Author Topic: Personal Antivirus Infection  (Read 1484 times)

Offline OOZ662

  • Platinum Member
  • ******
  • Posts: 7019
Re: Personal Antivirus Infection
« Reply #15 on: July 19, 2009, 03:43:23 AM »
I believe that's exactly what a rootkit is; something that integrates itself directly into the Windows kernel, making it undetectable without certain tools.

I also suggest using something more professional if you're going to encrypt things, like TrueCrypt. WinRAR is the secondary haven (next to ActiveX and IFrames) for viruses on their way to delivery.
A Rook who first flew 09/26/03 at the age of 13, has been a GL in 10+ Scenarios, and was two-time Points and First Annual 68KO Cup winner of the AH Extreme Air Racing League.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Personal Antivirus Infection
« Reply #16 on: July 19, 2009, 04:04:13 AM »
Hmm...

First: Would a Trojan or virus be able to get into a locked .rar file?

Second: I can tell now that AVG is junk, but does anyone know what can possibly make it go crazy like this?

If worst comes to worst I can use the HP Recovery drive to restore Windows to its original state without losing any data currently here. That means that the viruses can still be there, but not active, since the registry and settings are restored to what they were out of the box. However, I would really rather not go through that hassle as it takes about 2 days for the process to complete and once it does I will have to re-install all the programs I have and bring my settings back the way I like them, which can also take another 2 days.

Aside from that, ThreatFire seems to be doing a good job on its own, and unless there are virus programs that can conceal themselves from Task Manager there shouldn't be anything that can get past me. I ask if a virus can get into a password-locked .rar file because the only information that can be used to steal my identity on this computer is in such a file. I should be fairly safe right now if there isn't.

At this point doing anything but a full format means risking your personal information, internet banking credentials etc. Would be fun to know how you got it, clicked a hack.rar or freepr0n.rar open?
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Ghosth

  • AH Training Corps (retired)
  • Plutonium Member
  • *******
  • Posts: 8497
      • http://332nd.org
Re: Personal Antivirus Infection
« Reply #17 on: July 19, 2009, 06:43:00 AM »
It shouldn't be able to get the information out of such a file, no, especially not if it's password protected.
And that's something you can do with most any software. WinZip, WinRAR should all be able to password protect a compressed file.

The other way to go that I haven't seen mentioned is to make either a DOS-level virus scanner CD, then tell the computer to boot from the CD/DVD. Or to use a Linux distro that can boot off a CD/DVD without actually installing to your hard drive. Many of them will have a good antivirus as part of the package. Ubuntu, Mepis, are just a couple of the possibilities. Since you're not in Windows, none of the files will be protected or hidden.
(Same basic idea as the dos level scanner) Hit them from behind where they have no cover.

Here they do it with a flash drive.
http://askthegeek.kennyhart.com/2005/12/how-to-make-bootable-thumb-drive-virus.html


Offline Mar

  • Gold Member
  • *****
  • Posts: 2203
Re: Personal Antivirus Infection
« Reply #18 on: July 19, 2009, 03:42:31 PM »
At this point doing anything but a full format means risking your personal information, internet banking credentials etc. Would be fun to know how you got it, clicked a hack.rar or freepr0n.rar open?

Firstly, I'm not into this "pr0n" stuff.

Secondly, I most likely got this mess via my brother constantly downloading and installing freeware games, which I've now forbidden him to do.

Thirdly, I'm saying it's not my fault (no offence). I'm the one here that's been keeping the viruses out in the first place.

So now that the source of the viruses has been taken care of and the fact is known that the existing viruses on here (if there are any left) cannot get into the locked file (as Ghosth pointed out), there should be no problem. The only exception would be if a program can view my screen or log keystrokes without being detected by ThreatFire or Task Manager. So far every time something happened there was a program on task manager that I did not recognize, and the something that was happening stopped when I terminated the program. In other words, nothing currently on this machine can escape detection of Task Manager as far as I've seen.


Now that flash drive is a good idea, I'll have to get one and try it out.
from the shadows of war's past a demon of the air rises from the grave

  "Onward to the land of kings—via the sky of aces!"
  Oh, and zack1234 rules. :old:

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Personal Antivirus Infection
« Reply #19 on: July 21, 2009, 10:49:10 AM »
Firstly, I'm not into this "pr0n" stuff.

Secondly, I most likely got this mess via my brother constantly downloading and installing freeware games, which I've now forbidden him to do.

Thirdly, I'm saying it's not my fault (no offence). I'm the one here that's been keeping the viruses out in the first place.

So now that the source of the viruses has been taken care of and the fact is known that the existing viruses on here (if there are any left) cannot get into the locked file (as Ghosth pointed out), there should be no problem. The only exception would be if a program can view my screen or log keystrokes without being detected by ThreatFire or Task Manager. So far every time something happened there was a program on task manager that I did not recognize, and the something that was happening stopped when I terminated the program. In other words, nothing currently on this machine can escape detection of Task Manager as far as I've seen.


Now that flash drive is a good idea, I'll have to get one and try it out.

You cannot be sure you're clean without a format after an infection of this kind. I wouldn't use the box for any banking etc. without full format and reinstall.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline doc1kelley

  • Silver Member
  • ****
  • Posts: 1508
Re: Personal Antivirus Infection
« Reply #20 on: July 21, 2009, 11:01:44 AM »
I just responded to my daughter's request for help with that darned Personal AV yesterday. It creates a folder for itself in C:\program files and in C:\program files\common files\. Actually I even saw an uninstall for it under the C:\program files\common files folder but I elected to nuke 'em all personally and then ran CCleaner to get rid of the left-behind trash and she's been good to go.

