
is my computer clean?

8 replies to this topic

#1 kjthomps (Members, 5 posts)

Posted 13 July 2009 - 03:38 PM

I've been getting a lot of benefit from these boards in the past week after I suspected I had a trojan and went through many scans to clean my computer. In the course of those scans, I found several trojans (keyloggers/screenshot takers) and other files, which I've quarantined. I've since gone on another, definitely clean computer to change all my passwords for email, online banking, etc., and I don't want to enter those new, clean passwords on my own machine until I'm sure it's safe. I've read on these boards and elsewhere about using Autoruns and other programs to determine my system's status, but after a lot of confusion and uncertainty, I figured it was time to turn the question over to the experts.

I've run scans, in safe mode, with Malwarebytes, SuperAntiSpyware, and Spybot S&D. Teatimer and Avira Antivirus both start when my system starts, and are up to date. I've also done a couple of Windows OneCare scans, though not in safe mode because it requires an internet connection. I've also run ATF Cleaner in safe mode. I can post the results of any of those scans, as well as the Autoruns list. Which files would be most useful for confirming whether my computer is safe to use? Are there other details of my OS that I should include?

Thanks in advance - I thought I knew a lot about programming and computers, but it seems I'm in way over my head at this point.

k

Edited by The weatherman, 13 July 2009 - 03:56 PM.
Moved from XP to a more appropriate forum. Tw


#2 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 14 July 2009 - 05:58 PM

> Malwarebytes, SuperAntiSpyware, and Spybot S&D

Were any infections picked up?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 kjthomps (Topic Starter)

Posted 15 July 2009 - 09:48 AM

Yes: in the course of several scans, each of the various programs found different keyloggers/trojans/viruses, and I quarantined/deleted them. (There didn't seem to be the problem of one scanner finding the quarantine file from another scanning program, though.)

Since then (about a week ago) I've made sure each scanner is up to date and run additional scans, and everything is coming up clean. But since each of them found different things in the first place, that makes me not entirely trust that the computer is absolutely free of viruses: if SAS found something that Spybot and Malwarebytes missed, couldn't there be something that all of them missed?

There were some entries I noticed in Autoruns that seem odd, but I don't know enough about the windows processes that should be running to know for sure if they're bad, and web searches just led me in circles.

#4 quietman7, Bleepin' Janitor (Global Moderator, 50,595 posts, Virginia, USA)

Posted 15 July 2009 - 01:18 PM

Without being able to see the actual logs from the programs you used, we cannot determine what type(s) of infection you were dealing with. Usually if a computer is infected, it would exhibit signs of infection (i.e. unwanted pop-ups, bogus security alerts, error messages when you try to run applications, browser redirection). Are you experiencing any of these symptoms?

> There were some entries I noticed in Autoruns that seem odd, but I don't know enough about the windows processes that should be running to know for sure if they're bad, and web searches just led me in circles.

Most of the processes will be legitimate as shown in these links. Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following databases:

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Tools to investigate running processes and gather additional information to identify them and resolve problems:

These tools will provide information about each process, CPU usage, file description and its path location. If you right-click on a file and select Properties, you will see more details.

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
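The "same name, wrong location" check quietman7 describes above, written out as an added Python example; it is not code from the thread or from any of the tools named in it. The expected-directory table, the process records and their pid numbers are constructed for the example, an XP-era C:\WINDOWS system root is assumed, and the table covers only a handful of core processes, so anything not in it is reported as "unknown" for manual lookup rather than guessed at.

```python
"""Flag processes whose name matches a core Windows system process but whose
executable was loaded from somewhere other than the expected directory."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Where a few core Windows processes are expected to live on an XP-era
# system with a C:\WINDOWS system root. Constructed for this example and
# deliberately short; extend it from a trusted process database.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32"},
    "lsass.exe":    {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


@dataclass
class ProcessRecord:
    pid: int
    name: str        # as displayed by Task Manager / Process Explorer
    image_path: str  # full path of the executable that was actually loaded


def classify(proc: ProcessRecord) -> tuple[str, str]:
    """Return (verdict, reason) for one process.

    Paths are compared case-insensitively because NTFS is, and through
    ntpath so the check runs on any OS, not only on the machine itself.
    """
    name = ntpath.normcase(proc.name)
    path = ntpath.normcase(ntpath.normpath(proc.image_path))
    directory = ntpath.dirname(path)
    file_name = ntpath.basename(path)

    if file_name != name:
        # The displayed name does not match the file that was loaded.
        return "suspicious", f"display name {proc.name!r} differs from image {file_name!r}"

    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "unknown", "not in the expected-location table; look the name up"
    if directory in expected:
        return "expected", f"runs from {directory}"
    return "masquerade", f"system name but loaded from {directory}; expected {sorted(expected)}"


def triage(records: list[ProcessRecord]) -> dict[str, list[tuple[ProcessRecord, str]]]:
    """Group records by verdict so masquerades can be reviewed first."""
    groups: dict[str, list[tuple[ProcessRecord, str]]] = {
        "masquerade": [], "suspicious": [], "unknown": [], "expected": [],
    }
    for proc in records:
        verdict, reason = classify(proc)
        groups[verdict].append((proc, reason))
    return groups


# Constructed sample process list. pid 1337 shows the pattern the post
# describes: a system file name running from a user profile directory.
SAMPLE_PROCESSES = [
    ProcessRecord(604, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    ProcessRecord(1044, "svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ProcessRecord(1337, "svchost.exe", r"C:\Documents and Settings\Owner\Application Data\svchost.exe"),
    ProcessRecord(1540, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ProcessRecord(2012, "updater.exe", r"C:\Program Files\ExampleVendor\updater.exe"),
]

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_PROCESSES).items():
        for proc, reason in entries:
            print(f"{verdict:10} pid {proc.pid:<5} {proc.name:12} {reason}")
```

Feed it the name and image path of each running process (Process Explorer's Path column, or the Image Path of an Autoruns startup entry) and review the masquerade group first. An "expected" verdict only means the path is right; the file itself can still be checked as the post suggests, through its Properties tabs or by submitting it to VirusTotal.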

#5 kjthomps (Topic Starter)

Posted 15 July 2009 - 07:32 PM

Thanks, quietman7. I had been looking up everything in ProcessLibrary already, but wasn't sure what other sources were reliable, since there's a lot of conflicting info out there.

I do have saved logs from the scans I ran - I didn't include them in my original message because I didn't want to create a pages-long post by posting everything before knowing what the experts would need to see. I can post any of them you'd like to see.

But at this point it might be more useful to know the answer to this question: if I can look at all of my running processes and account for each one (check the path location to make sure each .exe is really a windows process and not just using a windows name), does that guarantee I'm virus-free? Or is it possible that something could be on my system and be dangerous but somehow stay off the process list?

thanks!
k

#6 quietman7, Bleepin' Janitor (Global Moderator, 50,595 posts, Virginia, USA)

Posted 15 July 2009 - 09:09 PM

> is it possible that something could be on my system and be dangerous but somehow stay off the process list?

Yes, and that would be a rootkit. In many cases they are found with other malicious files to include backdoor Trojans, Botnets, and IRCBots and your system would be showing symptoms of infection (i.e. unwanted pop-ups, bogus security alerts, error messages when you try to run applications, browser redirection). To learn more about these types of infections, you can refer to:

It doesn't hurt to check by performing an anti-rootkit (ARK) scan with at least one of the following:

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

#7 kjthomps (Topic Starter)

Posted 15 July 2009 - 09:29 PM

Wow, rootkits sound terrifying, and I am definitely going to run the ARKs you recommend. Should I run them while in safe mode, or is disconnecting and turning off all other programs enough?

#8 kjthomps (Topic Starter)

Posted 15 July 2009 - 11:52 PM

update: I ran Panda as instructed and it found nothing; Avira wouldn't actually run (I got an error message saying it was missing something it needed to execute); and Sophos found two "unknown hidden files":

C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\*

where * in each case is a bunch of characters Windows shouldn't be able to handle as a filename.

Sophos says "clean up not recommended for this file," but an online search seems to show that these are from Securom7, and that lots of people have spent lots of time trying to delete them. I instructed Sophos to clean up the two files, and after requiring a reboot, it says it's successfully removed them.

Thank you for suggesting the ARKs! I feel a lot better now knowing my system isn't riddled with rootkits. Am I in the clear now, or are there other types of scans you'd recommend just to be sure?

thanks!
k

#9 quietman7, Bleepin' Janitor (Global Moderator, 50,595 posts, Virginia, USA)

Posted 16 July 2009 - 06:05 AM

You're welcome.

BTW to answer a previous question, most anti-rootkit scanners will not work in safe mode because they utilize a driver which is required for the scanning process and that driver will not load in safe mode. Further, there are rootkit variants (haxdoor) that run in safe mode so the usual reason for running a scan in that mode does not apply.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

> ...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun

• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
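The Autorun policy behind the advisory quoted above, as an added Python example; it is not code from the thread or from Microsoft. It decodes the NoDriveTypeAutoRun policy value and produces the .reg fragment that disables Autorun for every drive type. The bit-to-drive-type mapping and the 0x91 XP default are assumptions taken from the Win32 GetDriveType() constants and should be verified against Microsoft's documentation before the fragment is applied.

```python
"""Decode and build the NoDriveTypeAutoRun Explorer policy value."""
from __future__ import annotations

# Assumed mapping of NoDriveTypeAutoRun bits to drive types (from the Win32
# GetDriveType() constants). A SET bit disables Autorun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed (hard disk)",
    0x10: "remote (network share)",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved / unspecified type",
}
ALL_DRIVE_TYPES = 0xFF  # disables Autorun everywhere
XP_DEFAULT = 0x91       # assumed XP default: unknown + remote + reserved only

# Machine-wide policy location; the same value under HKEY_CURRENT_USER
# applies to one account only.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def autorun_disabled_for(value: int) -> list[str]:
    """Drive types whose Autorun is switched off by this policy value."""
    return [label for bit, label in sorted(DRIVE_TYPE_BITS.items()) if value & bit]


def autorun_enabled_for(value: int) -> list[str]:
    """Drive types that still honour Autorun.inf under this value.

    This is the list a defender wants to see empty: with the XP default it
    still contains removable media and CD-ROMs.
    """
    return [label for bit, label in sorted(DRIVE_TYPE_BITS.items()) if not value & bit]


def reg_fragment(value: int = ALL_DRIVE_TYPES) -> str:
    """Text of a .reg file that sets the policy machine-wide."""
    if not 0 <= value <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a single byte of flags")
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{POLICY_KEY}]\n"
        f'"{VALUE_NAME}"=dword:{value:08x}\n'
    )


if __name__ == "__main__":
    print("XP default still allows Autorun on:", autorun_enabled_for(XP_DEFAULT))
    print(reg_fragment())
```

Importing the fragment sets the policy only; on 2009-era systems the advisory's own update still has to be installed for Windows to honour the value consistently, so check the current value after a reboot rather than assuming the import took effect.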
