Please help! I have a Virus!
I ran the FS Protection full computer scan late last night when I was finished online, as I do every night. When I awoke this morning the report said it found a virus. I followed the prompts and did the recommended (automatic) action, but it said it couldn't clean it or something similar. Something to the effect that it was in an archive. This is the file it is showing: Trojan:W32/Gen2846.a60d0c4a55!Online I'm not sure what to do to get this taken care of. Could you please help? Thank you!
I submitted a sample to SAS. I'm not sure how I got this since I haven't downloaded anything for a while and it was just the Windows Paint.net.
Can I just go and delete this file to get rid of it? It is in a zip file. If I do just delete it will it remove all of it?
If it's not an important file you can just delete it, or follow these instructions: Cleaning compressed files
Edit: corrected above link, the previous one was for Macs
Also, I think you should read this: Should I manually scan my hard disks daily?
Note: An infected file in an archive is harmless until it's executed or extracted, and if/when that happens the real-time scanning will block it.
Ok, Thank you Nikk,
I have no idea how I even got this. But, it's not important at all. I've been doing the scans just about every night since I've been on the beta program. But, I usually do a different scan each night or so. Also the scan said it couldn't scan a few files. Is there any reason why? Shouldn't it scan all files? Thanks so much again for all your help! I really appreciate your quick response. I'm a little nervous finding a virus. Thanks again!
It can't scan certain protected system files for example, so it's normal to see that.
Also it's different to scan manually and to do a scheduled scan. A manual scan will be performed as your logged-in user while a scheduled scan will run as System. So a scheduled scan has the ability to scan more "system" files.
I don't scan manually that often anymore, basically only before I create a new system image backup. But then I do both a manual and a scheduled scan. For example I have files encrypted with the built-in Windows function EFS, which is a user-based encryption. So when I do a scheduled scan (that runs as System) it can't access my EFS encrypted files and they will be reported as not scanned.
And you shouldn't worry too much when malware is found.
When an F-Secure security product reports anything malicious on your computer it has already detected and stopped it, preventing it from causing any harm to your system or your data. Our security software will not remove infected files under some circumstances; they will, however, do no more harm than wasting your disk space and causing additional virus warnings whenever you or a system process accesses that file.
Ok, great! Thank you very much! I really appreciate you taking the time to explain that to me & for all your help! That makes me feel a little better. Once I realized it was in a zipped file, I felt a little better too. But, it's still a little nerve-wracking when the scan says it found a virus. And again it must have downloaded it on its own somehow since I haven't downloaded anything for a while. And my last scan the night before was clean.
I'm so glad that F-Secure at least stops the virus or infected file from working. Even if it can't remove it. That's great that it does that. I never knew that and makes me feel even better about using F-Secure protection.
A little while ago I had a problem with my email. & when talking with the Verizon support guy, he told me that I should be using Norton or McAfee. He didn't feel F-Secure was all that good. I disagreed with him. Granted I haven't used Norton or McAfee for a long time. But when I had both of those before I had gotten viruses and they destroyed my computers. I thought the whole reason for having security protection was to protect your computer. But, it didn't seem like Norton or McAfee protected my computer too well.
I was on the F-Secure Security Beta and now this program and I have had a good user experience so far with it. Much better than Norton or McAfee. They might possibly be better now (since they are always improving) but from what happened before, they left a bad taste with me. And thanks to people like you, I keep learning more and more about F-Secure that makes me keep liking it better and better.
But back to the scans. I just figured I'd do the manual scans because I never really know when I'll be finished working. I guess it still could do the scan while I'm working. But, I thought it would be best to do the scan while nothing was being used on it. Or at least when I wasn't working on it.
However, I think I will go ahead and schedule a weekly scan (for the best time I can find). Since you say it scans more system files that way. Then I can always do a manual scan if I feel needed in between or whenever. Do you suggest just doing or scheduling a regular virus scan or doing the full computer scan? Or does it really matter?
One more thing, I was reading that when an infected file is in an archive, it doesn't delete because it would have to delete the whole archive. I'm a little confused on this. This is where the file was that was found on my computer. That's what the scan said. However, it was in my download folder. When talking about the whole archive, that doesn't mean the whole download folder, does it? I deleted the zipped file that it said the virus was in. Does that include the archive too? I'm asking because I want to make sure it is completely deleted, so I won't have any other problems with it.
Thank you very much again for ALL your help!!!
The archive in this case IS the zip file. So if you deleted the zip file you're fine. The link I posted had instructions to delete only the infected file in the zip file, but if the zip file is not an important one, it's easier to just delete the entire zip file.
IMO, I recommend a scheduled scan over a manual. But then again, it's not necessary to scan that often because of the real-time scan that checks all executed files.
Even if we think F-Secure is the best, it's important to know that no anti-virus product can protect you 100%. Here's a post where I've described some other protection layers, but note that it might get technical. However, the free Malwarebytes Anti-Malware I recommend to any person:
I also use Hitman Pro as a "second opinion scanner": http://www.surfright.nl/en/hitmanpro
Ok, great! Thank you for explaining about the archive file. Ya, the file wasn't important at all. Again, like I said it downloaded somehow by itself (or rather I didn't download it & I'm the only one that uses this computer). I will go ahead and schedule weekly scans then. It's great that I won't have to scan every night now.
But, I'm wondering if there's a real-time scan, why didn't it catch the infected file? I didn't get any warnings or messages that there were any infected files on my computer until after I did the manual scan (in the scan report it showed the virus). Unless it somehow just popped up right before the scan. But, I wasn't even on the computer for about a half hour or so before I even did the scan. Or unless, as you said, nothing tried to access the file. But if it's a real-time scan should it have caught that?
Lol! I had Malwarebytes on my computer before but when I did the switch from the beta to the FS Protection installation, it uninstalled it because it said there was a conflict. I had just reinstalled it about an hour or so ago. But thank you for letting me know. It's good to know I'm on the right track having the Malwarebytes.
I will have to check out the Hitman Pro. I've heard the name before but I'm not familiar with it. But I will look into it. Thank you for letting me know about that.
I'm really sorry I took up so much of your time. But, Thank You so much for ALL your help. I really appreciate it!
No problem! I help out on a lot of forums, that's kind of my thing. Anything from programming, databases, security to basically all other types of problems.
Files inside archive files like zip aren't scanned "real-time" until they are executed or extracted from the archive. Until then they pose no danger.
How the zip file got there I don't know, but if it happens again you could check the file's properties before you delete it. Maybe the timestamp or other info could give you a clue to where it came from or what it's for.
Yes, I've read that the beta didn't like Malwarebytes, but that's just a temporary problem (I hope). It hasn't been a problem before, not that I know of anyway.
Hitman Pro is good and fast, it uses several AV engines and is free for scanning. But not for cleaning. But I never expect it to find anything so that's not a problem. I just want it to confirm that I'm clean.
I see you're quite new here and have only posted in the beta board so far, so I'll inform you of this sticky post from the Home Security board. It's a collection of useful links and information:
Ok, great, thanks! I sent the file to the SAS and it came back saying it had something to do with Bitcoin or something like that. I know Bitcoins are virtual money but I don't have anything to do with them. Maybe I hit a malicious site or something and it downloaded it. Yes, if it happens again (which I hope not) I'll have to see if I can find out more info so I can try to stop it from happening any more. I know not to open or unzip it.
Yes, I'm pretty new to the FS Protection. I was on the F-Secure Beta until a couple weeks ago when I switched to the FS Protection. Thank you very much for the link to the info page. There are some good things to know on there. Thank you!!!
I've been meaning to create a recovery disc and I noticed there is a link to that about running it. Do you happen to have a link on creating a rescue CD? & do you happen to know if creating the rescue CD is hard to do? Can I use some extra blank CDs or DVDs I've had to create it?
Also, do you happen to know, if I'm still supposed to fill out the daily reports in where I did for the F-Secure beta program? Or am I just supposed to post here now? I thought when I got the email for the FS Protection it said to post here now. But I thought I'd check to make sure.
Again, Thank You very much for ALL your time & help! Everyone I've had contact with here through F-Secure has been really nice & very helpful! & that's so great, especially when you are having problems and you're already frustrated. But Thank You very, very much again!!!
Well, you can follow these instructions to verify that your protection works. You assume after installing that everything just works, but I like to verify myself as strange problems can happen sometimes when computers are involved:
The link to the Rescue CD is only for severe problems. And I don't think it's the best way to use that as it might delete system files if they are infected, which could then leave you with a corrupt system.
It's better to use a backup solution and create "system image" backups. When you get problems you boot a rescue CD and then restore your entire hard drive. Macrium Reflect Free is a good choice. You can create rescue/boot CDs from within the program. http://www.macrium.com/reflectfree.aspx
I also use Windows' own Backup & Restore. For that you create a System Repair Disc (recdisc.exe) to boot from. It's very easy to do, you just need a blank CD. A System Repair Disc can be useful even if you don't use Windows Backup & Restore.
Use a search engine and search for tutorials for these programs if you need help. They usually describe everything step by step with pictures, including how to create a rescue CD. I'm sure you can find videos on YouTube as well.
Sorry, I know nothing about the Beta program. Can't know everything.
Great!! Thanks so much again for all the info! Ok, I tried testing (as per the instructions from the link to Testing the Anti-virus) and it did block the first download (which is a good sign). And I do remember seeing it block a couple sites/pages before with the warning/block page that it was a harmful site (then I would just close it out). But, I guess with the zip file it might not recognize it right away because like you mentioned before it doesn't know what's inside the zip file (until extracted or opened) because it's zipped closed. So it must have been because the virus was inside the zip file that it didn't catch it right away. Until the scan. But I am glad it caught it.
Thanks for the info on Macrium. I had completely forgotten about that. I did have that before when I had my other computer a couple years ago. I will have to get that and use it again! Thanks!
And, Thank you for the reminder with the Windows Repair/Rescue Disc, too. Again, I completely forgot about doing that. Do you happen to have any idea which would be better to use, the Macrium or Windows Rescue? Or do you think I should use both?
I'm sure there should be some good tutorials for those on YouTube, I'll have to look. Usually, the instructions are pretty well laid out & tell you step by step, but sometimes it'll say or ask something I'm not quite sure what to do. So, thank you for reminding me about tutorials, too.
Again, Thank you so very, very much for ALL your time, info & help! I really, really appreciate it! (& I'm so sorry for taking up most of your day). Thanks so much again!
You're most welcome!
Regarding zip files I have to correct myself, they are also scanned when downloaded manually. So how you got the file without manually downloading it is a little worrying. Here's a nice tip I use almost every day because it's a very fast way to check all running processes: How to easily scan all processes with 50 AVs
I launch it as administrator so it can check all processes including those running as System. And note that if only one (or a few) AVs detect something chances are they are false positives. Another good thing to look for is if any processes show with purple color as they are "packed images", which means they are encrypted. Most programs are not, so any purple ones are more suspicious than others. Purple should not be confused with blue processes. Blue ones are normal to have as they are processes running as your own logged-in user.
I've always used Windows Backup but I understand from others that Macrium is more stable, especially for restore operations, and it's easier to use too I think. Using both solutions is a good idea in case there should be a problem when you really need it for an emergency. It's like a backup for the backup.
I use a USB 3 external hard drive for the system image backups. A good thing to know is that when booting from a rescue disc they may not have drivers for USB 3, but connecting to a USB 2 port instead solves that but increases the time to restore a backup, which I'm fine with.
Sorry it took me a little to get back to you. Thanks so much for that tool (Process Explorer). Ya, I was thinking too about how I might have gotten that download (virus). I'm almost positive I didn't download it. Well, I know I didn't download it (the virus) but the only other thing I downloaded recently was just the FS Protection. And, Paint.net, the new Paint program from Microsoft (about a week or so ago). Unless, it downloaded with that somehow. But, I made sure I was on Microsoft's site to download it. I do remember seeing a site a little while ago, it was saying something about bitcoin (that's what the virus had to do with) but I wasn't on it long and closed it out. Not quite sure how I even ended up on that page but I didn't download anything from it. Unless just being on the site, it downloaded something (the virus). I'm not sure.
That tool, that shows all the running processes (Process Explorer), isn't that kind of like the same thing that's in the Task Manager? I guess it's a little more in depth though. I did run it. But, I'm not sure what some things are on there. And, how do you tell the difference between the blue & purple colors? I think, mine just showed purple & pink. I say I think because I think all the purple ones are purple. That's why I was asking about the blue. I don't think I had any blue ones show up. They were all either pink, purple or white. And out of the purple there were only 2 that I'm not quite sure what they are. One is a taskhost (which I'm thinking that's probably something with the computer), PID is 1376 and description says it's Host Process for Windows Tasks, for Company it says Microsoft and the Virus Total is 0/55. And the other one is unsecapp.exe (this is the one I'm most worried about, do you happen to have any idea what that might be?), the PID is 1432 but there isn't any description or company for it & the Virus Total is 0/55. Oh, and I did notice another one, which is hkcmd.exe (not sure what this is but I remember seeing that on my other computer too), PID is 1808, Company is Intel and description is hkcmd Module and the Virus Total is 0/54. There are several pink ones (like 10) that are svchost.exe, Host Processes for Windows Service. There are some other pink & white ones that look like they probably have something to do with the system & programs.
That is a neat little tool, Thank you for telling me about it.
The one I'm most worried about is that unsecapp.exe. Do you happen to have any idea what that might be?
Thanks so much again for ALL your time & help!!!
The only program I'm aware of that's named Paint.NET is by dotPDN and not Microsoft. Its home page is http://www.getpaint.net/
About Process Explorer, if you don't launch that as Administrator (or use the File menu option "Show Details for All Processes") not all processes will show a description and Company Name.
You should also enable "Verify Image Signatures" from the Options menu.
After you've done that check the processes again and verify that they show a description, company name, and have a valid signature. I only have a few legitimate processes that don't have a valid signature, for example from HP, but I've verified by searching online that those programs are not signed.
I think to verify the above is enough along with the VirusTotal detection. You can click on the result in the "Virus Total" column for a process to open a detailed report in your browser and there you might find more information in some of the tabs on that page. For some processes there are comments by other users in the Comments tab that sometimes explains what the process is and what it belongs to.
To understand what every single process is for I don't think is necessary, but if you're curious about a certain one I would just google it. Example for unsecapp.exe http://searchtasks.answersthatwork.com/tasklist.php?File=Unsecapp
Regarding the colors, go to Options menu and "Configure Colors..." and you'll see the difference between blue and purple. And it explains all other colors too.
Process Explorer is like Task Manager but much better. If you want to, there's an option in the Options menu to replace Task Manager with it.
Oh, and if you want a fresh VirusTotal result: Double-click a process. In the Image tab, click the Submit button for VirusTotal. This will re-analyze and (after a few minutes) give you an updated score for the file.
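The checklist in the reply above (description, company name, valid image signature, then a VirusTotal lookup) can be run over every process from PowerShell instead of by eye. This is an added example and not a tool from the thread or from F-Secure; it assumes an elevated PowerShell 4.0 or later on Windows, and the function name Get-ProcessTrustReport is made up here.

```powershell
# Added example (not from the thread): apply the same checks the post describes
# to every running process and flag the ones that deserve a closer look.
# Run from an elevated PowerShell so the image paths of SYSTEM and service
# processes are visible. The SHA256 lets you look a flagged file up on
# VirusTotal by hash rather than uploading it.

function Get-ProcessTrustReport {
    [CmdletBinding()]
    param()

    # -IncludeUserName (the "which user is this running as" column) needs
    # elevation; fall back to the plain listing if we are not elevated.
    try   { $procs = Get-Process -IncludeUserName -ErrorAction Stop }
    catch { $procs = Get-Process }

    $seen = @{}   # one row per image file, not per process instance
    foreach ($p in $procs) {
        $path = $p.Path
        # Idle/System and protected processes expose no path from user mode.
        if (-not $path) {
            [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; User = $p.UserName
                               Company = $null; Description = $null; Signature = 'NoPath'
                               Signer = $null; SHA256 = $null; Flag = 'NoPath' }
            continue
        }
        if ($seen.ContainsKey($path)) { continue }
        $seen[$path] = $true

        $info   = (Get-Item -LiteralPath $path).VersionInfo
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unreadable' }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # The rule the post applies in Process Explorer: missing description or
        # company name, or a signature that is not valid, means "look closer".
        $flags = @()
        if ($status -ne 'Valid')         { $flags += "Sig:$status" }
        if (-not $info.CompanyName)      { $flags += 'NoCompany' }
        if (-not $info.FileDescription)  { $flags += 'NoDescription' }

        [pscustomobject]@{
            Name        = $p.ProcessName
            PID         = $p.Id
            User        = $p.UserName
            Company     = $info.CompanyName
            Description = $info.FileDescription
            Signature   = $status
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256      = $hash
            Flag        = ($flags -join ',')
        }
    }
}

# Show only the flagged rows; remove the Where-Object to see every process.
Get-ProcessTrustReport | Where-Object { $_.Flag } |
    Sort-Object Name | Format-Table Name, PID, User, Company, Signature, Flag -AutoSize
```

On older Windows releases Get-AuthenticodeSignature does not consult the Windows catalog, so catalog-signed Microsoft binaries can show NotSigned there even though Process Explorer reports them as verified; treat a flag as a reason to check, not as a verdict.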
Hmm, ok, I'm sorry, I was under the impression that the Paint.net was a Microsoft product. I guess not. That is the same Paint.net program I had recently gotten/downloaded. But, I'm not sure if that was the same page I downloaded it from. It does look a little familiar. But I'm not certain. Maybe that's when I got the virus. But, I had that Paint.net program for probably close to a week before the virus showed up. The virus had something to do with Bitcoin and I remember a site that had something to do with Bitcoin but I just closed it out since I have nothing to do with Bitcoin. I was thinking the past couple days that maybe that site was a malicious site and downloaded it. But, I'm not sure. Could something just download from just being on a site for a few seconds?
Ok, I ran the Process Explorer as administrator and a lot more info showed up. Thank you!! And I looked those questionable processes up. Thanks for the link to the searchtasks.answersthatwork site. That's really neat. (Boy, you have all kinds of neat tools.) I looked those processes up and they were either Microsoft or Intel processes. And it said they were good.
In Process Explorer I looked under the "Option" tab but it doesn't have anything there that says "show details for all processes", is that maybe because I ran it as administrator? I saw something in one of the other tabs that says something like "show processes for all users". But, I'm the only user for this computer.
Ok, I saw the differences for all the colors. Thanks! So all the processes that showed up were either pink, purple or white. That's neat how you can replace the regular Task Manager with the Process Explorer. Thanks for telling me about that!
So, I'm still not really sure how I got that virus. But, thankfully, it hasn't showed back up again. Hopefully, it won't.
Thanks so much again for ALL your help! And for all the new tools too (now I have some new things to play with). Again I really appreciate all your time, help & info in helping me! Thank you!
Could something just download from just being on a site for a few seconds? Yes. Here's a couple of links that explain "drive-by downloads":
This is purely speculation, but in your case it could have been a drive-by download attempt that didn't succeed with all steps. For example it managed to download a file but couldn't find an outdated program or missing Windows update to exploit. So it couldn't do any damage besides downloading the zip file. But as I said before, malware in a zip file is harmless if it's never opened.
"Show details for all processes" is an option in the File menu, but it's not shown if you launched as Administrator. Task Manager has a similar option as a button. Even if you're the only user you still have processes not running under your own user: processes running as SYSTEM and different kinds of SERVICES. You don't have permission to see all details for those processes until you have administrator permissions.
Thank you very much for the explanations. Wow, I can't believe you can get a virus just by being on or going to a site now. That's pretty scary. The internet gets more dangerous every day. Thankfully there are programs like the FS Protection! And even more so, people like you to help us when something happens. (Thank You!!!!!)
I'm guessing now that I either got the virus from being on that one Bitcoin site (even only for a couple seconds) or when I downloaded that Paint.net program. I'm kind of leaning toward when I was on that site though.
Thanks again for that Process Explorer, that's a pretty neat tool. Yes, I got a lot more information when I ran it as an administrator. And I learned a lot more about what my computer is doing. I'll have to keep using that.
Thanks so very much again for ALL your time, information & help. I really, really appreciate it!!!!