Roy said:
I am not sure, but it looks like I have more Advertisements on my IE
now that I have installed AVG. Each time I do a search....ads at the
top and ads at the bottom.
Eh? What's that?
Wow, that was a quick response.
You are right, it did change my search engine.
Well, I am glad I realized the answer before posting the question
here.
AVG ( the free version ) changed my search engine from google to
something else "Powered by Google." So I saw the google Icon and
figured I was still on google.
So just a heads up.
And yes, I do know it is a free version and the ads pay for the cost &
we should support the companies or they will not make their fine
products.
That is not a problem for me. And the search engine
https://isearch.avg.com may be safer than Google, I don't know.
But, if they are going to change my search engine, I would at least
like to be asked. (( they may have asked but I really don't think
they did )).
Did you try changing it back? I'm curious whether AVG would
bother to change it again or not.
One more question please...
What do YOU do when you have a file test POSITIVE for a
virus/Trojan/malware?
Do you "repair" the file? Quarantine it? Verify the POSITIVE and if
so how? Do you run 2 virus scanners and if so which do you trust the
most?
Treatment depends on the file. If it was a System File, and both the
working copy and the cached version were damaged, then I might have
to do a Repair Install to get a fresh copy from the Windows installer CD.
A file can be "repaired" in some cases, as the AV program knows the
infection mechanism (like, an added sector) and can then attempt to
fix it. But not all infections will be that easy to deal with.
To verify something you've quarantined, first we'll assume your
system survived. It probably wouldn't be a good idea to reboot,
if the file is necessary for the system to come up again. I use
www.virustotal.com as it has the ability to scan a submitted file
with multiple AV scanners.
If you have a real malware problem though, you may find the
browser is just about useless. They may modify the browser,
so it can't reach bleepingcomputer.com or virustotal.com and
so on. You may have to move the file to another computer,
and work from there. Move the file to a Linux computer
and use the web browser there...
If the infection has a name, sometimes you can download a "cleaner"
specific to the infection. For example, if you got a TDSS rootkit,
Kaspersky has a cleaner specifically for that family.
If the file is part of an Application Program, you could uninstall
the program. Then re-install to get a fresh copy of the application.
If some of your files "disappear", you can dig up a copy of
"unhide.exe" and use that to try to bring them back.
But afterwards, if you survive the experience, it's pretty hard
to trust that the system is completely clean.
The free version of Malwarebytes MBAM can be used for a lot
of the "popular" problems. Lots of viral content is set up
to recognize a copy of MBAM being put on a system, or a user
going to their site. So the tool gets "respect" from virus
writers.
I ask because occasionally I will run a program, say a game cheat or
trainer and those kind of programs just seem to drive my Virus scanner
nuts. And one AV program may say INFECTED and another might say
CLEAN. So what do you do?
When you run the file through
www.virustotal.com , the description
will say whether it is adware or something more serious. If you think
the program file is "trustworthy" and it's all a "mistake", you
can use Google to check and see whether "program X seems infected"
results in other people having seen the same thing.
If it was a false positive, you'd think not all the AV tools of
the scanner server would have the same false positive, at the same
time.
If you get executable files from "megajumbofileserver.com", instead
of from the company or person who wrote them, that might mean the
file you get, is different than a file from the originator. So even if
others aren't seeing virus indications on the file, it could be
that the "megajumbofileserver" has added its own adware or toolbar
code to the file.
I need to figure out how to run the Virtual Machine Software. maybe
that might help me. Will it do you think?
You can run an OS in a "container", but there are proof-of-concept
malware designs out there that can "punch out" of a virtual machine.
I don't know right off hand, whether it's a function of the state
of VT-x being enabled or not (hardware virtualization support).
The thing is, a virus writer would have to be pretty sure of themselves,
to go to the extra trouble. How common is it for home users
to run VMs? From a commercial perspective, is a virus writer
going to craft something specifically for VMs? Seems too "hard"
a target to be worthwhile. On the other hand, if the author of
the malware is a nation-state, and the target contains valuable
information, then all bets would be off. If you're a "valuable"
target, live at a .gov address, then you're more likely to see
a complete array of approaches. But for botnet purposes,
it probably isn't worthwhile targeting VMs specifically.
There are much softer targets out there you could capture.
Like a person's host OS.
As to whether malware can tell it's inside a VM, yes, it can.
When I boot Linux in a VM, Linux can tell immediately it's inside
a VM, and then it does stupid things.
I thank everyone for any help, ideas or advice they share with me.
And, you can disagree with me, but please don't feel the need to be
disagreeable to get your point across. I'm just here to learn.
Again, I'd like to thank those of you responding. I'm usually
inundated with helpful advice and feel bad because I don't get the
chance to thank everyone individually. But I will try.
You're asking a malware question, in a non-malware group. The
answers you get, might not be as good as if you asked elsewhere.
You never know. There are some USENET groups, I simply won't
send people to though, because of the rough crowd that hangs
out there, and the chance they'll fight with one another more
than they'll help you.
Malware protection is a layered approach. And the very first
layer, is choosing what to download. I gave an example of the
"megajumbofileserver" source of files. If a file is worth
having, it's worth trying to trace down the author and use
the author's web site. But some people just can't be trained
as to what to look for in a site, so they're going to be
relying on their AV software to be their primary protection.
On some sites, I use this:
http://www.siteadvisor.com/sites/virustotal.com
In that case, I'm asking siteadvisor, whether it thinks
the virustotal.com site is safe or not. Web sites that offer
downloads, siteadvisor can scan the site and determine how
virulent it is. At least one site got flagged, not because
the owners of the site put malware on it, but because
someone broke into their server, and loaded it up with
malware. Even some search engine web pages, contain
rudimentary comments about how trustworthy a site is.
So it's possible to get a few "opinions" before even
touching something dodgy.
But just the other day, a search engine sent me to a
dodgy site, so their "dodgy check" isn't that reliable.
When I need to unpack a dodgy Windows download, I use Linux
in a VM, and I use a copy of the WINE program loaded. That
allows Windows downloads, to be run in Linux. I disassemble
things like webcam drivers that way. (WINE runs the installer,
sprinkling the fake C: drive in Linux with the driver files.)
WINE stores installed programs in a section of the Linux file
tree, so you can go in there after WINE runs an installer, and
look at the fragments. And maybe, upload a fragment to
virustotal.com etc. By doing it that way, I don't have to keep
thirty different "unpackers", to sniff at stuff.
Usually, if a download is "packed", it's a hint of the
potential for trouble. I use a hex editor for a quick check.
The bit pattern after the PE header, tells me how "stinky"
the file might be. And if I know I've just downloaded a
webcam driver from a Chinese site, the combination of "packed"
and dodgy source, equals "head for the Linux VM and WINE"
as the next step.
Some day, there is going to be a class of malware which is
cross-platform, and can attack through VMs. So at the moment,
all of the above approaches are "security by obscurity", and
there is no guarantee we'll "stay in control" forever. I
think it's just a matter of time until this happens.
Not "if" but "when".
Paul
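The "packed" check Paul describes, eyeballing the bytes after the PE header in a hex editor, can be made systematic by measuring the Shannon entropy of each section: packed or encrypted sections sit near 8 bits per byte, ordinary code and data well below. This is an added triage example, not code from the thread or from any AV product; the PE fixture is constructed inline (a header-complete skeleton that is not loadable), and the 7.0 entropy threshold and 64-byte minimum section size are assumptions.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means near-uniform bytes, typical of packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Walk the PE section table and return (name, raw_size, entropy) for each section."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew -> "PE\0\0"
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section table follows optional header
    result = []
    for i in range(nsec):
        hdr = blob[table + 40 * i:table + 40 * (i + 1)]       # one 40-byte IMAGE_SECTION_HEADER
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        result.append((name, raw_size, round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 2)))
    return result

def looks_packed(blob: bytes, threshold: float = 7.0) -> bool:
    """Assumed heuristic: any section of 64+ bytes above the entropy threshold suggests packing."""
    return any(ent > threshold for _, size, ent in pe_sections(blob) if size >= 64)

def build_sample_pe(sections):
    """Constructed fixture: minimal PE skeleton (DOS stub, COFF header, section table, raw data)."""
    pe_off = 0x40
    data_start = pe_off + 4 + 20 + 40 * len(sections)          # no optional header in the fixture
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", data_start
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    return dos + coff + table + body
```

Run `pe_sections(open(path, "rb").read())` on a real download to see the per-section figures; a high-entropy section that is not a resource or certificate area is the "stinky" pattern the post refers to and a reason to open the file only inside the Linux VM.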