(Scumware) Should we trust Cleaners or not?

Discussion in 'Bloody Computers' started by NotmeChief, Jan 20, 2008.


  1. We have all been infested with malware and all have at least some Adware present on our computers at this very moment. There are a lot of programs available for download to clean these up and to increase the speed of our PCs, some are free and some cost money.

    Which ones are genuine and which ones not?

    I would never recommend those that do a scan for free and then charge to download the cleaner. These invariably give false positives when the scan is done telling you that you have umpteen viruses and worms and countless other nasties. These positives are part of the program with the intention to harass and frighten and to coerce you into paying for the cleaning download. Never trust them.


    You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it (a rootkit).

    If you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system.
    For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.


    For those using Windows, ensure that automatic updates are enabled, or if you don't want that, then make sure you visit the Microsoft Update site often. Microsoft issues a vulnerability remover every first Thursday of the month; use it before you get a problem.

    You can’t clean a compromised system by using some “vulnerability remover.” Let’s say you had a system hit by Blaster. A number of vendors published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn’t. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn’t think so.

    You can’t clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.

    You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

    You can’t clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.

    You can’t trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.

    The only guaranteed way to clean a compromised system is to flatten and rebuild. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

    If you use your PC for banking, business, important things and surfing, then you are vulnerable. You should never use a business PC for general surfing; buy another one for that.

    For the rest of us, just ensure you have taken precautions, (not condoms), and update what we have installed regularly.

    Who to trust.

    Only trust programs from recognised vendors and coders or as recommended by well known and recognised computer magazines.

    A few very trusted names for antivirus to remember are:

    Aladdin Knowledge Systems
    Alwil Software
    Authentium Inc
    Computer Associates International Inc
    Dr Web Ltd
    FRISK Software International
    F-Secure Corp
    GFI Software Ltd
    HAURI Inc
    Kaspersky Lab
    McAfee Inc
    Microsoft Corporation
    MicroWorld Technologies Inc
    Panda Software
    Proland Software
    Sybari Software Inc
    Trend Micro Inc

    For malware.

    Internet Security - Kaspersky
    Lavasoft - Adaware
    Safer Networking - Spybot Search & Destroy.

    This list is not exhaustive.

    There is one thing to bear in mind if you are contemplating Symantec Norton.

    Norton contains 'Spyware' and Spybot search and destroy will pick this up.

    Symantec advise the removal of Spybot for this very reason and to hide the fact that Norton contains spyware.

    Do Not Remove Spybot, or at least install it again after installing Norton.


    Linux has vulnerabilities just like Windows; these may be different vulnerabilities, but they are there all the same.

    The advantage at present with Linux is its low take-up, so it is not newsworthy or profitable to attack it. There are attacks frequently though, so just be aware of that.
    It is becoming more popular and some big businesses are taking it up, especially for servers, so it will come under attack more often as it gains in popularity.
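    The post above says a rootkit can make the running system lie about which files exist. One defender's check for that lie is a cross-view comparison: list and hash the disk from the live system, then again from outside it (booted from clean external media with the disk mounted read-only), and look at what differs. This is an added example, not code from the thread; the two listings below are constructed sample data with placeholder hashes, and `hash_tree` is a hypothetical helper for producing a real view from a mounted volume.

    ```python
    """Cross-view check: what the running system reports versus an offline
    view of the same disk. A rootkit that filters the live system's answers
    cannot filter the offline view, so entries that differ between the two
    are the first place to look. Added example; not from the original post."""
    import hashlib
    import os


    def hash_tree(root):
        """Return {relative_path: sha256} for every regular file under root.
        Run once from the live system and once from external media against
        the same mounted volume to produce the two views."""
        view = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
                view[os.path.relpath(full, root)] = digest.hexdigest()
        return view


    def compare_views(live, offline):
        """Classify discrepancies between the live view and the offline view."""
        hidden = sorted(set(offline) - set(live))    # on disk, not reported live
        phantom = sorted(set(live) - set(offline))   # reported live, not on disk
        modified = sorted(p for p in set(live) & set(offline)
                          if live[p] != offline[p])  # reported content differs
        return {"hidden": hidden, "phantom": phantom, "modified": modified}


    # Constructed sample views (placeholder hashes, not real digests): the live
    # system omits one driver file and reports a different hash for svchost.exe.
    LIVE_VIEW = {
        "Windows/System32/svchost.exe": "aaaa1111",
        "Windows/System32/drivers/tcpip.sys": "bbbb2222",
    }
    OFFLINE_VIEW = {
        "Windows/System32/svchost.exe": "ffff9999",
        "Windows/System32/drivers/tcpip.sys": "bbbb2222",
        "Windows/System32/drivers/example-hidden.sys": "cccc3333",
    }

    if __name__ == "__main__":
        for kind, paths in compare_views(LIVE_VIEW, OFFLINE_VIEW).items():
            print(f"{kind}: {paths}")
    ```

    A clean result (all three lists empty) only shows the two views agree, which is weaker than proof the system is clean; a non-empty result is a reason to flatten and rebuild rather than to keep cleaning.
    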

  2. Just like to add to this very informative post.

    For those that like to download everything, or if you are unsure whether it's legit or not, compare it to this website's listings:

    Dodgy Programs
  3. Very good post NmC, let's keep it topped up with good info for all to see :) As a Sticky
  4. Excellent advice, but may I add a couple of points?
    1. You can clean a system using a virus scanner, you just have to do it from outside the system, as many of the worst trojans will run a hidden process which suppresses the installed anti-virus. An external command line scanner (such as Clam AV) will usually clean them out.
    2. A good process viewer (I use Daphne) will show hidden processes and allow you to kill them, which often re-enables the installed anti-virus software.
    3. There is a resurgence of boot sector viruses which will linger in the boot block to come back after a reinstall. Most BIOS setup programs have the option to make the CMOS write-only; it is sensible to do this. Reformatting will not necessarily get rid of one of these, as a normal reformat does not reset the master boot record, only the partition table. Running Fdisk /MBR usually does the trick.
    4. Always back up data you want to keep. I prefer to use a separate partition to keep data on, but still back it up anyway. Data recovery is expensive.
    5. Remember, if you've found a virus, scan again, there will almost invariably be another one hiding under the first one, and another and another.
    6. A good packet sniffer (I use Ethereal) can tell you if you're compromised by recording all the outgoing and incoming connections from your PC.

    NMC is bang on in the assertion that you can't trust a compromised system, but sometimes you have to get the system working in order to recover important files - this happens a lot when people don't back up their stuff. The points I have made above are (with the exception of 3) aimed at those who must, for whatever reason, rescue their computer. It's cheaper, safer and less hassle to zap it and start again.
  5. Thanks Quantum. Of course there are a million other things to consider in the naughty world of hacks, not the least that virus writers are getting more sophisticated and a darn sight more clever as they progress.
    We can't go too deep into it, as we will end up with a book the size of War and Peace.

    It is always a good idea to scan from outside, or even to go into safe mode (F8) to do scans, but not a lot of people have the time or inclination to do even that, and the likes of Adaware won't scan in safe mode.

    There are some good measures that can virtually eliminate attacks altogether. When testing for Microsoft, I allowed a PC online with just Vista and no protection for three months. The system was locked down so tight that I never had a single invasion. Unfortunately, Symantec complained that Vista locked them out of the kernel and threatened MS with an anti-competitive suit if they did not let their Norton into the kernel. Of course, MS had to capitulate, and there was the first compromise of Windows Vista.

    I also need to mention that backups can also be compromised by decent self-replicating scumware, so it should not be taken that they will be 100% clean if you have had an attack.

    Also it is very rare for a boot sector bug to survive format and reinstall. What the format does not invalidate, the setup usually gets.
  6. It's certainly coming up in the world.

    Unfortunately the download mirrors include 'brothersoft.com' which has dozens of fake/scam malware programs so one of the other mirrors should be used to download from.

    Malwarebytes is looking into the use of brothersoft.com as a mirror for downloading its products.
  7. OMFG ...Are you sure???!!!
  8. Nice one thingy - the name itself is a virus.
  9. Simple Rule of Thumb... "There's no such thing as a free lunch".
  11. For those who are experiencing slow down, it is usually due to the junk left over from websites, defunct cookies and broken/no longer required links within the registry.

    Probably the most respected cleaner of computer junk is Ccleaner. Tick 'all' the boxes except the bottom one 'Wipe Free Space' as that can take some time. You can, of course, tick that one if you are off for a cuppa.

    When the cleaner has done its work, click on the 'Registry' icon on the left and give the registry a good clean as well. I have never had to use the save registry to backup; it only gets stuff no longer of any use.

    When you have done cleaning up your drive, it's time to tidy it up using Defraggler which is from the same company and both are free.
  12. Ran the cleaner, no problem, then started Defraggler, and even though I use the Vista defrag weekly, it's now 8 hours in and still only 58% complete, so who is wrong?
  13. Chaps, check out Vipre.com, a fair dinkum anti-V thing; it does work, without reporting back to the CIA or FBI on your activities.
    Not that you old geezers present a threat any more than I.
    Unlike Norton's or other US-based programs that will do this shit.
    Sure it will cost you, but very little; worth a go, check it out.
    Seems pretty cool.
  14. Ermm - an old thread BTW and if seeking advice on this subject RR would not appear to be the first place most folk would look.

    After all, look back at what happened to NMC & his poor relatives ... .... . ..

    Meanwhile, welcome to the site.

  15. I've pressed 'translate' but it still seems like a foreign language to me.
  16. Good info on this thread...many thanks

    Fancy doing a similar thing on Backups?

    I had Acronis and it made life so much easier, but I have had to reformat the box 2 days ago due to gremlins.

    Before I load up again, are there any better ones?
