's supposed to catch malware
> before it runs, when that material is "opened".
>
> If you suspect active malware, then your Windows-based av has failed,
> as has everything else you normally do to protect yourself. You have
> to assume the active malware can defend itself against that av, and
> consider it could react destructively to attempts to kill it.


Chris, not all malware are Trojans or Trojan-like, not all AV apps include
definitions for Trojan-like malware, and no AV app that /does/ include such
definitions can protect against or identify the very newest ones or very
newest variants.
--
~Robear

  #7  
Old December 27th 04, 07:58 PM
cquirke (MVP Win9x)

On Sun, 26 Dec 2004 17:11:46 -0500, "PA Bear" wrote:
> cquirke (MVP Win9x) wrote:
>> On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear" wrote:
>>
>>> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden
>>> Files enabled) may prove helpful in certain situations. As a general
>>> rule of thumb, however, scanning in a Windows (normal) boot is the way
>>> to start.
>>
>> I disagree completely, especially for traditional malware (viruses,
>> worms, trojans).
>
> Disagree with what? The benefits of scanning for malware in Safe Mode in
> certain situations? The benefits of scanning for malware in normal
> (Windows) mode?


Sorry, I wasn't at all clear, was I?

The bit I disagree with is scanning informally, i.e. looking for
unknown malware in normal Windows mode, where it's most likely the
malware will be running at the time. I consider that risky.

I do agree that Safe mode is helpful at times, and that one should
show hidden files (and I'd always unhide file name extensions!)

>> Windows-based av is a good "goalie of last resort"; after all other
>> defences have failed or been bypassed, it's supposed to catch malware
>> before it runs, when that material is "opened".


>> If you suspect active malware, then your Windows-based av has failed,
>> as has everything else you normally do to protect yourself. You have
>> to assume the active malware can defend itself against that av, and
>> consider it could react destructively to attempts to kill it.


> Chris, not all malware are Trojans or Trojan-like, not all AV apps include
> definitions for Trojan-like malware, and no AV app that /does/ include such
> definitions can protect against or identify the very newest ones or very
> newest variants.


I'm thinking in terms of that first approach, when you don't know
whether you will find traditional malware such as viruses, trojans or
worms, or commercial malware, or both.

Traditional malware are the most likely to take destructive action, as
well as hide from informal scanning, so that's why I'd like to make
sure they are not present before doing anything else.

These days, commercial malware is so common that we almost forget
about the really bad guys. Circumstances prone to "catching"
commercial malware are also likely to expose the system to traditional
malware too, so IMO one should always exclude that, and early.

I do agree that the av you might use to look for traditional malware
isn't going to detect commercial malware, or quite a few trojans, for
that matter. So yes, you'd still be using tools dedicated to those,
and those tools typically have to be run informally.

While "safe mode" isn't, it's currently the best one can do with
commercial malware (unless you can get these tools to run effectively
from a Bart boot, including having them operate on the HD
installation's registry). But I've found one has to use not only Safe
Mode, but specifically Safe Mode Command Prompt Only, when tackling
commercial malware on XP systems. Else the tools often fail to fix
the cm, as the latter's gone active via Explorer integration.


As I mentioned in an elist response to you, I'm interested in your
logic in advocating normal Windows instead of Safe Mode as the
starting point - is this to ensure one starts cleanup from the
most-likely-used user account, to avoid "orphaned" settings?



---------- ----- ---- --- -- - - - -

Proverbs Unscrolled #37
"Build it and they will come and break it"
---------- ----- ---- --- -- - - - -
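
Chris's advice to unhide file name extensions and his signature line point at the same trick: a name such as "Mary and me on the beach.JPG .pif" reads as a picture, while Windows treats it as a program. The script below is an added illustration (my code, not from either poster) that models what Explorer displays and flags such names; the extension lists are constructed and not exhaustive, and the NeverShowExt behaviour of .pif/.lnk is modelled in simplified form.

```python
import re

# Constructed, non-exhaustive lists: extensions Windows runs as code, and
# document-like extensions that are used as decoys in front of them.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk", "reg"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "png", "txt", "doc", "xls",
              "pdf", "mp3", "avi", "htm", "html", "zip"}
# Types whose file class carries NeverShowExt: Explorer hides these even when
# "Hide file extensions for known file types" has been switched off.
NEVER_SHOW_EXT = {"pif", "lnk", "url", "scf", "shs", "shb"}

# A stem ending in ".EXT" plus optional padding spaces, e.g. "photo.JPG     "
_DECOY_RE = re.compile(r"\.([A-Za-z0-9]{1,4})(\s*)$")


def split_ext(name):
    """Return (stem, real_ext); real_ext is the lowercase final extension or None."""
    stem, dot, ext = name.rstrip().rpartition(".")
    if not dot:
        return name, None
    return stem, ext.strip().lower()


def displayed_name(name, hide_known_ext=True):
    """Simplified model of the name Explorer shows for this file."""
    stem, ext = split_ext(name)
    if ext is None:
        return name.rstrip()
    if hide_known_ext or ext in NEVER_SHOW_EXT:
        return stem.rstrip()          # final extension is not displayed
    return name.rstrip()


def classify_attachment(name):
    """Flag a name that reads as a document but actually ends in an executable type."""
    stem, ext = split_ext(name)
    flags, decoy = [], None
    if ext in EXECUTABLE_EXTS:
        flags.append("executable_extension")
    if ext in NEVER_SHOW_EXT:
        flags.append("always_hidden_extension")
    match = _DECOY_RE.search(stem) if ext is not None else None
    if match:
        decoy = match.group(1).lower()
        if decoy in DECOY_EXTS:
            flags.append("decoy_document_extension")
        if match.group(2):            # spaces pushing the real extension out of view
            flags.append("whitespace_padding")
    if "executable_extension" in flags and decoy in DECOY_EXTS:
        verdict = "disguised_executable"
    elif "executable_extension" in flags:
        verdict = "executable"
    else:
        verdict = "ok"
    return {"name": name, "real_ext": ext, "decoy_ext": decoy,
            "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample attachment names, including the one from the signature.
    for sample in ["Mary and me on the beach.JPG .pif", "invoice.doc.exe",
                   "report.pdf", "setup.exe"]:
        r = classify_attachment(sample)
        print(f"{r['verdict']:<22} shown as {displayed_name(sample)!r:<34} {r['flags']}")
```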

  #8  
Old December 28th 04, 01:42 AM
PA Bear

cquirke (MVP Win9x) wrote:
snip
> As I mentioned in an elist response to you, I'm interested in your
> logic in advocating normal Windows instead of Safe Mode as the
> starting point - is this to ensure one starts cleanup from the
> most-likely-used user account, to avoid "orphaned" settings?


Keep in mind that my frame of reference is in helping others via forum posts
and that asking some of these clueless users to do something in Safe Mode
right off the bat will send them running to the hills. First I want to
see if they can follow (or have followed) directions. (You'd be
surprised...)

Some (simple) 'hijackware' can be effectively ID'ed and removed in normal
(Windows) mode with the assistance of CWShredder, Ad-aware and Spybot. When
a user is having problems even running these tools (whether such problems
are caused by the hijackware or by PBUAK), running them in Safe Mode often
helps.

There are times when a HijackThis (HT) log generated in Safe Mode will
reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where
the log may not show the hidden files (which experience has taught us are
lurking in there somewhere) causing 'filename.dll' to be created and
present. In such cases, HT will reveal more if run in Safe Mode after
enabling Show Hidden Files.

Similarly, full system AV scans often will not find (or be able to fix)
infections when run in normal mode. In such cases, scanning in Safe
Mode/ShowHiddenFiles environment is required. You will find thousands of
Symantec pages where the Removal instructions include this and where there
is more to do than scanning with NAV, in normal or Safe Mode, to remove the
parasite(s).

Hang out in http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html, or
http://forum.aumha.org/viewforum.php?f=30 for a while (or even take
"ownership" of a few threads). You're sure to learn a lot, very quickly,
Chris.
--
~Robear

  #9  
Old December 28th 04, 12:01 PM
cquirke (MVP Win9x)

On Mon, 27 Dec 2004 20:42:36 -0500, "PA Bear" wrote:
> cquirke (MVP Win9x) wrote:
>
>> As I mentioned in an elist response to you, I'm interested in your
>> logic in advocating normal Windows instead of Safe Mode as the
>> starting point - is this to ensure one starts cleanup from the
>> most-likely-used user account, to avoid "orphaned" settings?
>
> Keep in mind that my frame of reference is in helping others via forum posts
> and that asking some of these clueless users to do something in Safe Mode
> right off the bat will send them running to the hills.


Yep. It's a bit of a horse-and-water situation, and my approach has
always been to aim for complete advice even if that requires them to
"grow into". I always worry that if I choose basic advice A over
intermediate advice B, and it causes hard-core problem C, the users
who could not understand B will be helpless in the face of C.

In the end, it's Darwin take the hindmost - but one advantage of B
over A is that a user who could understand A but not B, may think they
have the whole story with A but know there's still stuff to ask about
B before they dive in and start swimming.

> Some (simple) 'hijackware' can be effectively ID'ed and removed in normal
> (Windows) mode with the assistance of CWShredder, Ad-aware and Spybot.


It's the "traditional" malware (viruses, trojans and worms) I'd be
more worried about, and I'd want to exclude them first. OTOH, if you
are *only* using anti-cm tools, and not av, there may be less risk of
provoking retaliation from traditional malware.

> When a user is having problems even running these tools (whether such
> problems are caused by the hijackware or by PBUAK), running them in
> Safe Mode often helps.


Sometimes you may need to specify Safe Mode Command Prompt Only, as
often cm will integrate into IE in ways that get the cm running
whenever Windows Explorer is used as well. Lately, most cases that
need Safe have needed to avoid Explorer as the shell, too.

> There are times when a HijackThis (HT) log generated in Safe Mode will
> reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where
> the log may not show the hidden files (which experience has taught us are
> lurking in there somewhere) causing 'filename.dll' to be created and
> present. In such cases, HT will reveal more if run in Safe Mode after
> enabling Show Hidden Files.


Does Show Hidden Files limit what HT can report?

> Similarly, full system AV scans often will not find (or be able to fix)
> infections when run in normal mode. In such cases, scanning in Safe
> Mode/ShowHiddenFiles environment is required.


Even there, a trad malware may be able to strike down the av. What
worries me more than detection failure, is retaliation.

> Hang out in http://forums.spywareinfo.com/,
> http://castlecops.com/forum67.html, or
> http://forum.aumha.org/viewforum.php?f=30 for a while (or even take
> "ownership" of a few threads). You're sure to learn a lot, very quickly,
> Chris.


Ah, so many forums... I do 7 usenet groups (including alt.comp.virus
and the excellent comp.risks), 27 MS newsgroups, and 3 private elists,
and that swamps me as it is. Practical hands-on with malware of the
day is all very well, but you also have to prepare for the shoe that
hasn't dropped yet. The future often differs from the past :-p

I'm not a big fan of web UIs that spend over half the screen area on
fluff, but the last two don't look bad. What sort of post volumes are
involved? I may start with Aumha, for personal reasons ;-)



---------- ----- ---- --- -- - - - -

"He's such a character!"
' Yeah - CHAR(0) '
---------- ----- ---- --- -- - - - -

  #10  
Old December 28th 04, 08:13 PM
PA Bear

cquirke (MVP Win9x) wrote:
snippage
>> There are times when a HijackThis (HT) log generated in Safe Mode will
>> reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where
>> the log may not show the hidden files (which experience has taught us are
>> lurking in there somewhere) causing 'filename.dll' to be created and
>> present. In such cases, HT will reveal more if run in Safe Mode after
>> enabling Show Hidden Files.


> Does Show Hidden Files limit what HT can report?


No.

>> Hang out in http://forums.spywareinfo.com/,
>> http://castlecops.com/forum67.html, or
>> http://forum.aumha.org/viewforum.php?f=30 for a while (or even take
>> "ownership" of a few threads). You're sure to learn a lot, very quickly,
>> Chris.


> I'm not a big fan of web UIs that spend over half the screen area on
> fluff, but the last two don't look bad. What sort of post volumes are
> involved? I may start with Aumha, for personal reasons ;-)


Prior to late November, we prolly saw an average of 2 or 3 new posts a day
to Aumha's HT forum. After the LA Times article on spyware and Aumha Forums
was published on 27 Nov-04, posts increased to 10-15 a day (and the clueless
factor has increased proportionately). I'm sure you could be a big help in
most of the other forums there, too.

I've found it interesting that as overall posts to MS newsgroups have
decreased in recent months (coincidental with having to log in to a Passport
account to be able to post to 'web-news'), posts to Aumha and other forums
have increased.
--
~Robear
