Talk:Malware Removal and Prevention: Overview

From CastleCopsWiki

Changes

  1. Copied from the Securing Your Computer: series.
  2. Changed numbered options into bullet items (to remove any thought that options are prioritized)
  3. Reordered wording of step 8 (HJT Log posting instructions) to be consistent with steps 1 and 2 style.
Ikester 00:40, 7 November 2005 (EST)
A nice improvement.--Negster22 02:02, 10 November 2005 (EST)

Removed this line: Before beginning this procedure, please allow all programs to run which you may have disabled by using MSConfig or a startup manager. Because, it would be unwise to enable suppressed malware to run which could make the scans difficult to complete, and have other potential undesirable consequences. It would severely compromise an infected system. Plus, the online scans require an internet connection for a considerable length of time and the consequences of that could be disastrous. If the user elects to post a log, then the HJT staff member attending to the log can request the re-enabling step be performed, but while scanning, letting the "malware out of the cage" is probably not a good idea.--Negster22 01:55, 10 November 2005 (EST)

For MSAS: Added:

- November 17th definitions (# 5777) will remove the Sony XCP DRM rootkit.--Negster22 01:16, 20 November 2005 (EST)

Changed steps above --> above steps, because above here is an adjective which should precede the noun, steps. Very minor but more readable.--Negster22 18:42, 25 November 2005 (EST)

Changed first paragraph to add back reference to Intro, emphasize that HJT may not be required, and up-play malware prevention aspect. --Ikester 21:57, 27 November 2005 (EST)

Made a couple of minor changes to Intro, may make more.--Negster22 20:01, 28 November 2005 (EST)
Made a few changes to the intro.--Negster22 21:21, 30 November 2005 (EST)

Replacing MRP Overview with Beta content which includes the Win 2K/XP SpyAxe Removal procedure.--Negster22 11:17, 19 December 2005 (EST)

Changed link to internal with SpyAxe page renamed to "Malware Removal: SpyAxe Removal". --Ikester 17:12, 19 December 2005 (EST)

Changed Spyaxe Removal Instructions --> Spyaxe / Smitfraud Removal Instructions because the identical removal procedure applies to all members of the Smitfraud group. This way more users can clean independently. --Negster22 11:43, 21 December 2005 (EST)

Added Winfixer Popups / Virtumundo victims only addition to the MRP overview. Need internal link to the Winfixer/Virtumundo page. Now it is external.--Negster22 23:20, 6 January 2006 (EST)

Fixed that link. See how I did that? :) --Ikester 23:51, 6 January 2006 (EST)
Not yet, but I'll check it out.--Negster22 13:00, 7 January 2006 (EST)
Question: How does the victim know that a Mundo infection is probable? --Ikester 23:51, 6 January 2006 (EST)
Intrusive Winfixer desktop popups which open an IE page to the site; see note I made on the Vundo removal page, more complete description there.--Negster22 13:00, 7 January 2006 (EST)
I'm wondering if the "Then return to complete the rest of Malware Removal." is really needed. Except for the SpyAxe step 3, for all other steps it's implicitly understood that the victim comes back to the overview. --Ikester 23:51, 6 January 2006 (EST)
Good Point. I can take that out to make it less cluttered.--Negster22 13:00, 7 January 2006 (EST)
Above change done. Glad I thought of that :)--Negster22 13:03, 7 January 2006 (EST)

Windows 2K/XP SpyAxe victims only --> 2K/XP SpyAxe / SpywareStrike victims only because smitRem was updated to cover SpywareStrike--Negster22 20:26, 7 January 2006 (EST)
Added a link to the Symantec removal tool via the front page article, for blackworm.--Negster22 00:18, 3 February 2006 (EST)

Got it up in the nick of time ... and I'm afraid it will prove important to have done so. --Ikester 01:25, 3 February 2006 (EST)

Updated the overview to encompass SpyFalcon.--Negster22 13:18, 9 February 2006 (EST)
Made relevant changes to convert MSAS instructions to Windows Defender (Beta 2).--Negster22 11:41, 18 February 2006 (EST)
Added Windows Defender Icon but will probably make it smaller still.--Negster22 13:55, 18 February 2006 (EST)

