Question about antivirus software

Discussion in 'Software' started by dlb, Mar 19, 2010.

  1. dlb

    dlb MajorGeek

    I do lots of malware/virus removal, and I occasionally get a customer who is "positive" that he is not responsible for infecting his own PC, that it must have been infected the last time I worked on it. For example: I recently installed a new hard drive and clean WinXP on a dude's PC. He refused purchasing any antivirus software. 3 days later he brought it back screaming and yelling that I infected the PC, that he got it home and it was "unuseable 'cuz all the @*$%&# pop up ads for antivirus software" (we all know these as "rogue-ware"). He "swears" that he wasn't online at all, then recanted and said "I only went to CraigsList". Well, a quick view of history shows it was online on the days after the new hard drive install, and he visited MANY other sites besides CraigsList when the PC was not in our shop. I always clean the history before a PC leaves the shop just for this reason. So there is no way it left here infected. It has NEVER happened in the 7+ years I've been working on PCs. To the point: I'd really like to find an antimalware program that provides the creation dates of the infected files it detects and removes. Is there such a program???
     
    Last edited: Mar 19, 2010
  2. hrlow2

    hrlow2 MajorGeek

    Can't help on the program, but don't you love the look on their faces when you pull up the History?
    Have done that myself on several people who complained about my work. Doesn't matter that I did it as a courtesy to a "friend".
    They just don't appreciate the work involved.
     
  3. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Avast might do it for you... it puts date and time on everything else it records in the log. Logically, it should be putting a detailed time stamp every time it quarantines a file as well.

    EDIT:
    Wait, you wanted the date when the virus arrived, not the date it was removed? Sorry, I don't know if I can help with that. You might want to try talking them into a free antivirus instead of selling one though, or try to install a free trial, just to spare yourself all the extra work.
     
  4. plastidust

    plastidust Command Sergeant Major

    When avast puts a file in the chest, it records the "Last changed" time stamp of that file as well as the "Transfer time" when it was placed in the chest. You can also sort the quarantined file list in ascending or descending order of the "Last changed" time stamp.

    Sort of what you're looking for.
     
  5. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    So I was on the right track! I feel smart. LOL

    I haven't had to put anything in the Avast chest in months, so my memory of the details is not quite the best... :)
     
  6. plastidust

    plastidust Command Sergeant Major

    Yeppers, you were right on. Just have to open the virus chest.
    That's because you are smart.

    I found out by accident, on an FP of a file I'd had for years. I'm not smart, just stumble into things a lot.
     
  7. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I can't on this computer, I have TrendMicro on it right now. I will replace it with Avast when the free trial ends though. :)
     
  8. sikvik

    sikvik Corporal Karma

    Here's a screenie from avast's log viewer. This is when someone plugged in their pen drive. Yep, should disable autorun :eek And the next, a rogue site, may be a FP. I tried to access it today, but it's down for maintenance :-D
    I feel you are asking something way more complex.
    Cheers..
     


  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :wave dlb

    Avira AntiVir Personal - Free Antivirus
    • NOTE: The below shows "Detections"
    • By right-clicking the quicklaunch icon / choose "Start Antivir" / in the Overview pane click "Events"
    • In the small Filter pane near the bottom / untick "Information" to limit listing un-needed info
    • Right-click a detection (see inserted screencaptures)
    http://i268.photobucket.com/albums/jj5/drmoriarty/NavigatingtoAviras_ShowEvents_recor.gif

    http://i268.photobucket.com/albums/jj5/drmoriarty/Avira-routineavscan.gif

    Was this what you needed? Actual "creation dates" of the malware files themselves, that get detected can be spoofed by the writers - as you are aware.

    dr.m
     
    Last edited: Mar 20, 2010
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  11. dlb

    dlb MajorGeek

    BIG thanks to everyone!!!!

    @ dr.moriarty: in this picture http://i268.photobucket.com/albums/jj5/drmoriarty/Avira-routineavscan.gif is the Date/Time listed at the top under the bold print the date of when the file arrived on the PC?

    Yup. There was an infection that was fairly common about 6-8 months ago that gave itself the date of Nov 9, 1601!!! I have also seen malware files dated 1900. LOL I also know that the dates shown aren't necessarily the date the file arrived on the PC, but they are usually the date the file was last modified or accessed. But this is all I really need: the date the file arrived on the PC (most preferred) -OR- the date the file was last modified/accessed.

    Again- thanks to all that posted! I haven't spent much time with Avast, but now I have a good reason to! On the other hand, I've been a big fan (and long time user) of Avira's free antivirus, but I haven't spent too much time poking around in the various features, so thanks again DocM! I'll give it a shot.

    The main reason I don't offer Avira to noobs and average PC folk, is because of that freakin' pop-up ad that appears when the updates are installed. It's easily disabled (well, it's easy for us that can follow a set of instructions LOL ); and even if not disabled, simply clicking "OK" or the red "X" closes it, but it really seems to rub people the wrong way, and some people have even thought it was another rogue!!! roflmao
     
  12. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I know I'm not him, but... if I remember my Avira experiences right, the date-time below the bold is the date and time when Avira spotted the virus, not when it arrived and began nesting.

    Moriarty, please correct me if I remember that wrong. :)
     
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :highfive You're correct, Mimsy.

    @ dlb "You're Welcome!" I just cleaned a friend's machine this past week-end that had file creation dates of 2099... rolleyes
     
    Last edited: Mar 22, 2010
  14. sdawg27

    sdawg27 Private E-2

    If you found where the file is located before it was deleted, you probably could go to properties and see the date created, but that's most likely screwed up too. Haha there's two cents from a simpleton haha
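
An added example (not written by anyone in the thread, and not code from Avast or Avira): a triage of detected files' Windows FILETIME stamps against a service date, treating values like the 1601 and 2099 dates mentioned above as unusable. The file names, dates, the 1980 sanity floor and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # Windows FILETIME zero point
SANITY_FLOOR = datetime(1980, 1, 1, tzinfo=UTC)    # assumed cutoff for "too old"

def filetime_to_datetime(ticks):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def assess(created, modified, serviced, scanned):
    """Say what a detected file's timestamps can support about its arrival."""
    if min(created, modified) < SANITY_FLOOR or max(created, modified) > scanned:
        return "implausible"          # 1601, 1900, 2099: forged or corrupt
    if created >= serviced:
        return "created-after-service"
    return "created-before-service"   # needs a closer look, not proof either way

def triage(records, serviced, scanned):
    """records: (name, created_filetime, modified_filetime) tuples."""
    out = {}
    for name, c, m in records:
        out[name] = assess(filetime_to_datetime(c), filetime_to_datetime(m),
                           serviced, scanned)
    return out

# Constructed sample data: dates, names and the service/scan times are made up.
SERVICED = datetime(2010, 3, 10, 17, 0, tzinfo=UTC)
SCANNED = datetime(2010, 3, 13, 9, 0, tzinfo=UTC)
_ft = datetime_to_filetime
SAMPLE = [
    ("rogue_a.exe", _ft(datetime(2010, 3, 11, 21, 4, tzinfo=UTC)),
                    _ft(datetime(2010, 3, 11, 21, 4, tzinfo=UTC))),
    # Copied file: new creation time, older modified time carried along.
    ("rogue_b.dll", _ft(datetime(2010, 3, 12, 8, 30, tzinfo=UTC)),
                    _ft(datetime(2009, 11, 2, 14, 0, tzinfo=UTC))),
    ("old_stamp.sys", _ft(datetime(1601, 11, 9, tzinfo=UTC)),
                      _ft(datetime(1601, 11, 9, tzinfo=UTC))),
    ("future.tmp", _ft(datetime(2099, 1, 1, tzinfo=UTC)),
                   _ft(datetime(2010, 3, 12, tzinfo=UTC))),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, SERVICED, SCANNED).items():
        print(f"{name:14} {verdict}")
```

In the sample, rogue_b.dll carries a last-modified time from 2009 but a creation time after the service date, so a "Last changed" column alone would understate when that copied file landed on the disk.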
     
