Help with trojans

slimjim

Super Vip
Joined
Oct 25, 2008
Messages
91,865
Reaction score
176,860
Points
208
So I still have this damn Trojan: Small FHT on my laptop (AVG says it is located in Windows/System32/svchost.exe) - I have done a Factory Reset from the Recovery Partition (D Drive) on the laptop so presumably it had already infected that~X(

I am thinking of trying again using the recovery discs that I made on the first day I had the laptop, and will have to wipe the D drive as I do it... but if the discs don't work I'm screwed. If I decide to do this and it works I still have a couple of things to consider:

Before I did the factory reset yesterday I backed up some files & folders, including pictures and vid clips so one question is "Could the damn Trojan have got onto any of these?" as I don't want to do a successful reset only to load the damn thing back on when I upload the pics etc from the back up

And this is going to sound a really naïve question but I'm not that techie savvy but whilst another external drive was connected to the laptop, only for uploading archived stuff to the laptop - not downloading from - could the trojan have got into any files on that external drive?
 

slimjim

I wish I knew for sure what the heck is going on! The laptop was acting oddly which is why I did the scans in the 1st place and AVG reported it. After the full recovery laptop originally running ok then started acting oddly again, at one point with 100% CPU usage with only the desktop running, and the task manager saying 78% for the svchost.exe ! Currently running at a "normal" 21% with GH and Pimp&host running

I did think maybe to go for the Win 10 as that would fully wipe both drive partitions etc but I cannot update Activex and the "Get Win10" has gone from my tray and when I tried to check validation Microsoft said they couldn't determine if my copy of Win 7 was genuine and to do a windows update... but when I ran that it said there were no updates required... Grrrrrrrrr~X(~X(~X(
 

gb2000ie

Super Vip
Joined
Dec 19, 2010
Messages
4,529
Reaction score
325
Points
0
Firstly, your question about external drives - the short answer is 'yes', the longer answer is 'if you can write to it, so can malware, so that includes network drives, external drives, thumb drives, cloud drives, etc'.

Your second question is about your data being infected. As a general rule, if a file is not executable, it can't infect you. That means that movies and photos are fine to restore, as are most other documents. Things get a bit grey with some document formats like MS Office documents which can contain executable code.

My advice would be to remove all external drives, then format the internal drive, and re-install Windows from an original Microsoft DVD (may need to get on to eBay for one if your laptop manufacturer didn't give you one - don't get me started on that evil practice). The reason I say to use an original DVD is that they are read-only, so unlike a recovery partition, they cannot be tampered with by malware. Once the OS is installed, get your AV installed BEFORE re-installing any apps, reconnecting any drives, or copying back any files from any backups.

That SHOULD have you OK, but, there is a small minority of malware that writes itself into the firmware of hard drives and computers, and that can re-assert itself even after a complete re-format and re-install from original DVD. That is the exception not the norm though, so you would be very unlucky if you've caught something like that.

Hope that helps,

B.
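
Added example (not part of gb2000ie's post or of this thread): a Python script that applies the "executable vs. non-executable" rule above to a backup folder before anything is copied back, using file headers rather than extensions. The verdict labels, extension lists and the example path are assumptions chosen for illustration.

```python
import sys
import zipfile
from pathlib import Path

# File signatures ("magic bytes"); the extension alone is never trusted.
PE_MAGIC = b"MZ"                               # Windows .exe/.dll/.scr
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt (also .msi)
ZIP_MAGIC = b"PK\x03\x04"                      # .docx/.xlsm/.pptm are ZIP files
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".avi", ".mp4", ".wmv", ".mpg"}

def classify(path: Path) -> str:
    """Return a triage verdict for one backed-up file."""
    ext = path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(8)                       # only the header is needed
    if head[:2] == PE_MAGIC:
        # An executable carrying a media extension is a strong warning sign.
        return "executable-disguised" if ext in MEDIA_EXTS else "executable"
    if ext in SCRIPT_EXTS:
        return "script"
    if head == OLE_MAGIC:
        return "ole-container"                 # old Office formats can hold macros
    if head[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "corrupt-archive"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "office-with-macros"        # VBA project inside an OOXML file
        return "archive"
    return "data"

def triage(root: str) -> dict:
    """Walk a backup folder; return {path: verdict} for everything not plain data."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            verdict = classify(p)
            if verdict != "data":
                findings[str(p)] = verdict
    return findings

if __name__ == "__main__":
    # Usage: python triage_backup.py E:\backup   (the path is an example)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, verdict in triage(root).items():
        print(f"{verdict:22} {path}")
```

A `data` verdict only means no executable container was recognised from the header; it does not replace the AV scan the post recommends before copying files back.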
 

slimjim

Thanks for the info guys. An update at this end, I was saying earlier that MS seemed to be not recognising my genuine Win 7 and that I was having other update problems (even though yesterday it told me that upgrades were being downloaded and installed)- well when I logged off earlier this evening I got the " Do not power off your machine; installing updates 1 of 193"... 193 !!!! and so nearly 3 hours later it switched itself off and when I logged back in I got a message that my Win 7 was genuine,

Did an AVG scan and it was still finding the "Trojan" in the same location

Forgot to say earlier the other unusual thing that has been happening since AVG found the "infection" is that when I switch all programmes/apps etc. off and shut down the laptop I get a message that programmes are still running and I get the option to Force Shut-down... whether this confirms the presence of a Trojan or not I'm not sure???
 

gb2000ie

whether this confirms the presence of a Trojan or not I'm not sure???

Inconclusive - you could get the same symptom from all sorts of benign problems too.

It does imply 'something' is wrong, but that's about it.

B.
 

slimjim

Thanks for the tips and advice guys :big hug:

I have Malwarebytes as one of my standard tools so already ran it in both modes - it didn't find anything, I ran M/s MSRT in safe mode - nothing found, AVG won't run in Safe mode but I have just run a full scan and this time (like it has done at times before) it says all is clean - next time it may well find it again. Currently running M/s MSRT and will know in about 3 to 4 hours!

Here's a weird thing - Following the full reset I uploaded some of my fav. video clips from my external backup and up to last night the thumbnails appeared as they always have done - with most either showing the opening shot/title page or at least the same screenshot as usual. - This morning when I opened the folder all but one of the thumbnails had changed to a screenshot from somewhere midway through the clip??????
 

slimjim

Update - So the Microsoft Malicious Software Removal Tool scan found nothing, I don't know how strong a tool it is but it sure is thorough as it took just under 4 hrs and looked at over 1,250,000 items! :eek:
 

gb2000ie

Update - So the Microsoft Malicious Software Removal Tool scan found nothing, I don't know how strong a tool it is but it sure is thorough as it took just under 4 hrs and looked at over 1,250,000 items! :eek:

It's a very good tool against stuff that is well known. What it's not designed for, and hence not good at, is detecting new and emerging threats as they happen. That's what AV with daily updates is designed to protect against - though of course, it is only about 90% effective.

BTW - AV is not something anyone should rely on - think of it like a safety net in case anything gets through, your true protections lie in the simple stuff:

0) - THE most important thing - ALWAYS BE SUSPICIOUS - if a website offers you an update to something, and you didn't go to that site looking for that thing, the answer is NO! The IRS will never email you, neither will your bank. If in doubt, phone them. Never click links in emails, type the URL into the address bar of your browser yourself. Finally, if something looks too good to be true, it almost certainly is!
1) keep your OS up to date - Patch Tuesday is not a suggestion, it's a vital part of your protection
2) keep every app that touches the web up to date RELIGIOUSLY - browsers, email clients, chat client, and web plugins.
3) If you can, avoid Flash. If you need it, keep it up to date RELIGIOUSLY - it is the single biggest vector of attack today.
4) Get Java (not JavaScript, Java) out of your browser. You can probably get away with removing it from your whole computer, but a few people may still need it for the odd app. What you do not need it for is the internet, and after Flash, Java is the biggest danger on the net.
5) keep your media players up to date - all of us on here play media files a lot - there have been successful attacks that use boobytrapped movie and photo files to hack computers that have out of date media players installed. Much less common than Flash vulnerabilities, but a bigger danger for us than many other people, since we constantly download media files from people we don't know personally.
6) never re-use passwords, and to make that possible, use a password manager.
7) consider running AV. It is only 90% effective, and hence cannot protect you if you ignore steps 1 through 5, but 90% effective is a lot better than nothing, so it's probably worth doing. If you run AV - make sure you are getting daily updates, otherwise it's pretty useless!
8) consider running ad-blocking plugins like Ghostery - there has been a big spike in malicious advertising (known as malvertising), though if you throw Flash and Java and Silverlight off your computer, you're safe from the kinds of malvertising doing the rounds at the moment.

Not quite an answer to your specific questions, more general good advice.

B.
 

slimjim

Thanks for taking the time to put that comprehensive advice together...

I have 2 Java installed - Java 8 Update 60 (Oracle Corporation) and Java(TM) Development Kit Update 15 (Sun Microsystems Inc)

Is one the Java to be wary of and the other the script to keep?

My vid clip thumbnails still showing those different screenshots to before - any idea what might be behind that/anything to worry about?

AVG (update daily) has not reported the Trojan now since Saturday morning and I have been scanning each time I fire up the laptop.
 

gb2000ie

Is one the Java to be wary of and the other the script to keep?

No - JavaScript is part of your browser, so not something installed separately, and hence not something you can (or should) install. The two Java's you mention are the potentially dangerous kind.

It's OK to have Java on your system, you just don't want it in your web browser. This help document from Oracle shows how to disable it for all browsers in one go: http://anon.projectarchive.net/?http://java.com/en/download/help/disable_browser.xml

My vid clip thumbnails still showing those different screenshot to before - any idea what might be behind that/anything to worry about?

Not a clue, but it's not something that I would worry about. It's almost certainly something very simple. OSes tend to cache those thumbnails in hidden files (for efficiency), and the algorithm used may have changed since the last time the cache was generated.

AVG (update daily) has not reported the Trojan now since Saturday morning and I have been scanning each time I fire up the laptop.

*fingers crossed*

*touching wood* ;)

B.
 

slimjim

Thanks again B. - Java now disabled in all browsers.

At lunchtime today M/soft gave me back the "Get Windows 10" logo
 

slimjim

As for the main problem I'm still thinking it was a false positive, AVG updated the database and didn't report that threat again, fingers crossed anyway!

Let's wait and see




Time to update? :p

My current feeling is it might be best to wait a while and let the "teething troubles" get sorted out... and more time for 3rd parties to get their apps/software fully Win 10 compatible
 