Above done!--Negster22 14:04, 18 February 2006 (EST)

Updated the Blackworm removal link because it no longer pointed to the relevant article... all fixed! http://www.castlecops.com/article6486.html --Negster22 15:32, 20 March 2006 (EST)

Changed removal information --> removal links.--Negster22 11:13, 21 March 2006 (EST)

Changed title in the Overview to reflect the most common current Smitfraud variants:
SpyFalcon / SpywareQuake / SpyAxe --Negster22 15:21, 26 April 2006 (EDT)
Added SpySheriff to the Overview because of the recent outbreak of the new variant.--Negster22 00:22, 13 May 2006 (EDT)
Added Titan Shield a new SpySheriff variant--Negster22 23:58, 12 June 2006 (EDT)
Added WinAntiSpyware / WinAntiVirus Popups to the Winfixer (Vundo) Step.--Negster22 19:21, 15 June 2006 (EDT)
Changed Ewido Security Suite -> Ewido Anti-spyware --Negster22 18:37, 11 July 2006 (EDT)
Added new ewido icon to replace the old 'e'.--Negster22 23:12, 11 July 2006 (EDT)
Changed ewido under ATs to AVG Anti-Spyware.--Negster22 15:51, 2 October 2006 (EDT)
Added AVG icon - it's a little large but I will resize it later.--Negster22 16:38, 2 October 2006 (EDT)
Inserted smaller AVG icon as noted above.--Negster22 12:16, 3 October 2006 (EDT)
Inserted symantec icon.--Negster22 22:53, 16 October 2006 (EDT)
Changed Crap Cleaner -> CCleaner --Negster22 18:51, 23 October 2006 (EDT)
Added VirusBurst(er(s)) to Smitfraud group to represent -VirusBurst, VirusBurster and VirusBursters--Negster22 17:58, 1 November 2006 (EST)
Added SUPERAntiSpyware to AS scanners.--Negster22 16:09, 17 January 2007 (EST)
Removed mention of Symantec removal tool for Blackworm because MSRT removes it with installation of WUps--Negster22 16:09, 17 January 2007 (EST)
Added Windows versions supported and changed Prevx1 => Prevx2.--Negster22 20:27, 3 June 2007 (EDT)
Added more Vista compatibility info.--Negster22 20:14, 4 June 2007 (EDT)
Changed Step 3 to mention most current Smitfraud variants SpyCrush / SpyLocked.--Negster22 17:14, 9 June 2007 (EDT)
Added the very prevalent Privacy Protector rogue to the smitfraud removal step.--Negster22 12:54, 8 July 2007 (EDT)
Added AntiVirGear Smitfraud variant to the overview, because automatic scanners may result in loss of internet access if that infection exists. Therefore, users should not proceed with using the rest of the anti-malware scanners until AntiVirGear removal is completed, or they can skip that and post a HJT log right off. The Smitfraud Removal cross-references and clarifies this completely.--Negster22 19:05, 27 September 2007 (EDT)
Excised the following from AS scanners, since Prevx no longer offers disinfection free to new users:

  • Image:Prevx2il.gif Prevx2 - Limited to 30 days of free cleanup; removes a large number of malware infections (Win 2K, XP, 2003, Vista Beta)--Negster22 12:46, 1 October 2007 (EDT)

Added a qualifier "(Unsure? - then proceed to Step 4)" in Steps 2 and 3, in case anyone is confused about what these rogue programs are.--Negster22 13:50, 6 November 2007 (EST)
Added MBAM to Antitrojan scanners.--Negster22 23:21, 20 March 2008 (EDT)
Added an updated MBAM Icon to overview and added Vista as a platform for Ad-Aware.--Negster22 11:53, 22 March 2008 (EDT)
Expanded on description of Smitfraud AS programs to help victims identify their symptoms.--Negster22 21:15, 29 April 2008 (EDT)
For Windows Defender - removed the notation "This scanner will remove the Sony XCP DRM rootkit" because that is history now and the MSRT removes it delivered in WUPS.--Negster22 21:24, 29 April 2008 (EDT)

Images

Question on the images, can we move them into the uploads (and link to them) here? --Paul 07:09, 10 November 2005 (EST)

