As you lot probably know I have a policy of not running memory resident AV on Windows XP because it slows my computer down, causes false alarms and decides to update itself at the most inconvenient times.
I've been running my current install of Windows XP for over a year now without any problems but I decided to scan it with Malwarebytes for fun. I chose this software because the free version doesn't include a real-time scanner, automatic updates or any of that shit, it's just a virus scanner and malware removal tool and I've heard good things about its detection rates.
The interesting thing is, it threw up loads of warnings but none of them were serious and I knew about most of them.
Below is a copy of the log with my comments below the relevant parts.
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5523
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
15/01/2011 13:31:35
mbam-log-2011-01-15 (13-30-53).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 350296
Time elapsed: 44 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
So far so good.
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18
Oh no, that doesn't look so good.
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Then perhaps it's not so bad.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
That's no malware infection, I did that myself. I don't like MS security centre bugging me about not having any antivirus software installed so I disabled it.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Alun\my documents\rotaract logo.gif (Extension.Mismatch) -> No action taken.
c:\documents and settings\Alun\my documents\my pictures\noise gen pcb t jun.png (Extension.Mismatch) -> No action taken.
I know, I tried to use data recovery software to get those files back after I stupidly deleted my My Documents folder by accident. It's hardly surprising a couple became corrupted so they look like random binary data rather than image files.
I tried asking Malwarebytes for more information, just for fun, and it linked me to the following useless page:
http://www.malwarebytes.org/malwarenet.php?name=Extension.Mismatch
c:\documents and settings\Admin\my documents\patch\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1006\Dc69\keygen\Keygen.exe (RiskWare.Tool.CK) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1007\Dc28\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1007\Dc30\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\WINDOWS\system32\oobe\antiwpa_crypt.dll (Hacktool) -> No action taken.
Yes, I know about those also. I had to install a pirated copy of Windows because my drive shredded the CD. Those files are a tool I used to bypass WPA. I've used that tool before and know others who've done the same and I'm reasonably confident it's not malware.
d:\documents and settings\Alun\local settings\Temp\MSI61.tmp (Adware.RelevantKnowledge) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\MSI64.tmp (Adware.RelevantKnowledge) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\CSM62.tmp (Adware.Mongoose) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\CSM65.tmp (Adware.Mongoose) -> No action taken.
Some random temporary files on my old Windows installation (no longer used) might be infected or it could be a false alarm (just as likely) as temporary files contain all sorts of random data.
d:\documents and settings\Admin\Desktop\new folder\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\documents and settings\Admin\Desktop\patch\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\new folder\alun\my documents\rotaract logo.gif (Extension.Mismatch) -> No action taken.
d:\new folder\alun\my documents\my pictures\noise gen pcb t jun.png (Extension.Mismatch) -> No action taken.
d:\RECYCLER\s-1-5-21-789336058-1960408961-839522115-1004\Dc106\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\WINDOWS\system32\oobe\antiwpa_crypt.dll (Hacktool) -> No action taken.
Again more warnings about copies of the corrupted files and the WPA bypass crack.
e:\Winprogs\eagle crack\keygen\Keygen.exe (RiskWare.Tool.CK) -> No action taken.
Again another warez crack I used, this time on Eagle CAD software to see if it's true that using a pirated version could fuck up your files which it didn't. For extra protection I installed Eagle in a folder with permissions set up so it can be modified from a regular user account and the program wasn't run as administrator. Anyway, it doesn't matter since I don't use the cracked version and have moved on to KiCAD, the open source alternative.
I wonder if it actually looked at the contents of the file or if it just saw the name Keygen.exe and panicked? I think further investigation is required, perhaps I'll make a copy of notepad.exe and rename it to Keygen.exe and see what happens.
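The Extension.Mismatch items above and the question of whether a scanner looks at a file's contents or only its name both come down to the same check: comparing the bytes at the start of a file with what the extension claims. The script below is an added example, not Malwarebytes' code or anything from the original post; the signature table is a constructed, minimal one (a real scanner carries thousands of entries), and the sample files are constructed in memory so it runs offline. It shows a recovered image whose bytes no longer match its .gif header, a PE header under an alarming name (the content check sees only "an executable"; the name alone proves nothing), and a text file renamed to .exe. A mismatch is evidence of corruption or disguise, not of malware by itself, which is exactly the distinction the scan log fails to make.

```python
import os

# Minimal magic-byte table, constructed for this example (a real scanner uses
# a far larger one). Keys are the canonical extension for that content type.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "exe": (b"MZ",),  # DOS stub that opens every Windows PE file (.exe and .dll)
}
# Extensions that share a content type with a canonical key above.
EXT_ALIASES = {"jpeg": "jpg", "dll": "exe"}


def sniff_type(data: bytes):
    """Return the content type whose magic bytes open `data`, or None if nothing matches."""
    for type_name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return type_name
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the leading bytes actually are."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    claimed = EXT_ALIASES.get(ext, ext)
    actual = sniff_type(data)
    if claimed not in SIGNATURES:
        verdict = "unknown-extension"   # nothing in the table to compare against
    elif actual == claimed:
        verdict = "ok"
    else:
        verdict = "extension-mismatch"  # e.g. a .gif whose header is not a GIF header
    return {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict}


def scan_samples() -> dict:
    """Run the check over constructed in-memory samples; returns name -> verdict."""
    samples = {
        # a .gif that really starts with a GIF header (constructed)
        "rotaract logo.gif": b"GIF89a" + b"\x10\x00\x10\x00\x80\x00\x00",
        # the same kind of file after a bad undelete: bytes that look like
        # nothing in the table (constructed)
        "rotaract logo (recovered).gif": b"\x17\x9b\x00\x42\xfe\x03" * 6,
        # a .png with an intact PNG signature (constructed)
        "noise gen pcb t jun.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR",
        # a PE header under an alarming name: content-wise it is simply an
        # executable, and the name alone says nothing about intent (constructed)
        "Keygen.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        # plain text renamed to .exe: the extension lies about the content (constructed)
        "notes-renamed.exe": b"just some text, not a program",
        # an extension with no table entry: no verdict is possible
        "readme.txt": b"hello",
    }
    return {name: check_file(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{verdict:19} {name}")
```

Run it as a script to print a verdict per sample, or call `check_file(path, open(path, "rb").read(16))` on real files; only the first few bytes are needed, since every signature in the table is a prefix.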
Now I decided to get it to delete my corrupted files (they're no use to me) and the allegedly infected temporary files on my other Windows installation to see what it would do. After removing said files it rudely rebooted my system without asking me! This pissed me off because if I had been working on something I would've lost it and it was totally unnecessary as none of the data in memory or in the start up files was infected.
So what does this teach me?
To be careful when using anti-malware products which often give false positives. I don't think anyone who doesn't know what they're doing should be using such software. If I had allowed my dad to scan my hard drive with this program, it would uninstall the WPA crack meaning I'd have to boot from a live CD and spend ages cracking Windows or reinstalling it.
Malwarebytes may have good detection rates but it's totally shit at advising the clueless user about what to do. I would say the correct advice would be to log on to a good computer forum and ask questions about each of those warnings.