VAGUE DOUBTS AFTER REMOVING A TROJAN


3 replies to this topic

#1 all techdoubt

all techdoubt

  • Members
  • 2 posts

Posted 24 August 2009 - 04:00 AM

Hi All,

Hope these are "fresh" questions.

A few weeks ago, AVG found "Trojan horse Sheur2.AVHY" in C:\WINDOWS\system32\drivers\SAP\PasswordLock.exe and promptly despatched it off to the vault.

About a week later Resident Shield detected it in one of my C:\System Volume Information\_restore files, and again, off to the vault with it! Yay.

No sign of it since. :thumbsup:

But three questions niggle me........

1. Given that Trojans can open ports, does the pc automatically "close" the port after the Trojan is killed off, or do I need to do something? (Tried looking with Fport and TCP (I think it was) but found the data, and how to interpret it, were a bit advanced for me).

2. I've heard advice to delete all System Restore points, to be safe. But doesn't this action simply leave you with a pc that is probably clean but also doesn't have a single restore point left to fall back on if the cleaning turns out to have failed????

3. I decided anyway, just to be sure, to restore back a few months, knowing that AVG will pick it up anyway if the pc is still infected. However, my pc won't let me do a System restore, even from a Safe startup. Just messages on restart that it couldn't do it. Does this mean something is actually amiss, or is it my other security programs at work (Spybot, Spyware Blaster, Spyware Guard) "protecting" my pc from changes?

With thanks,

All teched doubt.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 August 2009 - 11:11 AM

When an anti-virus or security program quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive", especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan was in the System Volume Information Folder (SVI), which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 all techdoubt

all techdoubt
  • Topic Starter

  • Members
  • 2 posts

Posted 25 August 2009 - 10:42 PM

Thanks, Bleeping Janitor...... you're helping me on my learning mission.

That's sorted out some of my query, but I'm still at a bit of a loss on questions 1 and 3.

So much to learn ..... and such a small brain to learn it with!

Cheers

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 August 2009 - 08:00 AM

A port is an address associated with a particular process on a computer. Ports have a unique number in the header of a data packet that is used to map this data to that process. Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic/Private Ports. Default port values for commonly used TCP/IP services have values lower than 255 and Well Known Ports have numbers that range from 0 to 1023. Registered Ports range from 1024 to 49151 and Dynamic/Private Ports range from 49152 to 65535. An "open port" is a TCP/IP port number that is configured to accept packets, while a "closed port" is one that is set to deny all packets with that port number.

Hackers use "port scanning" to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs (viruses, Trojans). Botnets and Zombie computers scour the net and will randomly scan a block of IP addresses. These infected computers are searching for "vulnerable ports" and make repeated attempts to access them. If your PC is sending out large amounts of data, this usually indicates that your system may have a virus or a Trojan horse.

You can use netstat, a command-line tool that displays incoming and outgoing network connections, from a command prompt to obtain Local/Foreign Addresses, PID and listening state.
  • netstat /? lists all available parameters that can be used.
  • netstat -a lists all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b lists all active TCP connections, Foreign Address, State and process ID (PID) for each connection.
  • netstat -n lists active TCP connections. Addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • netstat -o lists active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p (example: netstat -ano).
If the port in question is listed as "Listening" there is a possibility that it is in use by a Trojan server but your firewall, if properly configured, should have blocked any attempt to access it.

There are third party utilities that will allow you to manage, block, and view detailed listings of all TCP and UDP endpoints on your system, including local/remote addresses, state of TCP connections and the process that opened the port:

Note: If you're going to start blocking ports, be careful which ones you block or you may lose Internet connectivity. For a list of TCP/UDP ports and notes about them, please refer to Ports for Internet Services.

You can investigate IP addresses and gather additional information at:

There are various reasons for System Restore to lose functionality, including malware infection, which can essentially disable that feature. You should perform full system scans with your anti-virus and anti-malware tools as the first step in case you missed something. If you're not finding any malware then it's time to start troubleshooting.
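The original poster said the raw port listings were hard to interpret, so here is an added example (not part of the thread and not a BleepingComputer tool) that does mechanically what quietman7's netstat -ano advice asks the reader to do by eye: parse the listing, keep only listening sockets, classify each port into the three ranges described above, and report any listener that is not on a list of ports you have already accounted for, grouped by PID so the process can be looked up on the Processes tab of Task Manager. The netstat output and the allowlist of expected ports are constructed for the example; on a real machine you would paste in the output of `netstat -ano` and build the allowlist from the services you know you run.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not captured from a real PC).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49321     93.184.216.34:443      ESTABLISHED     2044
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3120
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:123            *:*                                    1108
  UDP    0.0.0.0:51234          *:*                                    3120
"""

# Constructed allowlist: (protocol, port) pairs this machine is expected to
# listen on (RPC endpoint mapper, SMB, NTP). Build your own from known services.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 123)}


@dataclass(frozen=True)
class Endpoint:
    proto: str
    local_host: str
    local_port: int
    foreign: str
    state: str   # "" for UDP: netstat prints no State column for UDP sockets
    pid: int


def port_range(port):
    """Classify a port number into the three ranges quoted in the post."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def split_host_port(addr):
    # rpartition handles IPv6 literals such as "[::]:135" as well as "0.0.0.0:135".
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text):
    """Parse `netstat -ano` style output into Endpoint records."""
    endpoints = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, "Active Connections" and the column header.
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields[:5]
        else:
            proto, local, foreign, pid = fields[:4]
            state = ""
        host, port = split_host_port(local)
        endpoints.append(Endpoint(proto, host, port, foreign, state, int(pid)))
    return endpoints


def listeners(endpoints):
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [e for e in endpoints
            if (e.proto == "TCP" and e.state == "LISTENING") or e.proto == "UDP"]


def unexpected_listeners(endpoints, allowlist):
    """Listening sockets whose (proto, port) is not on the allowlist."""
    return [e for e in listeners(endpoints) if (e.proto, e.local_port) not in allowlist]


def suspicious_pids(endpoints, allowlist):
    """Map each PID owning an unexpected listener to its (proto, port, range) list."""
    by_pid = defaultdict(list)
    for e in unexpected_listeners(endpoints, allowlist):
        by_pid[e.pid].append((e.proto, e.local_port, port_range(e.local_port)))
    return dict(by_pid)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for pid, ports in suspicious_pids(parsed, EXPECTED_LISTENERS).items():
        print(f"PID {pid} (look it up in Task Manager) listens on unexpected ports:")
        for proto, port, rng in ports:
            print(f"  {proto} {port} ({rng})")
```

In the constructed sample the outbound ESTABLISHED connection on port 49321 is ignored, because only sockets waiting for inbound traffic are of interest here; the two leftover listeners both belong to PID 3120, which is the process to identify before deciding whether the port should be blocked or the program removed.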



