Blast from the past...
http://www.computerhope.com/forum/index.php/topic,57605.0.html

My now rather embarrassing post, probably also incited by the deletion of my posts in the malware forum:
So, do these teach people how to use malware removal programs, or how to remove malware? Personally I find removing malware myself to be quite a rewarding experience, although I must admit it is somewhat frustrating: around every three months or so I notice rundll32 running in my process list, which is a sure sign I'll be occupied for at least 45 minutes afterward, using a few malware removal tools and, those being unsuccessful, some manual investigation with REGEDIT and REGMON (I love that program; so useful), and maybe FILEMON if I find the need.
My weapons? An intimate knowledge of the registry, and a desire to eliminate these threats myself. Why, just this morning I removed some autorun entries twice in the recovery console, only to find them reappear. I used REGMON to discover that WINLOGON was constantly writing the two malware values to the autorun key, so I immediately looked in the HKLM\software\microsoft\windows nt\current version\winlogon\notify key to find that a new DLL had decided to nest there. Deleting all three DLL files at once in the recovery console, as well as removing these registry entries in safe mode and removing the relevant CLSIDs from HKEY_CLASSES_ROOT\clsid, has returned everything to normal. Strange thing was, this was all caused by Firefox not loading a page more than once. As well as the friendly Ad-Aware SE telling me I had 8 threats (oh good, it'll get rid of these strange autorun keys): nope, just bloody cookies. I guess they were newer malware as well, because Fix-It Utilities didn't pick up any threats other than cookies either.
As I've said far too many times, however, I kind of like being in total control of exactly what happens when the malware is removed. Far too often I find overzealous anti-virus or anti-malware doing things that are completely unnecessary, or deciding that what I REALLY wanted to do was defragment my hard drive, or something equally unhelpful in the context of malware removal. So I go solo, with no on-demand scanner (which I would have no choice but to install with IE; another topic altogether). People have called me foolish, and I can do nothing but agree, at least partly.
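The Winlogon\Notify hunt described in the post above, as an added example that is not part of the original post or the forum thread: a PowerShell script that enumerates the three places the post touched by hand (Run/RunOnce values, Winlogon\Notify subkeys, and CLSID\InprocServer32 entries pointing at a given DLL) and flags what deserves a closer look, without deleting anything. It targets Windows XP and PowerShell 2.0, since the Winlogon\Notify mechanism was removed in Vista. The list of stock Notify subkey names and the fallback to system32 for bare file names are assumptions to be checked against a known-clean machine.

```powershell
# Added example, not from the original post. Lists the persistence locations
# the post walked through so they can be compared with a clean box before
# anything is deleted. Run as an administrator on XP / PowerShell 2.0.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'

# ASSUMPTION: stock Notify subkeys on an XP SP3 install. Verify against a clean
# machine; a name outside this list deserves a look, not automatic deletion.
$KnownNotify = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-ImagePath {
    # Reduce an autorun command line to the file that actually gets loaded.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { $cmd = $Matches[1] }
    elseif ($cmd -match '^(\S+)') { $cmd = $Matches[1] }
    # "rundll32 foo.dll,Entry": the interesting file is the DLL, not rundll32.
    if ($cmd -match '(?i)rundll32(\.exe)?$' -and
        $CommandLine -match '(?i)rundll32(\.exe)?\s+"?([^",\s]+)') { $cmd = $Matches[2] }
    return $cmd
}

function Describe-File {
    # Existence and Authenticode status of a file referenced from the registry.
    param([string]$Path)
    if (-not $Path) { return New-Object PSObject -Property @{ Path = ''; Exists = $false; Signature = 'n/a' } }
    # ASSUMPTION: a bare file name is resolved from system32, as the loader usually would.
    if (-not [IO.Path]::IsPathRooted($Path)) { $Path = Join-Path $env:SystemRoot "system32\$Path" }
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $sig = 'n/a'
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $Path).Status }
    New-Object PSObject -Property @{ Path = $Path; Exists = $exists; Signature = $sig }
}

function Find-ClsidForDll {
    # COM classes whose InprocServer32 points at this DLL; the post removed
    # these by hand, so list them (and export them) before touching anything.
    param([string]$DllName)
    $leaf = [IO.Path]::GetFileName([Environment]::ExpandEnvironmentVariables($DllName))
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = $_.PSPath + '\InprocServer32'
        if (Test-Path -LiteralPath $srv) {
            $target = (Get-Item -LiteralPath $srv).GetValue('')
            try {
                if ($target -and ([IO.Path]::GetFileName([Environment]::ExpandEnvironmentVariables($target)) -ieq $leaf)) {
                    $_.PSChildName
                }
            } catch { }   # malformed path strings in the registry are not our problem here
        }
    }
}

"== Run / RunOnce values =="
foreach ($k in $RunKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $key = Get-Item -LiteralPath $k
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        $f = Describe-File (Get-ImagePath $cmd)
        "{0}\{1}`n    cmd={2}`n    file={3} exists={4} sig={5}" -f $k, $name, $cmd, $f.Path, $f.Exists, $f.Signature
    }
}

"== Winlogon\Notify subkeys (names outside the known list are flagged) =="
if (Test-Path -LiteralPath $NotifyKey) {
    foreach ($sub in Get-ChildItem -LiteralPath $NotifyKey) {
        $dll = [string]$sub.GetValue('DLLName')
        $known = $KnownNotify -contains $sub.PSChildName
        $flag = if ($known) { '' } else { '   <-- not in known list' }
        $f = Describe-File $dll
        "{0}{1}`n    DLLName={2} exists={3} sig={4}" -f $sub.PSChildName, $flag, $dll, $f.Exists, $f.Signature
        if (-not $known -and $dll) {
            Find-ClsidForDll $dll | ForEach-Object { "    CLSID referencing this DLL: $_" }
        }
    }
}
```

Read the output against a clean install of the same service pack rather than against the known list alone, and export any key (`reg export`) before deleting it; the post's own experience, where entries came back because a Notify DLL was rewriting them, is exactly why the Notify subkeys and their CLSIDs are listed together here.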
EF's good reply:
This is my view/experience so far.
There are different levels of learning. I say learning instead of training because if you aren't going to be self-sufficient then it will be a difficult experience. Some people who work for the popular AV vendors, and some who develop the specialized tools, have gone through the process as well. You will learn how and when to use a large variety of tools, as well as ways of getting rid of the malware with very few tools, like you described above. All of this is done in an internet help forum style. You don't just say how it can be fixed; you have to lay it out as you would in the Computer Viruses and Spyware forum, helping someone who doesn't know much more than how to click on pop-ups.
With the knowledge you have now it would probably be pretty interesting for you. There is a ton of information to look through even for the beginner. The further you advance the more you will gain access to the more powerful tools. It's usually best to read through the different threads for a few hours a day (or more) before even attempting to turn in your first practice log.
To reiterate, I remove viruses/malware from people's computers for a small fee (far cheaper than you'd get from any store), so it's not a foreign subject to me. But removing malware yourself on somebody's machine is far different from directing that person to do it themselves. They have no experience, or you can safely assume they don't; therefore you need to give them tools that are easy to use and steps that are easy to follow, not steps to delete specific keys in registry editor or something stupid like that. Additionally, because said machine is remote, they also need to use specific tools and logs to get a basic understanding of the state of the machine, as well as descriptions of the symptoms. Far too often here and elsewhere I have seen self-proclaimed malware experts see a "symptom" described by the Original Poster and jump to assumptions about what caused it, going so far as to give precise instructions on how to "remove" this presumed problem, usually with manual instructions involving regedit or even the recovery console. And then, after that post has been deleted and logs are given, it turns out that the symptom was entirely benign and that the presumed threat never existed to begin with, so if they had followed that advice they would have been no better off for it, and possibly worse off if they were to make a mistake. So it's a *censored* good thing that type of post is exactly what is deleted.
If you don't want your posts deleted,
don't post malware advice in the malware forum. It's a rather simple principle. If I ever post in the malware forum it's usually to point something out, or even, on a few occasions, at the request of one of the helpers themselves. If I provide anything I think could possibly step on toes I make sure to qualify it as such. I don't try to pretend to be some sort of authority on the subject like some people *cough* Azzaboi *cough*, because that just ends up confusing people, and if they follow such advice after posting their logs then their logs will need to be recreated and posted again anyway.
Yes, the malware forum is short on helpers. That doesn't mean that just anybody can suddenly decide to "help out" randomly. Removing malware as a day job AFK, with access to the computer itself, is VERY different from guiding people in removing it from their computers themselves remotely, and in a sense the various "schools" noted on the thread I linked teach how to work with people in that fashion as much as they teach the actual removal steps. If you want to help, go to one of those. Otherwise shut up.