All the Best...

    Jay
  awDoc1
The Flying Circus Rocks! We're clowns of a different color!

Beer! helping ugly folks get laid!

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #21 on: July 22, 2009, 01:41:33 PM »
Be careful with that. I used a similar method to get rid of a very similar bug. However, I went ahead and ran some scans after I thought I removed it. 45 infections and two days later the bug was finally gone.

Just because it doesn't show, doesn't mean it isn't there.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Personal Antivirus Infection
« Reply #22 on: July 23, 2009, 10:35:15 AM »
Personally I don't understand the point of trying to clean a system when a far more certain and faster way is to either load a fresh image or just reinstall. Peace of mind and a fresh system.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #23 on: July 23, 2009, 10:59:56 AM »
For me, the majority of what I learned about computers was gained when I took control of an infected system then cleaned it out. While I understand that reformatting is the easier and safer means of destroying an infection, I would never have been at my level of knowledge about the internal workings of a computer today unless I had tried repairing it myself. Plus there's always the part of some people not having a Windows installer, not having a backup of personal files, not having a recovery disk/partition. There are multiple reasons why people don't reformat. Mine is for knowledge.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Personal Antivirus Infection
« Reply #24 on: July 23, 2009, 12:02:30 PM »
For me, the majority of what I learned about computers was gained when I took control of an infected system then cleaned it out. While I understand that reformatting is the easier and safer means of destroying an infection, I would never have been at my level of knowledge about the internal workings of a computer today unless I had tried repairing it myself. Plus there's always the part of some people not having a Windows installer, not having a backup of personal files, not having a recovery disk/partition. There are multiple reasons why people don't reformat. Mine is for knowledge.

Except that when you're dealing with a rootkit or advanced viruses the maker has infinitely higher knowledge on how to hide the bad code from you. That's the problem.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Masherbrum

  • Radioactive Member
  • *******
  • Posts: 22408
Re: Personal Antivirus Infection
« Reply #25 on: July 23, 2009, 01:01:42 PM »
Except that when you're dealing with a rootkit or advanced viruses the maker has infinitely higher knowledge on how to hide the bad code from you. That's the problem.

Absolutely.
-=Most Wanted=-

FSO Squad 412th FNVG
http://worldfamousfridaynighters.com/
Co-Founder of DFC

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #26 on: July 23, 2009, 04:31:54 PM »
Yes, that was quite evident since the computer was infected without the knowledge of the user. That's also why I use a wide variety of scanners along with basic knowledge to weed out and destroy the infections.

I'm not disagreeing that the infection might not be completely removed. I'm simply saying that by attempting to remove the infection I have gained more knowledge about computers. That's my only reason for fighting as opposed to wiping.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline 1pLUs44

  • Gold Member
  • *****
  • Posts: 3332
Re: Personal Antivirus Infection
« Reply #27 on: July 23, 2009, 11:10:58 PM »
Anyone for a plate of screwed?

When I said that not everything is what it looks like, I was right on. Just a few days ago I got hit, hard.

I gotta admit, this is nuts, even by my standards. I've been going bonkers trying to get AVG and Malwarebytes to clean up this mess. AVG has never been able to finish a full scan, the computer just shuts off when it gets near the end. At first I thought it was because the computer is overheating, but one time the computer just tried to restart itself and failed. I did a full scan with Malwarebytes (which was able to finish) and found and removed an even 200 threats, then I restarted the computer normally (forgot to mention all my scans took place in safe mode) and AVG starts spewing out warnings of trojans as soon as I connect to the internet. So I go back into safe mode and have AVG run another scan which finds at least 30 more trojans before the computer shuts off (again). So much crap going on I can't remember it all. Today I decided to check out ThreatFire and I have it running right now. The thing is, now AVG is going absolutely insane. It is constantly detecting anything that opens as a trojan, including itself. All I have to do is open Notepad and I immediately get threat warnings, first only identifying Notepad as a trojan, then saying that avgcsrvx.exe is a trojan. I myself have never heard of an anti-virus identifying itself as a virus.

So far ThreatFire hasn't detected anything. I'm going to try re-installing AVG and see what happens.

This has been the craziest time I've ever had on this thing.


What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't Malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.

Huh, I'm running the free version just fine. I usually download it every couple of months, then delete it. If I get another virus, I re-download the latest free version.
No one knows what the future may bring.

Offline TheZohan

  • Persona Non Grata
  • Nickel Member
  • ***
  • Posts: 587
Re: Personal Antivirus Infection
« Reply #28 on: July 24, 2009, 12:25:00 AM »
In the past 2 weeks our store has gotten like 100 of those machines infected with Personal AV. Malwarebytes has taken care of 99% of the issues. For 24/7 protection you can get a lifetime license for 24.99 for personal computers (which we sell to the customers infected, to prevent it happening again).

Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: Personal Antivirus Infection
« Reply #29 on: July 24, 2009, 04:49:12 AM »
Personally I don't understand the point of trying to clean a system when a far more certain and faster way is to either load a fresh image or just reinstall. Peace of mind and a fresh system.

+1

If you're going to use a cloner, take the image directly after installing the OS and all your software, and before connecting to your network or adding your data. Don't clone your data; restore data from a current backup.


The hardware firewall in a router is detrimental to your PC's security as well as any others that are on your network.
:huh
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli