One of my co-workers has a Win2K box that has some kind of malware on it. I have run 3 Windows malware detectors on it and none of them find it. A fourth simply causes the machine to be unacceptably slow. I have loaded a SuSE 9.3 dual boot config on it. Is there a SuSE 9.3 tool for searching through his C: drive for Windows malware? If not, is there something I can download and attempt fixing his machine with? Greg
What are the Windows utils you've tried? Have you tried:
AdAware http://www.lavasoftusa.com/software/adaware/
Crapcleaner http://www.ccleaner.com/
Spybot http://www.safer-networking.org/en/index.html
and maybe a decent antivirus util like: http://www.avast.com/
Of course you could always just convince him to use SuSE :-) No more probs with spyware, malware, adware etc.
C.
You might want to take a look at http://www.ultimatebootcd.com/ and see if anything there might help. It does have many tools.
--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Be sure to check for failed CPU fans. I have had it happen several times that the CPU fan fails and the CPU protects itself from heat failure by halting until it cools enough to resume. This only takes a few milliseconds and the effect is that the system seems to run very slooow!
Bob
Thanks to all,

This turned out to be a very off-topic thread, despite my hopes for a Linux solution.

I think I finally killed the Windows malware with CWShredder from Trend Micro. Note that it is a single-purpose malware killer and only targets variants of CWS (CoolWebSearch).

Things that failed to kill it include: Ad-Aware, Spybot Search and Destroy, X-Cleaner, Gargoyle, TrojanHunter, HijackThis.

And Spyware Doctor would not even run on the infected machine.

Thanks again
Greg
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
Suggestion: after your yearly clean reinstall of Windows, Symantec's Norton SystemWorks, OOo and everything else on TheOpenCD.org, back up your registry. Then under Knoppix or SuSE you can restore a clean copy. As I remember this should all fit on a single partition of about 5 GB, so that with a DVD burner you could make a dd of the entire partition for ghosting when you get infected. Then you're covered without additional investment in M$ third-party ware.
--
Carl William Spitzer IV
Yes. Download and install SuSE. ;-) http://www.opensuse.org
I have to fix windoze machines for $$$ sometimes. I support all of them here at work.
You can eliminate all ad-ware, spy-ware, mal-ware with
1.) Windows Update
2.) Spybot S&D
3.) Ad-aware SE personal
4.) Hijackthis
If you could get Hijackthis to work from wine looking at the Windows reg, I think it would do what you want.
B-)
Oh, ya. And not to mention the FREE anti-virus that has a native linux version also for commercial servers (I use them on our servers) is www.grisoft.com. They hide the free version pretty good, but it is there (start by clicking the "products" on the left panel, then choose "free version") B-)
Or take the direct link: http://free.grisoft.com/doc/1
Dave
Hi Greg,

I have unwillingly become a de facto 'expert' at cleaning up that other OS, to the extent that it /can/ be cleaned up. It is next to impossible to secure since a number of FQDNs and IPs are compiled into the code. Monitoring the system frequently with tcpview and process explorer from sysinternals.com will confirm this, if you have any doubts. Also very important is the boot-logging cousin to tcpview (I've forgotten the name) which records network activity that occurs before the firewall is turned on. *Don't skip.*

Your best-case solution is to keep SuSE on that box, have him use it for everything related to the Internet (as a start) and physically disconnect that system from the network when he needs to run a Win32 application. Hopefully, he'll eventually migrate on his own after he sees how neat SuSE is.

If disconnecting 'doze from the network isn't feasible, at a bare minimum you need to install *all* of the following utilities and check for updates twice a week (if they're not automatic):

ZoneAlarm - *absolutely nothing* gets server access outside the trusted zone.

Spybot Search & Destroy - don't just run the installer and scan, either. This complex software is chock full of very effective goodies. Take the tutorial and spend the time needed to study every menu. Be sure to manually clear the 'ignore products' list, otherwise new.net and a few others will *not* be cleaned from the system. Also be certain to install (and update thereafter) the supplied hosts file, which will block known malware servers.

AdAware - this one is OK to just install and scan. Note: unless you want to contribute and buy the pay version, you can ignore the 'click to learn about this update' button and it will then let you download the current definitions for the installed free version.

Spywareblaster - this one just gets installed; no scans, just 'blocking bits' placed in the appropriate places to prevent identified malware from installing itself.

TrojanHunter - the free 30-day trial will download a current definitions file and clean the system. *Don't skip.* I strongly recommend buying the annual license for this one. It's worth it if you *have* to run that other OS.

Grisoft's AVG Free - this is a great free antivirus package that's pretty much self-maintaining. Of course, you frequently need to reboot after the automatic program and definitions file updates. What else is new? ;-)

Manual Intervention:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

Verify the system isn't loading in debugging mode (run -> msconfig; set to normal booting) and *then* inspect these registry locations for unusual entries, i.e. executables living where they shouldn't, particularly in any temporary directories.

A few other notes:
- There are some utilities out there, Crap Cleaner and HijackThis! being two, that if *not* used extremely judiciously can irrevocably damage the installed OS. *If* you install and run the utilities I listed above on a regular basis, it is less likely that you will need these other 'worst-case' utilities. Save them for the very last in case the system catches a bug that is so new it's being overlooked by the others.
- Switch him over to Firefox and Thunderbird. The rationale should be self-explanatory.

OK, there you have my two cents. Good luck!

- Carl
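The manual Run-key inspection Carl describes, as an added example that is not code posted by anyone in this thread: a small script that reads a .reg export of the Run / RunOnce / RunServices keys (made on the Windows side with `regedit /e`, or copied over to the SuSE side) and flags the two things he says to look for, executables living in temporary directories and names that imitate system processes. The export text, the value names and the program paths below are constructed for illustration and do not describe any real malware.

```python
"""Triage Windows auto-start (Run / RunOnce / RunServices) entries.

Added example, not code posted by anyone in this thread. Input is the text of
a .reg export of the keys Carl lists, e.g. produced on the Windows side with
    regedit /e run.reg "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
and copied across. SAMPLE_REG below is a constructed export; the value names
and programs in it are made up for illustration.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"svhost"="C:\\WINNT\\Temp\\svhost.exe"
"lsass"="C:\\PROGRA~1\\Common\\lsass.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Updater"="\"C:\\Documents and Settings\\greg\\Local Settings\\Temp\\upd8.exe\" -s"
"CleanUp"="rundll32.exe C:\\DOCUME~1\\greg\\LOCALS~1\\Temp\\cln.dll,Start"
'''

# A string value line in a .reg export: "name"="data", with \ and " escaped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_KEY_RE = re.compile(r'^\[(.+)\]$')

# Process names that malware commonly imitates (svhost, lsas, ...).
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer",
                "services", "smss", "spoolsv"}


def _unescape(s):
    # .reg files write \ as \\ and " as \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in a .reg export."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            out.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return out


def extract_targets(command):
    """Files a Run command loads: the program, plus the DLL for rundll32 lines."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        end = len(command) if end < 0 else end
        program, rest = command[1:end], command[end + 1:]
    else:
        program, _, rest = command.partition(" ")
    targets = [program]
    if program.lower().split("\\")[-1] == "rundll32.exe":
        dll = rest.strip().split(",")[0].strip().strip('"')
        if dll:
            targets.append(dll)
    return targets


def _components(path):
    return [c.lower() for c in path.replace("/", "\\").split("\\") if c]


def is_temp_path(path):
    """True when a directory component is a temp directory (long or 8.3 form)."""
    return any(c in ("temp", "tmp") for c in _components(path)[:-1])


def _edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path):
    """The system process name this file name is one typo away from, if any."""
    comps = _components(path)
    if not comps:
        return None
    stem = comps[-1].rsplit(".", 1)[0]
    for name in SYSTEM_NAMES:
        if stem != name and _edit_distance(stem, name) == 1:
            return name
    return None


def triage(reg_text):
    """Flag Run-key entries worth a second look; returns a list of findings."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(("\\run", "\\runonce", "\\runservices")):
            continue
        for target in extract_targets(data):
            comps = _components(target)
            if not comps:
                continue
            stem = comps[-1].rsplit(".", 1)[0]
            reasons = []
            if is_temp_path(target):
                reasons.append("executable lives in a temp directory")
            if stem in SYSTEM_NAMES and "system32" not in comps:
                reasons.append("system process name outside system32")
            mimic = lookalike(target)
            if mimic:
                reasons.append("file name imitates %s" % mimic)
            if reasons:
                findings.append({"key": key, "name": name,
                                 "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print("%s\\%s -> %s: %s" % (f["key"], f["name"], f["target"],
                                    "; ".join(f["reasons"])))
```

Only string values are parsed, which is what the Run keys hold; the script does not touch the live registry, so it is safe to run against an export from a machine you do not trust, and a clean entry such as ctfmon.exe in system32 or AVG's own avgcc.exe produces no finding.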
participants (9): Brad Bourn, Carl E. Hartung, Carl William Spitzer IV, Clayton, Dave Barton, Greg Freemyer, James Knott, Ken Schneider, Robert A. Rawlinson