I recently had the first virus infection on my home computer since the early nineties. It was a particularly nasty Java exploit called XP Internet Security 2010.
This seems to be quite widespread and easily caught: you just have to visit a web site that carries advertisements, and according to some reports it has even infected the advertising on the US White Pages sites.
So, I guess that what was interesting about this whole thing is how well the anti-virus and anti-malware systems held up.
McAfee
I used to say that McAfee protects my system but now I'll just have to say that it's resident on my system - at least until it expires. Then again, since it was about as useful as an umbrella on a battlefield, it might not even last that long. McAfee's firewall and Anti-virus didn't even pop up a speech bubble during the entire infection episode. Talk about pointless software - All it seems to do is slow the system down with pathetic real-time scans.
Symantec
At work, we used to be big Symantec users until a series of faults in several of their software products and their sudden abandonment of some expensive hardware led me to abandon their entire platform. Nevertheless, I started looking for a Symantec solution as soon as it became apparent that McAfee was insufficient. Unfortunately, all of my googled searches kept finding the same page.
To cut a long story short, on this page, a user offers a convoluted (and dangerous) means of removing the infection and all the other users talk about how Symantec's products are still unable to detect the malware. The last post was 5 days prior to my own searches, so it seems that Symantec is not much help either.
Browsers
Before I start talking about using other tools to fix the problem, I just want to make a point about browsers. I use Google Chrome, which supposedly is immune to this sort of stuff. It obviously isn't. I noticed the problems when they first happened and followed steps to remove the problem. I thought I'd got it but obviously hadn't.
The thing is that my computer worked fine for a few more days. The only noticeable change was that Internet Explorer was back on my Start bar as the default browser. I checked the settings in Chrome, but it was still the default.
Eventually, I decided to click on IE just to see whether it would start Chrome or try to take over. That was when my real problems started.
The lessons from this:
- No browser is completely safe but Chrome is certainly safer than many.
- Internet Explorer is almost completely unsafe. I used version 8, with all the latest service packs and updates. It was still completely vulnerable and exposed my system. Nobody should use Internet Explorer for anything other than Microsoft Updates (and even then, if we're ever allowed to use a different browser, switch immediately).
Microsoft Security Essentials
This performed a full system scan - in fact, it's still running as I write this. So far it's found nothing, and it's been running for over an hour (and looks to be about 10% complete). A fast solution it isn't, but I have hope that it's thorough.
PC Tools Spyware Doctor
I've always had a bit of a bias against the Windows version of PC Tools. I guess it's because I got burned by the DOS version somewhere along the way, or because it fights with McAfee and causes our systems at work to freeze. In any case, I decided to give it a go, not expecting much.
It did the fastest scan out of everything I tried and detected the malware within minutes. It then popped up a dialog box telling me that it would only fix the problems if I paid for it first.
The price wasn't too bad and I was seconds away from paying for it but given that I've got known and active malware on my computer right now... do you REALLY think I'm going to put my credit card details in? Maybe I'll still buy it but I decided to look for a free solution first.
Spybot Search and Destroy
This software has always had a place in my heart. It's free and it's very good. I've had it on all of my computers but since this one has only recently been reloaded, I forgot. I downloaded it and ran it.
It's still running as I type but at least it's already identified some problems.
Microsoft Lunacy
First of all, it's identified two of those fantastic Microsoft Windows Registry Keys that have been modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
What is this crap!!
Seriously... Who puts these registry keys there anyway? Why are they even possible?
This is completely a Microsoft Problem. It's like Ford building a car and building in special provisions for something to disconnect the temperature warning gauge. It's complete rubbish. It's building a system to fail.
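One way to check these two override values yourself, as an added example that is not part of the original post: it assumes the values are DWORDs under the HKLM\SOFTWARE\Microsoft\Security Center key quoted above, where a non-zero value suppresses the corresponding Security Center warning, and resets any that are set.

```powershell
# Added example (not from the original post): audit the Security Center
# override values that Spybot flagged. Assumption: on XP-era systems these
# are DWORD values under HKLM\SOFTWARE\Microsoft\Security Center, and a
# non-zero value hides the "firewall off" / "antivirus off" warning.
$basePath  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$overrides = 'FirewallOverride', 'AntiVirusOverride'

function Get-SecurityCenterOverrides {
    param([string]$Path = $basePath)
    foreach ($name in $overrides) {
        $value = $null
        try {
            $value = (Get-ItemProperty -Path $Path -Name $name -ErrorAction Stop).$name
        } catch {
            # Value absent: nothing is suppressing this warning via the override.
        }
        [pscustomobject]@{
            Name       = $name
            Value      = $value
            Suppressed = ($null -ne $value -and $value -ne 0)
        }
    }
}

$results = Get-SecurityCenterOverrides
$results | Format-Table -AutoSize

# Reset any override that is set so the Security Center warnings reappear;
# treat a set override as a sign that something tampered with the system.
foreach ($r in $results | Where-Object Suppressed) {
    Write-Warning "$($r.Name) is set to $($r.Value); resetting it to 0"
    Set-ItemProperty -Path $basePath -Name $r.Name -Value 0 -Type DWord
}
```

Run it from an elevated PowerShell prompt, since writing under HKLM requires administrator rights.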
Resolutions
After running for about 70 minutes, Microsoft Security Essentials finally detected...
Trojan:Win32/FakeRean
It suspended the task and asked me if I wanted to remove it. I did and it's gone (I hope). Of course my Task Manager is still screwed, but maybe a reboot will fix it. In any case, the Microsoft Security Essentials scan is still only at about the 25% mark, so perhaps there's more to come.
Thus far the answers are:
- Download and run Spybot Search and Destroy. No Windows PC should be without it.
- Download and install Microsoft Security Essentials.
- Make sure that you have a firewall and Anti-Virus program, but don't rely on them. Also, remember that it's not necessarily true that on-access scanning is "better" than regular (nightly) full scans.
- Take Regular Backups - and maybe make Windows Rescue Disks (although in all honesty, I'm yet to see a situation where they actually work as intended).
- Use a safe(r) browser like Chrome, but don't rely on it as 100% foolproof.
Comments
I feel your pain. My windows partition is used only to play games. A couple of years ago, I found (multiple installation attempts of) a virus on my machine, despite having installed nothing new. Or even browsed the web.
The culprit? After some investigation, I found it.
A game used embedded IE to display welcome screens when connecting to public servers. I tried a couple of Russian servers earlier that day, and...
Let's face it, I don't need to explain much more than that, do I? IE, Russian servers, unexplained infections. Oh dear.
(That's not any kind of prejudice. It's a sad reflection of the reality of some of the Russian economic use of its enormous computing talent.)
Luckily, the infection attempt was caught by the AV system I had installed, and seemed to be removed correctly.
But my paranoia about Windows security runs deep, having tried to disinfect friends' PCs. So I did the ONLY thing you should do with a Windows PC that's had an infection...
Boot from something else, and scan the filesystem for malware from there.
There are too many rootkit techniques, too many nooks and crannies. The only thing you can't scan this way is the registry, but at least no files can be hidden from the scanner.
I used to use Bart's PE bootdisk creator, but these days would probably look at using one of the Linux based solutions like Knoppix - which has ClamAV on it by default.
Of course, this is why I only have a Windows partition to run games in, and do any other "windows things" that I may occasionally need in VMware instances that I can snapshot and reset as needed.
It's installed on our sales force laptops and it is 100 percent effective. No virus, no problems, no helpdesk. The BEST software ever bought.
The trick is to have a frozen C partition and a non-frozen D data partition. My Documents folder is redirected to D and Lotus Notes is also installed on D.
The operation in the first phase of testing was so successful that we uninstalled the antivirus software.
Regards, Albert.
My top ones would be:
Malwarebytes
Avira Anti-Virus (free version)
ComboFix
I also have an emergency AV client by Sophos that you can download from their site; you need to download the IDE (identification) files separately though.
I would also say that On-Access scanning is a MUST and is much more important than running daily scans. Why? Because if you download a dropper piece of malware that then downloads further malware, chances are the on-access scanner will pick up the dropper file and thus stop the rest from being downloaded. If you did not have on-access scanning and waited for the daily run, the following would have happened:
- Dropper downloaded and executed.
- This downloads further malware that then amends AV/Registry/Browser add-ins etc., creates tunnels and whatever else they want. By the time the daily scan runs there is no way it will be able to pick up everything and repair the damage that has been done, leaving your machine wide open, with the best option being to rebuild it.