Trevor said:
I have a second pc that I use with a home theater system. The other
day I finally got around to putting an anti-virus program on, had been
running fine for over two years without it, no viruses or popups.
Downloaded avg from download.com.
Two DAYS after installing, and there's a firestorm of
malware/scareware/ransomware on the machine. Didn't install anything
else. The system has always been fully patched Windows update wise.
Only rational reason I can come up with is that there was something
lurking on the machine, and that installing avg activated the malware
somehow...maybe defending itself?
Paranoid reason is that avg and/or download.com have been compromised.
Anyone had any problems with them, or heard of such a thing?

I would sooner assume *your* machine was compromised, than assume a
major web site was.
Major web sites *do* get hacked. The main page at Asus was hacked a few
years back, and was handing out some kind of viral payload. I think the
MSI site suffered from the same thing, and I did get something from them.
So it does happen. It probably gets the most publicity, if tons of users
immediately notice what has happened. And then it cannot be swept under the rug.
I suspect a good number of compromise situations are from legit sites
that got hacked.
Occasionally, commercial media (the driver CD that came with something,
the installable software or the like) will have something viral on the
CD. So that kind of thing has happened too. Even some hardware devices
have shipped with viruses on them.
Maybe you could give MBAM a try, and see what it manages to find. MBAM
apparently runs best booted in regular Windows mode. The most trouble
you'd have is in cases where the malware won't let MBAM run.
Or, you could use one of the Linux LiveCD based scanners. There is
one from Bitdefender and one from Kaspersky. (And a third package, you
could run on any other Linux LiveCD environment you might have.) So that is
another approach to finding the culprit.
First, disconnect the compromised machine from your network.
Using a clean machine, burn this ISO9660 file using something like
Nero or Imgburn (to make a bootable CD), and then boot the CD on the infected
machine. And see what it digs up. The program on the CD will use DHCP
to get an IP address on the infected computer, and then go to the Internet
to get 27MB of virus definitions. As long as the infected machine can
reach the Internet without any complicated login procedures or the like,
you shouldn't have a problem with it getting the automated downloads.
The only thing to be careful with here is that when a Linux LiveCD quarantines
Windows files, it may store them on a RAM disk rather than on one of the
hard drives. If you need the files to be able to get the OS booted later,
you may want to save those quarantined files. Or you may recognize you're
in a lot of trouble if, for example, "userinit" ends up in quarantine.
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
23 Jun 2009 10:05:01 119701504 kav_rescue_2008.iso
I keep a packet sniffer running all the time, and if some malware is
stupid enough to immediately kick up a fuss, I can walk back through the
log and check to see where the "t=0" event is. But with the better
quality malware snoozing and waking later, there is no guarantee
you'll be able to correlate what happened to your surfing habits.
It could have happened ten seconds ago, or a month ago.
Oh, and ask me how secure I feel, using a computer for financial things.
There is no banking done on this machine... A PC is a leaky bucket, with
extra holes drilled in it to enhance the leak rate.
Happy bailing,
Paul