Cleaning logs question

**petercj** · 04-28-2005, 02:41 PM

I was wondering how long it takes - based on an average of say 100 logs - to deal with a post on the HiJackThis board.

I'm prompted to ask as someone on another board who is an IT pro said they reinstall windows if they can't clear the machine of malware in 30 minutes. His argument being that this is more cost effective in a commercial situation than trying to remove things like CWS - apparently he spends about 2 hours rebuilding the system.

I think his experience of dealing with malware doesn't go much beyond using adaware and spybot.

My guess would be that it wouldn't take much longer than 30 minutes on the HJT board to sort out the average set of scans.

But that is just a guess and I may be well out.

Any info on this point would be gratefully received.

Peter

**jgvernonco** · 04-28-2005, 03:09 PM

Good question.

I have went to friend's homes armed with a couple of disks, just in cae, and cleared some horrendous infections in under 30 minutes. It is a matter of being able to identify the enemy and know what the steps are that will, for sure, put it down.

However, some of these newer infections, which are requiring 6 or more tools to clear, are, I think, a different story. f disk just might be the command of the day for some of these infections.

The two most imprtant pints are:

1. The average Analysts does his/her work on the internet, so they don't have the machine in front of them. If they did, they would all work faster.

2. In these cases, there is absolutely nothing wrong with the hardware; it the software that has been invaded. I "pity the fool" that can't manage to reformat his own system. Paying someone $60.00 or more to do that would irk me to the point of becoming a fast learner, especially with all of the help that is available for this task on the net.

If you take greyknight, microbell or ct and average their time, Iwould bet it would be about 15 minutes per log. You must factor in the time the user sends, as well, and that is going to be hightly variable.

Does that help?

**petercj** · 04-28-2005, 05:30 PM

Hi jgvernonco

Yes it does help, thank you.

To explain a little more how I got into thinking about this, I was on a string on a small help board on a UK site and two IT professionals were exchanging ideas on trying to get a laptop clean - the presenting problem was that IE would not stay open. Needless to say, I don't think either of the IT pro's had much training in dealing with malware - certainly nothing like the techs here have. They were both working as in-house IT support technicians for fairly large companies.

As I mentioned previously, it transpired that their company policy was that if they couldn't clean a system by using adaware and spybot etc in 30 minutes they would rebuild the system and it was mentioned that this would usually take a couple of hours - so that would be 2 hrs 30 mins in total.

I did mention this board but then I thought you may not offer support to commercial agencies.

It also occured to me that commercial companies might risk some breach of security if they put their logs and details on a public board.

So then I thought I wonder if any specialist boards like TSF do actually offer a specialist service to commercial companies which is done on a private board. I guess a company could have an account with a password to a closed board. Such a service could be made available to companies world wide and I bet there are thousands of companies that would pay a fee to have their computers quickly cleaned up and back in action with no need to disrupt the system or replace data.

I know you always need funds to support your work so I was thinking this might be a good revenue stream to support TSF.

Do you think it's a good idea? Maybe you actually do it already? If you do, I will recommend you to anyone I meet who needs such a service.

Peter

**jgvernonco** · 04-28-2005, 05:35 PM

Hi, Peter,

We are working on it...have much of thr spoftware needed in hand, but needed to get the new site up, first.

This is becoming more and more of a need out there, and we want to fill it.

We hope to have something running in a month or two.

04-28-2005, 02:41 PM	#1 (permalink)
petercj UK Join Date: Oct 2004 Location: South Coast UK Posts: 905 OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe	Cleaning logs question I was wondering how long it takes - based on an average of say 100 logs - to deal with a post on the HiJackThis board. I'm prompted to ask as someone on another board who is an IT pro said they reinstall windows if they can't clear the machine of malware in 30 minutes. His argument being that this is more cost effective in a commercial situation than trying to remove things like CWS - apparently he spends about 2 hours rebuilding the system. I think his experience of dealing with malware doesn't go much beyond using adaware and spybot. My guess would be that it wouldn't take much longer than 30 minutes on the HJT board to sort out the average set of scans. But that is just a guess and I may be well out. Any info on this point would be gratefully received. Peter

04-28-2005, 03:09 PM	#2 (permalink)
jgvernonco Old Timer Join Date: Sep 2003 Location: Northern Arizona Posts: 7,960 OS: Vista Home Premium, SP 27	Good question. I have went to friend's homes armed with a couple of disks, just in cae, and cleared some horrendous infections in under 30 minutes. It is a matter of being able to identify the enemy and know what the steps are that will, for sure, put it down. However, some of these newer infections, which are requiring 6 or more tools to clear, are, I think, a different story. f disk just might be the command of the day for some of these infections. The two most imprtant pints are: 1. The average Analysts does his/her work on the internet, so they don't have the machine in front of them. If they did, they would all work faster. 2. In these cases, there is absolutely nothing wrong with the hardware; it the software that has been invaded. I "pity the fool" that can't manage to reformat his own system. Paying someone $60.00 or more to do that would irk me to the point of becoming a fast learner, especially with all of the help that is available for this task on the net. If you take greyknight, microbell or ct and average their time, Iwould bet it would be about 15 minutes per log. You must factor in the time the user sends, as well, and that is going to be hightly variable. Does that help? __________________ Donations keep TSF moving forward. Please help. http://www.myspace.com/speedbumpthecelt

04-28-2005, 05:35 PM	#4 (permalink)
jgvernonco Old Timer Join Date: Sep 2003 Location: Northern Arizona Posts: 7,960 OS: Vista Home Premium, SP 27	Hi, Peter, We are working on it...have much of thr spoftware needed in hand, but needed to get the new site up, first. This is becoming more and more of a need out there, and we want to fill it. We hope to have something running in a month or two. __________________ Donations keep TSF moving forward. Please help. http://www.myspace.com/speedbumpthecelt

04-28-2005, 05:30 PM	#3 (permalink)
petercj UK Join Date: Oct 2004 Location: South Coast UK Posts: 905 OS: Win XP Pro/XP Home/98se/Suse Linux 9.1 & Xandros 3 Deluxe	Hi jgvernonco Yes it does help, thank you. To explain a little more how I got into thinking about this, I was on a string on a small help board on a UK site and two IT professionals were exchanging ideas on trying to get a laptop clean - the presenting problem was that IE would not stay open. Needless to say, I don't think either of the IT pro's had much training in dealing with malware - certainly nothing like the techs here have. They were both working as in-house IT support technicians for fairly large companies. As I mentioned previously, it transpired that their company policy was that if they couldn't clean a system by using adaware and spybot etc in 30 minutes they would rebuild the system and it was mentioned that this would usually take a couple of hours - so that would be 2 hrs 30 mins in total. I did mention this board but then I thought you may not offer support to commercial agencies. It also occured to me that commercial companies might risk some breach of security if they put their logs and details on a public board. So then I thought I wonder if any specialist boards like TSF do actually offer a specialist service to commercial companies which is done on a private board. I guess a company could have an account with a password to a closed board. Such a service could be made available to companies world wide and I bet there are thousands of companies that would pay a fee to have their computers quickly cleaned up and back in action with no need to disrupt the system or replace data. I know you always need funds to support your work so I was thinking this might be a good revenue stream to support TSF. Do you think it's a good idea? Maybe you actually do it already? If you do, I will recommend you to anyone I meet who needs such a service. Peter