Re: How to scan a compromised system?

From: WDms (wdsnews.0226@oregoncity.com)
Date: 06/20/02


From: "WDms" <wdsnews.0226@oregoncity.com>
Date: Thu, 20 Jun 2002 08:46:26 -0700


Except that... all of your ifs are true. If you can think of a situation, I
have a client who experienced it. So the question remains, how do you boot
clean on a modern Windows system?

"x y" <jamescagney90210@excite.com> wrote in message
news:u5avJo#FCHA.1856@cpimsnntpa03...
> You only have this problem with some viruses that are memory resident
> stealth viruses or that purposely try to disable your antivirus program, and
> only if your antivirus scanner does not have that virus in its database
> already. The most common viruses and worms you're likely to see do not fit
> into either of these categories. Also, these viruses cannot infect your
> machine unless your antivirus scanner is unaware of the new virus. As long
> as your antivirus is set to download updates every day, having a virus slip
> by your antivirus scanner is not very common. We've been running Norton
> antivirus along with Norton Antivirus internet email gateway for 1.5 years
> with no virus outbreak to the best of my knowledge.
>
> If you're in a network environment, running an AV scanner on the network
> drives and running antivirus on an email server or internet email gateway
> can help alert you if one client has somehow been infected. In Windows 2000
> / XP / NT, you can also try monitoring the antivirus service to confirm that
> it is still running on each workstation. IPSentry server monitor and Norton
> Antivirus corporate edition server both allow you to monitor services, as
> would a batch file that uses the netsvc command from the Windows Resource
> Kit or possibly available from www.microsoft.com/download.
>
> Additionally, using registry entries or a .reg file to prevent .VBS and .SHS
> and various other files from having an association in the registry prevents
> many viruses from executing on your computer even if your antivirus is not
> yet aware of them. The lines below, if copied into Notepad and saved as
> filename.REG will roll out some of these settings. I recommend these
> settings for just about everyone. [You can also use Norton Internet Email
> Gateway or Outlook 2000 or XP with the Microsoft Outlook security update to
> block file attachments such as the ones below in emails.]
>
>
> REGEDIT4
> ; **************************************************
> ; NOTE: The following command is used in the login script w:\update\update.bat
> ; to automatically import this reg file at every login:
> ;   regedit /s w:\utility\chesapeake_update.reg
> ; (regedit only accepts a .reg file that starts with the REGEDIT4 header,
> ; and comment lines must start with ";" rather than the batch-file "::")
> ; DISABLE FILE EXTENSIONS ASSOCIATED MOSTLY WITH VIRUSES AND WORMS
> ;
> [HKEY_CLASSES_ROOT\.chm]
> @="chm.file"
>
> [-HKEY_CLASSES_ROOT\.ADE]
>
> [-HKEY_CLASSES_ROOT\.ADP]
>
> [-HKEY_CLASSES_ROOT\.BAS]
>
> [-HKEY_CLASSES_ROOT\.EML]
>
> [-HKEY_CLASSES_ROOT\.ISP]
>
> [-HKEY_CLASSES_ROOT\.JS]
>
> [-HKEY_CLASSES_ROOT\.JSE]
>
> [-HKEY_CLASSES_ROOT\.NWS]
>
> [-HKEY_CLASSES_ROOT\.SCR]
>
> [-HKEY_CLASSES_ROOT\.SCT]
>
> [-HKEY_CLASSES_ROOT\.SHB]
>
> [-HKEY_CLASSES_ROOT\.SHS]
>
> [-HKEY_CLASSES_ROOT\.VB]
>
> [-HKEY_CLASSES_ROOT\.VBE]
>
> [-HKEY_CLASSES_ROOT\.VBS]
>
> [-HKEY_CLASSES_ROOT\.WSC]
>
> [-HKEY_CLASSES_ROOT\.WSF]
>
> [-HKEY_CLASSES_ROOT\.WSH]
>
>
> ; *********************************************************************
> ; DISABLE THE FEATURE WHERE WINDOWS HIDES THE FILE EXTENSION FOR
> ; CERTAIN FILE TYPES MOSTLY USED BY VIRUSES
> ; E.G. VIRUS.TXT.VBS APPEARS TO BE VIRUS.TXT
>
> [HKEY_CLASSES_ROOT\PIFFile]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\ShellScrap]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\SHCmdFile]
> "NeverShowExt"=-
>
> [HKEY_CLASSES_ROOT\DocShortcut]
> "NeverShowExt"=-
>
> "WDms" <wdsnews.0226@oregoncity.com> wrote in message
> news:#L4uXc6FCHA.2520@tkmsftngp13...
> > The trouble with the current viruses is they attack the virus scanners. Is
> > there a way to boot up a Win2K system without launching the viruses in
> > order to run a virus scanner? In the old days we did it with a boot floppy.
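An added example (my code, not from either poster in this thread): a small Python tool that parses a REGEDIT4-style .reg policy file such as the one quoted above and audits a workstation's `reg export` snapshot against it, so an administrator can tell from a central share which machines still have the .VBS/.SHS associations or the NeverShowExt values the policy is meant to remove. It assumes the policy file carries the REGEDIT4 header; the snapshot embedded in the block is constructed, and a real one written by `reg export` is UTF-16 and must be decoded to text before being passed in.

```python
"""Audit a registry snapshot against a .reg policy (added example, not from
the thread).  Implements the REGEDIT4 line semantics the posted file uses:
  [KEY] create key   [-KEY] delete key   "Name"="data" set value
  "Name"=- delete value   @=... the key's (Default) value
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Policy: a subset of the association-removal .reg quoted in the thread.
POLICY_REG = r"""REGEDIT4

; DISABLE FILE EXTENSIONS ASSOCIATED MOSTLY WITH VIRUSES AND WORMS
[HKEY_CLASSES_ROOT\.chm]
@="chm.file"

[-HKEY_CLASSES_ROOT\.VBS]

[-HKEY_CLASSES_ROOT\.SHS]

[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=-
"""

# Constructed snapshot of a workstation that has NOT applied the policy:
# .VBS is still associated and scrap files still hide their extension.
SNAPSHOT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.chm]
@="chm.file"

[HKEY_CLASSES_ROOT\.VBS]
@="VBSFile"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""
"""


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return (op, KEY, name, data) tuples; key paths are upper-cased because
    registry paths are case-insensitive."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / 5.00 header")
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment line
        m = KEY_RE.match(line)
        if m:
            key = m.group(2).upper()
            if m.group(1) == "-":
                ops.append(("delete_key", key, None, None))
                key = None                 # a deleted key carries no values
            else:
                ops.append(("create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3).strip()
            if data == "-":
                ops.append(("delete_value", key, name, None))
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                ops.append(("set_value", key, name, _unescape(data[1:-1])))
            elif data.lower().startswith("dword:"):
                ops.append(("set_value", key, name, int(data[6:], 16)))
            else:
                ops.append(("set_value", key, name, data))  # hex: etc. kept raw
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return ops


def apply_ops(snapshot, ops):
    """Apply .reg operations to {KEY: {name: data}} as regedit /s would."""
    for op, key, name, data in ops:
        if op == "create_key":
            snapshot.setdefault(key, {})
        elif op == "delete_key":
            snapshot.pop(key, None)
        elif op == "set_value":
            snapshot.setdefault(key, {})[name] = data
        elif op == "delete_value":
            snapshot.get(key, {}).pop(name, None)
    return snapshot


def snapshot_from_reg(text):
    """Build the registry state described by a `reg export` file."""
    return apply_ops({}, parse_reg(text))


def audit(snapshot, policy_ops):
    """List every place the snapshot still differs from the policy's end state."""
    findings = []
    for op, key, name, data in policy_ops:
        vals = snapshot.get(key)
        label = f"{key}\\{name or '(Default)'}"
        if op == "delete_key" and vals is not None:
            findings.append(f"{key}: key still present, association still active")
        elif op == "create_key" and vals is None:
            findings.append(f"{key}: key missing")
        elif op == "delete_value" and vals is not None and name in vals:
            findings.append(f"{label}: value still present")
        elif op == "set_value" and (vals is None or vals.get(name) != data):
            found = None if vals is None else vals.get(name)
            findings.append(f"{label}: expected {data!r}, found {found!r}")
    return findings
```

Run `audit(snapshot_from_reg(exported_text), parse_reg(policy_text))` per workstation; on the constructed snapshot it reports the surviving .VBS association and the ShellScrap NeverShowExt value, and after `apply_ops` with the policy the same audit returns nothing, which is the state the login-script import is meant to leave every machine in.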