3

I wanted to remove a probably malicious executable, but instead inadvertently double-clicked on it while using an account with administrative privileges. Nothing visible happened during a few seconds, then the executable removed itself (something a legitimate executable wouldn't probably do).

My next steps were:

  • Ensuring Avast definitions are up to date.
  • Disconnecting the machine from LAN to avoid affecting other machines.
  • Doing a full scan with Avast; this revealed no viruses.
  • Checking for suspicious entries with Sysinternals' Autoruns: I don't see anything wrong there.
  • Trying to run Sysinternals' RootkitRevealer, but it won't run on Windows 8.
  • Runing Sophos Anti-Rootkit and Kaspersky TDSSKiller. No rootkits found (Sophos Anti-Rootkit found a bunch of hidden registry keys and hidden files, but those are likely to be legitimate files).
  • Checking services.msc; given the number of services, it's difficult to check if all are legit.
  • Running sfc /scannow. Nothing wrong there: "Windows Resource Protection did not find any integrity violations."
  • Watching resources usage for a few minutes. Looks like there is nothing exceptional either.
  • Checking the list of Chrome extensions. Nothing wrong there. Internet Explorer is not installed, so nothing to check there.

It looks like the PC wasn't infected, but I'm still scared to reconnect it to company domain. I would like to avoid reinstalling Windows, since it would annoy a lot the person using the concerned machine.

What should I try next?

Community
  • 1
Arseni Mourzenko
  • 4,644
  • 6
  • 20
  • 30
  • 3
    I highly recommend scanning with a Rescue Disk, check this answer http://security.stackexchange.com/questions/66949/how-can-i-tell-if-i-have-the-citadel-virus-without-downloading-an-antivirus/66950#66950 – Ulkoma Oct 13 '14 at 17:32
  • @Ulkoma: in the question you linked, the person can't install an antivirus. Would a rescue disk have a benefit in my case where I already have an antivirus? – Arseni Mourzenko Oct 13 '14 at 18:35
  • 2
    Yes, the biggest advantage of using a rescue disk is scanning your system while it's inactive, the virus can't hide itself when you are scanning an inactive system disk – Ulkoma Oct 13 '14 at 18:55
  • @Ulkoma: got it. Thank you, I'll do such scan as well. – Arseni Mourzenko Oct 13 '14 at 19:43
  • Might want to give GMER a shot, as well as TDSSKiller. Also, check scheduled tasks and look for files that have been hidden (by marking them as hidden or essential to the OS, or through more advanced means like ADS). Ensure your firewall is up and properly configured... – KnightOfNi Oct 13 '14 at 23:53
  • @KnightOfNi: you may want to post this as an answer instead of a comment. – Arseni Mourzenko Oct 14 '14 at 00:26
  • @MainMa Yeah, it started smaller, but then I kept thinking of things... The thing is, that is by no means a complete procedure, and I don't want to imply that it is by calling it an answer. Those are just things you can do... – KnightOfNi Oct 14 '14 at 00:30
  • Norton Power Eraser is another idea that comes to mind. – tlng05 Oct 14 '14 at 02:01
  • How did you discover the "virus"? Is Avast already installed before the infection? And did it warn you about it? – Question Overflow Oct 14 '14 at 02:08
  • @QuestionOverflow: Avast was already installed. There were no warnings. I discovered the virus because the user of the machine alerted me that a suspicious file was downloaded when she was browsing a website. – Arseni Mourzenko Oct 14 '14 at 02:23
  • 2
    If you haven't done any write operation, it may still be possible to recover the deleted file to analyse what it does. Further, you might want to check the recently accessed and modified time of all your files to look for any changes. If egress logging is done, you can also check for any data ex-filtration to suspicious IP address. – Question Overflow Oct 14 '14 at 10:23
  • Was UAC enabled on your computer? – Mints97 Mar 03 '15 at 10:49

2 Answers2

2

All the steps you have taken are valid steps for malware-removal.

I suggest, to be 100% sure, you download and use (via a USB is good enough) the program Malwarebytes (the free version is extremely powerful, the "full" version only adds "24/7" protection if booted).

An other program that is handy to have in possession, and use in this case, is our old-school Hitman Pro, a really powerful "Second Opinion" program that is included in a lot of Rescue/boot discs (think of Hiren's Boot Disc as example).

If all those lights show green, I wouldn't worry too much about it, of course, whether or not a PC is infected is always a question, there are always chances you are infected with malware that escapes software, that's the reason why you should always scan/remove with more than one program!

kalina
  • 3,354
  • 5
  • 20
  • 36
Lighty
  • 2,368
  • 1
  • 23
  • 36
1

All right, if you're on Windows 8, and if you have UAC enabled, you have good chances to kick the bastard out manually.

From what you're saying, if you have UAC enabled, the virus didn't get admin rights. In that case, looking for rootkits and out-of-place services is not very useful (though if you've got as much services running as you say, mind, some of them might need to be cleaned out, but that's not important).

What did the virus do if it didn't have admin rights? Well, the answer is obvious - write itself to autostart with your user account!

The most usual way to do this is creating a reg key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run (sometimes HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run or Software\Microsoft\Windows\CurrentVersion\RunOnce in HKCU or HKU\.Default if you're dealing with an idiot). There isn't usually that much keys in there, you shouldn't have much trouble finding the nastie.

If you're dealing with an exceptionally brilliant kind of a malware author, take a look at C:\Users\<Your user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (or just hit shell:startup in Run). That'll take you to the Startup folder.

Another nice place to look would be (don't laugh, it works) the Autostart tab in Task Manager. Also, in the task manager, go through the list of all running processes - chances are very, very high your virus is in the list.

If you can get the original file, I bet many people here (myself included) can take a look and say where did it set itself up for autostarting.

Mints97
  • 1,241
  • 9
  • 8