Can you really 100% clean a compromised machine 100% of the time without wiping it?

Leythos

Most of us who have worked on computers for a living have run across many
compromised computers with many different types of malware.

As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware free mode, or at least enough access to backup
their documents and files to restore later.

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a given machine at a given instant.

This thread is not personal, about anyone's skills, about any
individual, it's only about cleaning malware off machines to the point
that we could state that 100% of all malware, known and unknown, is
removed from the machine at the moment you finish cleaning it.

Do you feel 100% certain that your tools and skills can clean a
compromised machine, 100% of the time, without any malware, known or
unknown, remaining on the machine - 100% of the time?

Since I don't believe that anyone can actually say "YES" without
limitations, then how do we help all of these clueless users ensure
their machines are clean?

We all know that you can wipe/reboot/install from clean disks, in a
clean environment, and the machine will be clean at that moment.

We all know that it takes between 30~90 minutes to restore a machine
from scratch (depending on the method, quicker for ghost images), and
that it's time consuming to get everything back to normal for customers.

We all know that no one wants to wipe/reinstall as it means lots of
extra work.

Now, we also know that removing the malware can take hours in some
cases, most takes less. For some malware you have to boot to the
recovery console and manually remove it.

So, it comes down to this - clean their system enough to save files to
CD/DVD, then wipe it to ensure that the malware is 100% removed and the
system is clean enough to be certified as clean.

While most of us will just clean a machine and reboot it several times,
check the registry, tasks, netstat, etc.... then run the malware removal
tools several times, etc... It just means that we're willing to take the
level of risk for not having to put the time in to ensure that the
system is 100% certified clean, which means we don't really want to
reinstall everything again :)

I know that some will claim they can perfectly clean a machine, but, if
you're really that sure you can clean 100% of malware, 100% of the time,
now and in the future, of known and unknown malware, without a
wipe/reinstall, then I think you're just fooling yourself.

Again, are we assuming that by providing "reactionary" tools and methods
that don't wipe/reinstall, that we're doing visitors to this group (and
others) justice and actually providing them with a 100% clean platform
to continue with?
 
R. McCarty

I don't believe there is a "Hard-&-Fast" rule about clean-up. Lots
of times I encounter a setup that was originally an OEM, upgraded
to XP. Because the user doesn't have the source media or want to
restore the Factory state - I have to clean it up.
The key is to tighten up the Security enough to protect the customer
from themselves (usually Teenage children). If customers agree I'll
take an image of the Clean (or Cleanest) state and teach them how
to recover. This means that I migrate data stores to their own disk
partition, to facilitate recovery without data loss.
Many times a fresh install is warranted, because the customer has
tried to resolve it themselves. A big percentage of the problems will
likely be due to Registry cleanup.
The key point to make to customers is that Cleanup isn't sufficient,
they have to have real-time protection and learn things about EULAs
and that Free software isn't always a good bargain.
I never "Certify" a machine is 100% free of Malware. What I do
state to them is that based on current tools/knowledge it is as free
of those things as can be reasonably done without incurring too much
cost or my time.
PC Cleanup is a good income generator. However, re-visiting the
same machine time and time again doesn't reflect well on my business
practices.
 
Guest

All detection tools are all "reactionary" if that's even a word. ;) Most of
the malware that can be found are probably the same pieces that are in wide
distribution and can be removed. The problem lies in that one or two pieces
of malware you didn't know you had for a month or two because there wasn't
anything watching for them yet. In my opinion, you have to take a step back
and ask yourself the difference between what you know and what you don't, and
what risk you are willing to mitigate as a result of the unknown. To me, the
risk of the unknown is too great and therefore I put the system back to a
known-good state: reimage. :D

All malware and viri will always be one step ahead of the detection and
removal systems because the detection systems are "effect" while successful
infection is "cause". Then you have to wonder if the tools that are out
there have properly taken into account all of the things that a piece of
malware does - after all it's still possible to miss something performing a
diff of a clean system vs infected. The only people that know exactly how a
piece of software runs are the people that wrote the software. Mix that up
with the view that "there's no such thing as perfect software, but there is
such a thing as software with the bugs that no one has found" and you really
can't guarantee anything past a successfully applied image/reinstallation in
an isolated environment.

I consider myself fairly adept at removing malware using a handful of tools
in concert but if I have been working on a system for more than 15 minutes, I
just refresh it.
 
David H. Lipman

From: "Steven Bendis" <[email protected]>

| All detection tools are all "reactionary" if that's even a word. ;) Most of
| the malware that can be found are probably the same pieces that are in wide
| distribution and can be removed. The problem lies in that one or two pieces
| of malware you didn't know you had for a month or two because there's wasn't
| anything watching for them yet. In my opinion, you have to take a step back
| and ask yourself the difference between what you know and what you don't, and
| what risk you are willing to mitigate as a result of the unknown. To me, the
| risk of the unknown is too great and therefore I put the system back to a
| known-good state: reimage. :D
|
| All malware and viri will always be one step ahead of the detection and
| removal systems because the detection systems are "effect" while successful
| infection is "cause". Then you have to wonder if the tools that are out
| there have properly taken into account all of the things that a piece of
| malware does - after all it's still possible to miss something performing a
| diff of a clean system vs infected. The only people that know exactly how a
| piece of software runs are the people that wrote the software. Mix that up
| with the view that "there's no such thing as perfect software, but there is
| such a thing as software with the bugs that no one has found" and you really
| can't guarantee anything past a successfully applied image/reinstallation in
| an isolated environment.
|
| I consider myself fairly adept at removing malware using a handful of tools
| in concert but if I have been working on a system for more than 15 minutes, I
| just refresh it.
|

Steven:

There is no such terminology as 'viri' or 'virii'. The plural of virus is viruses.
http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html

Additionally viruses are malware but not all malware are viruses. There are viral malware
such as true viruses and Internet worms and non-viral malware such as adware, spyware,
browser hijackers, browser helper objects, trojans, etc.

BTW: It takes more than fifteen minutes to run a full anti-virus scan or anti-malware scan
on the vast majority of platforms, therefore your decision time is way too short.
 
Sharon F

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a given machine at a given instant.

My feelings: flatten and rebuild.

Since many users don't have regular backups, interim repairs may be needed
to grab those "important files" first. Then flatten and rebuild. Why?

Sophistication levels of malware have risen to a point that a "100%" clean
rating is challenging to achieve. Viruses, trojans, worms, ADS
exploitations, rootkits - and many capable of morphing when removal is
attempted. A behavior which in turn causes removal tactics to become more
sophisticated than "run this and run that." Booting with Bart's PE or
Knoppix or similar is needed to do cleaning from "outside" of the infected
space.

There are also the issues of "hands on" vs "long distance" cleanup. If we had
the system right in front of us, we might easily see more that needed to be
cleaned than what is reported in the "long distance" newsgroup situation.
Nowadays, how can truly accurate advice be given without a hands on viewing
of the system?

I guess that's the point you're getting at and if that's the case, I agree.

Also as you point out -- if on our own systems, we probably approach the
situation differently. I know that if I had the time, I would enjoy
spending some hours on the forensics. If no time, would seriously consider
creating an image of the muckup and "playing" with it later. But in either
case would still "restore" my everyday working setup from an image known to
be "good." My choice and certainly the choice of anyone posting here for
help with their malware problems? Which leads me to...

I also do not want to take anything away from the truly gifted folks in
these newsgroups who tackle some of these issues. If the user has reported
their problems early and accurately - chances of recovery are reasonably
good. Even if they end with "I gave up and reinstalled everything," the
threads are an *excellent* education and I always hope that the original
poster learns why all possible steps to avoid malware to begin with should
be implemented.
 
Galen

In Leythos <[email protected]> had this to say:

My reply is at the bottom of your sent message:
I know that some will claim they can perfectly clean a machine, but,
if you're really that sure you can clean 100% of malware, 100% of the
time, now and in the future, of known and unknown malware, without a
wipe/reinstall, then I think you're just fooling yourself.

I snipped a lot to respond just to this portion. There's no such thing, in
my opinion, as being 100% certain that your system is clean if it's ever
been online or out of your sight. When I speak to people, or respond in
newsgroups or forums, I tend to say "if you're 99.9% certain your system is
free from malware _____" or something akin to that. It makes me laugh almost
every time I see someone post saying, "I know I don't have any viruses or
spyware." That just makes me smile because, well, it tells me that they have
too much false confidence and it reminds me of why I post as often as I do.
The truth is that there's no such thing as being completely secure and, as
you touch on, prevention is key to maintaining a clean system and even then
it's not enough. That being said, security is a process and not an
application; It's a fine line between knowing what the security implications
are and deciding if the actions you take are worth the dangers or deciding
if the ends justify the means. "Does the objective warrant the risk?"

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/

Please note that if you're reading this in a browser and the domain is
not owned by Microsoft then this work is being used without permission.

Access MS Newsgroups :
http://kgiii.info/windows/all/general/msnewsgroups.html
 
Steven L Umbach

Of course you cannot be sure any computer is 100 percent clean,
particularly with the advent of root kits. We also cannot guarantee that a
computer that is 100 percent clean will remain clean once the user connects
to the internet or accesses new media on their computer such as cdrom/DVD, USB
drive etc. So it all boils down to managing risk meaning what expense is a
computer user willing to spend in time or funds to clean their computer and
to what degree that makes them comfortable and almost always the easy and
cheap way prevails as long as computer performance becomes acceptable. Of
course many users do not even realize their computer is infected with
malware and may not even care that much until performance is affected
noticeably. For the vast majority of users antivirus programs and spyware
removal and detection programs seem to be adequate to clean their computer
to a level that is OK with them particularly since no one can guarantee they
won't have a problem in the future again possibly in short order. Anyone who
uses such tools would be advised to inform the owner that a best effort has been
done to clean the computer and not tell them that their computer is 100
percent clean/secure. I also advise users to make sure their SS# and other
sensitive information is not stored on any documents on their computer as I
consider identity theft to be a huge concern and if someone has your SS#
they can find out just about anything about you.

While you are correct that the time it takes to install the operating system
is not that long, it can take a lot longer to install and configure the
latest service pack, numerous security updates, possibly do some routine
hardening, and all the applications a user had on their computer. I have
advised more than a few people to do a pristine install on a very messed up
computer but they are extremely hesitant which is why the detection and
removal programs are so popular and the preferred method as far as the user
is concerned. I am not sure of the reasons they resist a pristine install
but my guess is that some of the reasons are they fear loss of data, they
lost or do not have the operating install disk, they lost or do not have the
application install disks, they have downloaded and installed so much stuff
from the internet they fear they would not remember all they have done to
get their computer back to the way they like it, or they fear their
personalized settings, which can be a lot of settings, will not be
stored. --- Steve
 
Guest

Dave,

Why you've turned this into a linguistics lesson for your superiority
complex is really unknown and unnecessary, but I thank you for your effort.
If that's what makes you feel better, so be it. ;)

The point I was trying to make was that there's just too much out there to
say that any kind of detection and removal methods are 100%, and that
dropping back to a known-good point is a better solution (IMHO) than screwing
around with a system for an hour or two. Since that was the only thing you
didn't feel necessary to pick at in my post, either I got my point across or
you really didn't read it.

Systems that I inspect and end up having to remove malware from are usually
Windows 2000 and are already running the latest anti-virus software with
up-to-date DATs so running a sweep for viruses is usually a waste of time.
I've seen "mousebm.exe" running next to Symantec AntiVirus 9.0.3.1 with all
of its components updated and Symantec does nothing about the nasty process
until I use pskill on it. THEN Symantec catches it. That is an example of a
machine that would take less than 15 minutes to decide it has been
compromised beyond further need to troubleshoot: if the current anti-virus
DATs aren't stopping intrusion of mousebm, what other unknown things have
made their way on this system and for how long? I have a lot of
remote/dial-in systems which occasionally pick up an interesting mix of
malware and you just have to decide what's really worth your time, the user's
time and the risk.

“Mal” is the French word for “bad”. As in malformed, malnourished, etc.
Therefore malware can be used to reference any kind of software which has a
negative impact. But since you're so exacting in all things, I imagine
you've taken all of this into account anyway. ;)

TTYL,

- S
 
Mike Hall \(MS-MVP\)

I always try to clean a system before resorting to a re-format.. I also try
to educate people to carry out a damage limitation program at least weekly..
that's all it will ever be is a damage limitation exercise, but surely
better that than just to rely on people waiting how long before they do
something about the state of their systems?..

Looking for 100% clean is a waste of time, as it is expecting 100% of
anything, but the aim is to get as close to 100% as possible, isn't it?

At what point do people reformat?.. 95% bad, 80% bad.. 50% even, or do we
just suggest a weekly cycle to eliminate the chances of the kids seeing porn
popups, or credit card info being sent out of the back door?..
 
David H. Lipman

From: "Steven Bendis" <[email protected]>

| Dave,
|
| Why you've turned this into a linguistics lesson for your superiority
| complex is really unknown and unnecessary, but I thank you for your effort.
| If that's what makes you feel better, so be it. ;)
|
| The point I was trying to make was that there's just too much out there to
| say that any kind of detection and removal methods are 100%, and that
| dropping back to a known-good point is a better solution (IMHO) than screwing
| around with a system for an hour or two. Since that was the only thing you
| didn't feel necessary to pick at in my post, either I got my point across or
| you really didn't read it.
|
| Systems that I inspect and end up having to remove malware from are usually
| Windows 2000 and are already running the latest anti-virus software with
| up-to-date DATs so running a sweep for viruses is usually a waste of time.
| I've seen "mousebm.exe" running next to Symantec AntiVirus 9.0.3.1 with all
| of its components updated and Symantec does nothing about the nasty process
| until I use pskill on it. THEN Symantec catches it. That is an example of a
| machine that would take less than 15 minutes to decide it has been
| compromised beyond further need to troubleshoot: if the current anti-virus
| DATs aren't stopping intrusion of mousebm, what other unknown things have
| made their way on this system and for how long? I have a lot of
| remote/dial-in systems which occasionally pick up an interesting mix of
| malware and you just have to decide what's really worth your time, the user's
| time and the risk.
|
| “Mal” is the French word for “bad”. As in malformed, malnourished, etc.
| Therefore malware can be used to reference any kind of software which has a
| negative impact. But since you're so exacting in all things, I imagine
| you've taken all of this into account anyway. ;)
|
| TTYL,
|
| - S
|

The use of the term virii is done by script kiddies and the unknowing. You aren't the first
I have corrected nor the last. It isn't about a superiority complex. It is about setting
the record straight since this terminology is so often used and this thread will be read by
many.

Mal (as in bad) is actually Latin. Like in the term malaria which was Italian for Bad Air
which was thought to be the cause of the malady due to swamp gas around Venice. Italian and
French have their roots in Latin.

Since I have been studying computer infectors for almost 2 decades I do my best to inform
and enlighten the unknowing as targeting infectors is a specialty of mine. Your statement
"...running a sweep for viruses is usually a waste of time." is a fallacy. The fact is an
infector can slip through when there are no signatures present on a computer and only a full
scan using the installed AV scanners and alternate AV scanners may detect them. This is
borne out by all the News Group postings I have read and responded to over the years by
those infected requesting assistance. Based upon that fact I have written the Multi AV
Scanning Tool which incorporates the AV scanners of Trend Micro, Sophos, McAfee and
Kaspersky. You would be surprised what one scanner may catch that another scanner may miss.
Hence the tool has four scanners that have been programmed to use Heuristic scanning and to
be very aggressive.
 
Kerry Brown

Leythos said:
Most of us the worked on computers for a living have run across many
compromised computers with many different types of malware.

As people post with compromised machines we direct them to all of the
tools that we know about in an effort to help them regain use of their
machines in a malware free mode, or at least enough access to backup
their documents and files to restore later.

What is really at question is the ability of the current tools we have
to clean 100% of the malware 100% of the time in the current and future
environment for a givem machine at a given instant.

This thread is not personal, about anyone's skills, about any
individual, it's only about cleaning malware off machines to the point
that we could state that 100% of all malware, known and unknown, is
removed from the machine at the moment you finish cleaning it.

Do you feel 100% certain that your tools and skills can clean a
compromised machine, 100% of the time, without any malware, known or
unknow, remaining on the machine - 100% of the time?

Since I don't believe that any one can actually say "YES" without
limitations, then how do we help all of these clueless users ensure
their machines are clean?

We all know that you can wipe/reboot/install from clean disks, in a
clean environment, and the machine will be clean at that moment.

We all know that it takes between 30~90 minutes to restore a machine
from scratch (depending on the method, quicker for ghost images), and
that it's time consuming to get everything back to normal for customers.

We all know that no one wants to wipe/reinstall as it means lots of
extra work.

Now, we also know that removing the malware can take hours in some
cases, most takes less. For some malware you have to boot to the
recovery console and manually remove it.

So, it comes down to this - clean their system enough to save files to
CD/DVD, then wipe it to ensure that the malware is 100% removed and the
system is clean enough to be certified as clean.

While most of us will just clean a machine and reboot it several times,
check the registry, tasks, netstat, etc.... then run the malware removal
tools several times, etc... It just means that we're willing to take the
level of risk for not having to put the time in to ensure that the
system is 100% certified clean, which means we don't really want to
reinstall everything again :)

I know that some will claim they can perfectly clean a machine, but, if
you're really that sure you can clean 100% of malware, 100% of the time,
now and in the future, of known and unknown malware, without a
wipe/reinstall, then I think you're just fooling yourself.

Again, are we assuming that by providing "reactionary" tools and methods
that don't wipe/reinstall, that we're doing visitors to this group (and
others) justice and actually providing them with a 100% clean platform
to continue with?

I leave it up to the customer. An estimate for "cleaning" the system, an
estimate for a clean install, and an estimate for backing up the data, clean
install, restore the data. Around 90% go for the cleanup only even when I
explain the dangers. It is a matter of price and convenience. Most of them
have the original disks for Windows and their programs. In many cases I sold
them to them so I know they have them. They just have no idea where they are
and are too lazy to look for them. I have found that getting a system as
clean as possible and then setting up good security works in most cases. The
only returns are either incredibly gullible people (i.e. they will click on
anything) or they have teenagers they are unwilling to force to use the
security or face consequences.

Kerry
 
Guest

Hello All:

Cleaning up systems has become 75% of my business. Mostly due to
Adware/Spyware/Hijackers. I charge by the hour and if my efforts are
becoming futile after about an hour, I begin to lobby my client for an FFR
Fdisk/Format/Reinstall. The only way to be 100% confident in your work is
that method. Of course you always have the person that as soon as a system
is cleaned up goes right back to downloading filesharing software or visits
porn sites and has a reinfestation a week after the system was completely
clean. This vicious circle is frustrating for the customer but good for
business.

BTW if anyone has a good utility for removing surf side kick it has been a
real pain for me lately and my common tools are no longer effective.
 
Aquafina

Email me at (e-mail address removed) I may have something that works.
Remove the XXX to reply.
 
David H. Lipman

From: "MidwestTech" <[email protected]>

| Hello All:
|
| Cleaning up systems has become 75% of my business. Mostly due to
| Adware/Spyware/Hijackers. I charge by the hour and if my efforts are
| becoming futile after about an hour, I begin to lobby my client for an FFR
| Fdisk/Format/Reinstall. The only way to be 100% confident in your work is
| that method. Of course you always have the person that as soon as a system
| is cleaned up goes right back to downloading filesharing software or visits
| porn sites and has a reinfestation a week after the system was completely
| clean. This vicious circle is frustrating for the customer but good for
| business.
|
| BTW if anyone has a good utility for removing surf side kick it has been a
| reall pain for me lately and my common tools are no longer effective.


You have been responded to by a News group Troll that presently goes by the name "Aquafina"
but is most well known as PCBUTTS1. He is asking you to email him because the chances are
very high that what he has to offer was a stolen piece of code. Any ethical anti malware
responder would provide you the information you need in the News Group thread so all
readers of the thread can benefit.

The following URL provides a set of instructions for removing "surf side kick"
http://labs.paretologic.com/spyware.aspx?remove=SurfSideKick
 
Leythos

Email me at (e-mail address removed) I may have something that works.
Remove the XXX to reply.

Butts (water head) is a troll and hosts files against vendors' permission
- he's been caught stealing other people's code and has resorted to
passwording his site so that people can't see all the files he's stolen
or is hosting improperly.

Nothing he has on his site is his own work, it's all from other vendors,
and can be safely downloaded directly from those vendors.

You should not download software from a hack that changes his nickname
to hide from the respectable people in these groups. Just search for
PCBUTTS1 on google to see what you're getting into with him.
 
Leythos

kerry@kdbNOSPAMsys- said:
I leave it up to the customer. An estimate for "cleaning" the system, an
estimate for a clean install, and an estimate for backing up the data, clean
install, restore the data. Around 90% go for the cleanup only even when I
explain the dangers.

Thanks for the explanation of how you approach it. I give them a little
different choice, mainly in how I explain it:

1) Remove things we can detect with a couple tools and anything we can
find manually. No guarantee that the machine is 100% clean, but it will
be clean of what can be found. Absolutely no certification.

2) Certified as clean and no malware installed - complete rebuild with
the original installation CD's and then updated with the latest service
packs.

3) Remove known/detectable malware, but salvage as much data as
possible, cleaning data as much as possible. Wipe/reinstall OS and
updates and then restore cleaned data. No certification for this one.
It is a matter of price and convenience.

Yep, I agree, if you explain it as though they can "get by" for the less
clean system and can just pay you again when it comes back because the
tools/methods didn't remove it, they start looking at return costs
instead of immediate costs.
[snip] I have found that getting a system as
clean as possible and then setting up good security works in most cases. The
only returns are either incredibly gullible people (i.e they will click on
anything) or they have teenagers they are unwilling to force to use the
security or face consequences.

We do the same, always educate, protect, install at least NAT or a PFW,
and we leave them with a normal User level account with instructions to
not use the Admin account except for QuickBooks or installation of
software.
 
Kerry Brown

Leythos said:
kerry@kdbNOSPAMsys- said:
I leave it up to the customer. An estimate for "cleaning" the system, an
estimate for a clean install, and an estimate for backing up the data, clean
install, restore the data. Around 90% go for the cleanup only even when I
explain the dangers.

Thanks for the explanation of how you approach it. I give them a little
different choice, mainly in how I explain it:

1) Remove things we can detect with a couple tools and anything we can
find manually. No guarantee that the machine is 100% clean, but it will
be clean of what can be found. Absolutely no certification.

2) Certified as clean and no malware installed - complete rebuild with
the original installation CD's and then updated with the latest service
packs.

3) Remove known/detectable malware, but salvage as much data as
possible, cleaning data as much as possible. Wipe/reinstall OS and
updates and then restore cleaned data. No certification for this one.
It is a matter of price and convenience.

Yep, I agree, if you explain it as though they can "get by" for the less
clean system and can just pay you again when it comes back because the
tools/methods didn't remove it, they start looking at return costs
instead of immediate costs.
[snip] I have found that getting a system as
clean as possible and then setting up good security works in most cases. The
only returns are either incredibly gullible people (i.e they will click on
anything) or they have teenagers they are unwilling to force to use the
security or face consequences.

We do the same, always educate, protect, install at least NAT or a PFW,
and we leave them with a normal User level account with instructions to
not use the Admin account except for QuickBooks or installation of
software.

Had to laugh at Quickbooks. It is a pain, QB Pro is even worse. :)

I usually don't bother to set up limited accounts for home users. I find far
too many programs, mostly games, that won't run. Inevitably the next time I
see the computer they are using an administrator account. For business use
it's a different story.

I find the biggest culprit for re-infection is instant messaging and
teenagers. They refuse to believe that someone they have met on the Internet
would purposely try to infect them. They also believe that no one would ever
create a malicious add-on for MSN Messenger. The next biggest culprit is P2P
file sharing. It sometimes takes four or five trips to my shop before they
believe me that Kazaa is not safe.

Kerry
 
David H. Lipman

From: "Kerry Brown" <[email protected]*a*m>


| Had to laugh at Quickbooks. It is a pain, QB Pro is even worse. :)
|
| I usually don't bother to set up limited accounts for home users. I find far
| too many programs, mostly games, that won't run. Inevitably the next time I
| see the computer they are using an administrator account. For business use
| it's a different story.
|
| I find the biggest culprit for re-infection is instant messaging and
| teenagers. They refuse to believe that someone they have met on the Internet
| would purposely try to infect them. They also believe that no one would ever
| create a malicious add-on for MSN Messenger. The next biggest culprit is P2P
| file sharing. It sometimes takes four or five trips to my shop before they
| believe me that Kazaa is not safe.
|
| Kerry
|

While I agree with you on P2P and IM, I think you left out another important infection
vector, the Browser.

There are *so many* malicious web sites out there that install adware/spyware and Downloader
Trojans. Many use HTML and Java based Exploitation code and take advantage of users who
don't keep up with MS Critical Updates. Even with all Critical Updates installed Social
Engineering is being used very well to get unwary, unsavvy, computer users to install the
malware. It is hard to teach Safe Hex to a newbie computer user who is in awe of the
Internet. They click on anything and everything with no thoughts of consequences. I won't
even blame IE.

Below is a McAfee log excerpt using Opera.

C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
D:\temp\jar_cache8079.tmp Exploit-ByteVerify
D:\temp\jar_cache8080.tmp\JAR_CACHE8080.TMP JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G0.jar\OPR000G0.JAR JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify

Below is a McAfee log excerpt using Firefox.

D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-25c202f2-29886f34.zip\LOADERADV669.JAR-25C202F2-29886F34.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-28679adb-596f9d19.zip\JAVA.JAR-28679ADB-596F9D19.ZIP Exploit-ByteVerify
D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile
D:\temp\JavaCache\javapi\v1.0\jar\loaderadv669.jar-26f1a09b-464225cc.zip\LOADERADV669.JAR-26F1A09B-464225CC.ZIP JV/Shinwow
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-29973884-1c19679d.zip\JAVA.JAR-29973884-1C19679D.ZIP Exploit-ByteVerify

I got, "The page cannot be displayed" in IE6 SP1 when going to this malicious site.
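As an added example (my own code, not from the thread, from McAfee, or from any poster's tool), the following Python helper parses scan log lines in the shape quoted above, one file path followed by a detection name, and groups the hits by where they landed on disk, which is what makes the browser and Java plug-in caches stand out as the delivery vector. The sample lines are constructed to mirror the excerpt, and the cache-location patterns are my assumptions drawn from those paths.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the McAfee excerpts quoted above
# (one hit per line: the file path, then the detection name). It reuses
# the detection names from the excerpt but is not a real scan log; the
# last line is a made-up hit outside any browser cache.
SAMPLE_LOG = r"""
C:\Program Files\Opera\profile\cache4\opr000FY.htm Exploit-MhtRedir.gen
D:\temp\jar_cache8079.tmp Exploit-ByteVerify
D:\temp\jar_cache8080.tmp\JAR_CACHE8080.TMP JV/Shinwow
C:\Program Files\Opera\profile\cache4\opr000G1.jar Exploit-ByteVerify
D:\temp\JavaCache\javapi\v1.0\jar\java.jar-28679adb-596f9d19.zip\JAVA.JAR-28679ADB-596F9D19.ZIP Exploit-ByteVerify
D:\temp\IE6\Temporary Internet Files\Content.IE5\FZ4HCZOS\sploit[1].anr Exploit-ANIfile
C:\WINDOWS\system32\placeholder.dll Trojan-Placeholder
"""

# Where a hit landed on disk. The patterns are assumptions drawn from the
# paths in the excerpt (Java plug-in cache, Opera cache, IE temp files).
# Order matters: a .jar sitting in Opera's cache is counted as Opera, not Java.
LOCATION_PATTERNS = [
    ("Java plug-in cache", re.compile(r"\\JavaCache\\|\\jar_cache\d+\.tmp", re.I)),
    ("Opera cache", re.compile(r"\\Opera\\.*\\cache\d*\\", re.I)),
    ("IE cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
]
CACHE_LOCATIONS = {name for name, _ in LOCATION_PATTERNS}


def parse_hits(text):
    """Return [(path, detection), ...] for each 'path detection' line.

    The detection name is the last whitespace-separated token, so paths
    containing spaces ("Program Files") are kept intact. Lines that do
    not look like a Windows path followed by a name are skipped.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2 or "\\" not in parts[0]:
            continue
        hits.append((parts[0], parts[1]))
    return hits


def classify_location(path):
    """Map a path to one of the cache buckets above, else 'elsewhere'."""
    for name, pattern in LOCATION_PATTERNS:
        if pattern.search(path):
            return name
    return "elsewhere"


def summarize(text):
    """Group detections by location: {location: Counter(detection -> n)}."""
    summary = defaultdict(Counter)
    for path, detection in parse_hits(text):
        summary[classify_location(path)][detection] += 1
    return dict(summary)


def vector_report(text):
    """Count hits that sat in a browser or plug-in cache (content pulled
    down by a visited page) versus hits anywhere else on disk, which is
    the stronger sign that something got past the browser and installed."""
    report = {"browser_or_plugin_cache": 0, "elsewhere": 0}
    for path, _ in parse_hits(text):
        if classify_location(path) in CACHE_LOCATIONS:
            report["browser_or_plugin_cache"] += 1
        else:
            report["elsewhere"] += 1
    return report


if __name__ == "__main__":
    for location, counts in summarize(SAMPLE_LOG).items():
        print(f"{location}: {dict(counts)}")
    print(vector_report(SAMPLE_LOG))
```

Run against a real on-demand scan log, the "elsewhere" bucket is the one worth reading line by line, since cache hits only show what was delivered, not what ran.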
 
Aquafina

Stalker, a jealous stalker at that, who has to resort to lies to try to prevent
the user from getting his system fixed. Can you fix it Leythos?
 
Aquafina

With all due respect David, which is very little, at least you offered a
solution. That's much better than Leythos does. However the fix you supplied
does not work.
 
