XP Total Security 2011

[Hans Manhave]

Another observation: virus scanning software comes and goes.  It appears that what was great with Windows XP is not as great with Windows 7 and vice versa. 

See www.av-test.org for individual scores.  Most of my subscriptions for this expire in the May-July period.  Looking at replacing them individually or as a server based.

[Hans Manhave]

Adding some more, hopefully helpful, suggestions.

From www.clamwin.com download and run ClamWin.  Do read what it says about itself.

Furthermore, click on the link 'anti-malware links' at the Clamwin website and look for free removal tools and try several.  I ran F-Secure Easyclean and it was the one that cleaned my Google/Bing search redirections.

Remember to use www.virustotal.com for individual files.  I just did and 42 different virus scanners ran.  Only one had a positive determination which I am sure about being a false positive.

[Mark]

You could always put an HTTP virus scanner in the mix, too.

I use HAVP, which is an open source non-cacheing proxy that utilizes ClamAV (or some commercial products if you like).  I use it as a parent proxy to squid, which isn't a perfect setup, but I do believe that it can be used transparently as well.

Just a thought.

As a side note: I don't spend much time cleaning Malware here.  In the past 5 years, I think I saw 3 Fake AV infections, all within a few months of each other.  All I do is use taskkill to remotely kill the process then mbam it and be done.

[Jeff Zylstra]

+1 for the remote taskkill, Mark!  Whenever one of these things happens, it's real easy to lose your head and forget about some of the little "tricks" of the trade like taskkill.   This website shows how to use taskkill remotely, and also shows a very simple batch file that will kill the task(s) for you.   Very nice.

http://blog.jeffharbert.com/index.php/2009/03/using-taskkill-to-end-remote-processes/

[Bloody Jack Kidd]

Have had 3+ incidences in the past 30 days - FakeAV.  Everytime, Symantec and MBAM failed to clean.  Sophos did the job though.  Symantec has really be letting us down recently.

[Jeff Golas]

Tell me about it...over the past 2 years...I think it truely blocked one instance where something came in. Other than that the comps got infected and had to be re-imaged.

Hans - just food for thought...with these spyware infections, yeah you got rid of the annoyance part of it, but are you sure its completely gone? My rule with spyware nowadays...if it got infected, there's prob no 100% method of cleaning it out. Who knows what else is in there or if there's a backdoor left behind.

[Mark]

Have had 3+ incidences in the past 30 days - FakeAV.  Everytime, Symantec and MBAM failed to clean.  Sophos did the job though.  Symantec has really be letting us down recently.

That's why you need the layered approach.  It can be very difficult for these things to be caught by real-time scanners and Symantec has been venting about that for a while now -- and crying for people to submit them when they find them.  I think most people are just so frustrated with Symantec in that moment that they often don't submit anything.  I can say that I never have.

mbam has done the trick for me every time though.  Maybe I've just been lucky.

[Mark]

Tell me about it...over the past 2 years...I think it truely blocked one instance where something came in. Other than that the comps got infected and had to be re-imaged.

I just don't have these problems here.  Don't know what to tell ya.

My users are Power Users & not allowed to install anything
I use Squid + HAVP as I've said before.
We use OpenDNS free

I added a Cisco IPS this year, but haven't seen it block anything yet

Other than that, I don't know what else might be different.

[Hans Manhave]

Also using OpenDNS free. 

MBAM was able to clean some stuff, but not all.  It does a very good job at preventing outgoing effects from this particular infection, showing several a minute and stopping them, but it couldn't remove it.  There were very complex instructions for people, running hijackthis or others and submitting logs, taking more advised action etc.  Running the FSecure Easyclean (free) did do the trick.  Amazing what features were suddenly restored after it finished running (including a reboot and some more running).  Microsoft Security Essentials is easily defeated by this trojan (XP Total Security 2011). 

[Jeff Zylstra]

Glad that it worked for you Hans, but I've found mixed results with just about everything that I've tried.  Either the anti-virus misses the infection, or if it detects it, it can't both completely remove it and also fix all of the damage that was done.  Many of the "repairs" on sites like BleepingComputer.Com have to do with arcane registry fixes that may or may not affect daily operation of your computer.  I suspect that they probably do catch all of the mischief, but I'm also sure that the day is either coming or is already here when these things will leave some kind of a "backdoor" into systems, even after being removed.

I liked that thought of Microsoft's "steady state" software, but this won't run on anything past Windows XP.  I've found that Faronic's DeepFreeze has some management issues as far as unfreezing to allow Windows and software updates and then "refreezing" the computer to armor it again.  I haven't used SandBoxie on my own system, but haven't found it stable enough to run on other systems.  I'm also wondering if these sandbox type programs are truly as invincible as they say they are.  If so, they may be worth it.  At least for the producers and agency owner's machines. 

[Mark]

The most important thing is and always will be education.  We can have all the tools/scanners/blockers/fixes/etc in the world at our disposal, and if users aren't properly educated, we will still end up with these infections.

Everyone has heard this before, I am sure.  I just don't know how much it's actually bought into, but trust me -- a little education goes a LONG way!