Malware? Or just XP being XP?

[billyellis]

Hi,

XPHome, free installs of ZoneAlarm, AVG, SpybotSD, Malwarebytes, SuperAS (all up to date).

Two events have made me a little nervous, and I'm wondering if either or both together are known symptoms of a particular infection. The first is that my SpybotSD resident has been occasionally disappearing from my Taskbar when I mouse over it the first time after booting up. If I reboot it is back again. On its own I assumed some recent update in one of my AV/AS programs is causing interference and I did not worry too much about it.

But then last night I experienced a "double login," where I got to the login screen on booting up, entered the usual info, then saw the wallpaper briefly before the system reverted to the login screen again and was asking for the user/pass a second time. This happened to me once before a couple years ago. This time I shut down and rebooted clean and it did not happen again.

My concern is that the first login screen may have been a fake that some bootup malware used to grab my login info. Has anyone heard of any infections that can do that (mimic the Windows login page at startup)?? Logic says that the SDResident issue is a simple software conflict, and that the login issue is an occasional XP glitch. But if someone knows of a specific infection that might be at work, please let me know.

Thanks.

billyellis

 

[raybay]

You might want to replace AVG with Avast or Avira... the differences can be huge.
Then defragment, and retest in SAFE MODE for those that will work in SAFE MODE.

 

[almcneil]

I see some potential conflicts here.

First, I'd remove ZoneAlarm and keep AVG. You don't need 2 anti-virus. Plus having two anti-virus resident shields running concurrently is has the potential to cause system corruption. ZoneAlarm is highly rated but has been know to have conflicts with other security apps in the past. Ditch ZoneAlarm but keep AVG is my recommendation.

I'd also remove the resident shields from all the anti-spyware. Its the same reason as above. Multiple resident shield could conflict and cause system corruption. Since spyware is not as severe a risk as viruses, remove all AS resident shields.

Now you're using Spybot, Malwarebytes and SuperAntipsyware. All 3 are excellent for detecting and removing the same categories of spyware. I'd drop one and use Ad-Aware instead as it specifically targets adware type spyware.

-- Andy

 

[billyellis]

A little more info - I know there are some backdoors associated with the bootup control files, often with second files of the same name in different directories. I got the following returns searching for userinit.exe and winlogon.exe:

None of these seems to be in a 'dangerous' location, and only one has updated recently - the prefetch file. I don't know enough about PF function to know if I should be worried about that one or not? There were no hits for either winlogin.exe or winiogin.exe, common variants that are usually infections.

Thanks to raybay and almcneil for your replies. I should have specified that I only have the ZA fireawall, not the AV. So I am only running one AV. ZA has definitely had its problems, but I am familiar with it and am loathe to replace it with another firewall unless the alternative software is much better (see my other post this morning https://www.techspot.com/vb/topic134955.html).

I do have both Spybot and SuperAS running on startup, but I have had them running together for a while and have never had any problems. Of course, it may very well be that a recent update has resulted in a new change. I definitely will disable one of them as suggested if the problem with the SDresident crashing continues to see if that helps.

My main concern is that there might be a new virus or trojan that may have hijacked my login info and opened my system up to attack. So if anyone hears about something new that does the 'double login' that I described, possibly mimicing the login screen and recording your info before AV/AS load, then I hope they will post something about it here so that I know I may have an infection.

But maybe it is just an occasional XP glitch. It has only happened twice in 2 years or so. But it is the sort of 'glitch' that catches your attention because it relates to login info.

Thanks everyone!

 

[raybay]

AVG doesn't work well enough. It misses too many infestations, and is too late on others.

Zone Alerm, properly installed, is a Firewall that works substantially better than the Microsoft Firewall.
We have Zone Alarm installed on over 500 computers. Properly installed, Zone Alarm is never a problem. You will not have conflicts unless you get hooked on their inadequate software for removing infestations. For firewalls, Comodo or Zone Alarm... one or the other... are a necessity.

AVG is OK but not nearly as good as Kaspersky, Nod32, Avast, Avira and a few others... There are too many failures on our clients who use AVG, paid version or free version.

 

[billyellis]

Bah. I was ready to maintain the status quo, but raybay it sounds like you really don't like AVG. I assume that you either got fired by them once, lost a girl to one of their emplyees, or you have had some problems using their AV. Time to think about Avast or Avira, I guess.

 

[captaincranky]

Bah. I was ready to maintain the status quo, but raybay it sounds like you really don't like AVG. I assume that you either got fired by them once, lost a girl to one of their emplyees, or you have had some problems using their AV. Time to think about Avast or Avira, I guess.

No, AVG is just something else for raybay to cry all the way to the bank about.

