Free Virus Scanners - Missing Infected Files


Posted

Thanks to a careless encounter, one of my home PCs was infected with a trojan. I spotted something was wrong when using it to watch a movie the other day, as it was responding slightly slower than normal and the 'can I go online now?' dialogue box popped up for no reason.

I normally rely on AVG with frequent updates to scan the PC and various USB devices (mass storage, MP3 players etc.). I ran scans on the PC and on a USB stick that I considered the source of the infection, with AVG reporting all clear.

Using Explorer and Task Manager I looked at the PC for any files that shouldn't be there. At that point I noticed that I couldn't see my system files in the root of C:; going into the view options within Explorer, I was not able to select/apply the Display Hidden Files or System Files options.

Dropping to a DOS prompt, I could use ATTRIB to see that an AUTORUN.INF and a Suit0.Com file had appeared (marked SHR).

Deleting them by hand (I wrote a batch file, as they were being recreated quicker than I could type) lasted a while, but something else was also spreading the infection.

I installed a fresh copy of Avira; again it reported no infections.

Getting my hands on a copy of Norton did report and delete the infected files, which were carrying:

Win32/PSW.OnlineGames.NNU & Win32/PaceX.Gen

HTH
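A defender-side check for the pattern described in the post above, added here as an example (it is not code from the thread): a PowerShell script that walks every drive root, flags an autorun.inf carrying the Hidden+System+ReadOnly ("SHR") attributes that ATTRIB revealed, and reports which file its [autorun] section would launch. It assumes Windows PowerShell 5.1 and only reads; it deletes nothing.

```powershell
# Added example (not from the thread): triage check for the autorun.inf
# dropper pattern described above, written for Windows PowerShell 5.1.
# For each drive root it reports whether autorun.inf carries the
# Hidden+System+ReadOnly ("SHR") attributes the poster saw with ATTRIB,
# and which file the [autorun] section would launch.
$shrMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly

function Test-ShrAttributes {
    param([IO.FileAttributes]$Attributes)
    # True only when all three bits are set
    return (($Attributes -band $shrMask) -eq $shrMask)
}

$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($drive in $roots) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }

    $infItem = Get-Item -LiteralPath $inf -Force     # -Force so hidden/system files are returned
    $flag = if (Test-ShrAttributes $infItem.Attributes) { '  <-- SHR, suspicious' } else { '' }
    Write-Output ("{0}autorun.inf  [{1}]{2}" -f $drive.Root, $infItem.Attributes, $flag)

    # Launch targets live in open=, shellexecute= or shell\<verb>\command= entries
    $inAutorun = $false
    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inAutorun = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inAutorun) { continue }
        if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
            $target = ($Matches[2].Trim('"') -split '\s+')[0]   # drop any arguments
            $targetPath = Join-Path $drive.Root $target
            if (Test-Path -LiteralPath $targetPath) {
                $t = Get-Item -LiteralPath $targetPath -Force
                $tflag = if (Test-ShrAttributes $t.Attributes) { '  <-- SHR, suspicious' } else { '' }
                Write-Output ("    launches {0}  [{1}]{2}" -f $target, $t.Attributes, $tflag)
            } else {
                Write-Output ("    launches {0}  (file not present)" -f $target)
            }
        }
    }
}
```

Run it from an elevated prompt so system-attribute files on every drive are readable; a launch target that exists in the drive root with SHR attributes is the companion file worth submitting to your AV vendor.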

Posted

I think most AV programs are a bit of a joke in their ability to truly protect a system. They're decent at detecting known virus signatures, but that's about it, and fairly easy to get around anyway. I occasionally collect and test viruses in VirtualPCs to better understand them, and I'm amazed at how poor many well-known AV apps are. I've got a virus that's several years old that slips right through NOD32 (unless advanced heuristics are enabled); Avira misses it, AVG misses it, etc. Each app thinks it deleted the virus and plows on like the job is done. Unfortunately, the system is actually fully infected and easily controlled by remote PCs.

It's important to note that the same virus on a limited user account doesn't affect the system, even with AV turned off, so I place much more value on running systems with lower user privileges. I also recommend a decent HIPS (host intrusion protection software) like Online Armor that uses whitelisting instead of blacklisting/signatures to protect the system. It's a bit annoying initially, like Vista's UAC, but unlike UAC it learns your allowed apps over time and will start to bother you less and less.

Posted (edited)

Regarding Online Armor: I was a longtime Comodo FW user but recently switched to Online Armor.

Both FWs use HIPS, but IMHO OA is the clear winner for many other reasons too! I purchased the full version. It's an amazing firewall, even the free version.

Edited by webfact
Posted

I am always amazed at all the pushups you M$ folks do and how the beatings never appear to deter you from repeating them, or is it simply the challenge of beating the virus/trojan/yadda?!

I am not knocking M$ at all - I simply never use it on-line. Not using root accounts is of limited value.

The trick is to live clean, and lose all those portable thumb drives - or keep them in-house.

BR>Jack

Posted

Legal copy of Vista Ultimate, updated every day, and over 18 months of trouble-free computing. Reading some of the problems Linux users are having lately makes me wonder why they ever bother. Any Linux user using StarOffice and OpenOffice is as open to a virus as any Windows user!

At least I get the massive backup of MS if I have a problem. Which I don't :)
