An unwanted guest?


DaveB
The Ministry
Posts: 30457
Joined: 17 Jun 2004, 20:46
Location: Pelsall, West Mids, UK

Re: An unwanted guest?

Post by DaveB »

Well.. there have been a couple of developments on the XP machine today. I first read the forum on the Vista laptop then started the XP machine to download Malwarebytes. As soon as the XP machine started, MSE reported a trojan (mevade.b) and killed it :-O Shortly after, a 'data protection' screen appeared to say that it didn't like what tor.exe was doing and had closed the program. Not seen this screen appear ever before.
I then downloaded Malwarebytes and let it do its thing. It let btc-miner and tor.exe through (odd I thought) but highlighted an eventual 50 possible malware files.. 2 of which were trojans. I killed the trojans and let Malwarebytes restart Windows. When it restarted.. I rounded up btc-miner and other files with btc-miner in the name and deleted them. I then opened Task Manager and found tor.exe running again so 'stopped the process' then deleted the exe and folder living in Programs. I've since left the XP machine running with Task Manager open but there's been no sign of spurious CPU use.

The problem I now have is what do I do about the other 'malware' progs Malwarebytes found.. some of them look like MS files and I don't want to delete the lot gung-ho and destroy the OS in the process *-)

ATB
DaveB B)smk
Old sailors never die.. they just smell that way!

Airspeed
Red Arrows
Posts: 9305
Joined: 14 Sep 2011, 03:46
Location: Central Victorian Highlands, Dja Dja Wurrung Country, Australia

Post by Airspeed »

Well, Dave,
We had a problem 12 months or so back. I used Malwarebytes as it was recommended by a radio techie.
IIRC, you can view a list of progs and their authors. Not sure if this was in MWB, or simply Control Panel? Whichever, you can see whether the files originate with MS or others, which is a good guide to trustworthiness. The one that bugged us did like yours, after deletion, it reinstalled itself. It actually damaged a MS file, and eventually I did a reinstall of Windows 7 to fix it. There was a whole cluster of files from the same source, so they were easily identified, just hard to get rid of. I claim no expertise, just have years of "suck it and see" events. *-) :Dance: / :( Persistence is my helper.


Post by DaveB »

Cheers Mike :)

Looking down the list, I really have no idea where most if not all of the files highlighted have come from. 8) One thing I've thought about is how I got these little tinkers in the first place and I may have found an answer. This mobo has something called 'Express Gate' (it's an Asus mobo) which flashes up as soon as the PC is turned on. It gives loads of options such as Skype, photos, web, games and in all the years I've had it.. I've never looked at any of them. The idea is that you can access these things fast without going into the OS. Last week.. I had a look and loaded Skype up then looked at Web which went to an Asus browser. While doing this, I wondered about online security. If you're outside the OS.. how can the likes of MSE protect you *-) I fear I may have been 'pinged' in that odd moment of curiosity :| That'll teach me won't it :wall:

While I can't speak for the trojans (the two MWB found).. MSE has reported nothing else and checking on Task Manager shows no recurrence of BTC or Tor :)

ATB
DaveB B)smk


Post by Airspeed »

Just checked-Control Panel-Uninstall or change program(me)
The originators are all listed under "Publisher"
If the publisher looks dodgy, it probably is.


Had a feeling that icons appeared, but I don't see them now.
Don't have MWB any more, as it stopped being freeware. Maybe the icons were put in by MWB.

I've also just realised that you're talking XP, while I'm rattling on about W7. :$ So if it don't look like I've described, you know why! :stupid:

speedbird591
Battle of Britain
Posts: 4038
Joined: 24 Jun 2004, 05:56
Location: Wiltshire, UK

Post by speedbird591 »

Airspeed wrote: Don't have MWB any more, as it stopped being freeware. Maybe the icons were put in by MWB.
The free version is still available, Mike.

http://www.malwarebytes.org/products/malwarebytes_free/

I use MSE, MWB and Threatfire. All free versions, and I do an update check/scan once a month and they seem to handle everything for me. Of course, my laptop may be riddled with bad stuff which they just haven't detected - but not knowing about it is the important thing, right? :agree: :lol:

Ian :)


Post by DaveB »