PC World's most recent issue rates the most widely available free AV solutions this way,1. Avira, 2; Avast, 3; AVG.

The difference is only a couple of percentage points, and not the, "Avira works, AVG doesn't" BS that is prevalent on this site. Here, you get told to remove AVG even if you're having no trouble with it.

Avast was killed by something on my kids computer, I installed AVG to replace it. That notwithstanding, there is the aggravation of renewing the license every year.

And good old number one Avira, that let in that only infection I've experienced in at least 3 years.

So, my AVG stays.

 

[raybay]

AVG is fine. We used it for two years.
But it simply does not catch as much of the evil stuff as AVAST, Avira, Nod32, and Kaspersky... and when it does, AVG is as much as 7 to 17 days late...
Further, AVG removal tools are not the equal of our top five... Their removals too often come back upon reboot, when compared with our first choices..
We continue to run tests each time we learn of a new infestation on one of our client computers. AVG, once great, is merely good... about the same as McAfee now where once we felt they were the best.
We continue to hope they will return to their old standard, because the more active removal tools, the better off the entire industry is... Good tools discourage evildoers.

Of course, we get no advantage from any of them. We do not sell the products. We do use the paid versions for our business... but it is the customer's choice as to whether to use AVG, Avast, Avira, Kaspersky, Nod32, or their own choice.
We also like SuperAntiSpyware, MalwareBytes, Spy Sweeper, Spyware Doctor, and Advanced Systems...
AVG is not at the top of our list of inadequate removal tools either... Those are left to Panda, Computer Associates, Norton Antivirus, Symantec, McAfee, and Trend Micro.

 

[Bobbye]

Why do you advise removing Zone Alarm? It's a firewall, not an AV program.

free installs of ZoneAlarm, AVG, SpybotSD, Malwarebytes, SuperAS (all up to date).

Good combination- you can improve on the AV, but not because of conflict- simply because there are better ones. For now, why not leave it?

Logic says that the SDResident issue is a simple software conflict,

I don't know whether the 'logic' is correct in this case, but potentially any program running in Real Time has the 'potential' to cause a conflict.

So why not just disable TeaTimer?

I do have both Spybot and SuperAS running on startup,

Why not stop both of them from scanning on startup?

There are several things you can try, but the most important, if you are concerned about malware is not to go around trying to change programs at this point: instead, follow the steps HERE[/B] and hopefully someone will help with the logs you leave.

For myself, I don't have people changing security programs on an already unstable computer. Online scans can be done and program can be changed-if wanted- after the problem has been handled.

 

[raybay]

Most users I see and talk to have an antivirus and other software tied into ZoneAlarm... it is the Antivirus and other "free" stuff that comes with Zone Alarm that causes trouble with my clients.

 

[Bobbye]

Ray, I think this is the first or second year that ZoneAlarm added the AV. For many years, it was only a third party firewall. But it's only the paid version-as far as I know-that has the AV bundled.

 

[billyellis]

OK, here's another option question: can any of the top AV programs be run manually to scan the hard drive from time to time without being installed? That way you could have a backup AV but without conflicting with your installed AV. If AVG is slow to respond to new threats as raybay suggests, the easiest alternative would be to have a different .exe file that you could run to do a full scan every few days. Does anyone offer a program like that? Basically the equivalent of what on-line virus scans do, but from the safety of your own computer.

 

[Bobbye]

Billy, let's sort this out:

can any of the top AV programs be run manually to scan the hard drive from time to time without being installed? That way you could have a backup AV but without conflicting with your installed AV.

1, The answer is Yes. But you need to have an antivirus program always installed on the system. It should not be considered a backup AV The online scans are 'on demand' only and do not replace the AV installed on the system . It needs to be updated regularly.
2. AVG is missing a lot of malware. If you have any doubts about it, uninstall it and install Avira or Avast.
3. Anytime you want to double check the system for viruses, use an online scan. These do not get installed, are 'on demand' and shouldn't interfere with the AV installed on the system. NOTE: some of the online scans do suggest that you disable the installed AV when running the online scan:

Here are two good online scans:

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender.

If you are unable to run the ActiveX Antivirus Scanners, lets try this Java based solution from Trend Micro.

NOTE: Kaspersky finds but does not remove viruses. It does not prevent viruses. That is the job of the installed AV program.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

NOTE: the Eset online scan cleans systems that became infected while running other security programs and allows easy troubleshooting and repair of many malware-related problems. It does not prevent. That is the job of your installed AV program.
NOTE: Remember, the online scan is separate from and not meant to take the place of the installed AV which needs to be active and updating on the system at all times.

The main function of the installed antivirus program is to prevent. The online scans are to find. Keep in mind that if a virus gets into a system, it can cause damage, so the first priority is to PREVENT!

