
Can Trojans come back undetected after deleting?


  • This topic is locked
4 replies to this topic

#1 audiodrome


Posted 04 January 2009 - 09:30 PM

Last Tuesday, my computer (Windows XP SP3) was infected and I thought I caught it in time but it must have downloaded to my computer somehow. It disabled my Firewall and my System Restore. I tried doing a System Restore but it wouldn't let me. Initially, Avast found a couple of files and deleted them but I neglected to write them down (I remember they were of the trojan-gen type). On Thursday night, I did another scan and it found six files in my System Restore folder all named Win32: Crypt-DGV [trj]. It said that it had successfully deleted them. I then ran some other spyware programs (Malwarebytes, Superantispyware, Ad-Aware, and a-Squared). Malwarebytes detected another bad file and deleted it. I also disabled the System Restore and did another scan to be safe and Avast found nothing.

So now it's been over four days since I got the initial infection and there haven't been any more trojan files detected in my antivirus/antispyware scans - am I still vulnerable? Have there been instances of trojans hiding out for weeks or months with no symptoms or detection?

Assuming that these programs found the trojan files last week, you would think that if they came back, they would be able to find them again, correct? Or are these trojans able to mutate into files that then can't be detected by antivirus/antispyware? I realize that the viruses "out there" on the internet can change names and configurations and it's always possible to get infected again by clicking on questionable links and the like, but can those original trojans actually mutate into new, undetectable files later on down the line while they're in your computer?

Today, I ran a Superantispyware scan and it found 1039 "infected" files but they were all only tracking cookies. I was told that you can ignore cookies because they aren't that much of a risk. The last time I deleted all my cookies, it screwed up a lot of the websites that I visit on a regular basis. Needless to say, I didn't realize that I had this many cookies, but they are all quarantined now. The weird thing is that I just checked a couple of my regular websites and they all "remembered" me. I thought that if you remove all your cookies, you had to login from scratch the next time. Is it possible that Superantispyware only detected and quarantined the "bad" cookies and left the rest alone?



#2 buddy215


Posted 05 January 2009 - 10:50 AM

The cookies that Super Antispyware removed are "third party cookies". Their purpose is to track your usage across the web and to "personalize" ads. They are not needed. The cookies used by sites you visit to log in with are "first party cookies". SAS only identifies and removes "third party cookies".

You can block the ad/tracking cookies from ever installing on your computer by following the steps below.
This applies to Internet Explorer browsers.
1. Click on Tools
2. Click on Internet Options
3. Click on the Privacy tab
4. Click on the Advanced button
5. Put a check in the box next to "Override automatic cookie handling"
6. Put a check in the box next to first party "Accept"
7. Put a check in the box next to "Block" third party cookies (those are the ad/tracking cookies that AVG deletes)
8. Click OK to exit

Then run a scan with Super Antispyware to remove all of the ad/tracking cookies that are now installed.

Install Firefox and install two addons. NoScript addon and Adblock Plus addon. Once you have Adblock Plus installed, open its preferences and choose one of its filter subscriptions. (I use the Easy USA one and it works great)
The NoScript addon will protect you from driveby downloads of malware, popups, and many more types of scripted malware. With those addons and other protections that Firefox has built in, Firefox will be much safer than using IE.

Set Firefox cookie controls. Uncheck "accept third party cookies"

Use Secunia online scanner to check for missing security updates. http://secunia.com/vulnerability_scanning/online/
After updating Java (if you haven't done so already) go to Add/ Remove and remove ALL old Java programs.
IE browser, Adobe Reader, Adobe Flash and Java have all been exploited recently. Important to get the latest updates to avoid malware exploiting those programs.

Click start, All programs, Accessories, System tools, Disk Cleanup, Put a check next to all items except "compress old files".
Then allow cleanup to run.

If you can imagine it, malware can usually accomplish it. That said, I would suggest you run scans often during the next week after updating both Super Antispyware and your antivirus program. Your quick action has probably removed the malware but best to check.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
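
The first-party/third-party distinction described in post #2, as an added example that is not part of the original thread: it classifies each cookie set during one page load by comparing the site of the responding host with the site in the address bar, then applies the "accept first-party, block third-party" setting. The function names, the three-entry suffix set (a stand-in for the full Public Suffix List that browsers use) and all hosts and cookie values are constructed for illustration.

```javascript
// Simplification (assumption): the registrable domain is the last two labels,
// or three for the few two-level suffixes listed here. Real browsers consult
// the full Public Suffix List.
const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// A cookie is third-party when the host that sets it belongs to a different
// site than the page shown in the address bar.
function classifyCookie(pageUrl, requestUrl) {
  const page = registrableDomain(new URL(pageUrl).hostname);
  const origin = registrableDomain(new URL(requestUrl).hostname);
  return page === origin ? "first-party" : "third-party";
}

// Apply "accept first-party, block third-party" to every Set-Cookie header
// seen while loading one page.
function applyPolicy(pageUrl, responses) {
  const accepted = [];
  const blocked = [];
  for (const { url, setCookie } of responses) {
    const name = setCookie.split("=")[0].trim();
    const party = classifyCookie(pageUrl, url);
    const entry = { name, host: new URL(url).hostname, party };
    (party === "first-party" ? accepted : blocked).push(entry);
  }
  return { accepted, blocked };
}

// Constructed sample: one forum page load that also pulls in an ad script
// and a tracking pixel from other sites.
const PAGE = "https://forum.example.com/topic/42";
const RESPONSES = [
  { url: "https://forum.example.com/login", setCookie: "session_id=abc123; Path=/; HttpOnly" },
  { url: "https://static.example.com/site.css", setCookie: "theme=dark; Path=/" },
  { url: "https://ads.tracker.example/banner.js", setCookie: "uid=7f3e9; Max-Age=31536000" },
  { url: "https://pixel.metrics.example/p.gif", setCookie: "visitor=991; Max-Age=63072000" },
];

const result = applyPolicy(PAGE, RESPONSES);
console.log("accepted:", result.accepted.map((c) => c.name));
console.log("blocked: ", result.blocked.map((c) => `${c.name} (${c.host})`));
```

The login cookie survives because it comes from the same site as the page, which is why the sites in post #1 still "remembered" the user after the tracking cookies were quarantined.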


#3 audiodrome


Posted 05 January 2009 - 10:59 AM

Thanks for all the info. As far as updating Java, I was just going through the Internet Options in IE7 and I noticed that I don't have Java installed, only the Microsoft VM Java. Do I even need it? I am certainly going to look into Firefox. Things are getting nasty out there!

#4 buddy215


Posted 05 January 2009 - 12:30 PM

The link below should answer your question about upgrading to Sun Java.
http://java.sun.com/j2se/1.4.2/docs/guide/.../upgrade-guide/

Edited by buddy215, 05 January 2009 - 12:33 PM.



#5 Orange Blossom


Posted 05 January 2009 - 04:07 PM

Hello audiodrome.

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/192488/hijackthis-found-more-items-after-i-renamed-it/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult. I have edited your topic there to include the information from the first post in this thread and from the post in your other thread here: http://www.bleepingcomputer.com/forums/t/192504/computer-acting-very-strangely/

Because you have a log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



