Scanning routine

#1 nCharge

Posted 31 October 2012 - 05:46 AM

Hello,

I want to ask you for a scanning routine to detect if there's something hiding in a computer.
Here, priority is given to DETECTION and not to REMOVAL ("Is there something to worry about before asking experts?").

Many people are actually scanning their PC with an AV once a week.
According to quietman7 (Answers to common security questions) this is not effective enough, as "anti-virus program will focus on viruses, worms and Trojans while an anti-spyware program tends to focus more on spyware, adware and PUPS".
However I guess there are other threats that are covered neither by an AV nor by an antispyware, which is why I ask you for an effective way to "fully" scan my system to see if there is something wrong.

I want a scanning routine that can be used as a weekly scan OR as a full scan on an unknown system, meaning that we don't scan after seeing symptoms but run a scan that covers all threats because we don't know what's in the system.

That is to say, I don't want to be in this case: http://forums.malwarebytes.org/index.php?showtopic=77680 (Infected system but no detection)

Important: I understand that no product will detect 100% of the threats, as new malware will not be present in the viral database, thus not detected.

What can you recommend? (AV+Antispyware+...)?

Edited by nCharge, 31 October 2012 - 07:52 AM.


#2 noknojon

Posted 31 October 2012 - 07:17 AM

Why not take advantage of the current MBAM special offer only available for a few days ??

Full Pro version with active scanner - (Normal price listed in US$) personal users pay a one-time fee of just US $24.95!
The Newsletter has a sale price of US $17.00 to November 2, 2012 for a lifetime license -

Please convert it to your local currency - Currency converter is in the top right side -
See the Newsletter Special offer

Not available with other offers, but the cheapest that you will find it anywhere -

Read the info here >> http://forums.malwarebytes.org/index.php?showtopic=118049&view=findpost&p=612747

Edited by noknojon, 31 October 2012 - 07:20 AM.


#3 nCharge (Topic Starter)

Posted 31 October 2012 - 07:48 AM

Thank you for this special offer,
but with all due respect, this does not answer my question.

#4 quietman7 (Global Moderator)

Posted 31 October 2012 - 01:41 PM

noknojon most likely was making the suggestion for upgrading to Malwarebytes Pro in order to take advantage of its prevention features. I too recommend this. The Protection Module in the full version uses advanced heuristic scanning technology to monitor your system and provides real-time protection to prevent the installation of most new malware. This technology runs at startup, where it monitors every process and helps stop malicious processes before they can infect your computer. Keep in mind that this feature does not guarantee something will not slip through, as no product can detect and prevent every type of malware. The database that defines the heuristics is updated as often as there is something to add to it.

However, there are several free scanning tools which can be used to supplement your anti-virus and anti-spyware or get a second opinion.


#5 Didier Stevens (BC Advisor)

Posted 31 October 2012 - 03:56 PM

Are you familiar with Windows command prompt?



#6 noknojon

Posted 31 October 2012 - 04:49 PM

Many people are actually scanning their PC with an AV once a week.

Only On Demand Antivirus / Antimalware programs will behave in the method that you describe, and fully active Antivirus / Antimalware is always working -

My Antivirus ( MSE ) is always fully active, and just runs a deeper scan every day after it updates.
This might be what you want to do, and not just have a Scanner that you run at a selected time -

Most decent Antivirus programs are Fully Active at all times (even though the odd infection sneaks in) and are set for deeper scans after updates.

Here , priority is given to DETECTION and not to REMOVAL , ("Is there something to worry about before asking experts ?")

Where do you get these ideas from, except just to add to your random "post count" (like you said you would) ?? Read the forum for 1 week FIRST -
Here we ask you to have a Fully updated and Active Antivirus, and add to this with an Active Antimalware like Malwarebytes or SUPERAntiSpyware Pro versions -

Remove all Registry Cleaners etc, and just concentrate on reputable Anti Infection programs where ever you can -
Read the many pages of information from quietman7 first on prevention, rather than removal after the fact.

That should keep you busy for a few days - Hopefully -

#7 nCharge (Topic Starter)

Posted 01 November 2012 - 08:52 AM

Hello there,

Example: My idea is if you want a real deep system scan you use:
AV Scan + Antimalware (like MBAM) + Antirootkit (like GMER) + MBR scan (like aswMBR) (It is just an example to show you what kind of answer I seek)

To quietman7: So you recommend using 1 AV + 1 Antispy + eventually 1 of these tools to confirm?

To Didier Stevens: No, why?

To noknojon:
1) In fact I mean many people have an AV (real-time scanner included) and plan a full scan once a week (with the real-time scanner still working)

2) I don't say that prevention < detection; it is just in case a malware sneaks into your system and you're not aware of it, prevention is thus useless, so what kind of tools can I run to ensure that my system is clean?

And I may be asking some unusual questions, etc... but I don't do it because I want to raise my post count.

Thank you

Edited by nCharge, 01 November 2012 - 08:53 AM.


#8 Didier Stevens (BC Advisor)

Posted 01 November 2012 - 12:21 PM

To Didier Stevens : No , why ?


Otherwise I would have shown you something you can do once a month.



#9 noknojon

Posted 09 November 2012 - 03:54 PM

Here , priority is given to DETECTION and not to REMOVAL , ("Is there something to worry about before asking experts ?")

The best thing to start with is to spend 2 years and become an expert -

Well, the options you have are limited only by your Education and Reading of the topics / forums.
You can perform no tests for problems that do not exist on your system without knowing exactly what you are looking for.

if a malware sneaks in your system and you're not aware of it , prevention is thus useless

Exactly how are you going to prevent this ?? Any decent malware hacker can pass your security unless you have Active Prevention at all times -
I left that link for Active Malwarebytes Pro version that you had no interest in - Major Error - You need this protection -

Your link to a topic in the MBAM Malware Removal forum is an example of knowing How to read if you have a problem.
The first thing Maniac needs to read is logs to show if there is any infection actually existing on the system, or an operating problem -
Once the specific problem is defined, only then can the correct tools be used to try and remove that infection.
The person in this case complained of a TDSS rootkit, but there was no need to run a specific TDSS tool for that infection.

This was followed by Combofix that created a log which must be read to find more details (and maybe remove part of an infection)

After the problem seemed solved this information was given http://forums.malwarebytes.org/index.php?showtopic=9365
That list includes most normal things a person needs to do to keep generally safe and secure at MOST times - "Must-Have Software" is included in the topic along with a link to This thread from Grinler at BleepingComputer http://www.bleepingcomputer.com/tutorials/tutorial82.html
These are industry standards that are taken as the better advice topics from Experts, for all users on the Internet today and are updated as required.

There is generally NO 100% method unless Didier Stevens can provide a monthly session for you to run.

If you can not read logs produced by scanning tools to see if there is a problem existing, then you are "Running Blind" - This is why so many people just use Combofix or another tool that is Not Required with the idea that it will cure everything and end up doing damage to their Registry -

Read several other topics that go for 3, 4, or even 5 pages to find the one small infection that is the basis of the problem.

A topic that is solved with one scan, usually means that the person infected has very limited protection, rather than installed removal tools
Installed removal tools are mostly useless unless you know why they are there and how to use each tool for each case -

You are better using an Online Antivirus scanner once a month and following the basic security directions in the above links -
Stay away from any "Registry Cleaners" and any "Speed-up My Computer" programs, and just follow the given advice from

I have no more to offer on this topic, and all I can see is that you wish to become an Expert in 2 weeks and not 2 years -

Just FYI. Over the years I have been infected with complicated problems that have needed removal, but I left that to Well Trained Experts only -

#10 nCharge (Topic Starter)

Posted 13 November 2012 - 10:52 AM

Thank you for all this information noknojon,

Let me go back to some points:

1-

The person in this case complained of a TDSS rootkit, but there was no need to run a specific TDSS tool for that infection.

There was no need to run a specific TDSS tool: Because it wasn't actually a TDSS infection?

2-

You can perform no tests for problems that do not exist on your system without knowing exactly what you are looking for

Once the specific problem is defined, only then can the correct tools be used to try and remove that infection.

So, tools like TDSSKiller, Combofix are useless for people like me (they won't help me to say whether my system got something or not) unless I know how to decrypt their logs?

3-

Exactly how are you going to prevent this ?? Any decent malware hacker can pass your security unless you have Active Prevention at all times -

This is what I'm trying to say: My worst scenario is that even with a fully updated security suite, a malware can penetrate my system without any alert. Then no sign of infection, meaning that I will be running infected without knowing it, because as the malware succeeds in sneaking in, it has all privileges to tamper with security software.
Result: Full bypassing of security software. That is why I'm asking for such a scanning routine in case this happens.

4-

There is generally NO 100% method unless Didier Stevens can provide a monthly session for you to run.

Sorry, I don't see what you're trying to say.

5- If I do understand, you recommend me doing a monthly scan with an online scanner beside all the real-time protection I have, only that?

And yes, I may want to train to be an expert someday.

Edited by nCharge, 13 November 2012 - 10:54 AM.


#11 noknojon

Posted 16 November 2012 - 04:53 PM

1. "There was no need to run a specific TDSS tool : Because it wasn't actually a TDSS infection ?"
This was picked up by reading the posted DDS logs, plus Maniac's many years of experience -

2. "So , tools like TDSSkiller , Combofix are useless for people like me ....... unless I know how to decrypt their logs ?"
In a word Correct - Overkill can be as bad as lack of protection; Combofix is a prime example - It is a specific tool only -

3. .... a malware can penetrate in my system without any alert.Then no sign of infection , meaning that I will be running infected without knowing ..
Again Correct, but scanning and learning how to read logs (DDS / OTL / C/fix) and regular A/virus scans can help with a good program -

4. "Sorry , I don't see what you're trying to say."
Read the above posts from Didier Stevens - "Are you familiar with Windows command prompt?"

5. "... you recommand me doing a monly scan with an online scanner beside all real time protection I got , only that ?"
Use WOT and similar "pre-detection" surfing tools - Active Antivirus and active Antimalware are both recommended -
The list above by quietman7 is the best place to start researching for online and Active Protection -

"And yes , I may want to train to be an expert someday."
Enrol in an online school now (like the one here) and start learning the basics, not in 12 months -



#12 nCharge (Topic Starter)

Posted 19 November 2012 - 05:25 PM

Maniac said :

Yes, so that I asked. Your problem was: c:\users\TY\AppData\Roaming\linkinfo3.dll

Still , I did not find anything related to this file , I wonder if it's really a rootkit or what kind of threat ?

a malware can penetrate in my system without any alert.Then no sign of infection , meaning that I will be running infected without knowing

Does this apply only to 0-day malware? Will regular users be able to detect those stealth malware by a further update of AV/Antimalware? Or are they doomed (if they don't know how to read logs)?

I find quietman's list interesting for Active protection but can't find some to-do-scans each week, or month , whatever ?
(See previous post to know why)

Edited by nCharge, 19 November 2012 - 05:29 PM.
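Post #7 sketches the routine nCharge is after (AV scan, antimalware, antirootkit, MBR scan) and post #12 asks again for a weekly or monthly to-do list of scans. The script below is an added example written for this edit; it is not code from the thread, from BleepingComputer, or from any of the tools named above. It assumes a Windows 10 or 11 host with the built-in Microsoft Defender PowerShell module (the 2012-era MSE discussed in the thread has no such cmdlets) and an elevated prompt; the baseline directory is an assumed path. It runs the weekly AV part (signature update, full scan, list of recent detections) and adds a second check that does not depend on the AV engine at all: a snapshot of the common persistence points (Run keys, services, scheduled tasks, each with the SHA-256 of the binary it points at), diffed against the previous week's snapshot. That second check is one way to notice something that slipped past the real-time scanner, the scenario nCharge describes in post #10.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): weekly detection routine for one
# Windows 10/11 host. Assumes the built-in "Defender" PowerShell module and
# an elevated prompt. $BaselineDir is an assumed location; change as needed.
param(
    [string]$BaselineDir = "$env:ProgramData\ScanRoutine"
)

New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# --- Part 1: the classic weekly AV scan -------------------------------------
Update-MpSignature
Start-MpScan -ScanType FullScan

# Detections from the last 7 days. An empty list means "nothing in the current
# database matched", not "clean": new malware is not in the database yet.
$since = (Get-Date).AddDays(-7)
$detections = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt $since })
"Defender detections in the last 7 days: $($detections.Count)"
$detections | Select-Object ThreatID, InitialDetectionTime, Resources | Format-Table -AutoSize

# --- Part 2: second opinion that does not rely on the AV engine -------------
# Whatever slipped past the real-time scanner still has to survive a reboot
# somewhere, so record the common persistence points and compare with last week.

# SHA-256 of the executable a command line points at; '' if it cannot be
# resolved (unquoted paths containing spaces are not resolved on purpose).
function Get-TargetHash([string]$CommandLine) {
    if (-not $CommandLine) { return '' }
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        return (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }
    return ''
}

function New-Entry([string]$Type, [string]$Name, [string]$Value) {
    [pscustomobject]@{ Type = $Type; Name = $Name; Value = $Value; Hash = (Get-TargetHash $Value) }
}

function Get-PersistenceSnapshot {
    $entries = New-Object System.Collections.Generic.List[object]
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries.Add((New-Entry 'RunKey' "$key\$($p.Name)" ([string]$p.Value)))
        }
    }
    foreach ($svc in Get-CimInstance Win32_Service) {
        $entries.Add((New-Entry 'Service' $svc.Name ([string]$svc.PathName)))
    }
    foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $entries.Add((New-Entry 'Task' "$($task.TaskPath)$($task.TaskName)" $actions))
    }
    return $entries
}

$snapshot = Get-PersistenceSnapshot
$snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $BaselineDir "snapshot-$stamp.json")

# Diff against the previous snapshot (the timestamped filenames sort chronologically).
$files = @(Get-ChildItem -Path $BaselineDir -Filter 'snapshot-*.json' | Sort-Object Name)
if ($files.Count -lt 2) {
    "First run: baseline written, nothing to compare yet."
    return
}
$previous = Get-Content -Path $files[-2].FullName -Raw | ConvertFrom-Json
$keyOf = { "$($_.Type)|$($_.Name)|$($_.Value)|$($_.Hash)" }
$old = @($previous | ForEach-Object $keyOf)
$new = @($snapshot | ForEach-Object $keyOf)

"Persistence changes since $($files[-2].Name):"
Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
    $label = if ($_.SideIndicator -eq '=>') { 'NEW     ' } else { 'REMOVED ' }
    $label + $_.InputObject
}
```

Run it weekly from Task Scheduler; the first run only writes the baseline. The diff is a list of things to look up, not a verdict: a legitimate update also changes a hash, and an empty detection list only means nothing in the current database matched, as the thread already notes. The anti-rootkit and MBR parts of nCharge's routine are outside what this script checks; those still need the dedicated tools named in post #7.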