If you suspect malware, instead of trying to second guess what you problem is, it just be easier to run the malware programs.

To do that, you should disable ALL Real Time Protection. It can affect the scans and it can also slow the system down, here is my suggestion:
AVG
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this:

) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

SPYBOT TEATIMER

• Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
• On the left hand side, click on Tools, then click on the Resident Icon in the list.
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
• Click on the "System Startup" icon in the List
• Uncheck the "TeaTimer" box and "OK" any prompts.
• If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
• Exit Spybot S&D when done.

(When you are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.]

 

[billyellis]

Thanks, Bobbye.

I do have AVG installed and have no plans to remove and only use an uninstalled AV. I was only thinking of having a 'backup' as a second AV that might catch anything AVG missed but not interfere with AVG like it would if it were installed fully. If malware is what AVG is missing, I am probably OK - I run Spybot, Malwarebytes and SuperAS regularly.

My concern with the online scans is privacy. Who out there has never downloaded a song or other file that they did not pay for? With the RIAA winning a recent lawsuit against a middle-aged woman for $80K and jail time for downloading a handful of mp3's, I am not comfortable with online scans, which could easily be in partnership with the RIAA to be collecting file data for them for future lawsuits. Call me paranoid, but when they make an example of a poor grandmother and send her to jail for minor file abuses, I have serious reservations agreeing to long terms of use and allowing companies to scan my hard drive.

You said that yes there were some AV's that could be run manually without being installed - can you suggest a couple that are good and catch most infections?

Thanks!

 

[raybay]

AVG has just announced a new version. I think it is AVG 9.0. It is reportedly substantially improved.

There are a few, but they are generally ineffective in finding or removing the most serious infestations. In the interest of personal security, and performance, I would want the best installed.

Right now, I think the best includes the free versions of AVAST or Avira Antivir, along with SuperAntiSpyware and MalwareBytes... or SpySweeper, Spyware Doctor, and Windows Defender.

 

[Bobbye]

You said that yes there were some AV's that could be run manually without being installed - can you suggest a couple that are good and catch most infections?

I gave you two online virus scans. You are asking for the impossible> how can you get an updated database of viruses if you don't want to scan online?

My concern with the online scans is privacy.

Allow me to make a blatant statement: you gave up your privacy the day you first signed on to the internet! Surprised? Don't be. But using reputable programs AND downloading them from safe sites can help protect your files. You want to keep malware out! Some of the stuff nowadays is hard to remove. And it can changes files, delete files, corrupt files- on and on.

A lot of people here are using file sharing- for music, for videos, for social interaction> that is a straight line to malware.

Please follow these simple steps to keep your computer clean and secure:

1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guidehttp://www.bleepingcomputer.com/tutorials/tutorial56.html[b

2.Stay current on updates:

• Visit the Microsoft Download Sitefrequently.
  You should get All updates marked Critical and the current SP updates:Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
• Visit this site[Adobe Readeroften and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
• Check this site often.Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4.Remove Temporary Internet Files regularly: Use

• ATF Cleaner by Atribune or
• TFC

[5] Use an AntiVirus Software(only one)

• This can save you a lot of trouble with malware in the future.It should be kept updated and useed to scan regularly.
• See This link for a listing of some online & their stand-alone antivirus programs:
  Virus, Spyware, and Malware Protection and Removal Resources

6.Use a good, bi-directional firewall(one software firewall)
[*]See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security

• Spywareblaster:
  SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
• IE/Spyad
  This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts files
  This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
• Google Toolbar Get the free google toolbar to help stop pop up windows.

And always keep this in mind:

Maintaince - what´s that?

14 ways to get Infected without trying- A little bit of humour but also based on fact.

1) Look for cracks, subdivided in illegal software and .....
2) Practice unsafe hex, browse the web for free pOrn
3) Look for software that adds smileys to your posts, mail etc
4) Look for kewl skins, screensavers etc
5) Look for spyware removers, concentrate on the kind that makes you pay before it removes anything
6) Install a P2P program and repeat all of the above
7) You always want the best; use p2p to download anti-virus/firewall software.
8) Do NOT pay for anything, the internet is a place where you can steal anything from everyone without even saying as much as thank you
9) Don't have/use/update antivirus/security software
10) Look for pokergames, slotmachines and other gambling outfits
11) Look for ringtones and other stuff to bling your phone
12) Click on those unexpected links and attachments in email, because you're curious...
13) Do loan your laptop to the next door neighbour for the weekend and give him your Admin account login so he can get his project done with no hassles
14) Let the Babysitter use your laptop for 'schoolwork'

From Geeksto go:Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life. :