Newbie to viruses


Frank Booth Snr

I have a PC with no antivirus software loaded so far, and no problems that
I'm aware of. I'm considering buying AVS, but there's one thing I don't
understand. As well as detecting viruses is such software supposed to remove
them when asked. I read all sorts of suggested solutions to users' problems
involving messing with the registry, recording logs etc. Yet should this be
necessary if the AVS is doing its intended job? What are the facts about
this?

Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?
 
From: "Frank Booth Snr" <[email protected]>

| I have a PC with no antivirus software loaded so far, and no problems that
| I'm aware of. I'm considering buying AVS, but there's one thing I don't
| understand. As well as detecting viruses is such software supposed to remove
| them when asked. I read all sorts of suggested solutions to users' problems
| involving messing with the registry, recording logs etc. Yet should this be
| necessary if the AVS is doing its intended job? What are the facts about
| this?
|
| Also with Windows XP, I read that you are supposed to turn off <system
| restore>, and run PC in <safe mode> when scanning and fixing. Is this true?
|

The settings of the AV software will vary from package to package and between vendors. Some
will quarantine automatically and others have the option to quarantine, ask or clean/delete.
AV software can only protect against known infectors, that is, infectors the AV software
has a signature for. Based upon the software it can be enabled to perform heuristic
detection. That means if it walks like a duck and squawks like a duck then it must be a
duck. However, the rate of False Positive declarations may be increased through the use of
Heuristic detection. You may get infected with something today and not have a signature for
it until tomorrow. Once infected it could be easy to remove or it could be an involved process
depending on what it is or what it does.

With WinXP and WinME (both have a System Restore cache) there are two schools of thought.
1. Disable the System Restore cache then run a scanner in Safe Mode. Upon completion
re-enable the System Restore cache and then create a new restore point.

2. Do not disable the System Restore cache prior to running a scanner in Safe Mode. Upon
completion if the PC was found to be infected and is now clean and the PC is running OK,
then disable the System Restore cache. Then re-enable the System Restore cache and then
create a new restore point.

I have been providing a set of instructions based upon #1 above but I am re-evaluating the
idea and may start providing instructions based upon #2.

The whole idea of flushing the System Restore cache is to remove the possibility of
re-infection.

HTH
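One way to script procedure #1 above on a current Windows host, as an added example that is not part of the thread. It assumes Windows PowerShell 5.1 on Windows 7 or later (these cmdlets did not exist on XP, where the posters did the same steps in the System Properties dialog), C: as the system drive, and an on-demand AV scanner already installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Scripts procedure #1 above on a current
# Windows host with Windows PowerShell 5.1; the XP-era posters did the same steps
# through System Properties, and these cmdlets did not exist on XP.
# Assumptions: the system drive is C: and an on-demand AV scanner is installed.

$Drive = "C:\"

function Get-RestorePointCount {
    # Number of existing restore points; 0 once the cache has been flushed.
    @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

function Disable-RestoreBeforeScan {
    # Step 1a: turning System Restore off deletes every restore point. That is
    # the "flush" the thread describes: an infected file captured in a restore
    # point goes with it, and nothing can be re-instated while it stays off.
    Write-Host ("Restore points before flush: {0}" -f (Get-RestorePointCount))
    Disable-ComputerRestore -Drive $Drive
    $remaining = Get-RestorePointCount
    Write-Host ("Restore points after flush:  {0}" -f $remaining)
    return ($remaining -eq 0)
}

function Enable-RestoreAfterClean {
    # Step 1c: only once the Safe Mode scan reports clean, turn System Restore
    # back on and take a fresh baseline. Windows 8 and later skip a checkpoint
    # requested within 24 hours of the previous one unless the registry value
    # SystemRestorePointCreationFrequency (under HKLM\SOFTWARE\Microsoft\
    # Windows NT\CurrentVersion\SystemRestore) is lowered.
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description "Post-cleanup baseline" `
                        -RestorePointType "MODIFY_SETTINGS"
    # Show the restore point just created.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

# Step 1b is manual: reboot into Safe Mode and run the scanner there. To force
# the next boot into Safe Mode from an elevated prompt, and to undo it after:
#   bcdedit /set "{current}" safeboot minimal
#   bcdedit /deletevalue "{current}" safeboot
# Typical flow: run Disable-RestoreBeforeScan, reboot and scan, reboot normally,
# then run Enable-RestoreAfterClean.
if (Disable-RestoreBeforeScan) {
    Write-Host "System Restore cache flushed; reboot into Safe Mode and scan."
}
```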
 
Frank Booth Snr said:
I have a PC with no antivirus software loaded so far, and no problems that
I'm aware of. I'm considering buying AVS, but there's one thing I don't
understand. As well as detecting viruses is such software supposed to remove
them when asked. I read all sorts of suggested solutions to users' problems
involving messing with the registry, recording logs etc. Yet should this be
necessary if the AVS is doing its intended job? What are the facts about
this?


Firstly I wouldn't advertise your E-mail address and tell people that you
have no protection against.... I guess the generic term is Malware but
Viruses if you prefer (I do).

Anti-virus Software generally either fixes, quarantines or deletes infected
files; the older the Virus, the easier it usually is to remove the
problem by one of the above methods.
Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?

This is usually the advice given when dealing with a Virus that cannot be
removed in the standard way but some Virus files cannot be deleted even in
Safe Mode.

My steps would be...

1) Scan normally.

if that fails

2) Scan in Safe Mode

if that fails

3) I'd remove the drive and delete the file from another Computer...


.......

A trick I used in Win98 with a stubborn virus file was to boot into DOS and
save a blank page as the infected file (in effect overwriting it with
nothing). Then booting into Windows in Safe Mode and deleting it.

Although I'm sure others would have a short cut... it worked !!!

Cheers

David.
 
David said:
Firstly I wouldn't advertise your E-mail address and tell people that you
have no protection against.... I guess the generic term is Malware but
Viruses if you prefer (I do).
Are you sure you can see my real email address? I can't.
Anti-virus Software generally either; Fixes, Quarantines or Deletes infected
files, the older the Virus then usually the easier it is to remove the
problem by one of the above methods.


My steps would be...

1) Scan normally.

if that fails
If what fails: the scan or the fix? I presume you mean the latter.
2) Scan in Safe Mode

if that fails
As previous?

3) I'd remove the drive and delete the file from another Computer...
Why would another PC have any more success? If the file can't be deleted, is
that because one cannot alter its attributes, because the virus protects the
offending file(s)? Could you not delete the file from console recovery
(Windows XP) or DOS (Windows 9X)?
 
Frank Booth Snr wrote:
[snip]
Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?

System Restore is a feature of Windows XP whereby Windows periodically
takes backup copies of various critical system files (creating a "System
Restore Point"), for example device drivers and programs that Windows needs
to function.

If a virus was to infect one of these files and Windows subsequently copies
the file during the creation of a System Restore Point, the virus would
also be copied. As the folder where System Restore Points are held is set
to prevent access to it apart from by Windows itself, some anti-virus
products cannot scan and hence clean any viruses that might be sitting in
the System Restore folder.


Scanning in Safe Mode has a strong advantage to it, as in Safe Mode very
few programs are run at start-up, hence potential viruses don't often get a
chance to start.

This helps prevent a virus:

* rendering any anti-virus programs inoperable
* altering Windows to stop the virus being detected
* replacing any files that are removed by an anti-virus scan
* propagating further
* performing any other undesirable actions (such as destroying the contents
of your hard disk)

I would advise that the computer is left switched off until you have
obtained an anti-virus product and installed it, and as soon as it is
installed have it update its anti-virus files.

Running a computer without adequate anti-virus protection or firewall is
extremely reckless, not only due to the threat it poses to your computer,
but also that of others including friends and family members if their email
addresses are present on your computer.

Regards,


Adam Piggott,
Proprietor,
Proactive Services (Computing).

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
The reason connecting to another PC works is that many of the features that
stop the Virus from being deleted are Operating System related, so clearly
with a different Operating system booting the PC, the offending file is
treated as just a file on a different Hard Drive and can be deleted; in
other words it isn't considered as being part of the OS.

Also the Primary Drive is not infected either, although I'd only do this on
a machine with up to date Virus Protection.

Cheers

David.
 
Frank said:
I have a PC with no antivirus software loaded so far, and no problems that
I'm aware of. I'm considering buying AVS, but there's one thing I don't
understand. As well as detecting viruses is such software supposed to remove
them when asked. I read all sorts of suggested solutions to users' problems
involving messing with the registry, recording logs etc. Yet should this be
necessary if the AVS is doing its intended job? What are the facts about
this?

the job of the scanners (the best case scenario) is to *prevent*
infection... they are not always the best choice for removing an
infection...

further - often what is being detected is not a virus but some other
form of malware, or the directions for cleanup include repairing damage
from payloads that are beyond the scope of what a general purpose
anti-virus product can do and are better suited to a dedicated removal tool for
that particular virus/malware/whatever...
Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?

yes... safe mode to mitigate (but unfortunately not necessarily
completely avoid) the possibility of the virus being active when the
cleaning process is taking place (which can cause problems)... disabling
system restore because of the possibility that it may be storing a copy
of what you're trying to remove and there's no way to selectively remove
things from system restore (disabling flushes it entirely)...
 
I have a PC with no antivirus software loaded so far, and no problems that
I'm aware of. I'm considering buying AVS, but there's one thing I don't
understand. As well as detecting viruses is such software supposed to remove
them when asked. I read all sorts of suggested solutions to users' problems
involving messing with the registry, recording logs etc. Yet should this be
necessary if the AVS is doing its intended job? What are the facts about
this?

Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?

(1) If you know what you're doing, you probably don't need any
av software. I don't bother at home, and I'm Manchester Uni's
av "expert". Trouble is, "knowing what you're doing" isn't
trivial.
Never open attachments in the mailer.
Never open attachments you don't totally trust the sender of.
Don't accept html mail.
Disable javascript and vbscript in mail and webpages.
Don't go to "funny" websites: never click on a link in an email
directly, copy and paste it into your browser so you get to see
what it really looks like. Use a browser that's safer than IE.
etc
etc
etc

(2) If for any reason the av doesn't stop the malware getting
in (inability to monitor method of entry; it arrives before the
update that includes detection, etc), then the av may not be
able to clean it automatically as malware has ways to hide or
stitch itself into the system so that it can't be deleted in
normal running.

(3) When cleaning up, you use Safe Mode as far less stuff loads
at startup, so isn't stitched into the running system, so can
be cleaned. Sometimes you need Safe Mode With Command Prompt to
get even lower, and then you want the commandline version of
your scanner. You disable System Restore so that it doesn't
"helpfully" re-instate malware that managed to convince Windows
it's an essential part of the system. On the other hand, if you
do get hit, it can be worth trying System Restore to just roll
back to when the system was OK: then a cleanup from normal
Windows mode ought to sort things out.
 
Frank Booth Snr said:
I have a PC with no antivirus software loaded so far, and no problems that
I'm aware of. I'm considering buying AVS, but there's one thing I don't
understand. As well as detecting viruses is such software supposed to remove
them when asked. I read all sorts of suggested solutions to users' problems
involving messing with the registry, recording logs etc. Yet should this be
necessary if the AVS is doing its intended job? What are the facts about
this?

The AVs 'intended' job is 'detection' for the purpose of helping users
in preventing furtherance of the malware. 99.9% of users wouldn't know
how to recognize malware by looking at its code - we need AV software
for that. We shouldn't need AV scanning software to tell us not to
execute unasked-for programs from strangers as it is obviously not a
good idea.

Given the fact that some malware will get through your defenses, it is
nice to have software that is capable of 'identifying' and 'removing'
malware that has already gotten a foothold on your system - we need
removal utilities for that. Since the AV scanner already scans for
detection it seemed reasonable to add the 'identification' and 'removal'
utility to the 'detection' scanner, but one should not expect
'identification' and 'removal' for all things the scanner is capable of
'detecting' - especially since not all effects of having malware run on
your system are reversible using a removal utility.
Also with Windows XP, I read that you are supposed to turn off <system
restore>, and run PC in <safe mode> when scanning and fixing. Is this true?

When a removal utility 'deletes' an executable, an active 'system
restore' feature (file change monitoring) will save a copy in the
restore folder - and maybe even automatically restore it to the system
on reboot if it is a system file. Turning off the restore feature helps
to avoid reinstating the malware after removal. Safe mode is a halfway
measure - halfway toward a 'clean boot' which would "really" ensure no
component of the malware is running while you are trying to detect or
remove it.
 
Dave Budd said:
(1) If you know what you're doing, you probably don't need any
av software. I don't bother at home, and I'm Manchester Uni's
av "expert". Trouble is, "knowing what you're doing" isn't
trivial.
Never open attachments in the mailer.
Never open attachments you don't totally trust the sender of.
Don't accept html mail.
Disable javascript and vbscript in mail and webpages.
Don't go to "funny" websites: never click on a link in an email
directly, copy and paste it into your browser so you get to see
what it really looks like. Use a browser that's safer than IE.
etc
etc
etc

(2) If for any reason the av doesn't stop the malware getting
in (inability to monitor method of entry; it arrives before the
update that includes detection, etc), then the av may not be
able to clean it automatically as malware has ways to hide or
stitch itself into the system so that it can't be deleted in
normal running.

(3) When cleaning up, you use Safe Mode as far less stuff loads
at startup, so isn't stitched into the running system, so can
be cleaned. Sometimes you need Safe Mode With Command Prompt to
get even lower, and then you want the commandline version of
your scanner. You disable System Restore so that it doesn't
"helpfully" re-instate malware that managed to convince Windows
it's an essential part of the system. On the other hand, if you
do get hit, it can be worth trying System Restore to just roll
back to when the system was OK: then a cleanup from normal
Windows mode ought to sort things out.
Thanks for a comprehensive answer. Like yourself, I don't run AVS, because I
think it's a con, and exists primarily to pump fear into users who don't
install it or have the latest update. So far I have managed to avoid trouble
using some of the preventative advice you outline. I'm not sure how you
disable javascript and vbscript in OE, but I think I know how to do it in
IE. Does this simultaneously do it for OE too? Presumably this would prevent
graphics from functioning properly (if at all), and would probably
prevent me from online activity, gaming, banking etc. I believe a decent
firewall to prevent intruders is more important than AVS, because at least
the problems there are caused by outsiders, and not caused by one's own
doing or ignorance. The one exception is a 'boot virus' and my BIOS is
enabled to detect this, if it works properly. Any other virus and it will
be "format/re-install" time for me.

The ironic thing is that those who go to great lengths to install and update
their AVS, always seem to be the victims of malware, especially those with
Windows XP as an os, as so many of these posts prove. I have an earlier
Windows os, which I generally find is pretty stable, consumes far less
memory and works a lot faster. I think there's a message in there somewhere.
 
install it or have the latest update. So far I have managed to avoid trouble
using some of the preventative advice you outline. I'm not sure how you
disable javascript and vbscript in OE, but I think I know how to do it in
IE. Does this simultaneously do it for OE too? Presumably this would prevent

The best answer is: Don't use OE. It's unmitigated shite quite
apart from its lack of security.
The ironic thing is that those who go to great lengths to install and update
their AVS, always seem to be the victims of malware, especially those with

I find this not to be the case. I have a constituency of
approximately 45000 users, and it's the ones who can't be arsed
that have all the trouble. The rest have an occasional niggle.
 