68 variations of downloader.agent found on my computer!

Detlev Dreyer

Kelly said:
It depends on the environment of the user. For a home user, there is
no need to seek professional help, if the user can help themselves. I
have never, in my years, had to do a flatline nor advise one to do so
under these conditions.

Well, like Ron said - for a company it's economic to rebuild a system
from scratch rather than spending time searching for the cause of a
problem. For a home user, it's an absolute no-no to flatten the system
if this is not really necessary. In fact, *all* of my countless home
systems (desktop systems, notebooks) still run with their original
Windows installation, the oldest one since 1996. BTW, upgrading from XP
Home to XP Pro doesn't count as a re-installation. During many years of
posting to newsgroups, there were only very few cases advising to do a
flatline as the last resort.

However, things look completely different when there are security issues
involved. I personally would never ever resume working with a system
that was infected with 68 (found) trojans. Therefore, there is no reason
for me to give a different advice here other than flatlining the system
and rebuilding from scratch. Beyond this, the user should change his
behaviour completely since catching at least 68 trojans is not easy to
manage. Otherwise, the next infection will be just a matter of days.
 
Leythos

I have
never, in my years, had to do a flatline nor advise one to do so under these
conditions.

Kelly, with all due respect, then I can only say that you've never
encountered a system that was compromised and had it combined with a
user that didn't understand the basics that we (professionals) do/would.

Taking a compromised system, one with 8 dialers, various pop-ups,
various ad delivery systems, etc... Running AV products, cleaners,
hacking the registry, and then being sure it's clean enough for our uses
is one thing, but, if you were asked to sign your house over as
insurance that the machine was clean when returned, I'm willing to bet
that you would rather wipe/reinstall than do that.

With typical home users, once they are infected, they have very little
clue that they got infected at the start. For the ones on dial-up, the
ones that get a $700 phone bill, are you going to assure them that you
cleaned the system with your skills or are you going to tell them about
the disclaimer part - the one that states that the machine was cleaned
of all "known" viruses, trojans, worms, dialers, and spyware.

If you really believe that you can personally clean a system once it's
compromised, without any chance of being wrong, then you don't belong in
this business.
 
David Candy

It's not that hard to clean a machine. There are only a limited number of vectors. If one checks each vector and examines each entry then one can know. But on most idiot's machines it takes longer than reinstalling. The point I'd make is why try for 100% clean. For my sister's family as long as it works at an ok speed. This is because they will start to infect themselves at a high rate as soon as you clean it. So I don't bother anymore. I let the 13yo restore.
 
Detlev Dreyer

Leythos said:
Kelly, with all due respect, then I can only say that you've never
encountered a system that was compromised and had it combined with
a user that didn't understand the basics that we (professionals)
do/would.

Well, one of my business scopes is "Information Security Advisor"
for a huge, international company. I didn't mention that since this
didn't matter by now. However, in face of all the skills, I can only
*assume* that my own home systems are not compromised to the best of
my knowledge - but I wouldn't sign off any guarantee. This is especially
true due to the kids' frequent LAN parties, plugging other computers
into the home network as well.
 
Leythos

"David Candy" <.> said:
It's not that hard to clean a machine. There are only a limited number of vectors. If one checks each vector and examines each entry then one can know. But on most idiot's machines it takes longer than reinstalling. The point I'd make is why try for 100% clean. For my sister's family as long as it works at an ok speed. This is because they will start to infect themselves at a high rate as soon as you clean it. So I don't bother anymore. I let the 13yo restore.

While it's not hard to clean a machine, there are many things that we,
as professionals, can do to help decrease the likelihood of
reinfestation for the average home user.

In order to be sure the machine is clean, it must be wiped and
reinstalled in a secure environment. Once it's installed, patched, av
software installed, user accounts limited, etc....

Then comes selecting a method for Browsing and Email that won't allow the
user to reinfect their system without doing at least some of the work
and knowing about it. I start by removing access to IE and Outlook/OE,
installing FireFox and ThunderBird. IE is still on the machine, but only
the admin user can get to it. With these two little changes I've managed
to take home users that were reinfecting their machines in a matter of
hours/days to a point where many months later they are still clean.

Your comment "The point I'd make is why try for 100% clean." is not
acceptable or a good way of thinking. A professional will clean the
system, be able to certify it's clean, and will then determine a course
of action that limits the reinfection of the machine while still
allowing the users to perform their daily tasks. Sure, I could
understand if it was a system owned by someone you didn't like, but to
not ensure that the machine is clean often impacts people outside of the
compromised computer - as evidenced by the probes my firewalls report
every few seconds.

If you don't care about cleaning the machine to 100% certainty then why
clean it at all. I would rather wipe/reinstall and then add in the
security needed than to have to second guess compromised systems. It's
also a lot quicker to reinstall and secure a machine than it is to keep
being nagged by the users about something happening they don't
understand due to it only being 90% cleaned.
 
Leythos

Well, one of my business scopes is "Information Security Advisor"
for a huge, international company. I didn't mention that since this
didn't matter by now. However, in face of all the skills, I can only
*assume* that my own home systems are not compromised to the best of
my knowledge - but I wouldn't sign off any guarantee. This is especially
true due to the kids' frequent LAN parties, plugging other computers
into the home network as well.

Well, we do the same work then - I manage clients all over the USA and
in one foreign location. None of them have been compromised to date.
When I encounter a client that asks me to fix their personal machine, or
the friend of the business owner, I'm expected to "Clean" the machine at
the same level I would my own (or their company) machines.

I also have teenagers, who like to play games, and have no issues with
them running LAN parties - that's what a simple NAT router is for, even
behind my home firewall (Firebox II) I still have segments setup with
small NAT routers for "unknown" systems and such - security is not
something I just say "well, it's good enough".

If you wouldn't sign a paper stating that the machine is clean, then why
bother telling someone it's clean or why bother only cleaning it "mostly
clean"?

When people post to this group with obviously compromised systems,
telling them to clean it is about the same as telling fat people to eat
less. They don't care enough to learn BEFORE it happens, they don't care
about why it happened, and most don't care about how to prevent it if it
means they have to buy something or do a little work. It's easier for
the ignorant types to just reinstall, patch, get behind a NAT box, and
stop using IE/Outlook/OE, and also run at least a cheap AV product.
Telling them they can clean their systems is like telling them they
should not have got infected in the first place, it's in one ear and out
the other before it registers, and they don't have the skills to do
either.
 
Detlev Dreyer

Leythos said:
Well, we do the same work then - I manage clients all over the USA and
in one foreign location. None of them have been compromised to-date.
When I encounter a client that asks me to fix their personal machine,
or the friend of the business owner, I'm expected to "Clean" the
machine at the same level I would my own (or their company) machines.

Well, the cleaning of compromised machines (if any) is the job of the
functional IT professionals over here. My function in this field is to
avoid any incidents if possible (strategy and coaching), generally
speaking.

I also have teenagers, which like to play games, and have no issues
with them running LAN parties

Same here by now. Anyway, whenever the kids encounter a problem, first
thing they do is turning off the firewall/s, at least on a trial basis.
Applying policies at home is pretty useless since my son has admin
rights of course and meanwhile, he fixes problems even faster than me.

If you wouldn't sign a paper stating that the machine is clean, then
why bother telling someone it's clean or why bother only cleaning it
"mostly clean"?

Well, maybe I was not clear enough. Sure, I have no problem to sign
that a machine is clean for the moment. However, some hours later the
situation *may* have changed despite all measures of precaution while
I'm in the office. To a lesser extent, I could guarantee from afar that
a severely compromised system (68 trojans at least) is 100% clean by
bricolage instead of flatlining and rebuilding from scratch.
 
Leythos

To a lesser extent, I could guarantee from afar that
a severely compromised system (68 trojans at least) is 100% clean by
bricolage instead of flatlining and rebuilding from scratch.

I'm not personally willing to take the risk that a machine is totally
clean using normal cleaning methods. Even though I might clean a machine
for my own use and have no problem monitoring it to see that it was
properly cleaned, I'm not about to clean a machine and give it back to a
an ignorant user and tell them that it's 100% clean when returned. It's not
that I don't trust myself, it's that I'm smart enough to know that I may
not catch the next thing being thrown at us before someone else
identifies it.
 
Alexander Grigoriev

Man,
Change your account permissions to "Limited User". Never install any "free
screen savers", "free smileys", etc. Make sure your system drive is
formatted as NTFS.
The malware is only able to get hold on your system if you run as a user
with Administrator privileges.
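A way to check the three controls recommended in this thread from the rebuilt machine (running as a limited user, NTFS system drive, and Internet Explorer not runnable by ordinary users). This is an added example, not code from any poster; it assumes a current Windows with PowerShell 5 or later, and it assumes Leythos's "only the admin user can get to it" was done by removing the Users group's execute right on iexplore.exe.

```powershell
# Added audit script (not from the thread). Assumes Windows, PowerShell 5+.
# Reports on the three controls recommended above; it changes nothing.

function Test-LimitedUser {
    # True when the current account is NOT a member of the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return -not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SystemDriveNtfs {
    # $env:SystemDrive is e.g. "C:", which is the Win32_LogicalDisk DeviceID.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    return $disk.FileSystem -eq 'NTFS'
}

function Test-IeBlockedForUsers {
    # Assumption: IE is restricted via the NTFS ACL on iexplore.exe, so
    # BUILTIN\Users must hold no effective execute right on the file.
    $ie = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    if (-not (Test-Path $ie)) { return $true }   # nothing there to run
    $acl   = Get-Acl -Path $ie
    $allow = $false
    $deny  = $false
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notmatch '\\Users$') { continue }
        if ($ace.FileSystemRights.ToString() -notmatch 'Execute|FullControl') { continue }
        if ($ace.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    # A Deny ACE wins over any Allow; otherwise Users must simply have no Allow.
    return ($deny -or -not $allow)
}

$results = [ordered]@{
    'Running as limited user'  = Test-LimitedUser
    'System drive is NTFS'     = Test-SystemDriveNtfs
    'IE not runnable by Users' = Test-IeBlockedForUsers
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FIX' })
}
```

Run it from the limited account that will actually be used day to day, since the first check reports on whoever launches the script.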
 
Detlev Dreyer

Leythos said:
I'm not personally willing to take the risk that a machine is totally
clean using normal cleaning methods. Even though I might clean a
machine for my own use and have no problem monitoring it to see that
it was properly cleaned,

ACK. I know many people carrying their system to professionals in order
to *remove* viruses/worms/trojans. Usually, they don't ask me in this
case because they know that I tend to wipe compromised systems. In all
cases, their systems were flattened and rebuilt from scratch when
picking up - the only difference was that they had to pay for that.
 
Leythos

ACK. I know many people carrying their system to professionals in order
to *remove* viruses/worms/trojans. Usually, they don't ask me in this
case because they know that I tend to wipe compromised systems. In all
cases, their systems were flattened and rebuilt from scratch when
picking up - the only difference was that they had to pay for that.

I'm with you, when it comes to my reputation or signature, it's always
been better to return a cleaned machine than a hopefully cleaned
machine.
 
Kelly

Kelly, with all due respect, then I can only say that you've never
encountered a system that was compromised and had it combined with a
user that didn't understand the basics that we (professionals) do/would.

Yes, I have, hundreds of times. And again, a format was not needed!

If you really believe that you can personally clean a system once it's
compromised, without any chance of being wrong, then you don't belong in
this business.

Yes, I can and do.

--
Happy Holidays,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
 
Richard Urban

Kelly,

I read most of your posts/opinions, and respect them - A LOT!

But here you are dead wrong.

If I brought you a compromised computer to repair, and had a $1000.00 penalty
clause that I forced upon you for "non performance", you would be a fool to
guarantee that the system was clean - unless you flattened the system and
started fresh! There is just no way, given the complexity of today's
operating systems that you can know "for certain".

Sorry, but these are just the facts!

--

Regards:

Richard Urban

aka Crusty (-: Old B@stard :)

If you knew half as much as you think you know,
You'd realize you didn't know what you thought you knew!
 