Do I have TOO MANY antivirus, antispyware, etc

Guest

I used to be internet-free. Now I have been on-line for a little over a year
and I never had any anti-anything. My computer started getting retarded and I
downloaded and installed the EZ anti-everything offered with my ISP. It
seemed to only slow things down and didn't protect me from the Win32/sober
something-or-another that sent me like 300 e-mails a day. So I went to the
store and bought Norton Anti-virus, Webroot's Spy Sweeper, and installed
Microsoft's Anti-spyware. I got rid of about 30 viruses and a trojan dropper
and some ad stuff. Everything was working fine...for about 3 months. Now my
computer is retarded again and I ran the Windows Live Safety Center Scan,
which detected and deleted yet another virus. None of the others found it. I
am so confused. Please tell me what I am doing wrong or what I should do.
Thanks!!!
 
Lanwench [MVP - Exchange]

nursing major needs help said:
I used to be internet-free. Now I have been on-line for a little over
a year and I never had any anti-anything. My computer started getting
retarded and I downloaded and installed the EZ anti-everything
offered with my ISP. It seemed to only slow things down and didn't
protect me from the Win32/sober something-or-another that sent me
like 300 e-mails a day. So I went to the store and bought Norton
Anti-virus, Webroot's Spy Sweeper, and installed Microsoft's
Anti-spyware. I got rid of about 30 viruses and a trojan dropper and
some ad stuff. Everything was working fine...for about 3 months. Now
my computer is retarded again and I ran the Windows Live Safety
Center Scan, which detected and deleted yet another virus. None of
the others found it. I am so confused. Please tell me what I am doing
wrong or what I should do. Thanks!!!

Is your NAV updating itself regularly/automatically? Running in your system
tray? Running regular scheduled scans? Remember, some AV will catch stuff
that others can't, etc. You can also try a free online scan at
http://housecall.antivirus.com (among others).

Is your firewall enabled (or are you behind another firewall)?
Is Windows Update running automatically to download patches?
Got SP2 installed?

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx

You might want to take a look at your computer use habits if you're getting
this stuff repeatedly - and note that a good newsgroup for issues such as
yours is microsoft.public.security.homeusers.
 
Steven L Umbach

Unfortunately viruses pop up so often [several a day or variants] that there
is no single anti virus package that can detect and remove everything, but
most quality applications come close. BUT it is very important that you
update "definitions" for your malware and spyware detection and removal
programs often - maybe even daily for viruses. Most applications can do this
automatically but you can check the date of the last update within the
application. You also should be scanning for malware and spyware while in
Safe Mode which often allows the application to remove malware or spyware
that it cannot in regular startup mode. I use one antivirus program and one
spyware program though if I think I have a problem I will try other spyware
programs and maybe a command line antivirus program such as Sysclean that is
free from Trend Micro. See the link below from Microsoft on the basics of
protecting your computer/network which also has links to great articles for
beginners on viruses and spyware. A firewall is also a must if you are not
using one and you should refrain from browsing the internet with a user
account that is also a local administrator. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC
 
David H. Lipman

From: "nursing major needs help"

| I used to be internet-free. Now I have been on-line for a little over a year
| and I never had any anti-anything. My computer started getting retarded and I
| downloaded and installed the EZ anti-everything offered with my ISP. It
| seemed to only slow things down and didn't protect me from the Win32/sober
| something-or-another that sent me like 300 e-mails a day. So I went to the
| store and bought Norton Anti-virus, Webroot's Spy Sweeper, and installed
| Microsoft's Anti-spyware. I got rid of about 30 viruses and a trojan dropper
| and some ad stuff. Everything was working fine...for about 3 months. Now my
| computer is retarded again and I ran the Windows Live Safety Center Scan,
| which detected and deleted yet another virus. None of the others found it. I
| am so confused. Please tell me what I am doing wrong or what I should do.
| Thanks!!!


There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

If you had asked in an anti virus News Group first you would have been directed to use
Kaspersky or NOD32 where NOD32 is a little lighter on resources than Kaspersky.

You would have NOT been directed to NAV.

In addition, Windows Live Safety Center Scan sucks. It is a Beta and tests show that it has
one of the lowest catch rates of any anti virus in the Industry. You are lucky it caught
what it caught but it is possible that it also missed something !

To back up your installed AV application, I suggest the use of the following tool. It
provides the "On Demand" scanners for; McAfee, Sophos, Trend Micro and Kaspersky. None of
which have to pre-exist on the PC.

Receipt of email laden with viruses will not be stopped by anti virus, it will just
protect you from infection once the signature for that virus is installed. To stop the
receipt of 300 emails created by the Sober worm or other types, use anti spam utilities and
email based rules. Find the common denominator of the email based worm that is different
from normal mail and have the email application spam rule delete the email.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

Thank You to all of you for your advice...
To Lanwench-
My NAV updates auto & runs a complete scan once a day. It has never detected
any spyware or threats on this computer, although it did pick up the sober
worm on my laptop (the 1st day I bought the laptop and installed NAV).
The only firewall I have is whatever my Linksys router provides for my
wireless stuff and the windows firewall. I used to have EZ firewall, but it
accepted all kinds of stuff as trusted things--like adware and BHO's.
(Microsoft anti spyware removed those--no more surf sidekick!). Right now I
am thinking about uninstalling webroot's spysweeper because it is holding
2200 files hostage in quarantine and when I try to restore them (per their
advice) (it thinks it is a root kit masked something) it stops responding and
I get nowhere.
Windows updates itself automatically.
Got SP2.

To Mr. Umbach-
I will try to run spyware in safe mode. I did it once with NAV and Webroot
and never picked up anything. At this point I just am not sure if I should
uninstall what I have now and switch to ONE thing. What do you think?
P.S. How do I browse the internet NOT as the administrator? I use the
internet to download notes from school, check my school email and do research
for different case studies and care plans. OH...and eBay, of course.
Sorry if I am using the inappropriate place for my questions.

To Mr. Lipman-
This is probably true about Windows Live. It took about 2 1/2 hours to scan
my computer and none of them ever take more than 30 or 45 min to do a
complete scan. I have them scan everything.
My e-mails are down to about 3 or 4 a day now. I know my "IP address has
been logged" and "my password" is there and every person in my address book
has a "new address" and "Paris Hilton"....sick of seeing her name. I've never
opened the emails. They get stomped and deleted by somebody.
I can try as you suggest...sounds complicated though. Can't be any harder
than saving a life? right? Thank you for the detailed instructions.
Anything else I should know before I try?

Thanks Again

David H. Lipman said:
From: "nursing major needs help"

| I used to be internet-free. Now I have been on-line for a little over a year
| and I never had any anti-anything. My computer started getting retarded and I
| downloaded and installed the EZ anti-everything offered with my ISP. It
| seemed to only slow things down and didn't protect me from the Win32/sober
| something-or-another that sent me like 300 e-mails a day. So I went to the
| store and bought Norton Anti-virus, Webroot's Spy Sweeper, and installed
| Microsoft's Anti-spyware. I got rid of about 30 viruses and a trojan dropper
| and some ad stuff. Everything was working fine...for about 3 months. Now my
| computer is retarded again and I ran the Windows Live Safety Center Scan,
| which detected and deleted yet another virus. None of the others found it. I
| am so confused. Please tell me what I am doing wrong or what I should do.
| Thanks!!!


There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

If you had asked in an anti virus News Group first you would have been directed to use
Kaspersky or NOD32 where NOD32 is a little lighter on resources than Kaspersky.

You would have NOT been directed to NAV.

In addition, Windows Live Safety Center Scan sucks. It is a Beta and tests show that it has
one of the lowest catch rates of any anti virus in the Industry. You are lucky it caught
what it caught but it is possible that it also missed something !

To back up your installed AV application, I suggest the use of the following tool. It
provides the "On Demand" scanners for; McAfee, Sophos, Trend Micro and Kaspersky. None of
which have to pre-exist on the PC.

Receipt of email laden with viruses will not be stopped by anti virus, it will just
protect you from infection once the signature for that virus is installed. To stop the
receipt of 300 emails created by the Sober worm or other types, use anti spam utilities and
email based rules. Find the common denominator of the email based worm that is different
from normal mail and have the email application spam rule delete the email.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
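Lipman's "common denominator" mail rule, applied to the subject lines the poster reports and to attachments that the message text never names, written out as an added example; it is not code from anyone in this thread. The sample messages are constructed, not captured worm mail, and the regular expression and extension list are assumptions for the demonstration.

```python
"""Prototype of the mail-client rule suggested in the thread: flag mass-mailer
worm mail by the traits that set it apart from normal mail, so the client can
delete it before anyone opens the attachment. Standard library only."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject phrases the poster reports seeing (generic bait reused across the
# worm's mails; a real correspondent rarely writes subjects like these).
WORM_SUBJECT_RE = re.compile(
    r"ip address has been logged|your password|new (?:e-?mail )?address|paris hilton",
    re.IGNORECASE,
)
# Attachment types a mass mailer uses to get its code executed (assumed list).
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def risky_attachments(msg):
    """Names of attachments whose extension means runnable code (or a zip of it)."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            names.append(name)
    return names


def classify(raw_bytes):
    """Return ('worm' | 'ok', reasons). 'worm' is what the delete rule acts on."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))
    if WORM_SUBJECT_RE.search(subject):
        reasons.append(f"worm-style subject: {subject!r}")
    attachments = risky_attachments(msg)
    if attachments:
        # Legitimate mail names the file it carries; a worm's boilerplate text
        # never mentions the file it drops in, so an unnamed executable is suspect.
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content().lower() if body is not None else ""
        unreferenced = [a for a in attachments if a.rsplit(".", 1)[0] not in text]
        if unreferenced:
            reasons.append(f"executable attachment the text never mentions: {unreferenced}")
    return ("worm" if reasons else "ok"), reasons


def _build(subject, text, attachment=None):
    """Construct a sample message (made up for this example, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "student@example.test"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


SAMPLES = {
    "worm_logged": _build("Your IP address has been logged",
                          "See the attached file.", ("details.zip", b"PK-constructed")),
    "worm_paris": _build("Paris Hilton", "Look at this!", ("video.exe", b"MZ-constructed")),
    "worm_quiet_subject": _build("Hi", "Check this out.", ("photo.scr", b"MZ-constructed")),
    "friend_doc": _build("Care plan draft",
                         "Hi, my care plan draft is attached as careplan.doc.",
                         ("careplan.doc", b"constructed")),
    "named_exe": _build("Lab simulator",
                        "The simulator labsim.exe you asked for is attached.",
                        ("labsim.exe", b"MZ-constructed")),
    "plain": _build("Lunch tomorrow?", "Are you free at noon?"),
}


def run_rules():
    """Apply the rule to every sample; returns {name: verdict}."""
    return {name: classify(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, why = classify(raw)
        print(f"{name:20s} {verdict:5s} {'; '.join(why)}")
```

The same two tests (subject pattern, unnamed executable attachment) translate directly into a mail client's rule conditions; the point is that the rule deletes mail the worm sends, which no antivirus signature will prevent from arriving.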
 
cquirke (MVP Windows shell/user)

On Mon, 9 Jan 2006 01:41:02 -0800, nursing major needs help
I used to be internet-free. Now I have been on-line for a little over a year
and I never had any anti-anything. My computer started getting retarded and I
downloaded and installed the EZ anti-everything offered with my ISP. It
seemed to only slow things down and didn't protect me from the Win32/sober
something-or-another that sent me like 300 e-mails a day. So I went to the
store and bought Norton Anti-virus, Webroot's Spy Sweeper, and installed
Microsoft's Anti-spyware. I got rid of about 30 viruses and a trojan dropper
and some ad stuff. Everything was working fine...for about 3 months. Now my
computer is retarded again and I ran the Windows Live Safety Center Scan,
which detected and deleted yet another virus. None of the others found it. I
am so confused. Please tell me what I am doing wrong or what I should do.

Your problems are:

1) You never formally cleaned up your system after finally getting av

2) You are relying on av (antivirus) to keep you safe


On (1); you are pretty much doomed as soon as you take a
standard-install Windows XP system online without any firewall or
antivirus, if the Service Pack level of XP is older than SP2.

A "Service Pack" is basically a vast collection of bugfixes, almost
constituting a re-write of the Operating System (OS), and Windows XP
have had two of these to date.

So once you wised up, you needed to first formally scan for and remove
all active malware. You didn't do this; what you did was install
various antivirus (av) from the infected OS and hope these would be
able to sort things out. This sometimes works, but personally I
wouldn't expect it to, and would be unsurprised when it doesn't.

Once malware infects the system, it generally runs as soon as the
system does. So it is in a position to disable antivirus and other
defence apps, foil attempts to update these, and so on.

To tackle malware that is already on the system, you should scan and
remove these while the infected OS is not running. This should be as
easy to do today as it was in the DOS days of booting a diskette and
then running an av on another diskette, but it isn't, because MS does
not provide the tools from which an av can be formally run.

Fortunately, someone else does - in the form of Bart PE - but it's a
bit of a mission setting this up, and a bigger mission setting up your
av tools etc. to work from it. Probably best to find a tech with a
clue about such matters (if you hear "just re-install Windows", then
spit out the frog bones and keep looking!).


On (2), your firewall is the first defense, and your antivirus is the
"goalie of last resort". Between these, should range your other
defenses; patches to repair the endless stream of software defects,
risk management to avoid some stupid risks the OS may take "for you",
a smarter choice of edge-facing applications, and "safe hex", i.e. the
skill to know what constitutes hi-risk and to avoid such things.

If the av unexpectedly pops up saying it "caught" something, don't
feel happy your av is working. Feel worried that some malware got
close enough to take a shot, and relieved that the av caught it...
this time. NO av will ever catch everything, so the fact that the av
caught something now, implies it may have already missed other stuff!

The reasons an av will not catch everything, are:

a) Some malware are not considered "viruses"

"If it's not a 'virus', then it's not our problem", is the attitude of
the traditional av vendor. Such non-viral malware may include bots
that may be dropped from hostile web sites etc. be spammed to you via
email, or enter the system as downloaded "media" files via Kazaa and
similar file sharing applications. In particular, commercial malware
("spyware") is very likely to be missed by av, although some av have
recently developed pretensions and ambitions in this regard.

b) Malware may be too new to be detected

More to the point; a malware that did not exist at the time you last
updated the av, is VERY likely to be missed by av. As malware can go
global within a few minutes, and as av vendors need time to get
samples, assess these, and then code, test and distribute a fix, it
will always lag behind the latest malware.

MS's whole approach is to avoid getting malware in the first place.
They advise the following approach:
- patch defects in the OS, etc. (Windows Update)
- enable the built-in firewall, or install an add-on firewall
- install an av and KEEP IT UP TO DATE

That's all well and good, but it isn't really enough because you still
need to be smart enough not to take dumb risks, and you also need to
ensure the OS isn't taking dumb risks on your behalf.

Massively and less massively dumb risks include...

Using any pre-SP2 version of Windows XP as-is

Out of the box, the original Windows XP and XP SP1 will be attacked
and infected or crashed within minutes of connecting to the Internet,
without you doing anything at all. This is because:
- XP is designed to be a "network client"
- as such, it waves services such as LSASS and RPC at the 'net
- both these were defective before SP2, allowing immediate attack
- XP has a firewall, but it was turned OFF by duuhfault before SP2

Connecting to the Internet without a firewall

See above. XP has a very competent firewall, but it doesn't work if
it is not enabled. It is enabled by default (i.e. without you having
to scratch around in network properties, Advanced etc. to turn it on)
in XP SP2, and SP2 also has the RPC and LSASS defects fixed. With
earlier SP1 and original XP "Gold", you have to download and apply
patches for these defects, and without a firewall on, you haven't a
hope of getting that right before being attacked.

Having File and Print Sharing (F&PS) bound to the Internet

File and Print Sharing allows any shared resource to be accessed via
the network it is bound to. You do NOT want to bind this to the
Internet, but certain configurations are likely to do this. The
firewall can be used to block this unwanted functionality.

Full-sharing the whole hard drive

If you share (allow network access to) certain locations, then malware
can simply drop itself into place in such a way that the next time
Windows starts, it will run the malware automatically. Yet Windows XP
uses hidden admin shares that do exactly this in XP Pro, and these may
be exposed if you use a non-blank account password. You may have no
wish to bother with a password at all, and may use a weak one just to
keep Tasks running. Any weak password (say, under 15 characters,
containing guessable words, etc.) can be brute-forced quite quickly.

Clicking on every piece of junk that is sent to you

It doesn't matter if it's "from someone you know" - if the message
text is non-specific and makes no specific reference to all attached
files, you should assume they are malware, sent by a malware running
on the sender's PC that acted outside that user's intent.

Clicking on stuff without knowing what it will do

In the old DOS days, "data" was safe to "view" (read) while "programs"
or "code" were not safe to run. You would look at the file name
extension, and if it was .EXE, .COM or .BAT, you would NOT run the
file because you'd know it was code. Today, there are so many file
types it is hard to know which are data and which are code, and due to
design and code defects, "data" files can get to run as code.
Nevertheless you should attempt to become familiar with file types, so
that you know what "opening" a file can do in terms of risk.

Hiding file name extensions

This is a duuuhfault setting you have to manually change in Windows,
so that you can see the file name extensions mentioned above. Else
you have NO idea what will happen if you were to "open" a file - the
word "open" tells you absolutely NOTHING about the risk level!

Connecting to broadband without a router

A "router" is a device that hides your PC's address from the Internet,
so that you are less likely to be attacked directly. If on ADSL, you
want an ADSL router - not some half-assed USB "ADSL modem".

Running without a resident antivirus

Because it's so difficult to know what level of risk files pose to the
system, plus there's a risk the system will automatically take risks
"for you", it's become mandatory for all but the geekiest of us to run
a resident av (antivirus) underfoot.

Failing to keep your antivirus up to date

It doesn't matter what av you use, and personally "Norton" would be my
last choice. Rather use one of several free av, such as AVG, Avast or
AntiVir, and crucially keep it up to date (daily updates at least).

Failing to keep your edge-facing software updated

Software that faces the edge includes Windows and the Internet
Explorer and Outlook Express components bound into this. The easiest
way to keep this updated is via Windows Update, preferably via the
Automatic Update facility - but first, you must be firewalled!

If you use Firefox instead of Internet Explorer, then that has to be
kept updated as well (note; "as well", not "instead of" keeping
Windows and IE updated!). Firefox is easy to update; it's small, and
you just download and install the new versions as they are released,
which used to happen once a month - same as Windows itself.

If you use Sun Java, then that must be updated as well, and there's a
wrinkle; you have to first manually uninstall the old version of Sun's
JRE (Java Runtime Engine) via Add/Remove Programs before installing
the new bug-fixed version. If you don't have Java, don't get it :)

Other edge-facing software include email apps, media players such as
Winamp, archivers such as WinZip and WinRar, file viewers such as
Adobe (Acrobat) Reader, etc. There have been recent defects in Adobe
Reader, and WinAmp gets up-versioned quite often too.

If this all sounds like a PITA, well... it is. Most folks lose the
battle and get malware'd to some extent, but the more careful and
clueful you are, the better will be your mileage.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 
Steven L Umbach

Running in Safe Mode is always recommended if you believe you have
malware/spyware as many times that is the only way they can be removed. I
would suggest that you have only one antivirus program installed that
automatically keeps itself current with updates and does scheduled full
system scans at least weekly, but it is fine to have two or more
spyware detection and removal programs particularly if they are not using
resources on your computer all the time. For instance I use AdAware SE and
it does nothing until I start it. Others such as Microsoft AntiSpyware can
be configured to always monitor your computer and it is up to the individual
user if they want or need that or not. Your antivirus program should be
configured to monitor the computer all the time and also scan all emails and
software you download.

You can and should create a regular [may also be called limited] user
account to logon to that you use for internet browsing and for any time that
you do not need administrator powers such as for installing applications.
The problem is that a lot of malware needs you to be logged on as an
administrator to be installed because they write to the \windows folder, etc
and you therefore can reduce the threat of malware infection if you are not
browsing the internet as an administrator. You should also give your built-in
administrator account a hard to guess password and write it down and store
it in a couple safe places and use hard to guess passwords for any user
account that is also an administrator. You can use Control Panel/user
accounts to change user accounts or create user accounts in XP Home and XP
Pro and also use lusrmgr.msc in XP Pro. --- Steve
 
Guest

Thanks to all of you. The info is very helpful. I will try and let you know
how it goes.
 
cquirke (MVP Windows shell/user)

On Mon, 9 Jan 2006 19:39:52 -0600, "Steven L Umbach"
Running in Safe Mode is always recommended if you believe you have
malware/spyware as many times that is the only way they can be removed.

I'd put it a little more pessimistically than that; some malware can't
be safely and/or effectively tackled in Safe Mode, even Safe Mode
Command Only. The reason is because while Safe Mode suppresses some
integration points, and Safe Command Only some more, neither
suppresses ALL such intrusion points. Plus, you're running the same
code base, so if the code base itself is infected, so is "Safe".
I would suggest that you have only one antivirus program installed that
automatically keeps itself current with updates
Agreed

and does scheduled full system scans at least weekly

Nah, that's just kicking sand in the malware's face and just asking
for a strikeback. If the av missed the malware and allowed it to go
resident, it's not that likely to catch and kill it later - even if it
has been subsequently updated. Most likely the malware will kill the
av and/or its updatability as soon as it goes active.

I do scheduled scans, but only of a subtree through which incoming
material is routed, before that material goes active. This strategy
works best if you avoid apps that hide incoming content, as most email
apps do (they hide attachments in mailboxes - Eudora is one that does
not). I don't try scanning "the whole system" from Windows, though.

I may prefer to use a different av, or a tier of such av, for this
"on-demand" scheduled scan, as that meshes better than using the same
av for everything. Else the only advantage the on-demand scan would
have, is a possibly more up-to-date signature database than the av had
at the time the malware first arrived and was created as a file.
but it is fine to have two or more spyware detection and removal
programs particularly if they are not using resources on your computer
all the time. I use AdAware SE and it does nothing until I start it.

That's what I mean by "on-demand" vs. "resident" or "on-access".
You can and should create a regular [may also be called limited] user
account to logon to that you use for internet browsing and for any time that
you do not need administrator powers such as for installing applications.

I haven't been a big fan of that, myself. I prefer to avoid the
perils of NTFS, and I don't have much faith in band-aids such as
account rights - especially if limiting these rights also destroys
other possibly more effective controls. Given a choice between a
limited account that hides file name extensions and "hidden" files,
and an admin account that doesn't lie to me, I'd pick the latter.

If you do a lot of malware clean-up, and especially if you offer this
as a paid-for service, then you really should get into formal scanning
tools such as Bart CDR-booted scanning - instead of hoping the malware
you are chasing is too stupid to integrate into Safe Mode and is
non-malicious enough not to defend itself against removal.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 
David H. Lipman

From: "cquirke (MVP Windows shell/user)"

| On Mon, 9 Jan 2006 19:39:52 -0600, "Steven L Umbach"
||
| I'd put it a little more pessimistically than that; some malware can't
| be safely and/or effectively tackled in Safe Mode, even Safe Mode
| Command Only. The reason is because while Safe Mode suppresses some
| integration points, and Safe Command Only some more, neither
| suppresses ALL such intrusion points. Plus, you're running the same
| code base, so if the code base itself is infected, so is "Safe".
|

Those that make it difficult will load in safe mode via the following Registry entries...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

The Backdoor.Haxdoor Trojan does this such as...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpx64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpe64.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpx64.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpe64.sys


Luckily only a small percentage of malware take advantage of the above.
 
Steven L Umbach

Thanks for the comments but my advice was meant for a novice or average
computer user which I believe the original poster to be and meant to be kept
somewhat simple, effective, and understandable. -- Steve


cquirke (MVP Windows shell/user) said:
On Mon, 9 Jan 2006 19:39:52 -0600, "Steven L Umbach"
Running in Safe Mode is always recommended if you believe you have
malware/spyware as many times that is the only way they can be removed.

I'd put it a little more pessimistically than that; some malware can't
be safely and/or effectively tackled in Safe Mode, even Safe Mode
Command Only. The reason is because while Safe Mode suppresses some
integration points, and Safe Command Only some more, neither
suppresses ALL such intrusion points. Plus, you're running the same
code base, so if the code base itself is infected, so is "Safe".
I would suggest that you have only one antivirus program installed that
automatically keeps itself current with updates
Agreed

and does scheduled full system scans at least weekly

Nah, that's just kicking sand in the malware's face and just asking
for a strikeback. If the av missed the malware and allowed it to go
resident, it's not that likely to catch and kill it later - even if it
has been subsequently updated. Most likely the malware will kill the
av and/or its updatability as soon as it goes active.

I do scheduled scans, but only of a subtree through which incoming
material is routed, before that material goes active. This strategy
works best if you avoid apps that hide incoming content, as most email
apps do (they hide attachments in mailboxes - Eudora is one that does
not). I don't try scanning "the whole system" from Windows, though.

I may prefer to use a different av, or a tier of such av, for this
"on-demand" scheduled scan, as that meshes better than using the same
av for everything. Else the only advantage the on-demand scan would
have, is a possibly more up-to-date signature database than the av had
at the time the malware first arrived and was created as a file.
but it is fine to have two or more spyware detection and removal
programs particularly if they are not using resources on your computer
all the time. I use AdAware SE and it does nothing until I start it.

That's what I mean by "on-demand" vs. "resident" or "on-access".
You can and should create a regular [may also be called limited] user
account to logon to that you use for internet browsing and for any time that
you do not need administrator powers such as for installing applications.

I haven't been a big fan of that, myself. I prefer to avoid the
perils of NTFS, and I don't have much faith in band-aids such as
account rights - especially if limiting these rights also destroys
other possibly more effective controls. Given a choice between a
limited account that hides file name extensions and "hidden" files,
and an admin account that doesn't lie to me, I'd pick the latter.

If you do a lot of malware clean-up, and especially if you offer this
as a paid-for service, then you really should get into formal scanning
tools such as Bart CDR-booted scanning - instead of hoping the malware
you are chasing is too stupid to integrate into Safe Mode and is
non-malicious enough not to defend itself against removal.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
 
G

Guest

I think all of yall's advice is wonderful. I've printed out the info and it
looks like it may take me a while to sort it all out. I thought my NAV
updated itself automatically, but I don't think it is. I think it thinks it
does, however.
I am a novice user when it comes to all this IT stuff, but as a trained
professional, I am quite experienced in critical thinking and easily
trainable.
Some of your comments I understand, some I don't. I will have to take in a
deep breath and do one thing at a time. I do realize, however, there is
definitely a problem in my computer.
I am open to any suggestions, and take each one in, as you all know much
more than I.
I can't begin to thank you all enough, again.

Steven L Umbach said:
Thanks for the comments but my advice was meant for a novice or average
computer user which I believe the original poster to be and meant to be kept
somewhat simple, effective, and understandable. -- Steve


cquirke (MVP Windows shell/user) said:
On Mon, 9 Jan 2006 19:39:52 -0600, "Steven L Umbach"
Running in Safe Mode is always recommended if you believe you have
malware/spyware as many times that is the only way they can be removed.

I'd put it a little more pessimistically than that; some malware can't
be safely and/or effectively tackled in Safe Mode, even Safe Mode
Command Only. The reason is because while Safe Mode suppresses some
integration points, and Safe Command Only some more, neither
suppresses ALL such intrusion points. Plus, you're running the same
code base, so if the code base itself is infected, so is "Safe".
 
G

Guest

P.S. I have about 50 processes running when I look at task manager. Is it
time for me to call the GEEK SQUAD and just trust those teeny-boppers to fix
my stuff? :)

 
S

Steven L Umbach

That may or may not be a problem. It is not unusual to see a lot of
processes running on your computer. What may help is to download Process
Explorer from SysInternals, which can help you better determine what the
processes are, also showing the publisher name for the executable that the
process uses, which can help you figure out what is going on. If a process
that maps to an executable has no publisher name associated with it, that
should raise a red flag but does not always mean it is malware or spyware.
You can also use Task Manager/Performance to see how much CPU percent
and memory is being used by your computer. CPU use can spike up to 100
percent but normally should not stay there, and you like to see a good amount
of available physical memory. I would not worry about the number of
processes if your computer appears to be clean and performs well.

http://www.sysinternals.com/Utilities/ProcessExplorer.html --- Process
Explorer

What I do see however on users' computers is that they have a boatload of
startup programs, which can be a cause of numerous running processes and may
lead to sluggish performance. It seems like most applications want to keep
something running on your computer whether you are using the program or not,
but you should be able to configure the application to not run anything at
startup. You can use Autoruns from SysInternals to see all your startup
programs and services, but pay special attention to the Logon tab, and you can
disable a program from starting there if you want to try such. You could
take your computer to those teeny boppers, but my guess is they just scan for
spyware and viruses, which you can do yourself. If you feel that you need to
have your operating system reinstalled to a pristine state, you may want to
take it to someone who knows what they are doing if you do not feel
comfortable doing it yourself, but we could point you to some links on how to
do that also. --- Steve

http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns

 
C

cquirke (MVP Windows shell/user)

From: "cquirke (MVP Windows shell/user)"
| I'd put it a little more pessimistically than that; some malware can't
| be safely and/or effectively tackled in Safe Mode, even Safe Mode
| Command Only. The reason is because while Safe Mode suppresses some
| integration points, and Safe Command Only some more, neither
| suppresses ALL such intrusion points. Plus, you're running the same
| code base, so if the code base itself is infected, so is "Safe".
Those that make it difficult will load in safe mode via the following Registry entries...

Thanks - though those aren't the only ways...
- HKCR, both system- and user-wide
- traditional HKLM...Run or HKU...Run preceded with *
- "device drivers" and "services"
- screen saver (think long unattended scans)
- other shell integrations
- filespec "companions"
- intrafile infection
- internal surface exploits
...you can prolly think of others. In fact, "Safe" only really
suppresses (most of) the most obvious parts of the system's
integration opportunities, i.e. startup axis that MSConfig shows you.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
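Two checks keep coming up in this thread: Steven's advice to look at the publisher of every running executable and every logon startup entry (what Process Explorer and the Autoruns Logon tab show), and cquirke's list of places that Safe Mode does not suppress (asterisk-prefixed Run entries, services and drivers, the screen saver). Both can be done read-only from PowerShell. The script below is an added example written for this page, not code from either poster or from Sysinternals; the function names are its own, it assumes Windows PowerShell 5.1 or later on Windows run from an elevated prompt so HKLM and the service keys are readable, and it only reads, it never disables anything.

```powershell
# Added example for this thread (not the posters' or Sysinternals' code).
# Read-only audit in the spirit of Process Explorer and Autoruns: list running
# images and common autostart points, resolve each to a file on disk and
# report its Authenticode publisher. Assumes Windows PowerShell 5.1+ on
# Windows, run elevated so HKLM and service keys are readable. Function
# names are the example's own.

function Resolve-ImagePath {
    # Turn a command line as stored in the registry into an on-disk path.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $s = $s.TrimStart('*')                              # asterisk prefix, reported separately
    $s = $s -replace '^\\\?\?\\', ''                    # \??\C:\x      -> C:\x
    $s = $s -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\x -> C:\WINDOWS\x
    if ($s -match '^"([^"]+)"') {
        $path = $Matches[1]
    } else {
        # Unquoted: the image ends at the first space, unless that is not a
        # file and the path merely contains spaces (unquoted Program Files).
        $parts = $s -split '\s+'
        $path = $parts[0]
        for ($i = 1; $i -lt $parts.Count -and -not (Test-Path -LiteralPath $path -PathType Leaf); $i++) {
            $path = "$path $($parts[$i])"
        }
    }
    if ($path -notmatch '^[A-Za-z]:\\') {               # system32\drivers\x.sys
        $path = Join-Path $env:SystemRoot $path
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) { return $path }
    return $null
}

function Get-ImagePublisher {
    # Authenticode status plus signer subject; a missing file is its own status.
    param([string]$Path)
    if (-not $Path) { return [pscustomobject]@{ Status = 'NoFile'; Publisher = $null } }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $publisher = $null
    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Publisher = $publisher }
}

function New-AuditRow {
    param($Source, $Name, $CommandLine)
    $path = Resolve-ImagePath $CommandLine
    $sig  = Get-ImagePublisher $path
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Image        = $path
        SigStatus    = $sig.Status
        Publisher    = $sig.Publisher
        SafeModeStar = [bool]($CommandLine -and $CommandLine.TrimStart().StartsWith('*'))
    }
}

function Get-AutostartAudit {
    $rows = [System.Collections.Generic.List[object]]::new()
    # 1. Running processes: Process Explorer's "Company Name" / "Verified Signer" columns.
    foreach ($p in Get-Process | Where-Object Path) {
        $rows.Add((New-AuditRow 'Process' $p.ProcessName ('"' + $p.Path + '"')))
    }
    # 2. Run / RunOnce for machine and current user: the Autoruns Logon tab. A value
    #    whose data starts with '*' is the asterisk-prefixed form cquirke mentions.
    $base = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($k in "HKLM:\$base\Run", "HKLM:\$base\RunOnce", "HKCU:\$base\Run", "HKCU:\$base\RunOnce") {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item $k
        foreach ($n in $key.GetValueNames()) {
            $rows.Add((New-AuditRow $k $n ([string]$key.GetValue($n, '', 'DoNotExpandEnvironmentNames'))))
        }
    }
    # 3. Screen saver: starts on its own during a long unattended scan.
    $scr = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
    if ($scr) { $rows.Add((New-AuditRow 'ScreenSaver' 'SCRNSAVE.EXE' $scr)) }
    # 4. Services and drivers: ImagePath straight from the registry.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $ip = $svc.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if ($ip) { $rows.Add((New-AuditRow 'Service' $svc.PSChildName ([string]$ip))) }
    }
    return $rows
}

# Usage: show only what Steven says should raise a flag (no valid publisher)
# plus the asterisk-prefixed Run entries; each row is a lead to check, not a verdict.
Get-AutostartAudit |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.SafeModeStar } |
    Sort-Object Source, Name |
    Format-Table Source, Name, SigStatus, Publisher, SafeModeStar, Image -AutoSize
```

A row with SigStatus NotSigned and an empty Publisher is exactly the "no publisher name" case Steven describes: worth looking up, not proof of malware, since plenty of legitimate older software shipped unsigned. A NoFile row means the registry points at an image that no longer exists, which is common after a half-finished uninstall or cleanup. Nothing here replaces a boot-from-clean-media scan for the case cquirke raises, where the running code base itself cannot be trusted.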
 
C

cquirke (MVP Windows shell/user)

On Wed, 11 Jan 2006 22:18:59 -0600, "Steven L Umbach"
Thanks for the comments but my advice was meant for a novice or average
computer user which I believe the original poster to be and meant to be kept
somewhat simple, effective, and understandable.

You can't tailor the problem to the capabilities of the victim. Just
because a combination of (missing) MS tools and limited user skills
means only certain fairly weak approaches can be used, doesn't mean
that the malware you are after will only use weak methods.

Skip the "tuff stuff" by all means, but let it be known your advice
may not be effective and to post back if results suggest it didn't
work. I'd rather give tough-but-complete advice (so reader knows the
size of the story and can ask about what they realize they don't
understand) than give easy-but-partial advice (so reader doesn't look
further because they understand all they read, and think "that's it").

Strokes/folks, but...


-------------------- ----- ---- --- -- - - - -
Reality is that which, when you stop believing
in it, does not go away (PKD)
 
J

jo_jo_jail

I was following this post with a bit of interest... that is until the
computer savvy started giving advice!!!

I'm fairly computer savvy when it comes to certain things. I'm ok with
fixing driver issues, updating drivers, maintaining my computer
(defragging every once in a while), running adaware, etc.

But this is absolutely freaking ridiculous!! I have to use the
internet occasionally at work for research. We have firewalls and
virus scan by McAfee and we all STILL get spyware.

Initial kneejerk reaction every time my computer locks up or is
disconnected from the server due to spyware:
1) People writing this garbage should be shot in the head.
2) Their bodies should be burned at stake.
3) The remaining pieces should be displayed on television for all to
see.

Spyware ALONE is the sole reason my computer freezes almost daily.
Once I run adaware, my computer does not lock up, Outlook functions
normally (instead of freezing), and everything is peachy once again.

This is vandalism, theft, and sometimes wanton destruction of someone
else's property. Not only that, there's very little way for normal
guys like me to track these idiots down, because I would call and
harass the hell out of them.

This is such a no brainer that congress needs to pass some laws with
some harsh penalties. Class action suits do NOTHING.

I thought about starting a web site to sell my computer's processing
power for $5/ms + an additional $0.30/byte of information they track,
then sending invoices to the companies that install the tracking
spyware on my computer. When they don't pay, I sue. Would probably be
a complete waste of time.

Congress is asleep at the freaking wheel on this one, and it's just
wrong.




 
D

David H. Lipman

From: <[email protected]>

If you practice Safe Hex and take the right precautions, you won't get infected at all!
 
G

Guest

Still having problems, did everything suggested. The only remaining problem
now (I think) has to do with MS Works and Word (I know this is on another
site.)
In the interest of all, or anyone who is interested, XP PRO with Frontpage,
tried uninstall, reinstall, updated with MS, detect and repair, unchecked the
NAV box that deals with Word....
It takes over a minute to load and about that long to close.
Every time I open word, recovery wants me to save the files that it
"recovered".
Getting frustrated, thinking about buying a new computer.
Thanks for all the help, guys.
 
D

David H. Lipman

From: "nursing major needs help" <[email protected]>


If you want to waste money -- go ahead. You don't buy a new car because you have a flat
tire.

In your case, a clean install of the OS and applications would make things better. The OS
is the tire that needs to be fixed.

That's an oversimplification but I think it is demonstrative of the situation at hand.
 
