Malware scans

Melih,
About a year or more ago I mentioned "dumb" compression program scanners that I found a decade ago. What I meant was that they could only open a file if the file extension was the correct one for the compression program. If it was a zip file or arj file it needed to have the extension zip or arj; if you named a zip .arj or .123 it could not open it, whereas back then 1stReader could.

Just came up with another problem most malware programs have, and that is only being able to scan 1 layer of compressed software. I would prefer if a program could scan 2 to 3 layers deep, if not deeper!

If that could be possible?

What brought this up was early this morning (my daughter is in Amsterdam and she never keeps in touch via email at 5-6 pm, but more like 3-4 am).

I was typing to Tom in Germany on Yahoo messenger via Qnext when I got another message via msn messenger via Qnext from my sister-in-law in Florida. And there was an attached file.

You might say I was asleep, because initially I missed that the four-line message was in Spanish.
I tried to scan the file misfotos1.zip but could not with 3 of the antispyware programs I have and Avira.
Decided to open it, and when two of my programs (StartUp Monitor) both warned me that it wanted to run at startup, and later gave a warning about it wanting to change my Hosts file, I immediately stopped and started scanning.

Nothing was found with the free SpywareTerminator, SuperAntiSpyware, AVG anti-spyware, and Spybot, nor when I scanned my system with Avira. All of these were the free programs, and I did a deep scan with each.

One item was found when I used the Panda anti-rootkit scanner Pavark.exe. It was an unknown and hidden rootkit that I had it delete (if I had a way of copying that file and sending it to Comodo to be analyzed I would have).

I will be trying to send the file misfoto1.zip, which contains a file misfoto1.jpeg-facebook.com, when I get back late tonight.

Not sure if anyone has thought about the ability to read and scan files several layers deep, again if that was possible.

Comodo seems to be developing its software to be independent and combined. Possibly it could add an anti-rootkit program to its list independently, and also as an option with a CAVS scan.

There are several anti-rootkit scanners, some better than others!

Uncle Doug

That's a functionality of an AV product. However, there are limitations, as this could be abused to waste AV resources by sending the AV into an infinite loop of unpacking. So there are limits put into AVs as to how deep they will dig for compressed files.

thanks
Melih

Perhaps an independent compressed-files-only On-Demand scan could be a solution.

Eric

Hi Eric,
Might be searching the wrong way, but I was hoping for a way to fix a warning that one of the scans located at jotti.org (Sophos rootkit) displayed. This was the only item:

Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be supported on this version of Windows.

In reading, one of the symptoms is internet crashes, which have occurred frequently while I am reading or changing sites. I hoped there might be a fix besides reformatting. As I mentioned, after I canceled the install of this questionable file I ran several scans and have continued using some of the programs found at jotti.

Avira Free did not find anything, nor did SpywareTerminator, Super AntiSpyware, Windows Defender, SpyBot, and AVG (Ewido) anti-spyware. Pavlov rootkit did. Also, A-Squared found a possible worm.
In running the Kaspersky online scan I had to start over and turn Avira Guard off; Avira kept giving blocks and warning messages with the Kaspersky scan, and it took way, way too long. With Avira Guard off it finished and had about 20 generic warnings about areas that were locked (no direct locations) and two definite warnings for 2 tools that I have located on my HD: EvID, to open up ports, which I downloaded from SpeedGuide, and SmithFraud, a tool I fixed a malware attack with two years back.

Eset online scan did not find anything, F-Secure found a worm in control.exe in System32 and dllcache, Dr.Web found one major and 3 minor items. Would like to run IKARUS but did not know how to translate. I would prefer antispyware and rootkit scans rather than anti-virus scans.

Oh, I did not use SpywareDoctor (the Starter Edition found in Google Pack does more than the free trial). Although SpywareDoctor did a great job of finding objects, its interaction with other anti-malware products caused my system to slow down (combined CPU and RAM usage).

Back to your comment: why could the anti-malware program not leave a warning and a list of files that could not be scanned because of layers of compression, and suggest the user manually scan the files listed?

Another annoying thing many free scans do is give no locations, or incomplete locations, for where suspected files are located. And how many are false positives?

At least these programs did not list dozens of ad cookies like Ad-Aware did when I used it.

Thanks for any suggestions or help you can provide.

UncleDoug
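To illustrate both Melih's point about depth limits and UncleDoug's request that unscanned layers be reported rather than silently skipped, here is an added example (not code from the thread or from any product mentioned in it) of a nested-archive walker. It identifies ZIPs by signature instead of extension, stops at a configurable depth and declared-size limit, and returns the members it could not open so they can be listed for manual scanning. The `scan_sample` helper and its three-layer archive are constructed for the demo.

```python
import io
import zipfile

# ZIP local-file-header signature. Sniffing this instead of trusting the
# extension means an archive renamed to .123 or .arj is still opened.
ZIP_MAGIC = b"PK\x03\x04"

def scan_archive(data, path, max_depth, max_member_bytes=10_000_000,
                 depth=0, scanned=None, skipped=None):
    """Walk nested ZIPs by signature, at most max_depth layers deep.
    Returns (scanned, skipped): member paths that were reached, and
    (path, reason) pairs left unopened so the user can scan them by hand."""
    scanned = [] if scanned is None else scanned
    skipped = [] if skipped is None else skipped
    if not data.startswith(ZIP_MAGIC):
        scanned.append(path)            # plain file: hand it to the scanner
        return scanned, skipped
    if depth >= max_depth:              # hard stop against zip-in-zip loops
        skipped.append((path, "depth limit"))
        return scanned, skipped
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.file_size > max_member_bytes:   # declared size, checked before inflating
                skipped.append((member, "size limit"))
                continue
            scan_archive(zf.read(info), member, max_depth, max_member_bytes,
                         depth + 1, scanned, skipped)
    return scanned, skipped

def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def scan_sample(max_depth, max_member_bytes=10_000_000):
    """Constructed three-layer sample; the innermost archive is renamed .123."""
    layer3 = make_zip({"readme.txt": b"layer 3 text"})
    layer2 = make_zip({"notes.txt": b"layer 2 text", "renamed.123": layer3})
    sample = make_zip({"photo.jpg": b"\xff\xd8 fake jpeg", "inner.zip": layer2})
    return scan_archive(sample, "sample.zip", max_depth, max_member_bytes)
```

Calling `scan_sample(1)` reaches only the top-level photo and reports `inner.zip` as unscanned; `scan_sample(3)` reaches all three layers, including the renamed `.123` archive.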

My first suggestion is for you to delete all your temp files, including cache etc. I suggest running Ccleaner (www.ccleaner.com). Once installed, click on Settings >>> Advanced and uncheck "Delete Temp Files only 48 Hours or Older", then run the Cleaner.

Next do a Registry scan for invalid entries and obsolete software with Ccleaner.

You’ll be prompted to create a backup of the Registry before removing the invalid entries.

Some rootkits are hidden registry values etc.

Reboot after doing the cleanup and then see if you’re still getting the same results in scans you’ve had previously.

Control.exe is your Windows Control Panel.

Eset is said to have the fewest False Positives out of any of the other Anti-Viruses out there. Virtually 0 in the retrospective scans by av-comparatives.org

Hope this helps.

Eric

Eric, I use Ccleaner as one of my main clean-up tools. Just noticed a new version was released yesterday, 4/28/08.
I find that of the registry cleaners I use, Ccleaner is the safest. With the others I need to reinstall Flash Player.

You might want to look at some of the others. RegScrubXP will always find more (soon it will no longer be supported).
EasyCleaner from TonyArts does more than just registry cleaning. For deep cleaning and searches I use JV16 Power Tools (last free uncrippled version). I also use UPHClean from Microsoft to clean the User Personal Hive.

For temp files I use several programs. CleanUP is another program that cleans the HD and works pretty well.
I also use MRU Blaster, which I usually run last, and it has always found items the others miss. Several times I have seen ATF Cleaner recommended, but found that the removal count goes up and down if I run it several times in a row. If I use it, it's after CleanUp and Ccleaner, and before MRU Blaster.

Eric, I wondered what you use to defrag?

For the HD I use Contig (from SysInternals) at the end, and sometimes at the beginning before running another defrag program. Found myself using jkdefrag the most, but was also trying out Defraggler from the authors of Ccleaner. I also only need to run PageDefrag (defrags the page files) once a year, or at the most twice a year.

Found two free programs for registry defrag: AusLogics Registry Defrag and Free Registry Defrag. I run one of these after either deleting or adding a lot of registry keys.

Two other programs I would like you to check are AMDeadLink, which finds and lets you delete bad links that you have saved over time, and udc from FileHippo, which is an update checker for files you have on your HD that they have a newer version of. What is great about it is that it does not install on your HD but just sits there until you run it.

I will run these cleaners in safe mode (it has been a while) and then check. If that error reappears I will run the repair console.

Thanks
UncleDoug

Interesting stuff… I’ll have to look into those other programs when I’ve more time on my hands.

Have we helped much with regards to your initial query about Malware Scans?

Eric

Eric, after running several of the HD cleaners I listed and also the registry cleaners, I ran the Windows error checking tool, checking both boxes (C: Properties, Tools).

After running major registry cleaning I usually run the System File Checker ("SFC /scannow"), then the Windows error checking tool. Did not run SFC this time, but have run it recently.

Everything seemed okay until just now.

I was reading the thread about the malware scan and removal free trial. Clicked on the link that brought me to the other page with Sign Up. When I hit the back button to back up, it crashed with the Microsoft "send report" popup, and then I was completely out of these forums and on the desktop.
Don't remember if it was the first back click or the second. But this is what I was wondering about.

I will uninstall IE7 and if that does not help I will try using the XP repair console to reinstall the original registry keys.

Possibly you or someone else might have a suggestion? This does not happen often, but it is annoying!

Thanks, UncleDoug

Hey Uncle ;D

Use JKDefrag: Download MyDefrag 4.3.1 for Windows - Filehippo.com

I use it for defragging. It is VERY VERY GOOD! I stay away from Reg Cleaners. IMO, the best Reg Cleaners are you and me and regedit.

Josh