Moved all images to CC uploads--Negster22 21:00, 11 November 2005 (EST)
Made a smaller Spybot image because it was a bit larger looking than the others.--Negster22 21:34, 11 November 2005 (EST)
http://castlecops.com/zx/negster22/mini-Ad-Aware.jpg Made a new Ad-Aware image in JPEG format to make it clearer --Negster22 22:14, 11 November 2005 (EST)
Made ewido image larger--Negster22 22:45, 11 November 2005 (EST)
Nice! That'll work indeed. Question though... did the Special:Upload not work?
I wasn't aware of that link so I used the CC one I had for file uploads:
http://castlecops.com/modules.php?name=Uploads I can do the wiki one later--Negster22 21:19, 13 November 2005 (EST)
Ahh, got'cha. --Paul 21:54, 13 November 2005 (EST)

In the process of uploading and updating images (icons) in overview to GIFs.--Negster22 20:53, 9 October 2006 (EDT)
Added new printer image for overview.--Negster22 18:51, 23 October 2006 (EDT)
Added ATF Cleaner as an alternative for System Cleaners--Negster22 12:24, 8 October 2007 (EDT)
Added yet another MBAM icon because the previous one was too small!--Negster22 13:43, 22 March 2008 (EDT)

Content comment

I'd do the antivirus scans before anything else, as trad malware can be expected to be more aggressive than commercial malware. The best approach would be formal (e.g. Bart CDR boot), but if you want to keep it newbie-friendly, I'd link to free on-demand scanners Trend SysClean and BitDefender 8, and AntiVir 6 as that can be used purely in on-demand mode. That way, you don't tangle with whatever resident av they have. Safe Mode Cmd Only is less useless than Safe Mode, which in turn is safer than normal Windows. User:Cquirke

Cquirke, thanks for your comments but please sign them on any talk page. As to your comments, I might mention that this page has been developed through several iterations. For further background you could refer to the Cleaning Malware Project page. --Ikester 14:13, 19 November 2005 (EST)
Hi Cquirke. I, too, thank you for your comments. I will try to address some of the points you mentioned:
A great deal of thought went into deciding which AVs to include and the order of our procedure. As far as the AVs go, the criteria considered included: ease of use, detection capabilities, timely updating, ability to both detect and disinfect, and the presence of a 'save a log' feature. Online scans are preferable to downloading another on-demand solution because most users have their own resident AV protection and have no need to install a new scanner for the purpose of getting a 'second opinion.' As you know, because of conflicts in active protection components, that is not an ideal solution anyway. Having more than one scanner and a single active protection component can be done, but that is a much more complicated solution and out of the realm of what we are trying to accomplish here. Since users are performing the malware removal independently, we are trying to minimize complications.
If a user is in need of a complete AV solution or firewall, they can refer to our Roll Your Own Free Security Suite which mentions AntiVir. You may find this antivirus or AVG thread interesting.
The lines between spyware, viruses, and trojans are becoming increasingly blurred. As such, many scanners exhibit crossover capability in detecting malware. Panda is one of the most widely used online scanners recommended by our staff since it meets all five of the criteria stated above. Panda detects both spyware and viruses but does NOT disinfect spyware, and that is one of the reasons we chose to use the AS scanners before the AV scanners. Other than that, as far as the ordering goes it would depend on what an individual user's infections are and whether the incidence of spyware infections is greater than that of viral infections. The former is an unknown, but approx 80% of PCs are infected with spyware/adware vs. 20% with viruses, so if you eliminate the spyware, that enables the AV scans to proceed more efficiently. Here's one supporting link, but there are many more:
In the long run, if the user completes MRP we will have accomplished our objective. That objective is to provide a comprehensive solution that addresses most known components of malware using some of the best scanners/utilities available. (Plus to provide preventative solutions to prevent reinfection.)
Your point about safe mode is a good one. ewido can be run in safe mode and perhaps we shall provide an addendum to those instructions that the scan is more effective when done in safe mode. Yet, that too could introduce some complications, as some users have difficulty going into safe mode for whatever reason. --Negster22 20:03, 19 November 2005 (EST)
Another reason to run AS before AV:
- November 17th definitions (# 5777) will remove the Sony XCP DRM rootkit. Requires an AV scan afterwards.--Negster22 01:18, 20 November 2005 (EST)

