On Tuesday 09 August 2005 9:57 am, Greg Freemyer wrote:
One of my co-workers has a Win2K box that has some kind of malware on it. I have run 3 windows malware detectors on it and none of them find it. A fourth simply causes the machine to be unacceptably slow.
I have loaded a SuSE 9.3 dual boot config on it. Is there a SuSE 9.3 tool for searching thru his C: drive for windows malware?
If not, is there something I can download and attempt fixing his machine with?
Greg
Hi Greg,

I have unwillingly become a de facto 'expert' at cleaning up that other OS, to the extent that it /can/ be cleaned up. It is next to impossible to secure since a number of FQDNs and IPs are compiled into the code. Monitoring the system frequently with tcpview and process explorer from sysinternals.com will confirm this, if you have any doubts. Also very important is the boot-logging cousin to tcpview (I've forgotten the name) which records network activity that occurs before the firewall is turned on. *Don't skip.*

Your best-case solution is to keep SuSE on that box, have him use it for everything related to the Internet (as a start) and physically disconnect that system from the network when he needs to run a Win32 application. Hopefully, he'll eventually migrate on his own after he sees how neat SuSE is.

If disconnecting 'doze from the network isn't feasible, at a bare minimum you need to install *all* of the following utilities and check for updates twice a week (if they're not automatic):

ZoneAlarm - *absolutely nothing* gets server access outside the trusted zone.

Spybot Search & Destroy - don't just run the installer and scan, either. This complex software is chock full of very effective goodies. Take the tutorial and spend the time needed to study every menu. Be sure to manually clear the 'ignore products' list; otherwise, new.net and a few others will *not* be cleaned from the system. Also be certain to install (and update thereafter) the supplied hosts file, which will block known malware servers.

AdAware - this one is OK to just install and scan. Note: unless you want to contribute and buy the pay version, you can ignore the 'click to learn about this update' button and it will then let you download the current definitions for the installed free version.

Spywareblaster - this one just gets installed; no scans, just 'blocking bits' placed in the appropriate places to prevent identified malware from installing itself.

TrojanHunter - the free 30-day trial will download a current definitions file and clean the system. *Don't skip.* I strongly recommend buying the annual license for this one. It's worth it if you *have* to run that other OS.

Grisoft's AVG Free - this is a great free antivirus package that's pretty much self-maintaining. Of course, you frequently need to reboot after the automatic program and definitions file updates. What else is new? ;-)

Manual Intervention:

- HKLM/software/Microsoft/Windows/Current Version/Run
- HKLM/software/Microsoft/Windows/Current Version/Run Once
- HKLM/software/Microsoft/Windows/Current Version/Run Services
- HKCU/software/Microsoft/Windows/Current Version/Run
- HKCU/software/Microsoft/Windows/Current Version/Run Once
- HKCU/software/Microsoft/Windows/Current Version/Run Services

Verify the system isn't loading in debugging mode (run -> msconfig; set to normal booting) and *then* inspect these registry locations for unusual entries, i.e. executables living where they shouldn't, particularly in any temporary directories.

A few other notes:

- There are some utilities out there, crap cleaner and hijack this! being two, that if *not* used extremely judiciously can irrevocably damage the installed OS. *If* you install and run the utilities I listed above on a regular basis, it is less likely that you will need these other 'worst-case' utilities. Save them for the very last in case the system catches a bug that is so new it's being overlooked by the others.

- Switch him over to Firefox and Thunderbird. The rationale should be self-explanatory.

OK, there you have my two cents. Good luck!

- Carl
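The "Manual Intervention" step above (inspecting the Run, RunOnce and RunServices keys for executables living in temporary directories) can be done from the SuSE side of the dual boot once the keys have been exported with regedit's Export command. What follows is an added example, not code from this thread or from any of the tools it mentions: a Python script that parses such a .reg export and flags every autostart entry whose program lives under a temp directory. The sample export embedded in it is constructed for the demonstration (the entries and paths are made up), the key names are written in their exact registry spelling rather than the shorthand used in the post, and the function names `parse_reg_export`, `executable_of` and `suspicious_entries` are the example's own.

```python
"""Flag autostart entries in a .reg export whose executable lives in a temp directory.

Added example: parses the Run / RunOnce / RunServices keys from a regedit export
(REGEDIT4 or "Windows Registry Editor Version 5.00" format) and reports entries
whose program path points into a temporary directory.
"""
import re

# The six autostart keys named in the post, as a .reg export spells them (case-insensitive).
AUTOSTART_KEYS = tuple(
    f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{sub}".lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunOnce", "RunServices")
)

# Locations a legitimate autostart binary should not live in.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\", "%temp%", "%tmp%")
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".dll")


def _decode_reg_string(raw):
    """Decode the right-hand side of a .reg value line: REG_SZ or hex(2) REG_EXPAND_SZ."""
    if raw.startswith('"'):
        body = raw[1:raw.rfind('"')]
        return re.sub(r"\\(.)", r"\1", body)  # .reg escapes backslash and quote with a backslash
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ is exported as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return None  # dword / binary values cannot be a command line


def parse_reg_export(text):
    """Return (key, value_name, command) for every string value under an autostart key."""
    logical_lines, pending = [], ""
    for line in text.splitlines():  # join hex values continued with a trailing backslash
        stripped = line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        logical_lines.append(pending + stripped)
        pending = ""
    entries, current_key = [], None
    for line in logical_lines:
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in AUTOSTART_KEYS:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        command = _decode_reg_string(m.group(2))
        if command:
            entries.append((current_key, name, command))
    return entries


def executable_of(command):
    """Pull the program path out of an autostart command line.

    Handles quoted paths, unquoted paths containing spaces, and rundll32 launches,
    where the DLL being loaded rather than rundll32.exe is the file of interest.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
        rest = command[end + 1:] if end > 0 else ""
    else:
        tokens = command.split()
        path, rest_tokens = "", []
        for i, tok in enumerate(tokens):  # grow the path until it ends in an executable extension
            path = tok if not path else path + " " + tok
            if path.lower().endswith(EXE_EXT):
                rest_tokens = tokens[i + 1:]
                break
        else:
            path, rest_tokens = (tokens[0] if tokens else ""), tokens[1:]
        rest = " ".join(rest_tokens)
    if path.lower().endswith("rundll32.exe") and rest:
        return executable_of(rest.split(",")[0])  # "rundll32.exe <dll>,<entry>"
    return path


def suspicious_entries(text):
    """Return (key, value_name, lowercased executable) for entries living in a temp directory."""
    flagged = []
    for key, name, command in parse_reg_export(text):
        exe = executable_of(command).lower()
        if any(marker in exe for marker in TEMP_MARKERS):
            flagged.append((key, name, exe))
    return flagged


# Constructed sample export (not a real system's registry); the last value is a
# REG_EXPAND_SZ of "%TEMP%\upd.exe" in the hex(2) form regedit writes.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"svchost"="C:\\WINNT\\Temp\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"loader"="rundll32.exe C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\ld.dll,Start"
"Update"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,70,00,64,00,\
  2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for key, name, exe in suspicious_entries(SAMPLE_EXPORT):
        print(f"{key}\n    {name!r} -> {exe}")
```

Regedit on Windows 2000 writes Version 5.00 exports as UTF-16 text, so a real file should be read with `open(path, encoding="utf-16")` before being handed to `suspicious_entries`; a REGEDIT4 export from an older system is plain ANSI text and needs no special handling. The temp-directory check is only the one heuristic the post asks for: a binary named like a system process (the `svchost` entry in the sample) but living under `C:\WINNT\Temp` is the pattern it catches, and anything else unusual in those keys still has to be judged by eye.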