
Where can I go to purposely infect a machine for testing?


jbrackett

I am setting up a test box for an eval of the network version of Pest Patrol and am looking to REALLY test the software. I have a test box that I want to load up with adware & spyware, but only by going to websites that our surf control box will allow. That excludes porn, mp3, and casino sites. [smile]

Am looking for suggestions of where I can visit to really load up on spyware/adware/hijackers.

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]
 
I'm doing some of the same stuff you're doing using McAfee 8.0i. So far no complaints. I tried some of the warez sites and didn't have any luck downloading anything. Guess I'm too chicken to click yes to everything.

Using McAfee's e-Policy Orchestrator I get reports back that it's stopping a lot of Adware. It's still catching a lot of viruses.

We're kind hearted people and let some of our users occasionally bring in problem computers from home. After removing 190+ virii and 300+ adware/spyware items, this computer, according to AVG, Ad-Aware and Spybot, was clean.

Every 10 minutes several random explorer windows opened up with Explorer closed. I loaded and updated 8.0i and it found six virus/spyware items and removed them. Popups gone, no weird processes, we're going to let her take it home tonight. Before 8.0i we'd about decided a reload was the way to go.

It's easier to let our users find the sites for us than do it ourselves.
 
Oh yeah, one 8.0i comment: It's really made for blocking stuff before it infects a computer rather than cleaning after the fact. It's deployed across four continents now and I'm seeing all kinds of scumware being blocked before it can infect.

If you start with an infected computer, it wont clean gator or some other stuff but will sure keep it from installing if it's not already there.

I've installed on a couple of computers, cleaned with Ad-Aware and Spybot then further cleaned with 8.0i. Those computers are staying clean! They've been a major problem, being brought to their knees by adware.

 
jbrackett,

I am definitely interested in what both you and bfralia are doing. I am seriously considering PestPatrol, but have had concerns about the product being as how they are in transition to another company (CA). We use CA eTrust AV V6.0 for our right now, and are quite happy with it. I have used their AV since back in the days when it was still a Cheyenne product (along with ARCserve and FAXserve), as well as the home version that was free for a year or so. I have had minimal problems with it over the years - it seems to have a small footprint and have relatively little performance impact. I know we are behind on the current product, they are at V7.1 now. I have used 7.0 at home as a test and didn't find any big differences from 6.0. I have the V7.1 media on order (open license), so I will try that as well.

I am not sure what their direction is with PestPatrol. From what tech support says, there should be a version update in November, which I assume will be mainly to roll it into the eTrust family. It would be nice if they rolled it into a combined product with the antivirus - I kind of wonder if that is where they are heading to compete with McAfee and Norton. The McAfee Enterprise V8.0i sounds like a good integrated solution, but I guess I am somewhat skeptical on their ability to catch everything. Their info page on it says it picks up the top 200 malware threats. bfralia seems to be happy with it - would be nice to see if anyone has compared the two (as I see you posted on another thread :>).

bfralia - what size of company are you looking after? We are only about 50 users, so I don't have the resources to test / learn / implement some of the enterprise products. PestPatrol seems to be relatively cheap (at least for now) - sounds like about $17 CDN / seat for 25 licenses (might be even cheaper for over 25) from Insight Canada. Is the ePolicy Orchestrator a separate bought product, or is it included? I see they talk about ProtectionPilot for SMB - have you had any experience with that? I am a big fan of centralized management for this stuff.

We have also used the Exchange option for eTrust AV from CA, but the big beef I have with that is that I cannot just delete virus-laden e-mails as they are detected. The users (including me) still have to deal with all the e-mails pouring in on a daily basis that are just virus e-mails. I briefly looked at GFI's MailSecurity (we use their MailEssentials for anti-spam and I am quite happy with the company and the product), but it sounds like you have to run it in SMTP Gateway mode to be able to delete infected e-mails. I would prefer running it in VSAPI mode, as then integration with Exchange is tighter and there are some additional features available. Maybe it is possible to run both? Sorry, just thinking out loud...might be a topic for another thread.

jbrackett - as far as using up space on the thread, bring it on! I would rather see a useful discussion in one place than have to hunt all over the net for peer opinions on products.

PS - The remove button doesn't work on the PC I have problems with, and neither does the manual procedure they sent me, so we will see what else they come up with.
 
To test for spyware and other pop ups go to where everyone seems to browse to,
I use PestPatrol Corp Edition 5 for a 50 user network and I am very happy with it. Real time protection, centrally administered and updated, is a nice option vs. the free ones where you have to run around to update and log on as all the users for each machine to protect them, like Spyblaster and Spybot. I schedule it for every Friday at lunch to run a scan on each PC in the network. Overall it is a good product, though now that CA is buying them I hope they don't change it too much. I don't use anything from CA, never liked their software, but wouldn't stop using it because of the name.


Drew
 
Okay, sorry it has taken so long to get back to you folks. Things are going insane here at work. Below are the results of my testing on the original, purposely infected, test machine. Some of the beginning is already posted above, but the whole enchilada shown together gives a better idea of my procedures. This covers one of the 25 machines I am testing, but it is also the only one that I feel is a relatively thorough test. I will post additional results as I get them finished up.

I have also sent this and more to my Computer Associates Rep for him to pass on to their tech support. I'll let you know if there are any replies.
_________________________________

9-16-04

Test box (TS-DC-0001) is a rebuilt test server - 863 MHz processor, 512 MB RAM, running Server 2003. It has McAfee VScan Enterprise 7.0 managed through an ePO 3.0 agent. Up to date on Critical Updates, as well. Machine is freshly rebuilt from a newly formatted drive to eliminate any chance of old contamination.

Disabled ActiveX security settings in IE. Checked on Spybot S&D's restricted site list for some relatively innocuous sounding site names. Visited Gator.com & downloaded their free "software". Visited "0008k.com" (Boy was THAT one a mistake! Turned out to be an adult site. I'm sure I got red flagged in surf control on that one.) Visited "igetnet.com", "1800search.com", "accessthefuture.net", "ace-webmaster.com", "acemedic.com", and "hotbar.com". Clicked several search links on each site while watching my processes in Task Manager. Processor on the machine fluctuated between 2% and 100% during those visits.

Went to Pest Patrol test server & opened PPManagement Console, ran scan on the test machine & found 9 "pests", two of which were actually detections of UltraVNC, which I installed to run the test box remotely. The rest were nothing more than tracking cookies. Decided to leave the machine online overnight and checked it again this morning. Opened IE again & surfed to some of the same sites, clicking various links and bouncing around. Checked PP console and found several more cookies, of course, but nothing else.

Why is it our users have NO trouble completely hosing a pc accidentally, and I can't do it when I'm TRYING to?


9-17-04

Test 1 (TS-DC-0001) – the machine I built out intending to intentionally infest with spyware and hijackers. As stated above, I’ve had trouble finding a site with which I can “catch” anything other than basic adware or tracking cookies.


9-20-04

Went to a WareZ site trying to infect computer. Third one I tried wanted to load a special "downloader" tool. I ran it and my processes shot through the roof. Continued running for a few minutes and the machine prompted me to reboot. Rebooted and checked the system and found Wintools, DyFuCa, BlazeFind, and several others.

Let me point out that Pest Patrol's Active Protection was already enabled on the machine. This seems to indicate that a user's actions can override the Active Protection agent. Anyone else had any experience with this?

Went to the Pest Patrol Management Console and forced a scan with the delete option selected. This cleaned all but one of the hijackers (ISTBar).

Repeated scans yield the same results. ISTBar is buried in the registry & Pest Patrol evidently cannot clean it. I don’t really understand this, as it tells me exactly where it is in the report. Anyone have any insight into this?

Test 1 (TS-DC-0001) Final results –

Having run repeated scans, I have found that while PP has no problem finding pests on the machine, & supposedly has no problem removing them, they seem to keep coming back, suggesting that PP is not truly getting rid of the source of the problem. Additionally, I would point out that this is AFTER having enabled Pest Patrol's Active Protection option on the computer.

On 9-20-04, among 40 pests that were detected and deleted from the computer, were:

2004/09/20-11:26:57 (TS-DC-0001) TrojanDropper.Win32.Delf.z Dropper Process terminated

2004/09/20-13:13:05 (TS-DC-0001) TrojanClicker.Win32.Delf.r Dialer Deleted

2004/09/20-13:13:05 (TS-DC-0001) TrojanDropper.Win32.Delf.z Dropper Deleted

Most of the pests were cleaned, but a scan on 9-22-04 showed the following:

2004/09/22-11:35:47 (TS-DC-0001) TrojanDropper.Win32.Delf.z Dropper Deleted

Another scan the following Monday:

2004/09/27-08:53:35 (TS-DC-0001) TrojanDropper.Win32.Delf.z Dropper Deleted

As you can see, despite repeated scans in which Delf is deleted, it keeps returning. The machine stays clean until after reboot, at which time it reestablishes itself. This seems to indicate that there is a registry entry that reloads the application.

Loaded HiJack This to examine registry startups, IE settings, and BHOs for spyware & hijackers. HJT log found:

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
This line is “doxdesk.com” a parasite / Transponder.

O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
“eXact Advertising” Parasite.

O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
“eXact Advertising” Parasite.

O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
“eXact Advertising” Parasite.

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
Web Rebates is a known adware program that is pretty tenacious in that it writes itself into the registry in several locations, runs repeated processes in the task manager, and loads executables in the system32 directory of the computer.

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - “BlazeFind "Windupdates" targeted advertising

While Pest Patrol found a considerable amount of adware / spyware and other pests on the computer, it also left a considerable amount behind.


9-28-04

Scanned, but did not clean with HJT.

Ran Spybot Search & Destroy. SBSD found:

MediaPlex: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

Alexa Related: Link (Replace file, fixed)
C:\WINDOWS\Web\related.htm


BFast: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

Cool Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

Cool Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

DoubleClick: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-8915387-1868962325-1446904402-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DyFuCA.InternetOptimizer: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update

HitBox: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

HitBox: Tracking cookie (Internet Explorer: administrator) (Cookie, fixed)

n-Case: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-8915387-1868962325-1446904402-500\Software\180solutions

n-Case: Autorun settings (rodarab) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rodarab

SexList: Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-8915387-1868962325-1446904402-500\Software\Microsoft\Internet Explorer\URLSearchHooks\_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

SexList: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-8915387-1868962325-1446904402-500\Software\Avenue Media

VX2/f: Web page (File, fixed)

Ran another Pest Patrol scan after this. PP showed system clean. Rebooted & ran another PP Scan. This time the machine shows clean even after a reboot.

Ran HJT. Log includes the following:

O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
localNrd.dll Parasite MX-Targeting

O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
nvms.dll Parasite eXact Advertising

O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
mscb.dll Parasite eXact Advertising

O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
msbe.dll Parasite eXact Advertising

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
Adware – removable through Add / Remove Programs only

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
Here it is again!

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - Still here . . . “BlazeFind "Windupdates" targeted advertising

Uninstalled SyncroAd, then had HJT fix remaining entries.

Rebooted.

Pest Patrol Scan is clean.
SBSD scan is clean.
HJT log is clean.

Ran RegEdit search for “webrebates”. Found & deleted one registry entry.

Ran search for keyword “rebate” on local drives. Found two cookies & ten files already quarantined by Pest Patrol. Deleted quarantined files.

No further testing on this computer.

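A small triage script for HJT logs like the ones above, added here as an example (it is not part of the thread, and not HijackThis's, Spybot's or PestPatrol's own code). It parses the O2/O4/O8/O16 entries quoted in the log, flags the orphaned "(no file)" BHO, the unnamed system32 BHOs, the Run-key autorun and the file:// context menu item, and diffs two logs to list what a cleanup pass left behind (the "Here it is again!" pattern above); the O16 download URL and the "Example Named Helper" entry are constructed placeholders, and the flagging rules are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

# Constructed sample: the HJT log quoted in the thread before the Spybot run, plus
# one benign-looking named BHO with a placeholder CLSID so not everything is flagged.
# The O16 download URL is also a placeholder; the thread's excerpt omits it.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://placeholder.invalid/windupdates.cab
O2 - BHO: Example Named Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""
# Constructed sample: the log after Spybot, which in the thread still listed every
# entry above plus the SyncroAd autorun.
LOG_AFTER = LOG_BEFORE + r"""O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
"""


@dataclass
class HjtEntry:
    section: str                 # O2 (BHO), O4 (autorun), O8 (context menu), O16 (DPF)
    raw: str
    name: Optional[str] = None   # BHO name, Run value name or menu text
    clsid: Optional[str] = None
    path: Optional[str] = None   # DLL, command line, target file or download URL
    flags: List[str] = field(default_factory=list)

    def key(self) -> str:
        """Identity used to match the same entry across two logs."""
        return f"{self.section}:{self.clsid or self.path or self.raw}"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one 'Onn - ...' HJT line; returns None for anything else."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    e = HjtEntry(section=section, raw=line)
    c = CLSID_RE.search(body)
    e.clsid = c.group(0).upper() if c else None
    if section == "O2":       # BHO: <name> - {CLSID} - <dll path | (no file)>
        parts = [p.strip() for p in body[len("BHO:"):].split(" - ")]
        e.name, e.path = parts[0], parts[-1]
    elif section == "O4":     # <hive>\..\Run: [<value name>] <command line>
        m4 = re.match(r"^\S+: \[([^\]]*)\] (.*)$", body)
        if m4:
            e.name, e.path = m4.groups()
    elif section == "O8":     # Extra context menu item: <text> - <target>
        m8 = re.match(r"^Extra context menu item: (.*?) - (.*)$", body)
        if m8:
            e.name, e.path = m8.groups()
    elif section == "O16":    # DPF: {CLSID} (<name>) - <download URL>
        tail = body.split(" - ", 1)
        e.path = tail[1].strip() if len(tail) == 2 else None
    return e


def triage(e: HjtEntry) -> HjtEntry:
    """Attach review flags. The rules are this example's own assumptions."""
    p = (e.path or "").lower()
    if e.section == "O2":
        if p == "(no file)":
            e.flags.append("orphaned BHO: CLSID registered but its DLL is gone")
        elif e.name == "(no name)" and p.startswith(SYSTEM_DIRS):
            e.flags.append("unnamed BHO loading from system32")
    elif e.section == "O4":   # a Run entry is what relaunches a pest after each reboot
        e.flags.append("autorun entry: remove it or the pest returns at next logon")
    elif e.section == "O8" and p.startswith("file://"):
        e.flags.append("context-menu item backed by a local HTML file")
    elif e.section == "O16":
        e.flags.append("ActiveX download (DPF) registered for this CLSID")
    return e


def analyze(log: str) -> List[HjtEntry]:
    """Parse and triage every HJT line in a log, skipping anything else."""
    entries = (parse_line(ln) for ln in log.splitlines())
    return [triage(e) for e in entries if e is not None]


def persisted(before: str, after: str) -> List[HjtEntry]:
    """Entries present in both logs: what a cleanup pass left behind."""
    seen = {e.key() for e in analyze(before)}
    return [e for e in analyze(after) if e.key() in seen]


def clsids(log: str) -> List[str]:
    """CLSIDs to confirm gone after cleanup: O2 under HKLM\\...\\Explorer\\Browser
    Helper Objects, O16 under HKLM\\...\\Code Store Database\\Distribution Units."""
    return sorted({e.clsid for e in analyze(log) if e.clsid})
```

Running `persisted(LOG_BEFORE, LOG_AFTER)` on the two sample logs returns all seven original entries, which matches the thread's finding that the Spybot pass removed registry keys and cookies but left every BHO, the Web Rebates menu item and the DPF entry in place.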
 
Good information.

Let us know what Pest Patrol says if anything. I haven't tried HJT but our systems say they are clean with PP, SBSD, and AWSE.

 
What PP will probably say. Found this on their support board.

There are several explanations as to why your PestPatrol software has not detected the same files as another scanning program.

1.  Your program or Scan strings may be out of date.  Please run PPUpdater to ensure you have the latest files and scan strings.  We provide weekly updates to keep you protected from the latest pests. 

2.  PestPatrol may not be configured to scan the same files as the other scanning program. Open the "Where to search" tab and select "All files" and "Thorough" options.

3.  PestPatrol may not be scanning all the pest categories.  By default, many categories are not included in a scan.  Open the "What to search for" tab and ensure all categories you wish to be scanned for are selected.

4.  You may have previously excluded that pest or its program files from being scanned. Open the "What to exclude" tab, ensure a directory has not been excluded from scanning that may contain pests.

5.  The files detected by the other products may not be specifically malicious programs, they may be tracks, logs and events that PestPatrol does not scan for. 

6.  There may be a fault in the program.  Test the PestPatrol detection ability by using our test files. You may download any of the test files to a test directory, then scan it. PestPatrol should report these found on the Detected Log. (Ensure that the "What to Search for" tab has "Misc" and "Misc Doc" enabled with a green tick).

7.  The pests may be tracking cookies which will not be detected. PestPatrol does not detect simple tracking cookies as nearly all of these are not harmful in any way.  Only Spyware cookies are detected by PestPatrol.

8.  Not every company detects the same products.  The files being detected by another scanner may have been investigated by PestPatrol and have passed our rigorous matrix test.

9.  The pest in question may be currently undergoing investigation or still be unknown to us.
 
LOL! I hope they have more than that to offer.

1. PP checks for updates automatically when you start the console, and if it finds them, informs you and asks if you want to install them. I have had this happen four times during the test period so far. Each time I have told it to update.
2. "Where to search" tab? Maybe this refers to an older version? Or am I just missing something?
3. Again, "Where to search"?
4. Only exclusions I set were for VNC.
5. I consider WebRebates a pretty serious pest. :)
6. Okay, just where are these freakin' tabs!?!
7. See #5 above.
8. See #5 above.
9. See #5 ab... oh forget it. <sigh>
[smile]

BTW, I got a response from my CA rep. He's going to pass it on to tech support.

 
Yeah I didn't have time to write back yesterday but printed those instructions out and when I got into PP I couldn't find $hit! Don't know where any of that stuff is either.


Drew
 
Okay, here are the comments from Pest Patrol tech support. I'll have to respond to him later, but I told you guys I'd let you know what I heard, so here goes...
______________________________
Comments From PestPatrol Technical Specialist:

Let me see if I can hit some of the major concerns that jump out at me in this note. Much of what he voices concerns over has to do with detection and removal in comparison with other products. Unfortunately, for many of his tests, he has run our product before running that of our competition. I believe that he would find that the detections the other guys miss, and those that we find, would far exceed those he discovered that we had missed, by scanning in the order that he chose.

On one machine, he found that pests would be re-installed as fast as PestPatrol could delete them. In this instance, he was probably working with a re-installer that we had not identified. We collect log files from customers, and have the Digital Detective to assist with updating our dat files to address situations like this. Sometimes when you have stubborn and persistent Pest issues such as this, it becomes necessary to remove a machine's connection to the Internet while it is being cleaned.

There are always going to be items that we will miss, that competitive scanners will find. As we all know, it is a constant game of cat and mouse.

The other question that comes to mind is that he does not tell us how he has configured PestPatrol. By default, we do common location, memory and registry scans. It is possible to select more thorough scanning options, which he may not have done.

Comparing to Competitive Solutions

++++++++++++++

Since PestPatrol's detections are based on pattern matching rather than heuristics, our success at detecting pests depends on whether or not we have discovered them already, and have been able to develop and distribute scan strings for them. I believe most if not all of our competition uses the same technology. We have found that heuristics result in too many false positives, so have stayed away from this approach. It is obviously a constant battle to keep up with definitions for new pests as well as variants of the old ones.

We believe some of our greatest strengths are the size of our scan database relative to our competitors, and the commitment and investment we have made in our Pest Research department. We currently have a worldwide research staff dedicated to this function, and the size of our database far exceeds that of our nearest competitor (now approaching 90,000).

As far as the end user's testing is concerned, they are bound to find some Pests that others will detect that we won't. We are committed to staying up to date, so are always interested in feedback that will allow us to add missed detections to our database. Logs from scans and successful deletions from our competitors where we have missed detections are always welcome to facilitate this effort. It is also quite possible that some of what you have discovered is a result of false positives. This must also obviously be checked out in your testing.

++++++++++++++++

He makes several comments about Active Protection's function and capabilities. Active Protection does not keep Pests from installing, but it does keep them from launching in memory and doing damage once they have installed. Active Protection is also designed to automatically detect and remove tracking cookies. This is unlike what people are used to with AV products, and is due to the difference in the underlying technology required to address the Pest problem.


[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]
 
I just read back over my previous post and realized that you can't really tell who is saying what. Everything between "so here goes..." and my The Crystal Wind... signature is the Pest Patrol tech.

 
Well that sucks. I thought when it described the "Active Protection" that it would stop spyware that was known in the PP database from loading. Well I went with PP over another so I guess we will see how it fares. Luckily for me if it doesn't work, I can just throw it in the gutter, and go buy another.

Awesomo.
 
bfralia - what size of company are you looking after? We are only about 50 users, so I don't have the resources to test / learn / implement some of the enterprise products. PestPatrol seems to be relatively cheap (at least for now) - sounds like about $17 CDN / seat for 25 licenses (might be even cheaper for over 25) from Insight Canada. Is the ePolicy Orchestrator a separate bought product, or is it included? I see they talk about ProtectionPilot for SMB - have you had any experience with that? I am a big fan of centralized management for this stuff.
==========================================================
Silmarillion:

My company has close to 300 computers that are located in the US, Scotland, Singapore and Wuxi China. ePO is part of the McAfee Active Virus Defense package. McAfee along with most anti-virus companies licenses per seat then you get unlimited server coverage. ePO has some quirks but allows me to focus on computers with problems because it has a lot of reports that can be run.

With ePO you can control the policies for the entire company. It can automatically download virus definition files and distribute them across the enterprise. You can do the same with software. A user can shut down Virus Scan for about five minutes but otherwise cannot override the policies you have set up. I believe most A/V companies have something similar.

The new McAfee Virus Scan Enterprise is really working well for both spyware and virus detection.

Remember that even when you have spyware protection, you still need Virus protection. If you get quotes on separate spyware and A/V packages, it may be cheaper to combine it all into one.
 
Another comment: CA has been bugging the fool out of me to change over to their Trust product. They are insisting they have spyware protection available. You might want to check that out if you're happy with CA. I've seen too many good products they bought and turned into a mediocre product. I used to have trouble getting through to support and had to wait four hours on hold once. When I finally got through to them my Urdu wasn't up to the task nor was their English.

That's been awhile so they may be much better now.
 
So I finally took the plunge and bought PestPatrol. It was a pain to install, as File and Print Sharing needs to be installed and enabled on all the clients. I could not find a simple way to do this domain wide, so I had to do it manually on all machines. I also had some grief installing on probably half the PCs. I used a .reg file to add some DCOM entries that I found were required when I was evaling the product. I had to do a manual uninstall / reboot / reinstall on some machines to resolve errors at the console. I had to fix a bunch of stale DNS entries on my W2K server that were causing incorrect name resolution (a ping on a host name would return an incorrect IP address).

Now that all the clients are up and running, I have started to use the product. It would be nice to have more control over which PCs you want to scan - you have to select them out of a list that it generates from the computer browser service. You can select one by one, or all or none.

The biggest issue I have so far is false positives. I have well over a dozen so far. Some of the things the scanner has "detected" as various threats are AutoCAD drawings, links from the "Recent" folder in users' profiles, GIF files, files from IBM Client Access (used to access an AS/400 box from Windows), data files from an old DOS estimating program, etc., etc. I have been reviewing the logs and reporting these to CA, so we will see what their response is. It was a painful process, as there is no way to copy from the log screen - I had to retype everything.

The product so far still looks useful, and more comprehensive and manageable than others, but it is still pretty rough around the edges. Hopefully any changes CA makes are for the better, and help to bring the product closer to being ready for prime time.
 
Installing Messenger and then putting on the Messenger Plus program with sponsors will give you a very nice case of lop to work with.

I am having trouble helping someone get rid of a case so I put it on my machine to see if I could get any ideas of what was going on. It tripped the av program with a trojan immediately upon finishing install, added a number of programs and folders and substantially updated favorites information. It ought to give you a number of things to find.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Starting at the top, probably the best way to load a computer up with malware is to go to a few porno sites. While the malware will be mostly http generated adware/dialers/loggers, you will probably also get some viruses (viri?) in the mix.

My experience eliminating malware is that CounterSpy seems to block and eliminate the most, although SpySweeper is a very close second. To eliminate malware except viruses, I usually download the 15-day trial version of CounterSpy and run it, along with Ad-Aware & SpyBotS&D to clean up some of what CounterSpy misses. If this doesn't do the trick, I unload CounterSpy and load the trial version of SpySweeper, and run it. As a last resort, I disconnect the broadband cable and run SpySweeper in Safe Mode 2 or 3 times in a row.

This usually works for non-virus malware.

When I'm done, I VERY STRONGLY recommend that the client purchase a subscription to either SpySweeper or CounterSpy. Remember, just downloading either app to clean up the mess is a disservice to the good people who developed these products, and a disservice to the client who needs a good real-time blocker & scan/remover.

I recently read a good review of Spyware Doctor, but haven't tried it yet as there is no trial version. Their loss...if I could try it a few times, I might like it enough to recommend it.

Since anti-spyware (I use the term to mean all non-virus malware) apps aren't quite as good as McAfee or Norton are with viruses, using Ad-Aware & SpyBotS&D provides some nice additional cleanup.

Lastly, use a good 2-way firewall, such as ZoneAlarm or whatever your flavor. That way, even if the malware is a persistent, self-regenerating rootkit, at least it won't tie up your bandwidth, and the damage can be minimized by keeping it contained and not allowing internet access to the critters.

Regards,

S
 
I was just testing antispyware applications last week. I was testing the McAfee ASE module with ePolicy management along side VirusScan 7.1/8.0. I did cleanup with Spybot and Adaware to see what if anything was missed.

For whoever was looking on how to get infected:
To get infected, I did a few things. First I googled "free wallpapers" and just started clicking. That's always good for a few. I searched for URL lists of known infected sites and visited a lot of them. I also installed Claria (GAIN) and HuntBar.

A little off topic:
While the McAfee product was a little inferior to Spybot and Adaware, I like that I can centrally manage it with ePolicy and the reporting through ePolicy is fantastic.
 
I managed to get on the list for the beta of PestPatrol R8 (this will be the first major CA release since V5 when they bought PestPatrol). V5 was basically useless when we got into actually using it, and had numerous issues. It really was not ready for prime time. I have not had a chance to set up the R8 beta yet, but from the documentation, it looks promising. They are also releasing eTrust Antivirus R8, and the two products will be integrated. We recently upgraded to V7.0 of eTrust AV, and I like the centralized management. Once it is set up it is mostly hands-off. I also have set up alerting, so if a client detects a virus, I get an e-mail.

I am curious to hear if anyone else has tried the R8 beta of Pest Patrol. The spyware problem has been greatly reduced since XP SP2, and I am also waiting to see what Microsoft does with the Giant product (currently MS Anti-Spyware beta).
 