I'm not sure if we do have something already; I tried a cursory search. Are we linking to or talking about specific malware? Old and new infections? With the new page on Starting With A Clean Machine I think we should include some additional information on what comes pre-bundled so users can make informed decisions. --Robin 14:29, 30 January 2006 (EST)

Prevx1

Note that Stubbs100 added Prevx1 references into MRP. No justification was given. Are the changes acceptable or should they be rolled back? --Ikester 23:47, 13 September 2006 (EDT)

If I get a vote, I vote rollback. --LU 04:27, 14 September 2006 (EDT)
What are your reservations?--Negster22 15:24, 14 September 2006 (EDT)
I am very impressed with Prevx because I have witnessed twice now where they were the first to detect a dangerous threat. Marco is a top notch investigator and threat researcher. Let's leave it for now. I never used Prevx1, but will try to do so. Let's all try it.--Negster22 15:24, 14 September 2006 (EDT)
No doubt, Prevx1 is a top notch product, I use it too. My concern is that it isn't really 'free' enough to qualify. --Erikalbert 09:24, 4 October 2006 (EDT)
Not for the "Roll your own ...." page I agree but several utilities that would require payment beyond an evaluation period, are included with MRP. Does Prevx1 have some sort of free trial period? --Ikester 15:51, 4 October 2006 (EDT)
Yeah. "Firstly, a word about Prevx1; Prevx1 already provides free detection of malware. Each user is also offered 30 days full clean up and protection. The 30 days begins only when Prevx1 is used to remove an existing infection or stop a new infection. If your PC is never infected, or your PC is never re-infected after this 30 day period then Prevx1 is entirely free to use." http://free.prevx.com/ --Erikalbert 02:59, 5 October 2006 (EDT)
Do FPs also cause the 30 day period to kick in? I would assume so if they are removed. --Negster22 16:29, 17 January 2007 (EST)

Prevx2 no longer removes at all

"Temporary Activation replaces Trial Activation for new Users.

Any user who previously installed a Trial of Prevx 2.0 on their PC will continue to receive the benefits of that previous trial license - that is free use until 30 days after they first have Malware detected on their PC - even if they uninstall and reinstall. This means that for all existing customers, whether trial or paid, there is NO CHANGE. We have simply changed the description from Trial to Temporary Activation.

For completely new customers, that is those that have never installed Prevx 2.0 on their PC, Temporary Activation has one restriction - it will not perform malware cleanup/removal - all other protection features are active. It will detect malware and will block malware execution, but it will not cleanup malware that is already on the PC. In order to cleanup/remove malware from your PC with Prevx 2.0, a paid-for cleanup license is required. This only affects NEW customers.

In summary:

Existing Customers
  Trial: Detects, Blocks and Cleans malware until 30 days after first infection.
  Expired Trial: Detects only - no blocking or cleanup.
  Paid: Detects, Blocks and Cleans malware during license period.
  Expired License: Detects and Blocks only.

New Customers
  Temporary Activation: Detects and Blocks only - no cleanup.
  Paid: Detects, Blocks and Cleans malware during license period.
  Expired License: Detects and Blocks only - no cleanup."

http://www.castlecops.com/postx202869-0-0.html Time to remove? --LU 11:01, 30 September 2007 (EDT)

Thanks, LU. I'd say yes? Anyone else want to weigh in? There is no point in offering an AS scanner in the MRP that won't remove malware for new users, which I assume most of the MRP followers are.--Negster22 14:36, 30 September 2007 (EDT)
Indeed, thanks for this info LU. I agree Negster. No point in having it included in the MR portion of the MRP procedures. --Ikester 01:47, 1 October 2007 (EDT)

Link name consistency

Would it be okay to change the links on this page to reflect how the pages are named where they actually link to? Or barring that, to move those pages to what they're named? (The latter seems more troublesome). For example: Clean the Clutter>Clean Out the Clutter; Antiviral Scans>Online Anti-Virus Scans; AntiTrojan Scans>Trojan Removal Programs. Tyciol 08:51, 21 June 2008 (EDT)
