Incessant Virus - can it really hide from 3 scanners? - A few Qs re: problems I ran into while fixing infection

Vista Home / 4gb / AMD 5000+ 64 / Opera 8.x and 9.x

I'd appreciate just getting answers for any of the questions below that you might have the answer to.
The questions are mixed in with the description of what happened to my computer. It's not very much
to read. If you're new to fixing an infection you might want to start a text file and write down
what you learn from what you read. That's what I'll do with your answers.
--

I did a lot of reading over the last 40 hours because since Win95 I've been very lucky
to not have been hit with an infection. 2 days ago I was.

My reading is finding that many infections are hard to totally fix. These posts are by people who seem pretty sharp. Is there a 'long road' one can take to ensure the computer is really fixed?

What I did: I ran the scanners in the proper way, rebooting after running them or doing
whatever they said to do. I also disconnected from the Internet so that no new infections
could come in while scanning. That was my idea and seemed smart, or at least not harmful.

Ran several scanners in turn, and ran them again. And again. I did that because Malwarebytes
would find a problem even after it had been run 3 times: it found only 1 problem on the 2nd run,
then found 1 more problem on the 3rd run. That seemed odd. Why would that occur?

I ran Avast, TrendMicro's new Beta V 7, and Malwarebytes with the latest updates.


I first ran them in safe mode because I could not see the screen with the types of infections I had.
Booting into safe mode let me see my desktop and run the programs. The infections seemed not to
show up in safe mode. Why is that? Anyway.

I then ran the three scanners after booting up normally, and ran them again and again.
Malwarebytes was the only one which seemed to find 1 problem after each run.
I.e. run it 1 time: it found many errors. Fixed them. Rebooted. Ran again. Fixed errors. Finally
got down to 1 error. Fixed it. Reboot. Ran it again, and it found another 1 error. Fixed it. Reboot, ran again
and it found 1 error. After 3x it did not find more errors. Neither did the other scanners.

Then I ran HijackThis logs and used many of the automated helpers. I know what most of the lines
mean in the logs, but I have not worked with Vista enough to know how many problems can be or are related to each section (line). I don't have much experience with infections.

These are a few of the automated sites I used.
http://www.hijackthis.de/
http://www.hijackthis.de/index.php?langselect=english
http://www.2-spyware.com/hjt.php
This site did not like the http characters in my HijackThis log. Can anyone explain that?
http://hjt.networktechs.com/

I would like to use the site. Can anyone explain the reason it has the error? See next line:

They say:
Critical Error! Your log contains HTML tags. Valid HijackThis logs should not have HTML tags. Are you *sure* you're using this system for analysing your HijackThis logs?

---

This was an easy starter page for anyone using HijackThis. It helps you know what the lines
relate to, and that helps you point to where an infection has harmed something.
http://netsecurity.about.com/od/popupsandspyware/a/aahijackthis....
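A small checker for the "log contains HTML tags" rejection described above, added here as an example; it is not code from the page or from any of the analyser sites. It lists the tags found in a pasted log, strips them, and groups the remaining entries by HijackThis section code. The sample log is constructed, and the section meanings are the standard HijackThis conventions.

```python
import html
import re
from collections import Counter

# Meanings of common HijackThis section codes (standard HJT conventions, subset).
HJT_SECTIONS = {
    "R0": "IE start/search page registry value",
    "O2": "Browser Helper Object (BHO)",
    "O4": "Autorun entry (Run/RunOnce registry keys, Startup folder)",
    "O23": "Windows service",
}

TAG_RE = re.compile(r"<[^>]+>")
# One HJT log entry: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def find_html_tags(log_text):
    """Return every HTML tag in the pasted log; analysers reject a log that has any."""
    return TAG_RE.findall(log_text)

def strip_html(log_text):
    """Remove tags and decode entities (e.g. &amp;) so the log is plain text again."""
    return html.unescape(TAG_RE.sub("", log_text))

def parse_hjt_log(log_text):
    """Return (code, meaning, body) for each entry line of the cleaned log."""
    entries = []
    for line in strip_html(log_text).splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.groups()
            entries.append((code, HJT_SECTIONS.get(code, "other HJT section"), body))
    return entries

def section_counts(entries):
    """How many entries fall in each section, to see where a log is heavy."""
    return dict(Counter(code for code, _, _ in entries))

# Constructed sample log (not from a real machine): the URL was pasted wrapped in an anchor tag.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = <a href="http://www.example.com/">http://www.example.com/</a>
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O23 - Service: Example Service - Unknown owner - C:\Windows\system32\examplesvc.exe
"""

if __name__ == "__main__":
    print("HTML tags found:", find_html_tags(SAMPLE_LOG))
    print(section_counts(parse_hjt_log(SAMPLE_LOG)))
```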





---

Honestly, you have a rootkit installed or something just as nasty.

Unless you really want to spend more hours debugging it, it might be time for a wipe.


---

There are many routes for reinfection after a reboot, so you have to make sure all those spots are clean or the malware will just get reinstalled. Make sure to turn off and delete system restore points and other cache. You can post your HJT log here if you're not familiar with HTML tags.


---

Some antispyware software will give very frightening warnings about things that are not serious at all, such as cookies. If you have rootkits and major virus infections, wiping and reinstalling the operating system is a good answer. Especially if you know how to back up your data, and have all of your software and registration keys you need to reinstall easily available, or if you have a known good clone. But don't reinstall everything just because some program is giving you a false alarm that you have allowed a cookie.


---

Use Avast again and this time do a Boot-Time Scan. Booting to Safe Mode does you no good. It's undoubtedly a virus/file associated with Windows, not DOS, and even booting into safe mode the virus is already enabling/attaching itself.

Open Avast in Windows. Using the drop-down menu select "Schedule Boot-Time Scan". Click all the check boxes. Make sure it's set to scan all drives and to scan within compressed files as well.

Whether it's Avast or other antivirus software of your choice, you must scan from DOS. By the time you've reached Windows, even Safe Mode, it's too late.


---

Just format.


---

Infections are harder than ever to clean.

Can you take the hard drive out, and place it in an external enclosure and then connect it to another computer and run your antivirus/antimalware scans?


---

Think you have a rootkit? Run Unhackme. It's free for 30 days and does a very good job of helping to get rid of them. Nothing is perfect though.

As jimrome said, scanning the drive while NOT booting your machine from the hard drive is a very good idea. You can remove it as he said or you can boot a CD like ubcd4win and then scan over your network or boot a rescue CD from one of the AV companies. My favorite is the Kaspersky rescue CD, which is free.


---

I agree, anything that runs from that drive is going to be suspect at best, because the system has already loaded (in who knows what condition) at that point. Unfortunately, it's almost impossible to give a straight answer on what is "clean". As a security person, I'll tell you that the only way to be sure is to completely nuke the drive and do a clean install from a known good source. That's the only way to be 100% sure that the system is clean.

In practice, unless you have critically sensitive data, you can try the suggestions above. Just make sure you are scanning the drive as a secondary and using multiple tools to verify. The problem is that all scanners go after the most common infections. If the author has tweaked it at all, for example moving the executable to another location, the scanners may miss it. You need a good mix of signature-based and heuristic scanners. If you clean it as best you can and still see strange behavior or unexplained outbound connections or services, it's time to wipe and reinstall.

To others, please let this be yet another warning to back up your data regularly and make an image of the system before it gets infected. It's 1000x easier to load up a recent image and continue on than it is to start from scratch.


---

You might have luck with this, which I "discovered" on Microsoft's site: Microsoft Security Essentials


---

I did solve the reinfection problem.

I figured a followup was in order since so many good replies came from FW members.

I'm 99% sure the reinfection came from my cache in the browser. I thought the malware would find
any infected files in the cache because it had found infected cache files before.

However, on a lark while reading I found a program called ATF-Cleaner.exe. That's the entire program,
just a small exe file. The program lets you select from many places on your computer where files
might be saved but not really needed, and it lets you delete them.

I can't recall why I decided to use the program. Maybe I read a post where someone mentioned that it
helped fix a reinfection problem.

When I used it I had no more reinfection problems.

I'm extremely happy with the results of this problem. While it was super irritating, I'm thankful no
data was lost. And I'm happy that I found good help here and online.

I use the program above after using my browser. And I do avoid using the IE browser. I've found that
it is just not as safe as Opera. I have not used Firefox so I can't comment.

But since Opera has less than 4% of the browser market and IE has over 50%, it makes sense to hack
IE since the hacker will find so many more people to hack into.

Another place which I use but did not seem to help me fix the problem is the Shields-UP site, which
checks every port in your computer to verify whether you are or are not invisible to people running
port scanners. The site is well written and has been in operation for at least 7 years.

Go here to verify your ports are not open and that you're invisible to hackers.

https://www.grc.com/x/ne.dll?bh0bkyd2

It's an odd URL, so if it's unique to me then use the main URL ending at .com.

The ATF Cleaner is found here:

http://www.atribune.org/index.php?option=com_content&task=view&i...

I only just read a note on his site where he offers ATF Cleaner.

He states it's for XP and 2000 only.

Then he also states that for Vista he has disabled a few functions due to him not
knowing how some functions in ATF can affect Vista.

I used it on Vista and have had no problems, and it did fix my reinfection problem. I've been away,
so it's been about 3 weeks that I've been using ATF Cleaner with Vista and, as I say, no problems.

I click 'Select ALL' when I run ATF Cleaner on Vista.

I've not had any issues with cookies or my login parameters to any sites
when using Opera 8x or Opera 9x.

So here's what worked for me.

Safe mode - run Malwarebytes
Reboot into:
Normal boot - run Malwarebytes
Reboot
Run ATF Cleaner
Run Malwarebytes again

If everything is OK then reboot and enjoy.

Note: You could probably modify when you run ATF Cleaner. It could be run first, I suppose, without
any harm as it's only deleting cache and files used by the browser and Windows temporary files.
http://www.fatwallet.com/forums/technology/959280/m14256391#m142...

