

Virus and Malware Paranoia?


27 replies to this topic

#1 Foldingchair

Foldingchair

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 09:09 AM

As the title gives away, I'm very paranoid about pretty much anything I see in Windows, mostly regarding processes. Even though I'm fairly sure I'm clean and haven't had attacks or any malware, I can't help myself but run scans a lot, and keep an almost obscenely close eye on the task manager.

 

I use Norton Antivirus (Paid subscription), Malwarebytes Premium and often run a scan on demand with SpyBot Search & Destroy.

 

Excluding the fact that I'm paranoid and anxious about a lot of things not computer related, I think my virus paranoia comes from a worm I had a couple of months ago. (Not sure how long, but it's probably been like 4 months by now). I managed to find out that the worm was dubbed "vbs.Dunihi.##." (## is where the type and version of the worm could vary.) The worm used wscript.exe to run silently and did its dark magic once a flash drive would've been connected. It would wipe all the files on it and replace them with malicious .lnk files. Which apparently are shortcuts. I eventually found out once it clearly did this on one of my dad's flash drives, and right after it did, Norton would immediately remove the malicious files and notify me.

 

Now, all this has been solved. I've wiped all my drives, reinstalled Windows and put my old Data backup in place of the wiped data. It's also worth mentioning that I completely wiped all the flash drives twice.

I'm pretty sure that this is what's making me so wary about everything nowadays. Knowing that a filthy worm operated silently without my knowing for at least two weeks(?).

 

All that aside, my paranoia has recently spiked heavily and for the last few days I've done nothing but dig through processes, tighten up my firewall and almost literally press my nose down onto task manager.

 

Something that caught my eye today is that I have quite a lot of vbc.exe executables scattered throughout my C drive. They all seem to be located in the AMD64, winsxs and the .NET framework folders.

See for yourselves: (screenshot of the search results, attached in the original post)

 

 

I've noticed that many of the .exe files originate from folders of different versions from .NET, which would make sense, seeing how often it's updated. I've never seen it run in task manager, but still am paranoid. The same goes for a lot of other processes.

 

So is my paranoia justified, or am I just being silly? Thanks for any help or confirmation in advance.

 

(My apologies about the wall of text as well)


Edited by Foldingchair, 19 May 2015 - 09:33 AM.

"Peace and blessings be upon you all."



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 19 May 2015 - 09:54 AM

Hi Foldingchair :)

It's totally normal to find these executables in multiple folders. For what it's worth, these folders and filenames are used when you apply Windows Updates, so it's the same executable, just compiled differently I guess. There's nothing to worry about :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
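An added check for the situation Foldingchair describes (example code written for this page, not something posted in the thread): instead of counting copies of vbc.exe by eye, enumerate them under the Windows directory, hash each one and verify its Authenticode signature. Legitimate duplicates in winsxs and the .NET Framework folders should all carry a valid Microsoft signature; the executable name and the search root are parameters and assumptions, not values taken from the thread.

```powershell
# Added example (not from the thread): inventory every copy of a named executable under
# the Windows directory, hash each copy and check its Authenticode signature.
param(
    [string]$Name = 'vbc.exe',          # executable name discussed in the thread
    [string]$Root = "$env:SystemRoot"   # assumption: the Windows directory is the search root
)

$copies = Get-ChildItem -Path $Root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($file in $copies) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $file.FullName
        SizeKB    = [math]::Round($file.Length / 1KB)
        SHA256    = $hash
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# A copy that is unsigned, tampered with, or signed by someone other than Microsoft
# is the one worth a closer look; identical hashes in many folders are expected.
$suspect = $report | Where-Object {
    $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'Microsoft Corporation'
}

"$(@($report).Count) copies of $Name found; $(@($report.SHA256 | Sort-Object -Unique).Count) distinct hashes"
$report | Sort-Object SHA256 | Format-Table Path, SizeKB, Signature -AutoSize

if ($suspect) {
    "`nCopies needing review:"
    $suspect | Format-List
} else {
    "`nAll copies carry a valid Microsoft signature."
}
```

Run it from an elevated PowerShell prompt so the winsxs tree is readable. Many of the winsxs entries are hard links to the same file, so seeing far more copies than distinct hashes is normal. On Windows 7, system files that are catalog-signed rather than embedded-signed are reported as NotSigned by Get-AuthenticodeSignature; on Windows 8.1 and later the cmdlet checks the catalog as well, and `$sig.SignatureType` tells the two cases apart.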


#3 Foldingchair

Foldingchair
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 10:25 AM

Alright, thanks! It's also worth mentioning that I don't notice any suspicious account or system behavior anywhere on my computer. Knowing that there's people thinking with (and sometimes for) me gives me a good feeling. After asking a friend who has the executables spread out like that as well it also helps to calm me down.

 

Great to see that this is such an active forum. I'll be coming back more often. Cheers! :thumbsup:


"Peace and blessings be upon you all."


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 19 May 2015 - 10:32 AM

No problem Foldingchair, my pleasure :) If you ever suspect that you are infected, you are free to create a thread in the Am I infected? What do I do? section for a standard check-up of your system.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 rp88

rp88

  • Members
  • 3,022 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:45 PM

Posted 19 May 2015 - 10:42 AM

1) Make Firefox your browser and run NoScript in it,

2) and never run any downloaded exe file without first scanning it using VirusTotal,

3) and make sure Windows File Explorer is set to "show full file extensions even for known file types" in folder options,

4) and make sure to keep your antivirus and antimalware up-to-date and also keep your browsers up to date and keep your OS up-to-date on security updates (whether to do the non-security updates to your Operating System is a personal choice) and keep programs like MS Office up-to-date.

The first of these should protect you from drive-by attacks, the second protects you from malware in any program you download, the third protects you from any other files you download pretending to be safe formats (images, videos, audio, zip archives, documents) whilst really being exe or scr file malware, the fourth protects you from exploits done by any other means.

If you do these from the moment you boot up a brand new machine (or one restored from a clean system image) you can be fairly confident that it has no malware at all. It's easy to get paranoid about viruses, but with these tips plus some heavy scanning every few months you should be able to feel secure. For scanning I suggest using:

Your existing antivirus, whatever you are using at any time in the future (main scanning)

Malwarebytes (second opinion scanning, and the pro version has live features which block some malware from executing as well)

ESET online scanner (third opinion scanning)

VirusTotal (this is not a scanner but a website where you can upload individual files which you are suspicious of; you can't scan your computer with it but you can scan individual suspicious files)


Checking task manager from time to time can also be helpful, but it is normal to see multiple entries of the same process in there and also normal to sometimes see processes you have not encountered before. If a particular entry in task manager's list of running programs makes you suspicious you can easily find (using right click then properties) where it is on the system and scan it in the folder, or copy the exe file so a copy is in another folder and upload the copy to VirusTotal.


You might also consider running Malwarebytes Anti-Exploit and maybe some sort of whitelisting program (many are mainly designed to block crypto-ransom-malware but will block other sorts as well), if the above suggestions do not seem enough to you.

Edited by rp88, 19 May 2015 - 10:45 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB
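Point 3 of rp88's list, and the .lnk/.scr disguise trick both posters mention, can be checked rather than eyeballed. The script below is an added example written for this page, not code from anyone in the thread: it reads the Explorer setting that hides extensions for known file types, then looks through the Downloads folder for names like "holiday.jpg.exe" that only look harmless while extensions are hidden. The extension lists and the Downloads location are assumptions.

```powershell
# Added example (not from the thread): confirm Explorer shows extensions for known file
# types, then flag downloaded files whose real extension runs code while the visible
# part of the name imitates a data file.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt  = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt

if ($hideExt -eq 0) {
    "Explorer is showing file extensions (HideFileExt = 0)."
} else {
    "Explorer is hiding extensions for known file types (HideFileExt = $hideExt)."
    "To show them: Set-ItemProperty -Path '$advanced' -Name HideFileExt -Value 0, then sign out and back in."
}

# Extensions Windows executes on double-click; an assumption, extend as needed.
$executable = '\.(exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|wsh|ps1|hta|msi|lnk)$'
# Extensions a user expects to be plain data.
$dataLike   = '\.(jpe?g|png|gif|bmp|mp3|mp4|avi|mkv|zip|rar|7z|pdf|docx?|xlsx?|pptx?|txt)$'

$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumption: default Downloads location

$flagged = Get-ChildItem -Path $downloads -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        # Real (last) extension is executable AND the name without it ends in a data-looking extension,
        # e.g. "holiday.jpg.exe": Extension is ".exe", the remainder "holiday.jpg" matches $dataLike.
        $_.Extension -match $executable -and
        [System.IO.Path]::GetFileNameWithoutExtension($_.Name) -match $dataLike
    } |
    Select-Object FullName, Length, LastWriteTime

if ($flagged) {
    "`nFiles whose name imitates a data file but would run as a program:"
    $flagged | Format-Table -AutoSize
} else {
    "`nNo double-extension executables found under $downloads."
}
```

PowerShell's -match is case-insensitive, so "PHOTO.JPG.EXE" is caught as well. A hit is a reason to look closer (check the file's signature, or upload it to VirusTotal as rp88 suggests), not proof of infection: some installers are legitimately named after the document they bundle.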

#6 Foldingchair

Foldingchair
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 11:27 AM

Thanks for the suggestions rp88. As expected I already do most of these things. Recently I've also started using Virustotal a lot.

 

1) I love Firefox, have been using it for about three years and never looked back. Interesting suggestion about the NoScript addon.

 

2) Doing that since recently.

 

3) Doing that regardless of paranoia because I need to see full extensions to work efficiently with files related to games running on the Source Engine (I create a lot of custom textures for mods and such.)

 

4) Definitely always keeping everything up to date. I won't miss one important update unless I am absolutely sure I won't require it.

 

I've been thinking of looking into ESET, so I might check that out.

I also check the source location of a lot of processes I don't trust.

 

Still some useful information out of your post though! It makes me smile to see other people who think the same way. Thanks for the info!


"Peace and blessings be upon you all."


#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 19 May 2015 - 11:31 AM

2)and never run any downloaded exe file without first scanning it using virustotal,


This isn't needed in some cases. If you download an executable from a reliable source (like the official website for a trustworthy program), you can assume the executable is safe. This is for executables that come from third-party, unreliable and shady sources. And even there, if it's the first time that the .exe is submitted to these antiviruses on VirusTotal, the result might come back clean, even though the executable is infected, so it's not a 100% reliable method.

Edited by Aura., 19 May 2015 - 11:31 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 Foldingchair

Foldingchair
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 11:55 AM

 

2)and never run any downloaded exe file without first scanning it using virustotal,


This isn't needed in some cases. If you download an executable from a reliable source (like the official website for a trustworthy program), you can assume the executable is safe. This is for executables that come from third-party, unreliable and shady sources. And even there, if it's the first time that the .exe is submitted to these antiviruses on VirusTotal, the result might come back clean, even though the executable is infected, so it's not a 100% reliable method.

 

 

That's true, but if it's a well known piece of software and you're unsure about it, it's still a good thing to consider! But like you said, it's not 100% reliable. :)


"Peace and blessings be upon you all."


#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 19 May 2015 - 11:57 AM

Also, you need to consider the FP (False Positives) that could come out of the VirusTotal reports, it can happen.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 rp88

rp88

  • Members
  • 3,022 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:45 PM

Posted 19 May 2015 - 12:00 PM

Post #6, you're doing all the right things. You're already much safer than the average computer user, do the other few things as well (NoScript, ESET online scanner (free scanning tool, only runs on demand, no active protection offered), disabling plugins you don't use (putting those you sometimes use on "ask to activate"), make regular backups of your files on external media, make a few system images when you know the system is clean and is working as you like with your important programs installed, disable unnecessary startup processes and remove preinstalled bloatware, not following shady sounding links...) and you should be as well protected as it is possible to be.

P.S. In my mentions of scanning every downloaded exe file with VirusTotal, you should also scan them all with MBAM and your antivirus. And scanning with MBAM and your antivirus should also be done for any other file you download (videos, audio files, zip archives, MS Office documents, PDF files... even pictures); non-executable file types don't need scanning with VirusTotal though.

Edited by rp88, 19 May 2015 - 12:03 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#11 Foldingchair

Foldingchair
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 12:25 PM

Post #6, you're doing all the right things. You're already much safer than the average computer user, do the other few things as well (NoScript, ESET online scanner (free scanning tool, only runs on demand, no active protection offered), disabling plugins you don't use (putting those you sometimes use on "ask to activate"), make regular backups of your files on external media, make a few system images when you know the system is clean and is working as you like with your important programs installed, disable unnecessary startup processes and remove preinstalled bloatware, not following shady sounding links...) and you should be as well protected as it is possible to be.

 

 

Bloatware won't happen easily as I install and configure Windows myself. I also use Acronis True Image to make a regular image, which has proven its value. Lucky for me, I'm not the average computer user. My issue is just that I doubt myself a lot and am not always as confident as I should be about things. But for good reason! :rolleyes:


"Peace and blessings be upon you all."


#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:45 AM

Posted 19 May 2015 - 01:01 PM

And scanning with mbam and your antivirus should also be done for any other file you download (videos, audio files, zip archives, ms office documents, pdf files...even pictures), non-executable file types don't need scanning with virustotal though.


If you use an Antivirus with real-time protection enabled, and Malwarebytes Premium with real-time protection enabled, these files will automatically be scanned as soon as they are downloaded on your system. Otherwise, real-time protection would have one huge issue.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:45 AM

Posted 19 May 2015 - 01:45 PM

I use Norton Antivirus (Paid subscription), Malwarebytes Premium and often run a scan on demand with SpyBot Search & Destroy.

mvps.org and many security experts are no longer recommending Spybot S&D (or Ad-Aware) due to poor testing results and ineffectiveness against current malware threats.

Most people don't understand how to use Spybot's TeaTimer and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in the Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't have an understanding of how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and in some cases it will even prevent disinfection of malware by those tools.

Since you are using Malwarebytes Premium, I would just remove Spybot.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the link in my signature.

#14 Foldingchair

Foldingchair
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Female
  • Location:Netherlands
  • Local time:04:45 PM

Posted 19 May 2015 - 01:56 PM

 

I use Norton Antivirus (Paid subscription), Malwarebytes Premium and often run a scan on demand with SpyBot Search & Destroy.

mvps.org and many security experts are no longer recommending Spybot S&D (or Ad-Aware) due to poor testing results and ineffectiveness against current malware threats.

Most people don't understand how to use Spybot's TeaTimer and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in the Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't have an understanding of how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and in some cases it will even prevent disinfection of malware by those tools.

Since you are using Malwarebytes Premium, I would just remove Spybot.

 

 

I wasn't aware of Spybot being unreliable. I was aware of TeaTimer being able to conflict with things though. I have a light understanding of the Windows registry, and I knew beforehand that TeaTimer would conflict with Norton also. So I disabled it, obviously. If Spybot really is that redundant, I might get rid of it.


"Peace and blessings be upon you all."


#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,486 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:45 AM

Posted 19 May 2015 - 02:01 PM


You can always supplement your anti-virus or get a second opinion by performing an Online Virus Scan. ESET is one of the more effective online scanners.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the link in my signature.



