Hello everyone. I have a question about whether it's feasible to flush out a potential virus or malware infection using a particular scanning scenario.
Here's the background:
A friend contacted me and informed me that her PC started throwing pop-ups stating "Your system is infected, blah blah"... textbook scareware scam.
I instructed her to power down the PC and not restart it. I picked it up from her place the next day.
I later find out that the PC is a recent Sony VAIO, and that it runs Windows 7 Home Premium, 64-bit.
Here's what I did next:
Keeping the PC isolated from any networks, I turned it on to see if the malware symptoms persisted. As far as I could tell, they have not. No pop-up warnings, no spoof status alerts in the system tray, no "fake" indications of danger were observed.
After about 10 minutes of waiting for some sign and seeing none, I powered down the PC again.
I then decided to remove the possibly-infected PC's OS drive and slave it to another machine that has both Norton Internet Security 2011 and Malwarebytes Anti-malware.
I started the session by updating both NIS 2011 and Malwarebytes to their latest definitions, then running full-scans on the Windows 7 OS partition on the HDD.
Both NIS 2011 and Malwarebytes returned with 0 infected objects.
Here's where I began doubting the whole scanning exercise:
I then remembered - the PC that's doing the scanning is running Windows XP SP3 32-bit.
So I'm asking the community of experts here... is it even feasible to scan the Win7 64-bit partition using Malwarebytes and/or NIS 2011 running under WinXP 32-bit SP3? Would such a scanning scenario even be able to catch problems (i.e. compromised registry entries) while scanning a partition containing a more advanced OS? In other words, are Malwarebytes and/or NIS 2011 for WinXP limited to finding and fixing problems on a WinXP partition? Or does that matter at all, since it's just scanning disk data on a slaved drive?
Thanks in advance for any insights or suggestions.
-
Last edited by PartingShot; 24th Mar 2011 at 13:04.
-
A virus signature is a virus signature. If it is there and the signature is in the database, then it should find it, regardless of the OS version.
Your friend's problem sounds like the old "messenger.srv" exploit of a few years back. I believe that this service should default to "disabled" in later Win OS's. It might be useful to check its starting status.
-
If you can read the files, you can scan the drive. No problem.
Try running something like Spybot Search & Destroy; it will sometimes turn up things that Malwarebytes will miss. -
The problem with "a friend told me the PC is ..." is that usually the description of the problem and what is actually happening don't match. This is very dependent on the friend's computer literacy level.
What was the source of the actual pop-up warning; does she run an AV or was it a web pop-up? You were quite right in suspecting scareware, if it was a web pop-up did the message include something like "click here to fix this"? The last thing you want to do is click on that, nothing on the web is gonna come along and be a good Samaritan and help you, out of the blue.
As SLK001 said, the OS version doesn't matter for the AV; the only issue is, can your AV detect the latest 0-day? In case of doubt, scan with multiple AVs. There are a few free AVs (AVG, ClamAV, ...), you can do an online scan, or you can download a Linux Live CD to run an AV on the suspicious machine without having to remove the drive (the Trinity Rescue Kit is a nice one).
You have the right idea scanning from a different (booted) OS. As for worrying about stuff hiding in the registry: nothing in there can infect a PC, the registry does not contain executable files. Once the malicious files are deleted, any related entries in the registry will be pointing to nothing. Just run CCleaner to clean the registry. And make sure automatic updates get done; they include MS' malware scanner.
Edit: Just saw Nelson's post; absolutely right, you can't rely on a single spyware scanner, they all miss something. Ad-Aware is a good one to run too. I like Spybot S&D and they have a portable version (no need to install).
Last edited by nic2k4; 24th Mar 2011 at 16:00.
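To see for yourself what the slaved drive's registry autostart entries point at (the "entries pointing to nothing" case above), the following PowerShell script, which is an added example and not code from anyone in this thread, loads the Windows 7 partition's offline SOFTWARE hive on the scanning machine and lists the Run/RunOnce entries together with whether their target file still exists on the slaved disk. It assumes the slaved OS partition is mounted as E: and that the script runs from an elevated PowerShell prompt.

```powershell
# Added example: inspect autostart entries in the SOFTWARE hive of a slaved drive.
# Assumption: the slaved Windows 7 partition is mounted as E: on the scanning PC.
$SlavedRoot = 'E:'
$HivePath   = Join-Path $SlavedRoot 'Windows\System32\config\SOFTWARE'
$MountKey   = 'HKLM\OfflineSoftware'     # temporary mount point, unloaded at the end

# reg.exe load attaches the offline hive under HKLM; nothing from it is executed.
& reg.exe load $MountKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }

try {
    # Both the native and the 32-bit (Wow6432Node) autostart keys on a 64-bit install.
    $runKeys = @(
        'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\OfflineSoftware\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\OfflineSoftware\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider metadata, not values
            $cmd = [string]$p.Value
            # Take the executable path: quoted string or first whitespace-separated token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            # %SystemRoot%-style paths are expanded using the scanning host's variables,
            # then the drive letter is remapped so the check hits the slaved disk, not C:.
            $exe      = [Environment]::ExpandEnvironmentVariables($exe)
            $onSlaved = $exe -replace '^[A-Za-z]:', $SlavedRoot
            [pscustomobject]@{
                Key    = $key.Replace('HKLM:\OfflineSoftware', 'HKLM\SOFTWARE')
                Name   = $p.Name
                Target = $exe
                OnDisk = (Test-Path -LiteralPath $onSlaved)   # False = dangling entry
            }
        }
    }
}
finally {
    # Always detach the hive; otherwise the slaved drive's SOFTWARE file stays locked.
    & reg.exe unload $MountKey | Out-Null
}
```

Entries with `OnDisk = False` are the leftovers a cleaner such as CCleaner would remove; entries that do exist but point at unfamiliar locations (user profile, temp folders) are the ones worth submitting to a scanner. The per-user Run keys live in each profile's NTUSER.DAT and would need the same load/unload treatment.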
-
I had a similar situation with a friend's laptop yesterday. I scanned it with Malwarebytes Anti-Malware, SuperAntiSpyware, Avira rescue CD, and Doctor Web rescue CD; they all found nothing and took over half an hour each. I booted up in safe mode and installed a program called UnHackMe; it found it and I deleted it in about 3 minutes.
Another good program is F-Secure's free rescue disk, but you need an internet connection to update the AV database. As nic2k4 says, it's basically down to having the latest updates and hoping your AV/malware scanner has that definition in its database.
Last edited by fatbloke88; 24th Mar 2011 at 16:42.
-
Good idea, I'll definitely disable on startup if necessary.
Thanks Nelson37. I just completed the scan using S&D, which also found nothing (except tracking cookies on the active OS partition). I've never used it before today. It seems pretty thorough, but it did take me a minute to figure out how to scan all Windows installations in the system (using the "/allhives" switch). Never had to modify the command-line properties of a Windows shortcut icon like this before!
@nic2k4 - nice informative post with lots of good links for reference. Thank you very much for submitting that
I'll check out Unhackme and the Fsecure rescue disk. Thanks.
Great suggestions everyone. Thank you, thank you, thank you -
I've been having to clean out some nasty ones that occasionally show up at my agency. I usually start with this cocktail:
Live boot a Windows rescue CD (so I don't have to remove a drive).
Run:
1. EZPCClean
2. Rootkit revealer
3. Avira AV
sometimes more...
Then I restart and boot the HD in Safe Mode (with Networking) and copy onto the desktop copies of:
1. Combofix
2. rkill
3. CCleaner
4. Malwarebytes
5. Unhackme
6. SpybotSnD
7. SuperAntiSpyware
8. AdAware
9. Avast AV
10. HijackThis
Starting in roughly that same order, install what you can (some don't install while in safe mode) and update fully. I then run full scans on EVERYTHING on the HD.
Takes a while. Many times one will catch what others didn't.
I often do boot-time scans with #6 & #9. (Works prior to graphical mode & services loading)
When all is finished, they are clean as a whistle and run FAST!
Scott
Last edited by Cornucopia; 24th Mar 2011 at 21:09.
-
Sorry for the thread resurrection, but I have another friend in need of a good PC cleaning. Planning on using the strategy listed by Cornucopia above. I will follow the prescribed order for all the tools listed. The last one, HijackThis, will generate a log. Has anyone ever had their HijackThis log analyzed by *Spy and Seek*? If so, were there any problems, or did it work out okay?
Thanks in advance, everyone -
I have not used Spy and Seek; I usually paste the log into www.hijackthis.de