I don't know very much about viruses; I went to a website recently and aVast blocked a few trojans that tried to enter my computer. I ran virus scans with aVast!, Spybot, and Ad-Aware 2007 and no viruses were found. How likely is it that if a virus somehow managed to initially get past my anti-virus programs, it could further avoid detection by all three virus scanners? Also, if there was a virus on my computer, would it always show up under the running processes listed in Task Manager?


Ah, you're fine, it's nothing to worry about. I always run into sites like that, and I love Avast, it's great.

How likely is it that if a virus somehow managed to initially get past my anti-virus programs, it could further avoid detection by all three virus scanners? Also, if there was a virus on my computer, would it always show up under the running processes listed in Task Manager?

I would say it could be very likely all three could show clean but you could still have something on there. AdAware especially is not the program it used to be. Avast and Spybot both are very good programs but there ARE certain Trojans which are not picked up by those two.
No, if there IS a virus or Trojan on the computer it will not always show in Task Manager; it would have to be running at the time to show there. There are some that only run at startup and then shut down. There are others that would only run when specific programs are used, and if you don't happen to be using those programs at the time then the infection would not be running and wouldn't show in Task Manager. There are some which place themselves into your Task Scheduler and only run at specified times in order to download more infected files.
You have already run two programs which show nothing, and that is great, but since Avast did warn you then you know that you were "under attack". To be very safe I would suggest the following:
download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Reboot the computer.

Download and run a Full System Scan with HiJackThis. Save the log and post back here with the MBA-M log and the HiJackThis log.
It is better to be safe than sorry.


To cut a long post short: the answer to your question is yes, a 'virus' as you say can hide from all three scans. And no! Task Manager does not pick up ALL processes. Remember there's a BIG difference between viruses, trojans, and spyware/adware. Anyway, I'm not explaining all that. I would recommend you get a copy of Kaspersky with up-to-date signatures. I would further recommend a rootkit scanner. Rootkits are programs that are able to hide, sometimes even from the best AV. I would also recommend an advanced task manager to view all running processes.
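The two posts above make the same point: a dormant infection does not have to be in the process list, because it can sit in a Run key, a Startup folder, a scheduled task or an auto-start service and only come alive now and then. The script below is an added example, not code from this thread or from any of the tools named in it, and it targets a much newer Windows than the XP-era machines being discussed. It walks those autorun locations with standard PowerShell cmdlets (Get-ItemProperty, Get-ScheduledTask, Get-CimInstance) and flags entries whose binary is unsigned or lives under Temp/AppData. Run it from an elevated PowerShell on Windows 8 / Server 2012 or later. The caveat the rootkit post hints at applies here too: this reads the same Windows APIs a kernel-mode rootkit can hook, so a clean-looking result is not proof of a clean machine.

```powershell
# Added example (not from the thread). Enumerates autorun locations where a
# dormant infection can sit without showing in Task Manager, then checks the
# Authenticode signature of the binary behind each entry.
# Caveat: uses the same OS APIs a kernel-mode rootkit can hook.

$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry([string]$Source, [string]$Name, [string]$Command) {
    $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Registry Run/RunOnce keys (the "runs at startup then exits" case).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { Add-Entry $key $p.Name $p.Value }   # skip PSPath etc.
    }
}

# 2. Startup folders for this user and for all users.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry $dir $_.Name $_.FullName }
}

# 3. Scheduled tasks (the "only runs at set times to fetch more files" case).
foreach ($task in (Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' })) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {   # MSFT_TaskExecAction; COM-handler actions have no Execute
            Add-Entry "Task $($task.TaskPath)$($task.TaskName)" $task.TaskName ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }
}

# 4. Services that start automatically, with the binary they launch.
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }

# Extract the executable from each command line and check its signature.
# Unsigned binaries, or binaries under Temp/AppData, are flagged for a closer
# look. %SystemRoot%-style and unquoted paths with spaces are not resolved here
# and show up as NotFound (which is itself worth a look).
$entries | ForEach-Object {
    $exe = ($_.Command -replace '^"([^"]+)".*', '$1') -replace '^(\S+?\.exe)\b.*', '$1'
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'NotFound' }
    [pscustomobject]@{
        Suspect   = ($sig -ne 'Valid') -or ($exe -match '\\(Temp|AppData)\\')
        Signature = $sig
        Source    = $_.Source
        Name      = $_.Name
        Command   = $_.Command
    }
} | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The "Suspect" column is a triage hint, not a verdict: plenty of legitimate updaters live under AppData and plenty of old but harmless tools are unsigned, so each flagged entry still needs the file name looked up the way the later posts describe.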

No need for another av program, Avast is excellent.

JHolland1964, I did everything you said, I attached the two log files; can you determine if I have any more trojans / viruses from the log files? I guess it's hard to determine what the trojans on my computer have been doing this whole time; for all I know, somebody has my credit card number and passwords if they were key loggers (right?).

Is Process Explorer by Sysinternals a good advanced task manager (that's what I have now)? I had trouble following everything on it so I just use the regular Task Manager.

Your logs look good. Doesn't appear to me that you had anything which would be a password stealer on there. You don't appear to be running a firewall, unless you are running the Windows Firewall.
Now your infections were from downloaded programs...torrent downloads.
One way to avoid this of course is NOT do it. But if you must then one thing you must do is SCAN every downloaded file with your AV program AND MBA-M BEFORE opening.
Another prevention measure is to use the program SpywareBlaster. It is really a MUST have.

SpywareBlaster doesn't scan for and clean spyware--it prevents it from being installed in the first place. SpywareBlaster prevents the installation of ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.

Download, install, update and enable all. Close the program, that's it. Just check manually for updates weekly.
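The post above describes what SpywareBlaster does (stop ActiveX controls from installing, put known bad sites in a restricted zone) without saying how. The script below is an added example, not SpywareBlaster's own code, showing the two Windows mechanisms that kind of blocklist rests on: the ActiveX "kill bit" (bit 0x400 in the Compatibility Flags value under ActiveX Compatibility\{CLSID}, which stops Internet Explorer from ever instantiating that control) and a ZoneMap entry that drops a domain into the Restricted Sites zone (zone 4). The CLSID and the domain in it are placeholders constructed for the example, not real indicators. The kill bit lives in HKLM and needs an elevated prompt; the zone mapping shown is per-user. This covers the IE side only; how SpywareBlaster protects Firefox is not described on this page.

```powershell
# Added example, not SpywareBlaster's code. Demonstrates the ActiveX kill bit
# and the Restricted Sites zone mapping that an IE-side blocklist relies on.
# CLSID and domain below are constructed placeholders, not real malware IDs.

$KillBit = 0x400   # "Compatibility Flags" bit that forbids instantiating the control

function Set-KillBit([string]$Clsid) {
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit   # keep any other flags already set
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit([string]$Clsid) {
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -eq $KillBit)
}

function Add-RestrictedSite([string]$Domain) {
    # A DWORD named "*" = 4 under ZoneMap\Domains\<domain> puts every scheme for
    # that host into the Restricted Sites zone (no ActiveX, no scripting, no downloads).
    $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value 4 -Type DWord
}

function Get-SiteZone([string]$Domain) {
    $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    return (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'*'
}

# Constructed blocklist for the example; a real one holds thousands of entries.
$blocklist = @{
    Clsids  = @('{00000000-0000-0000-0000-000000000001}')
    Domains = @('adware.invalid')
}

foreach ($c in $blocklist.Clsids) {
    Set-KillBit $c
    '{0}  kill bit set: {1}' -f $c, (Test-KillBit $c)
}
foreach ($d in $blocklist.Domains) {
    Add-RestrictedSite $d
    '{0}  zone: {1}' -f $d, (Get-SiteZone $d)
}
```

Because both settings are plain registry values that nothing enforces at run time, this is exactly why the post can say the tool "uses no resources": once the values are written there is no process to keep running, and a weekly update is just a fresh batch of keys.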

Okay, thanks jholland, you've been really helpful I appreciate it. Just out of curiosity, how can you tell the trojans weren't keyloggers without looking at the source code of them?

I just go through the names given. There are many places online which will give you the particulars of these trojans, what they do, where they come from, etc. Most of the reputable av sites will give this info if you have the file name. Remember, all this has to be known before there can be a good remover developed.

Another prevention measure is to use the program SpywareBlaster. It is really a MUST have.
Download, install, update and enable all. Close the program, that's it. Just check manually for updates weekly.

Aside from being free, are there advantages to SpywareBlaster over the Protection Module in Malwarebytes' Anti-Malware (which you have to pay the registration fee in order to get)?

Ken

SpywareBlaster does NOT run in the background, therefore it uses no resources.

I would say it could be very likely all three could show clean but you could still have something on there. AdAware especially is not the program it used to be.

Actually, Ad-Aware is fantastic, as is MalwareBytes. For best results on either utility, boot your system in Safe Mode, as it gives the best hit rate and allows maximum access for the utilities to source and remove probs :)


Malwarebytes' should NEVER be run in safe mode UNLESS it is impossible to run in Normal Mode.

Safe mode doesn't let MBAM load all its drivers, which are often necessary for the best detection and removal results. MBAM works in safe mode but is crippled, so if at all possible it should be used in normal mode in an admin account.

MBAM is designed to work in normal mode. It's simply most effective when run this way. Other tools like Spybot Search & Destroy work pretty much the same in normal mode vs safe mode, but MBAM does not and that's the most important thing to remember. Nothing bars you from using it in safe mode, but the results just probably won't be as good as they would if run from normal mode.
MBAM is stronger from regular mode. This is by design, as a lot of new malware runs from safe mode also, so you gain nothing anyway. There are also multiple infections that, as part of their first step, blow away the entire safeboot keyset.

What exactly is the difference between booting in Safe Mode vs. booting in Normal Mode?

Malwarebytes' should NEVER be run in safe mode UNLESS it is impossible to run in Normal Mode.

Sorry, but experience has shown me otherwise. Personally, in most serious cases, I tend to run both in normal Admin boot, then re-run in safe mode to finish off.

And yes, some malware tries to disable Safe Mode, but there are usually ways to get around it (setting boot in safe mode from MSConfig, for starters, is often still available if the usual F8 option is disabled).

Normal mode is how you boot your computer all the time. All your drivers are loaded, your anti-virus program and firewall will be loaded and running, display adapters and audio adapters will be fully functional.
In safe mode, you have access to only basic files and drivers (mouse, monitor, keyboard, mass storage, base video, default system services, and no network connections). There is also a safe mode with networking available, which would allow you to access the internet while in safe mode. Of course this leaves the computer unprotected, but at times this may be necessary, as there are some infections which will prevent the download and install of the clean-up tools needed to rid the computer of infection. By booting to safe mode, very often these infections cannot start up either, and therefore you can download the necessary clean-up tools.

Sorry, but experience has shown me otherwise. Personally, in most serious cases, I tend to run both in normal Admin boot, then re-run in safe mode to finish off.

And yes, some malware tries to disable Safe Mode, but there are usually ways to get around it (setting boot in safe mode from MSConfig, for starters, is often still available if the usual F8 option is disabled).

The information I have given concerning the proper usage of Malwarebytes' comes directly from the Malwarebytes' forum on the proper usage of their tool.

http://www.malwarebytes.org/forums/index.php?showtopic=9991&pid=48828&mode=threaded&start=#entry48828

http://www.malwarebytes.org/forums/index.php?showtopic=18813&pid=96391&mode=threaded&start=#entry96391


I'm aware of that - thus the preference to run in both modes. While yes some malware now loading in Safe Mode, a large number of the core system processes they would normally lock into are not running, making removal easier.

I have to agree with Judy regarding MBA-M and Safe mode. She is correct in stating that if at all possible it should be run in Normal Windows boot.

Of course, working in Safe Mode does offer advantages for other tools as well as for manual removal.....

Sorry, but experience has shown me otherwise. Personally, in most serious cases, I tend to run both in normal Admin boot, then re-run in safe mode to finish off.

I believe you have that backwards ;) In serious cases it is often necessary to start in Safe Mode first.

And yes, some malware tries to disable Safe Mode, but there are usually ways to get around it (setting boot in safe mode from MSConfig, for starters, is often still available if the usual F8 option is disabled).

This is bad advice, period. Please see CJ's comments about forcing Safe Mode and why it is a bad idea to do so:

http://www.dslreports.com/forum/r18150258-Dont-Force-Safe-Mode-on-Infected-PC

BTW: I do not mean to come off as a hectoring know-it-all ;)
A lot is "lost in translation" in a forum setting. It's just that I've been doing this for a lot of years and have seen a lot of bad advice in "open" forums such as here at Daniweb.

Heck, I've given my share of bad advice in the past - I used to tell people to disable System Restore before beginning the malware cleaning process. Thankfully, my friend Blender at SpywareWarrior was able to talk me out of that ill-conceived notion.... LOL! All she said was: An infected Restore Point is better than none at all.......

Cheers All :)
PP

It's ok PhilliePhan, some people think they know better than the manufacturers :).

I'm aware of that - thus the preference to run in both modes. While yes some malware now loading in Safe Mode, a large number of the core system processes they would normally lock into are not running, making removal easier.

If you were aware of it, you should not have posted the opposite.

It's ok PhilliePhan, some people think they know better than the manufacturers :).

No, sometimes it just helps to think beyond their scope at times (not always, but at times). As I did mention, I do run in tandem with Ad-Aware, so what one misses the other catches.

I have to agree with Judy regarding MBA-M and Safe mode. She is correct in stating that if at all possible it should be run in Normal Windows boot.

Of course, working in Safe Mode does offer advantages for other tools as well as for manual removal.....

Was very interesting to note the MSConfig method of forcing Safe Mode now only recommended for XP... which is probably the last time I had to force Safe Mode in that manner (well, with the exception of a couple of early Vista hiccups). Will take that on board.

I believe you have that backwards ;) In serious cases it is often necessary to start in Safe Mode first.

I've heard others take that preference, but had more success hitting in normal boot first, then in Safe Mode (minimal processes). I s'pose the logic being that in Normal Boot both utilities get to catch the active processes, and then re-booting directly in Safe Mode allows a final clean-up before the malware has the chance to re-populate.

This is bad advice, period. Please see CJ's comments about forcing Safe Mode and why it is a bad idea to do so:
http://www.dslreports.com/forum/r18150258-Dont-Force-Safe-Mode-on-Infected-PC

Again, point taken :) Although I am actually curious as to whether the tactic of hitting malware first in Full Boot might not be why I haven't encountered a failure to re-boot in Safe Mode.

LOL! It looks like we have hijacked this thread and turned it into a nice little discussion. Not that that is a bad thing – too often these discussions take place behind the scenes in the admin threads of various forums. Maybe crunchie can break this off into a new thread?

It's ok PhilliePhan, some people think they know better than the manufacturers

That’s too true!
However, to play the devil’s advocate for a minute, many of us who are “self-taught” often used to prefer operating in Safe Mode (I imagine this holds true for you as well). And many of the scanners we used to use were more effective in Safe Mode. But, the times and the tools and the malware have changed.

No, sometimes it just helps to think beyond their scope at times (not always, but at times). . . .

You are absolutely right – Thinking outside the box is always good. “Back in the day” –LOL- we needed to do that a lot. One of the reasons I have stopped volunteering as much in forums is that the process has become boring:

Run MBA-M.
Run ComboFix.
Clean stragglers.
Rinse and repeat.

Boring for helpers, but absolutely great in simplicity for people with malware on their compys.

In the days before ComboFix/VundoFix/SmitfraudFix/LooktoMeFix and all the others, we ripped the baddies out manually kicking and screaming. There were a few baddies that took months to find a cure for.....

I remember some of the baddies (and I'm sure crunchie does as well) and how we had to battle them on the fly, often chasing ghosts or our own tails – Have a look at some of these threads (and see some of my bad System Restore advice on display):

VX2 - before a removal tool was developed:
http://forums.majorgeeks.com/showthread.php?t=49886

Wareout - the first time I saw it and long before Lonny developed his removal tool:
http://forums.majorgeeks.com/showthread.php?t=68734

Haxdoor - before anybody knew what it was:
http://forums.majorgeeks.com/showthread.php?t=54566

It is a whole different process these days and not nearly as challenging.....

Was very interesting to note the MSConfig method of forcing Safe Mode now only recommended for XP... ..
...... and then re-booting directly in Safe Mode allows a final clean-up before the malware has the chance to re-populate. . . . .
. . . .curious as to whether the tactic of hitting malware first in Full Boot might not be why I haven't encountered a failure to re-boot in Safe Mode......

-- You should not force Safe Mode in XP.
-- If you can hit the malware in Normal boot, no real reason to try again in Safe Mode.
-- The re-populate argument for Safe Mode after cleaning is a bit weak, don't you think ;)
-- Whether you get the malware or not has no bearing on Safe Boot and the registry, as those keys have already been altered by the malware. The keys won't magically revert to normal or restore themselves upon removal of the offending malware (unless you ran a tool that repairs/restores the re-written or deleted keys, of course).

Cheers All :)
PP

I absolutely hated L2M infections. If the poster rebooted or had a bsod before you got all the files, they just re-populated :). I had some fixes going for weeks :(.


Yes - I remember that well. Another of the tricky "multi-step" fixes that could go on for a week, even with Atri's L2Mfix....
Do you have a "favorite" malware? LOL!
I remember the early Vundo when it was delivered as drive-by StopGuard downloads. I managed to work out a nice fix procedure for those well before any of the tools were developed - That was fun because we actually had to do so much by hand that you really felt as though you were accomplishing something as opposed to having somebody run an "all-encompassing" tool such as MBA-M or ComboFix which do all the work for you, for the most part....

PP :)

-- If you can hit the malware in Normal boot, no real reason to try again in Safe Mode.
-- The re-populate argument for Safe Mode after cleaning is a bit weak, don't you think ;)

Maybe not the best explanation, but seriously.... I have faced infections where, having run BOTH MWB and Ad-Aware in full boot (with Admin), they claim they have detected and pulled out everything; reboot in safe mode, run them again, and guess what... they both pick up extra pieces. My first experiment with this method was dealing with that blasted MyWebSearch f@cker!

I have hit a few bugs along the way where this also proved true. I know that the majority of the time running just the once in full boot is sufficient, but I have just learnt to be extra cautious (yes, maybe paranoid, but there you go).

...have faced infections where, having run BOTH MWB and Ad-Aware in full boot (with Admin), they claim they have detected and pulled out everything; reboot in safe mode, run them again, and guess what... they both pick up extra pieces. ....

I do not think we are talking about the same types of malware.

I think I might have misunderstood you - At the very least, we are operating with different ideas of what the malware cleaning process entails.

Merely running multiple scanners, whether in Safe Mode or not, is insufficient to clean many infected machines. Granted, MBA-M is the best scanner/remover to come along in a long time (the last one I liked was EWIDO - it was waaaay better than AdAware and Spybot at the time), but I would venture that if you had a heavily infected machine and used your scanners, there would still be malware on board. If you then ran ComboFix, I bet it would find and remove additional baddies and still miss some, though it is likely they would show up in the log and could then be dealt with via a script for ComboFix.

Before MBA-M, it was rare for tools such as AdAware and Spybot, etc... to be able to keep up with baddies such as the ones crunchie and I discussed. Very specified tools (smitfraudFix, for example) were needed. AdAware and SpyBotSD were useless. I really have no confidence in AdAware - especially since their white-listing of objectionable items a few years back.

Also, these scanner/removers often left orphans and remnants in the registry and elsewhere - A tool is only as good as its DB and definitions.
Really, I still believe the best mode of cleaning is to have a knowledgeable person look over a few basic scanlogs, such as DDS below.....

Along those lines, I am surprised we here at daniweb rely on HJT - its best days are behind it ;)
I preferred the now defunct Deckard's System Scanner. Better yet, I'd use DDS by sUBs:
http://download.bleepingcomputer.com/sUBs/dds.scr

Cheers :)
PP
