Anyone knows good help site in malware issues?


Ianna42

Guest
Recently I had to reformat my hard drive because something moved into my Documents and Settings folder, an exe that ran itself with startup. None of my installed antivirus software recognized it and I decided not to take my chances with staying online. I've backed up all my stuff, so nothing is lost. Problem is, now I'm still freaking, although the exe didn't show up. I don't dare to use my external hard drive. I installed nothing on that, ever, but I'm scared that thing did. I feel I need some info on whether I'm safe and what the heck it was in the first place. Can someone please help me? Does anyone know a trustworthy and *free* board or site where I can ask people more knowledgeable than me in malware issues?
 
Funny, it never occurred to me that CNet had a forum. I asked them, hopefully someone can guide me to some kind of an answer. Thanks for your help!
 
Recently I had to reformat my hard drive because something moved into my Documents and Settings folder, an exe that ran itself with startup. None of my installed antivirus software recognized it and I decided not to take my chances with staying online. I've backed up all my stuff, so nothing is lost. Problem is, now I'm still freaking, although the exe didn't show up. I don't dare to use my external hard drive. I installed nothing on that, ever, but I'm scared that thing did. I feel I need some info on whether I'm safe and what the heck it was in the first place. Can someone please help me? Does anyone know a trustworthy and *free* board or site where I can ask people more knowledgeable than me in malware issues?

What exactly do you mean "although the exe didn't show up" ? Was it there, and now it's gone, or do you mean it's not in the stuff you backed up because you didn't put it there. Could be malware w/a rootkit now hiding it.

ProTip: If you need to back up your data from one Windows box to another due to suspected virus infection, simply boot a live Linux CD on a separate PC, mount your hard drive through Linux (you can use your external too), then share your desired drive letters through Windows and mount them on the running Linux. Then you can simply do a network transfer of your files without the fear of malware infecting your external HD.
 
What exactly do you mean "although the exe didn't show up" ? Was it there, and now it's gone, or do you mean it's not in the stuff you backed up because you didn't put it there. Could be malware w/a rootkit now hiding it.
It was there in my previous install of Windows XP under my usual username. It was linked to my login, because it was in my Docs&Settings (\username) and ran unstoppably under my processes. When I created a new login - no reformatting -, it wasn't a running process, and there was no instance of the exe file in my Docs&Settings. Then, I reformatted my drive, after I saved my non-system related directories to an old external drive, that wasn't plugged in at the time of the infection. Ran multiple scans on them. The results were negative. Also, among the files in question, nothing was modified during the time of infection, according to Total Commander. I didn't open any installers or html-type files from my old drive, just in case. There is no similar process running now, and no exe file anywhere, hidden files included. Since then, I have scanned my usual external drive (the one I had plugged in when the infection happened) from a different, restricted access username, and it looked fine. Not like I trust this too much anymore, so I touched nothing from it.
ProTip: If you need to back up your data from one Windows box to another due to suspected virus infection, simply boot a live Linux CD on a separate PC, mount your hard drive through Linux (you can use your external too), then share your desired drive letters through Windows and mount them on the running Linux. Then you can simply do a network transfer of your files without the fear of malware infecting your external HD.
Sound advice for saving data, but what stops the malware from hiding in any of my files and returning when I go back to Windows XP?
 
It was there in my previous install of Windows XP under my usual username. It was linked to my login, because it was in my Docs&Settings (\username) and ran unstoppably under my processes.

Sounds like it made itself a service and started when you logged in.

When I created a new login - no reformatting -, it wasn't a running process, and there was no instance of the exe file in my Docs&Settings.

That's because when you created the new profile a new folder for your user is made.


Then, I reformatted my drive, after I saved my non-system related directories to an old external drive, that wasn't plugged in at the time of the infection. Ran multiple scans on them. The results were negative. Also, among the files in question, nothing was modified during the time of infection, according to Total Commander. I didn't open any installers or html-type files from my old drive, just in case. There is no similar process running now, and no exe file anywhere, hidden files included. Since then, I have scanned my usual external drive (the one I had plugged in when the infection happened) from a different, restricted access username, and it looked fine. Not like I trust this too much anymore, so I touched nothing from it.

As long as you're not executing code based off of executables in your compromised backup you will most likely be fine (i.e., running a version of explorer.exe you might have backed up).

Sound advice for saving data, but what stops the malware from hiding in any of my files and returning when I go back to Windows XP?

Nothing "stops" malware from hiding in those files, you just need to be wary when executing programs (opening an Office document, using un-patched software to view media). There are ways of avoiding execution of platform-specific code by opening said files in known good sandbox environments. Virtual machines are awesome for this.
 
Sounds like it made itself a service and started when you logged in.
That's what I figured. I'm a lot more worried that the file was just the tip of the iceberg. All the scanners, offline and online say that my drive is fine now. I guess it would have copied the exe into the new login, if it could - but I don't like taking risks like that. Maybe I'm paranoid - in over 12 years, this is the first time I was infected with anything worse than tracking cookies.
As long as you're not executing code based off of executables in your compromised backup you will most likely be fine (i.e., running a version of explorer.exe you might have backed up).
It never even occurred to me to save any files like that. Nothing system related. Wiped all that clean.
Nothing "stops" malware from hiding in those files, you just need to be wary when executing programs (opening an Office document, using un-patched software to view media). There are ways of avoiding execution of platform-specific code by opening said files in known good sandbox environments. Virtual machines are awesome for this.
I didn't mean actually 'stops' when I said stops, I know it can still hide somewhere, so I'm checking everything as deep as possible. It's more like I don't know what types of files this particular malware can attack (since I don't know what it was), and I'm trying to find out what is safe to keep. Gonna check out sandboxes, although adding a Ubuntu partition (something I've been planning and delaying for years now) to my drive also occurred to me. Not sure if that would help, though.
 
Ctrl+Alt+Del and go to the Processes tab. Go to www.processlibrary.com, plug them in and it will tell you what they are and if they are safe or harmful.

I've done that for .exe's I was unsure of.
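An added triage example, not posted by anyone in this thread: it checks autostart entries the way the replies above reason about them (HKCU Run keys and a profile's Startup folder only fire for that user's logon, which is why a fresh login ran clean) and flags executables that live under Documents and Settings or borrow a core Windows binary's name. The sample entries, user name "alice" and paths are constructed for illustration.

```python
import re

# Constructed sample of per-user and machine-wide autostart entries, in the shape a
# defender would collect from the Run keys and Startup folders of a Windows XP box.
# Each entry is (location, launch string). All values are made up for this example.
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctfmon",
     "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "\"C:\\Documents and Settings\\alice\\svchost.exe\" -s"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AVTray",
     "\"C:\\Program Files\\SomeAV\\tray.exe\" /min"),
    ("Startup folder (alice)",
     "C:\\Documents and Settings\\alice\\Application Data\\helper.exe"),
]

PROFILE_ROOT = "c:\\documents and settings\\"
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Core Windows binaries whose names malware commonly borrows; the real ones live
# under C:\WINDOWS, so the same file name anywhere else is a red flag.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def image_path(launch: str) -> str:
    """Pull the executable path out of a launch string, honouring quotes and spaces."""
    launch = launch.strip()
    if launch.startswith('"'):
        end = launch.find('"', 1)
        return launch[1:end] if end > 0 else launch[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", launch, re.IGNORECASE)
    return m.group(1) if m else launch.split()[0]

def scope(location: str) -> str:
    """HKCU keys and a profile's Startup folder only run at that user's logon."""
    loc = location.lower()
    return "per-user" if loc.startswith(("hkcu\\", "startup folder")) else "all-users"

def classify(path: str) -> str:
    """Verdict for one image path: ok, review, or one of two suspect categories."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
        return "suspect-masquerade"
    if p.startswith(PROFILE_ROOT):
        return "suspect-profile-dir"
    if not p.startswith(TRUSTED_ROOTS):
        return "review"
    return "ok"

def triage(entries):
    """Return (location, scope, image path, verdict) for every autostart entry."""
    return [(loc, scope(loc), image_path(cmd), classify(image_path(cmd))) for loc, cmd in entries]

if __name__ == "__main__":
    for row in triage(SAMPLE_AUTORUNS):
        print(" | ".join(row))
```

Anything reported as suspect is a candidate for hashing and a lookup on a process/file reputation site like the one mentioned above, not proof of infection on its own.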
 
