#1
Virus scans and safe mode

Still learning. Was reading post below and is it better to check for viruses, spyware etc. when in safe mode? Also seen somewhere to open or unhide system hidden files as something bad may be hiding there. Not sure how to do this and sure do not want to goof something up. Windows 96 SE, Avast, Zone alarm, and Spysweeper.
#2
Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden Files enabled) may prove helpful in certain situations. As a general rule of thumb, however, scanning in a Windows (normal) boot is the way to start.

How to: Restart in Safe Mode
http://service1.symantec.com/SUPPORT...01052409420406

Enable Show Hidden Files
http://service1.symantec.com/SUPPORT...02092715262339

Run a full system AV scan in safe mode (Steps 1-3)
http://aumha.org/forum/viewtopic.php?t=5878

Reconfigure Ad-aware SE v1.05 (core) for full scan
http://aumha.org/forum/viewtopic.php?t=5877

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Earl wrote:
> Still learning. Was reading post below and is it better to check for viruses, spyware etc. when in safe mode? Also seen somewhere to open or unhide system hidden files as something bad may be hiding there. Not sure how to do this and sure do not want to goof something up. Windows 96 SE, Avast, Zone alarm, and Spysweeper.
#3
Thanks for help. Very useful.
#4
YW, Earl. Happy Hollydaze.

--
~PA Bear

Earl wrote:
> Thanks for help. Very useful.
#5
On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear"

> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden Files enabled) may prove helpful in certain situations. As a general rule of thumb, however, scanning in a Windows (normal) boot is the way to start.

I disagree completely, especially for traditional malware (viruses, worms, trojans). Unlike commercial malware, these don't have to pretend to be legitimate software, and there is no limit on how aggressive or malicious they can be.

The state chart:

              Detection   Cleaning
  Formal      Safe        Maybe
  Hosted      Maybe       Maybe
  Informal    Maybe       Maybe

The values of "maybe" range from "is usually OK, so far so good with currently known malware" to "quite a few malware can render this unsafe". The highest-risk activity is informal cleaning attempts.

I should clarify what "formal", "informal" and "hosted" are :-)

"Formal" is where you run no code from the ?infected system at all. You don't boot off the HD, you don't run any driver code off the HD, your av (antivirus) is not run from the HD, and the OS you used is smart enough not to "put things in its mouse" (like a drooling toddler) when it operates on the infected file system.

"Informal" is where you break the above rules to some extent, from using a CD-booted OS that runs a hostile \Autorun.inf when "exploring" the infected C:, to the sheer madness of booting the infected system, connecting to the Internet, navigating to an av web site via potential malware re-direction, then trying an "online scan" of the whole PC.

I use the term "semi-formal" where one ASSumes the malware requires code you aren't running during the scanning process; chasing a Word virus in Windows but not running Word, or chasing most modern (Windows-dependent) malware after booting the HD into DOS mode.

"Hosted" is where you drop an ?infected HD into another PC and scan it from there. This is at least semi-formal, but there's the added risk that dropping the ball could infect the host system. There are also non-malware risks posed by (and to) the host system, if the OS inappropriately "integrates" the HD. WinME and NT are risky here.

"Passive" malware infection is where malware content is present on the system, but has never been interpreted or run. For example; you receive an emaul attackment, but it hasn't spoofed the email app into running itself, and you haven't "opened" it yet.

"Active" malware infection is where malware content has been run, and therefore one has to consider risks of counter-attack. Typically, the malware will be active whenever the HD's OS is running. Most modern malware do defend themselves against av; some also defend against firewall and other defensive tools such as Regedit or MSConfig, but at present there are few that take punitive/destructive measures.

Windows-based av is a good "goalie of last resort"; after all other defences have failed or been bypassed, it's supposed to catch malware before it runs, when that material is "opened". If you suspect active malware, then your Windows-based av has failed, as has everything else you normally do to protect yourself. You have to assume the active malware can defend itself against that av, and consider it could react destructively to attempts to kill it.

So IMO you need something stronger than a friendly bobby-on-the-beat to tackle active malware. You need a take-no-prisoners SWAT team.

(good tips snipped)

---------- ----- ---- --- -- - - - -
Proverbs Unscrolled #31
"Mary and me on the beach.JPG .pif"
---------- ----- ---- --- -- - - - -
#6
Inline:

cquirke (MVP Win9x) wrote:
> On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear"
>> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden Files enabled) may prove helpful in certain situations. As a general rule of thumb, however, scanning in a Windows (normal) boot is the way to start.
> I disagree completely, especially for traditional malware (viruses, worms, trojans).

snip

Disagree with what? The benefits of scanning for malware in Safe Mode in certain situations? The benefits of scanning for malware in normal (Windows) mode?

> Windows-based av is a good "goalie of last resort"; after all other defences have failed or been bypassed, it's supposed to catch malware before it runs, when that material is "opened". If you suspect active malware, then your Windows-based av has failed, as has everything else you normally do to protect yourself. You have to assume the active malware can defend itself against that av, and consider it could react destructively to attempts to kill it.

Chris, not all malware are Trojans or Trojan-like, not all AV apps include definitions for Trojan-like malware, and no AV app that /does/ include such definitions can protect against or identify the very newest ones or very newest variants.

--
~Robear
#7
On Sun, 26 Dec 2004 17:11:46 -0500, "PA Bear"

> cquirke (MVP Win9x) wrote:
>> On Fri, 24 Dec 2004 19:10:29 -0500, "PA Bear"
>>> Scanning (anti-virus, anti-malware tools) in Safe Mode (with Show Hidden Files enabled) may prove helpful in certain situations. As a general rule of thumb, however, scanning in a Windows (normal) boot is the way to start.
>> I disagree completely, especially for traditional malware (viruses, worms, trojans).
> Disagree with what? The benefits of scanning for malware in Safe Mode in certain situations? The benefits of scanning for malware in normal (Windows) mode?

Sorry, I wasn't at all clear, was I? The bit I disagree with is scanning informally, i.e. looking for unknown malware in normal Windows mode, where it's most likely the malware will be running at the time. I consider that risky. I do agree that Safe mode is helpful at times, and that one should show hidden files (and I'd always unhide file name extensions!)

>> Windows-based av is a good "goalie of last resort"; after all other defences have failed or been bypassed, it's supposed to catch malware before it runs, when that material is "opened". If you suspect active malware, then your Windows-based av has failed, as has everything else you normally do to protect yourself. You have to assume the active malware can defend itself against that av, and consider it could react destructively to attempts to kill it.
> Chris, not all malware are Trojans or Trojan-like, not all AV apps include definitions for Trojan-like malware, and no AV app that /does/ include such definitions can protect against or identify the very newest ones or very newest variants.

I'm thinking in terms of that first approach, when you don't know whether you will find traditional malware such as viruses, trojans or worms, or commercial malware, or both. Traditional malware are the most likely to take destructive action, as well as hide from informal scanning, so that's why I'd like to make sure they are not present before doing anything else.

These days, commercial malware is so common that we almost forget about the really bad guys. Circumstances prone to "catching" commercial malware are also likely to expose the system to traditional malware too, so IMO one should always exclude that, and early.

I do agree that the av you might use to look for traditional malware isn't going to detect commercial malware, or quite a few trojans, for that matter. So yes, you'd still be using tools dedicated to those, and those tools typically have to be run informally. While "safe mode" isn't, it's currently the best one can do with commercial malware (unless you can get these tools to run effectively from a Bart boot, including having them operate on the HD installation's registry).

But I've found one has to use not only Safe Mode, but specifically Safe Mode Command Prompt Only, when tackling commercial malware on XP systems. Else the tools often fail to fix the cm, as the latter's gone active via Explorer integration.

As I mentioned in an elist response to you, I'm interested in your logic in advocating normal Windows instead of Safe Mode as the starting point - is this to ensure one starts cleanup from the most-likely-used user account, to avoid "orphaned" settings?

---------- ----- ---- --- -- - - - -
Proverbs Unscrolled #37
"Build it and they will come and break it"
---------- ----- ---- --- -- - - - -
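Two of the checks the thread keeps coming back to are "show hidden files" and "unhide file name extensions", and cquirke's signature ("Mary and me on the beach.JPG .pif") is the classic decoy: a harmless-looking extension, some padding spaces, and a real executable extension that a narrow Explorer column never shows. The script below is an added example, not code from the thread or from any tool named in it; it walks a folder with hidden entries included and reports anything that is hidden, system-flagged, or named with a decoy extension in front of an executable one. The extension lists and the `classify` / `audit_dir` names are my own choices; `st_file_attributes` is only present on Windows, elsewhere a leading dot is treated as hidden.

```python
import os
import stat
from pathlib import Path

# File types Windows will run regardless of what sits before the final dot (assumed list).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
# "Harmless" extensions commonly used as the decoy in front of a real executable one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".pdf", ".mp3", ".htm"}


def is_deceptive_name(name: str) -> bool:
    """True when the real (final) extension is executable but the name is padded
    to look like a document or image, e.g. "beach.JPG .pif" or "photo.jpg.exe"."""
    root, ext = os.path.splitext(name.lower())
    if ext not in EXECUTABLE_EXTS:
        return False
    # Spaces between decoy and real extension push the latter out of view in a
    # narrow Explorer column, so strip them before looking for the decoy.
    root = root.rstrip()
    return any(root.endswith(decoy) for decoy in DECOY_EXTS)


def is_hidden(name: str, attrs: int = 0) -> bool:
    """Hidden or System attribute set (Windows st_file_attributes), or a dot-file elsewhere."""
    flagged = attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM)
    return bool(flagged) or name.startswith(".")


def classify(name: str, attrs: int = 0) -> list[str]:
    """Findings for one directory entry; an empty list means nothing to report."""
    findings = []
    if is_hidden(name, attrs):
        findings.append("hidden")
    if is_deceptive_name(name):
        findings.append("deceptive-extension")
    return findings


def audit_dir(folder: str) -> dict[str, list[str]]:
    """Walk a folder (hidden entries included) and return only entries worth a second look."""
    report = {}
    for path in Path(folder).rglob("*"):
        if not path.is_file():
            continue
        attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only; 0 elsewhere
        findings = classify(path.name, attrs)
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    # Constructed sample names; the first is the thread's own signature example.
    for sample in ["Mary and me on the beach.JPG .pif", "beach.jpg", ".filename.dll"]:
        print(f"{sample!r}: {classify(sample) or 'ok'}")
```

Run `audit_dir(r"C:\path\to\check")` (a placeholder path) from an interpreter started outside the suspect profile; the names reported are only a starting point for the hidden-file review PA Bear describes, not a verdict.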
#8
cquirke (MVP Win9x) wrote:

snip

> As I mentioned in an elist response to you, I'm interested in your logic in advocating normal Windows instead of Safe Mode as the starting point - is this to ensure one starts cleanup from the most-likely-used user account, to avoid "orphaned" settings?

Keep in mind that my frame of reference is in helping others via forum posts and that asking some of these clueless users to do something in Safe Mode right off the bat will send them running to the hills. w

First I want to see if they can follow (or have followed) directions. (You'd be surprised...)

Some (simple) 'hijackware' can be effectively ID'ed and removed in normal (Windows) mode with the assistance of CWShredder, Ad-aware and Spybot.

When a user is having problems even running these tools (whether such problems are caused by the hijackware or by PBUAK), running them in Safe Mode often helps.

There are times when a HijackThis (HT) log generated in Safe Mode will reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where the log may not show the hidden files (which experience has taught us are lurking in there somewhere) causing 'filename.dll' to be created and present. In such cases, HT will reveal more if run in Safe Mode after enabling Show Hidden Files.

Similarly, full system AV scans often will not find (or be able to fix) infections when run in normal mode. In such cases, scanning in Safe Mode/ShowHiddenFiles environment is required. You will find thousands of Symantec pages where the Removal instructions include this and where there is more to do than scanning with NAV, in normal or Safe Mode, to remove the parasite(s).

Hang out in http://forums.spywareinfo.com/, http://castlecops.com/forum67.html, or http://forum.aumha.org/viewforum.php?f=30 for a while (or even take "ownership" of a few threads). You're sure to learn a lot, very quickly, Chris.

--
~Robear
#9
On Mon, 27 Dec 2004 20:42:36 -0500, "PA Bear"

> cquirke (MVP Win9x) wrote:
>> As I mentioned in an elist response to you, I'm interested in your logic in advocating normal Windows instead of Safe Mode as the starting point - is this to ensure one starts cleanup from the most-likely-used user account, to avoid "orphaned" settings?
> Keep in mind that my frame of reference is in helping others via forum posts and that asking some of these clueless users to do something in Safe Mode right off the bat will send them running to the hills. w

Yep. It's a bit of a horse-and-water situation, and my approach has always been to aim for complete advice even if that requires them to "grow into". I always worry that if I choose basic advice A over intermediate advice B, and it causes hard-core problem C, the users who could not understand B will be helpless in the face of C. In the end, it's Darwin take the hindmost - but one advantage of B over A is that a user who could understand A but not B, may think they have the whole story with A but know there's still stuff to ask about B before they dive in and start swimming.

> Some (simple) 'hijackware' can be effectively ID'ed and removed in normal (Windows) mode with the assistance of CWShredder, Ad-aware and Spybot.

It's the "traditional" malware (viruses, trojans and worms) I'd be more worried about, and I'd want to exclude them first. OTOH, if you are *only* using anti-cm tools, and not av, there may be less risk of provoking retaliation from traditional malware.

> When a user is having problems even running these tools (whether such problems are caused by the hijackware or by PBUAK), running them in Safe Mode often helps.

Sometimes you may need to specify Safe Mode Command Prompt Only, as often cm will integrate into IE in ways that get the cm running whenever Windows Explorer is used as well. Lately, most cases that need Safe have needed to avoid Explorer as the shell, too.

> There are times when a HijackThis (HT) log generated in Safe Mode will reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where the log may not show the hidden files (which experience has taught us are lurking in there somewhere) causing 'filename.dll' to be created and present. In such cases, HT will reveal more if run in Safe Mode after enabling Show Hidden Files.

Does Show Hidden Files limit what HT can report?

> Similarly, full system AV scans often will not find (or be able to fix) infections when run in normal mode. In such cases, scanning in Safe Mode/ShowHiddenFiles environment is required.

Even there, a trad malware may be able to strike down the av. What worries me more than detection failure, is retaliation.

> Hang out in http://forums.spywareinfo.com/, http://castlecops.com/forum67.html, or http://forum.aumha.org/viewforum.php?f=30 for a while (or even take "ownership" of a few threads). You're sure to learn a lot, very quickly, Chris.

Ah, so many forums... I do 7 usenet groups (including alt.comp.virus and the excellent comp.risks), 27 MS newsgroups, and 3 private elists, and that swamps me as it is. Practical hands-on with malware of the day is all very well, but you also have to prepare for the shoe that hasn't dropped yet. The future often differs from the past :-p

I'm not a big fan of web UIs that spend over half the screen area on fluff, but the last two don't look bad. What sort of post volumes are involved? I may start with Aumha, for personal reasons ;-)

---------- ----- ---- --- -- - - - -
"He's such a character!"
' Yeah - CHAR(0) '
---------- ----- ---- --- -- - - - -
#10
cquirke (MVP Win9x) wrote:

snippage

>> There are times when a HijackThis (HT) log generated in Safe Mode will reveal problems (e.g., O4 - ...C:\Windows\System32\filename.dll) but where the log may not show the hidden files (which experience has taught us are lurking in there somewhere) causing 'filename.dll' to be created and present. In such cases, HT will reveal more if run in Safe Mode after enabling Show Hidden Files.
> Does Show Hidden Files limit what HT can report?

No.

>> Hang out in http://forums.spywareinfo.com/, http://castlecops.com/forum67.html, or http://forum.aumha.org/viewforum.php?f=30 for a while (or even take "ownership" of a few threads). You're sure to learn a lot, very quickly, Chris.
> I'm not a big fan of web UIs that spend over half the screen area on fluff, but the last two don't look bad. What sort of post volumes are involved? I may start with Aumha, for personal reasons ;-)

Prior to late November, we prolly saw an average of 2 or 3 new posts a day to Aumha's HT forum. After the LA Times article on spyware and Aumha Forums was published on 27 Nov-04, posts increased to 10-15 a day (and the clueless factor has increased proportionately). I'm sure you could be a big help in most of the other forums there, too.

I've found it interesting that as overall posts to MS newsgroups have decreased in recent months (coincidental with having to log in to a Passport account to be able to post to 'web-news'), posts to Aumha and other forums have increased.

--
~Robear