How do I definitively tell if my computer is virus-free?

I’m running Windows Vista on an ASUS G50v laptop, with AVG as my antivirus. Now I don’t install unknown programs, or run files I got from untrustworthy sites, but over the last two days AVG has caught two separate trojan horses, one a generic trojan 1.akyq, and just now FakeAV.COX. Now AVG claims to have safely gotten rid of both, but I’m worried that there’s something it isn’t catching lurking under the surface.

But am I being paranoid? I don’t want to reformat if I don’t have to, so is there any way I can check to be halfway certain that I’m not running around with an infected comp? Or can I trust AVG?

If AVG has found the viruses, and you’re not seeing any unusual behavior (FakeAV lets you know its presence immediately, by telling you that you’re infected with dozens of viruses), then you’re clean.

The only unusual behavior I saw was that Adobe Reader 8 crapped out and simply would not work, in the browser or with homegrown pdfs. So I uninstalled and reinstalled it and everything works fine.

So I suppose I’m clean, thanks! :) Now I just have to figure out where on earth I picked both trojans up in the first place.

You can download, install and scan with Malwarebytes’ Anti-Malware and Super Anti-Spyware free editions. Before I log off, I do a quick scan with both to make sure my AV didn’t let anything through. Any unusual items will be placed in quarantine. However, before you delete anything, if you’re unsure whether the item is malware, I recommend posting on their forum as false positives can happen.

Also, you should do a complete scan of your computer with AVG and maybe the other two programs. It may take time, so do it when you plan to be away from your computer for a while.

MBAM

SAS

You can’t absolutely guarantee that your computer is virus-free. AV writers are constantly playing catch-up.

But if you do a check with a well-regarded app like Malwarebytes in Safe Mode with Networking, then you can be as confident as is reasonably possible.

PS Adobe Reader is up to v9. :)

If you remove and discard the hard drive you can be reasonably confident.

Is it true that some of them can hide in the BIOS even then?

Adobe Reader is a major portal for malware infection. Major. Upgrade to the newest version now. Better yet, use an alternate PDF reader program. I’m currently trying Foxit Reader. (But not too happy. It kept trying to install toolbars and other crap during install despite me clicking on “no” at every chance. If someone can recommend a good PDF reader, let me know.)

Also, update Java and any other programs that you use online.

The closest one can get to being 100% virus-free is to completely wipe the HD, install the OS from the original disks and not connect to a network.

Programs I regularly use to check on things: Malwarebytes, Hijackthis and RootkitRevealer (from SysInternals). The latter is really for experts though as it takes some knowledge to understand what’s really bad or not.

Personally I’d be more concerned about how I managed to acquire a virus in the first place than whether it’s still there.

You don’t have to be quite that extreme: merely wiping all your partitions and reinitializing them and reformatting them will be enough. The highest security people will reinstall their OS quite often.

And, while viruses can get in your BIOS, it’s very unlikely except if you’re deliberately trying to flash it. And, even then, the audience for that kind of hack is so small that it almost never happens.


Having said all that, OP, to be reasonably sure: Run a bunch of scans, including ones from boot CDs, as those will not be affected by a rootkit.

If you have your data backed up, and don’t mind reinstalling programs, you can even just reformat and reinstall. Unless the virus is in your backup, so scan that really well, and try to save mostly files that can’t contain viruses.

Best and only sure way is to use hardware. You might check with your IT dept. If the PC is used at home and you use it for some office work they should check it for you.

My employer lets employees bring in home PCs. They don’t fix them. But, they use a packet analyzer and some other hardware to see if the PC is safe to use on our network. Malware typically reaches out and makes connections. For example, keyloggers record passwords on their host site. Malware loves to phone home. A packet analyzer will catch it.

Biggest issue we run into is machines used to host torrents or porn. Hackers love to find unprotected machines to host their stuff. We’ve even found it on a few of our office computers. A company can lose a lot of bandwidth that way. Network was compromised and they got in. Our logs show attempted break-ins almost every day. The battle never ends.

Ah, but can you guarantee that your installation set isn’t infected? :)

Really?

Sometimes the anti-virus software gives fake warnings because its virus definitions are too generic.

If you are sure that you haven’t installed any dodgy software and that you ARE NOT running as the administrator, then it could likely be a false positive.

If you are skilled, you could use Wireshark on another computer on the same network as you to monitor the internet traffic over the network and see if there is anything suspicious.

I would recommend that you run a scan with TDSSKiller; this type of rootkit is commonly found with FakeAV infections and virus scanners don’t pick up on it.

I ran TDSSKiller with no results, so I suppose that’s a good thing. The FakeAV trojan in particular surprised me, since I had no symptoms even before I removed it; I had been under the impression that the FakeAV family of viruses was pretty obvious about screwing with your toolbars and trying to get you to buy or install their service.

If I wanted to be a real stickler about it (and why the hell wouldn’t I?) I’d note that, in theory, you can never really be sure, simply because you can’t generally decide the function of any given algorithm. Because, if you associate some function of an algorithm with ‘virus-ness’ – doing whatever bad thing it is that viruses do –, and you have a program that infallibly checks whether or not a given algorithm has this function, then you can use this program to construct a halting checker, i.e. a program that infallibly decides whether or not a given algorithm will halt, or run forever; and such a thing is not allowed, by the undecidability of the halting problem. How would you do that? Simple – you write a program P that does two things: 1) Call up the algorithm (call it A) whose halting you’d want to check, and 2) execute the function you associate with virus-ness (obviously, that works as well for any other function an algorithm might perform). P now is a program that performs the virus-function only if the program it calls up in step 1) halts; and hence, if you can check whether or not it performs the virus-function, you can implicitly check whether or not A halts: If P performs the virus-function (or whatever other function you have a checker for), then A halts; if P doesn’t perform the virus-function, then A runs forever.

Not that this has especially much to do with the thread – with the virus checks routinely performed, you’re very probably fine –, but I always thought that it is interesting that such a basic task – reliably checking whether or not a given program acts maliciously, or indeed, computes the square root of 3 or adds two numbers etc. – is actually fundamentally impossible.
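The reduction sketched in the post above, as an added toy model that is not part of the original thread: an "algorithm" is a Python generator that yields once per step, the "virus-function" is a marker it may yield, and the only virus checker that can actually be built is a bounded one. Feeding the post's construction P through that checker gives a halting decider that is exactly as fallible as the checker, which is the point the argument makes.

```python
from typing import Callable, Iterator

# Constructed model: an algorithm is a function returning a generator that yields
# STEP once per step and returns when it halts. Yielding VIRUS stands for
# "performing the virus-function" that the post associates with virus-ness.
STEP, VIRUS = "step", "virus-function"
Algorithm = Callable[[], Iterator[str]]

def count_to(n: int) -> Algorithm:
    """An A that halts after n steps."""
    def A():
        for _ in range(n):
            yield STEP
    return A

def loop_forever() -> Iterator[str]:
    """An A that never halts."""
    while True:
        yield STEP

def build_P(A: Algorithm) -> Algorithm:
    """The post's construction: P (1) calls up A, then (2) performs the virus-function.
    P therefore exhibits the virus-function exactly when A halts."""
    def P():
        yield from A()   # step 1: if A runs forever, step 2 is never reached
        yield VIRUS      # step 2: the behaviour a virus checker would flag
    return P

def bounded_virus_checker(prog: Algorithm, budget: int) -> bool:
    """The only kind of checker that can exist: it watches at most `budget` steps and
    reports whether the virus-function was observed. 'Not seen yet' and 'never'
    are indistinguishable to it."""
    for i, marker in enumerate(prog()):
        if marker == VIRUS:
            return True
        if i + 1 >= budget:
            return False     # budget exhausted: prog may or may not still halt
    return False             # prog halted without doing the virus-function

def decides_halting(A: Algorithm, budget: int) -> bool:
    """Halting checker obtained from the virus checker via build_P. An infallible
    virus checker would make this infallible, contradicting the halting problem;
    a bounded checker makes it exactly as fallible as the checker itself."""
    return bounded_virus_checker(build_P(A), budget)

if __name__ == "__main__":
    print(decides_halting(count_to(3), budget=100))    # True: A halts within budget
    print(decides_halting(loop_forever, budget=100))   # False: A never halts
    print(decides_halting(count_to(1000), budget=10))  # False, and wrong: budget ran out
```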

This isn’t really a guarantee, just an additional layer of security. A packet analyzer MAY catch malware signatures if it knows what to look for, but it’s not foolproof. For example, malware could use Gmail accounts and log in over HTTPS and to the packet sniffer it would look no different than the user logging in to check their email. That’s just a very simplistic example.

As for other hardware, what do they use? I have a hard time imagining anything that could detect, broadly, “virus-like behavior” with 100% certainty.
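An added example, not from the thread, of the kind of check a packet analyzer runs against "phoning home" and of the limit described above: it parses a constructed connection log and flags destinations contacted at near-constant intervals, which is how a beacon looks on the wire. The webmail-over-HTTPS flows in the same log are deliberately not flagged, because with ordinary timing they are indistinguishable from the user reading email. The log, the addresses and the thresholds are all constructed for this example.

```python
import statistics
from collections import defaultdict

# Constructed connection log (not real traffic): epoch seconds, destination IP, port.
# Group 1 contacts an unfamiliar host every 60 s exactly, as a beacon would.
# Group 2 is a person browsing. Group 3 is webmail over HTTPS at human-like
# intervals: the case the caveat above is about, indistinguishable from the user.
CONSTRUCTED_LOG = """\
1000,203.0.113.7,443
1060,203.0.113.7,443
1120,203.0.113.7,443
1180,203.0.113.7,443
1240,203.0.113.7,443
1300,203.0.113.7,443
1005,198.51.100.20,443
1011,198.51.100.20,443
1190,198.51.100.20,443
1900,198.51.100.20,443
1903,198.51.100.20,443
1030,198.51.100.44,443
1200,198.51.100.44,443
1260,198.51.100.44,443
1700,198.51.100.44,443
1790,198.51.100.44,443
"""

def parse_log(text):
    """Group connection timestamps by (destination, port)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, dst, port = line.split(",")
        flows[(dst, int(port))].append(int(ts))
    return flows

def beacon_candidates(flows, min_conns=5, max_jitter=0.1):
    """Return (destination, mean interval) for hosts contacted at near-constant
    intervals. Jitter is the coefficient of variation of the gaps between
    connections; automated beacons keep it low, people do not."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue                      # too few connections to judge periodicity
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((key, round(mean, 1)))
    return sorted(hits)

if __name__ == "__main__":
    print(beacon_candidates(parse_log(CONSTRUCTED_LOG)))  # [(('203.0.113.7', 443), 60.0)]
```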

You can’t be sure. None of us can. Hell, for all I know there are rootkits on every computer system out there embedded in the CPU’s memory. You can never be sure, unless you designed every component yourself and built your own computer and never allowed it to touch the internet…