Thanks for that explanation. I read "scan" to mean scan as in preventive measures rather than scan as in finding infections. I concur that virtually all scans for clean up reasons must be done in Safe mode.

Don

----- Original Message -----
From: <dktrfaustus@xxxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Wednesday, June 29, 2005 5:35 PM
Subject: -=PCTechTalk=- Re: spyware software?

> On 29 Jun 2005 at 13:05, milady wrote:
>> One person's opinion? or do others concur??
>
> That one wasn't an opinion, I'm afraid. It may seem like a bold
> claim, but I'll explain in detail (based on my own experiences of
> attempting to remove malicious software on every Microsoft Windows
> operating system from Win95 onwards).
>
> Most virii have the ability to self-replicate indefinitely. Spyware is
> similar in nature, although not as destructive.
>
> If a malicious program is already present in your system memory,
> removing the file from the hard drive is no better than removing a
> copy. The version held in memory will immediately produce another
> copy of itself upon finding the disk-version gone (and vice-versa).
> That's why you can't run these scans with any degree of confidence in
> "normal" Windows. There is always the danger that the malicious
> program is present in a 32-bit environment.
>
> Moving to the bare-bones, 16-bit environment of Safe Mode removes the
> possibility of Windows loading the virus in the first place.
>
> Standard scans in a 32-bit environment, even with quality programs
> like Norton Antivirus, don't do much more than:
>
> (1) remove or "quarantine" the file from the hard drive,
>
> and
>
> (2) attempt to remove the copy already present in memory.
>
> [Note that I didn't mention the "attempt to fix" setting, which is
> set as the default setting on some antivirus programs, and the most
> ineffectual of all.]
>
> But if you look at some of the removal instructions for many of the
> more-widespread virii out there, you'll notice that most of them not
> only place file(s) on your hard drive, but also place entries in the
> standard "startup" sections of your registry, and supply possible
> alternate names for the disk-based source file, should it be deleted.
> Another common tactic is for the malicious software to aggressively
> bar attempts to manually remove the program held in memory, so that
> the user has trouble closing it down via the normal method [Task
> Manager; Ctrl-Alt-Del]. These things go to great lengths to protect
> themselves.
>
> My experience with antivirus scanning programs attempting to remove a
> virus from both memory AND the hard drive has been that, very often,
> they don't properly catch the memory version. In that situation,
> you're no better off than if you hadn't run the scan at all.
> Therefore, permanent removal of certain types of virus is _only_
> possible when using Safe mode.
>
>
> Faustus

--
<Please delete this line and everything below.>

To unsub or change your email settings:
//www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
//www.freelists.org/archives/pctechtalk/