That's it in a nutshell Ian :lol:

The whole 'Malware' thing is pretty open ended as far as I can see.. that is, not ALL malware is bad as such. The tricky bit seems to be deciding which is bad and which isn't 8) I now have a system I feel is 'Trojan-free' which is good but what about all those other things MWB listed :worried:

I found an interesting snippet online about Defender and the Vista OS yesterday which may also include Win7. While dossing around on the Vista laptop, I thought I'd take a look at Defender which is built into the OS. I clicked on the icon and got a message saying Defender was turned off.. if I wanted to turn it on, click 'here' so I did.. and waited.. then got an error box. After digging around, I found that MSE turns Defender off as it has its own version built-in and this is why I couldn't turn it on 8) Not sure if the same thing applies to Win7.. I didn't check *-) I found nothing to suggest an XP version of Defender so I guess one has to put one's faith in MSE and from recent experience.. MSE doesn't do so well on the XP OS 8)

Mike.. yes, Ian is quite right about MWB having a freeware version. The version I'm using at the mo is 14-day time limited after which I'm not entirely sure what will happen. Probably, it'll lose some functionality unless I buy it.

ATB
DaveB B)smk


Post by Airspeed »

This thread is getting too intelligent for me! How can I cope when folks talk sense?
That'll be it, I had a freeware for yonks, then it must have updated to V..(?), and my free time ran out.
Agreed, some malware is just annoying spyware that might slow your system down, but if you get rid of it, it'll reinstall next time you go to the site.
I'll check that link and see what I get for $0.00 these days. Some of 'em tell you that there's 963 problems, but only fix two for nothing.
Nice chat.


EDIT: OK that was painless, D/L took under a minute. I won't get "blazing fast scan" and a few others that Dave has with his 14 day Pro trial.
I'll hold off installing until the current backup finishes. I'm getting worried about a hard disc crash, as the machine sometimes turns itself off, and when I re-start, I sometimes get told that boot failed. 2 or 3 more starts gets it up again. May need another HD.

Kevin Farnell
Vintage Pair
Posts: 2083
Joined: 26 Jun 2004, 13:29
Location: Willingham, Cambridge UK.

Post by Kevin Farnell »

Hi Dave

Does Malwarebytes not quarantine the offending items prior to removal?
I’ve had it do this before, which means the files would not be available to the operating system. If they are quarantined and everything is running properly, they can be safely deleted.

Another program worth trying, which I trust, is Spybot Search and Destroy, which can be found at

http://www.safer-networking.org/

There is a freeware version and basically it immunizes your PC against numerous threats. It will also scan your system, but be cautious with cookie deletion or you could need to log in to favourite websites again.

For general cleanup of my system I use CCleaner available at

http://www.piriform.com/ccleaner/download?upgrade

Again, there is a freeware version. This will clean all temporary files and cookies (favourites can be saved). It will also clean the registry, allowing you to make a backup first. I’ve never had it cause a problem or needed to re-install registry from the backup.

Finally, I too have an Asus Mobo with the Express Gate, which I found annoying. It’s easy to turn this off in the BIOS though.
Hope you get your system sorted.

Regards

Kevin
Stratospheric traces, of our transitory flight.
Trails of condensation, held in narrow paths of white...


Post by DaveB »

Hiya Kevin :)

After the initial scan, it gave me a list of all 'malware' files it found with a tick box next to each one. Two of the files (the Trojans) it had ticked so I hit the Remove/delete/destroy button to get rid of them. It produced a logfile showing that I'd deleted the trojans and had taken no action on the others. If all of these files have been quarantined, I'll be happy to delete them all. I didn't realise they were quarantined :worried:

Thanks for the other links. I've used Spybot Search and Destroy before on my daughter's old PC and it worked a treat. I may download and try CCleaner as my registry is bound to have entries with no programs associated with them ;)

Never bothered with Express Gate before and I certainly won't use it again. I may nip into the BIOS and turn it off as suggested ;)

ATB
DaveB B)smk

TSR2
The Ministry
Posts: 15740
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Post by TSR2 »

Hi chaps, Express Gate is harmless, just a really quick way of bringing up a web browser etc. without needing to boot your OS
Ben.:tunes:
