A Revolution is the Solution
I don't really like to help people fix their infections. I suppose I'm more into prevention and education. It is A LOT easier to say "Download this and run it" than to identify why they got infected and explain it to them. They learn nothing that way. Usually a biggie for getting infected is not patching (ok... that plus going to porn, crack, unknown *.biz domains, and sites without a domain name).
Just earlier I loaded up my SP1 VM and went out to get 0wn3d. Having just SP1 with no further patches, this was a walk in the park. Anyway, that was successful, then I proceeded to try and clean it with anti-spyware and anti-virus software rather than cheat with the undo disk. There was also one rootkit. It couldn't be detected by AS or AV until I uninstalled the offending driver in Device Manager. Then I got to thinking: the machine is compromised to the point where even after running a zillion different programs I still don't feel that I could trust it to do my banking, online shopping or other stuff that requires me to divulge private information. So I'd say "Format, then use a limited account, not the administrator account, and further change your habits."
Just thought I'd share.
redxii | 12.19.05 - 10:39 am
Yep, SP1 sucks so bad it blows. And as for admin accounts, oh noes!!!
Format is becoming more of an "acceptable" option these days - thank god. I've never been a fan of the theory where it doesn't matter how badly a PC is hosed, you CAN bring it back and anything less is a heroic failure. Not true, a heroic failure is six-foot men that dress as women!
Paperghost | 12.19.05 - 11:03 am
2-word comment on that rant:
GOOD LUCK
Anonymous | 12.19.05 - 12:03 pm
Good luck in a good way or a bad way? Hmm, guess I know which!
Still, the fact remains - with things as they are, we aren't getting anywhere.
Paperghost | 12.19.05 - 12:08 pm
That blog of Nick's is a good idea. We at MR have been asked to use his blog for the end user to go through and post a fresh HJT log back to us afterwards. Saves us time. And it scales the whole canned speech down.
For me, I personally don't mind this. Gives me more time to concentrate on learning other stuff.
AndyAtHull | 12.19.05 - 12:40 pm
Great topic again Ghostie. I've jumped the gun (Oh Noes) and started trying to spread the wisdom. Huge respect to NoAdFear & Nick and that PG character!!!
http://www.spywarewarrior.com/vi...p=107970#107970
& duplicated on the HJT forum as well
Fcukdat | 12.19.05 - 1:41 pm
We had to resort to providing an instructional post at Freedomlist for W32.Sinnaka.A@mm / SpyAxe because the sheer volume of people coming for help was too much to handle quickly. After noahdfear's review, I posted a pinned topic a week ago. It has had over 1700 views in that short time.
I requested before & after HJT logs as well as the smitRem© log and an Ewido log.
http://www.freedomlist.com/forum...p=158849#158849
For this particular infection, the posted instructions are working exceedingly well. Where I can see a potential problem is when the user misdiagnoses their infection and causes damage using a "fix" incorrectly, only gets part of the infection, or misses a completely different problem.
The "all clear" post after cleanup also provides an opportunity to present specific preventative advice to the user. This wouldn't be available if "generic" help became the norm.
Corrine | 12.19.05 - 5:52 pm
"The "all clear" post after cleanup also provides an opportunity to present specific preventative advice to the user. This wouldn't be available if "generic" help became the norm."
True - how about the "blog help" posts final steps simply pointing the user in the direction of the forums anyway - a "quick scrub up" section or something. Where (hopefully) all the garbage has now gone, and you can hit them with the "install these for teh win!" post?
That could work. This is definitely one of the more interesting forum-related subjects I've seen in recent months. A lot of people seem to be having the same thoughts at present - the problem is how to realistically replace the current system with something that might work better. Damn, it'd be tricky...
Paperghost | 12.19.05 - 6:47 pm
Interesting subject, this. I myself have the all-clear post. Modified an expert's post, but nevertheless, if there is something standard out there that we all can link to, for each OS, it will save time for many experts, so that their time can be used for other things.
Something for me to think about.
AndyAtHull | 12.19.05 - 7:17 pm
Andy, I'm sure we could come up with a "generic" all-clear link, but where would it be posted? Besides, I'm afraid it would end up as a blind spot since people often tend to miss their own shortcomings.
An interesting concept, similar to what PG is suggesting, is Castle Cops: http://wiki.castlecops.com/Malwa...ntion:_Overview
Corrine | 12.19.05 - 9:13 pm
Hey, that's pretty cool - thanks for the link.
Paperghost | 12.19.05 - 10:08 pm
Hmmm, a little birdy told me to look at the Castle Cops SpyAxe removal page. I wonder who that Nick-YF19 fellow is.
Nick | 12.20.05 - 5:28 am
Fair point, Corrine.
That link is useful :D
AndyAtHull | 12.20.05 - 12:35 pm