My experience with malware or lack of thereof

[Aloone_Jonez]

As you lot probably know I have a policy of not running memory resident AV on Windows XP because it slows my computer down, causes false alarms and decides to update itself when at the most inconvenient times.

I've been running my current install of Windows XP for over a year now without any problems but I decided to scan it with Malwarebytes for fun. I chose this software because the free version doesn't include a real-time scanner,  automatic updates or any of that shit, it's just a virus scanner and malware removal tool and I've heard good things about its detection rates.

The interesting thing is, it threw up loads of warnings but none of them were serious and I knew about most of them.

Below is a copy of the log with my comments below the relevant parts.

alwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5523

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/01/2011 13:31:35
mbam-log-2011-01-15 (13-30-53).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 350296
Time elapsed: 44 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0

So far so good.

Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Oh no, that doesn't look so good.

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Then perhaps it's not so bad.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

That's no malware infection, I did that myself. I don't like MS security centre bugging me about me not having any antivirus software installed so I disabled it.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Alun\my documents\rotaract logo.gif (Extension.Mismatch) -> No action taken.
c:\documents and settings\Alun\my documents\my pictures\noise gen pcb t jun.png (Extension.Mismatch) -> No action taken.

I know, I tried to use data recovery software to get  those files back after I stupidly deleted my My Documents folder by accident. It's hardly surprising a couple became corrupted so they look like random binary data rather than image files.

I tried asking Malwarebytes for more information, just for fun and it linked my to the following useless page:
http://www.malwarebytes.org/malwarenet.php?name=Extension.Mismatch

c:\documents and settings\Admin\my documents\patch\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1006\Dc69\keygen\Keygen.exe (RiskWare.Tool.CK) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1007\Dc28\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\RECYCLER\s-1-5-21-299502267-115176313-1801674531-1007\Dc30\antiwpa_crypt.dll (Hacktool) -> No action taken.
c:\WINDOWS\system32\oobe\antiwpa_crypt.dll (Hacktool) -> No action taken.

Yes, I know about those also. I had to install a pirated copy of Windows because my drive shredded the CD. Those files are a tool I used to bypass WPA. I've used that tool before and know others who've done the same and I'm reasonably confident it's not malware.

d:\documents and settings\Alun\local settings\Temp\MSI61.tmp (Adware.RelevantKnowledge) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\MSI64.tmp (Adware.RelevantKnowledge) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\CSM62.tmp (Adware.Mongoose) -> No action taken.
d:\documents and settings\Alun\local settings\Temp\CSM65.tmp (Adware.Mongoose) -> No action taken.

Some random temporary files on my old Windows installation (no longer used) might be infected or it could be a false alarm (just as likely) as temporary files contain all sorts of random data.

d:\documents and settings\Admin\Desktop\new folder\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\documents and settings\Admin\Desktop\patch\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\new folder\alun\my documents\rotaract logo.gif (Extension.Mismatch) -> No action taken.
d:\new folder\alun\my documents\my pictures\noise gen pcb t jun.png (Extension.Mismatch) -> No action taken.
d:\RECYCLER\s-1-5-21-789336058-1960408961-839522115-1004\Dc106\antiwpa_crypt.dll (Hacktool) -> No action taken.
d:\WINDOWS\system32\oobe\antiwpa_crypt.dll (Hacktool) -> No action taken.

Again more warnings about copies of the corrupted files and the WPA bypass crack.

e:\Winprogs\eagle crack\keygen\Keygen.exe (RiskWare.Tool.CK) -> No action taken.

Again another warez crack I used, this time on Eagle CAD software to see if it's true that using a pirated version could fuck up your files which it didn't. For extra protection I installed Eagle in a folder with permissions set up so it can be modified from a regular user account and the program wasn't run as administrator. Anyway, it doesn't matter since I don't use the cracked version and have moved on to KiCAD, the open source alternative.

I wonder if it actually looked at the contents of the file or if it just saw the name Keygen.exe and panicked? I think further investigation is required, perhaps I'll make a copy of notepad.exe and rename it to Keygen.exe and see what happens.

Now I decided to get it to delete my corrupted files (they're no use to me) and the allegedly infected temporary files on my other Windows installation so see what it would do. After removing said files it rudely rebooted my system without asking me! This pissed me off because if I had being working on something I would've lost it and it was totally unnecessary as none of the data in memory or in the start up files was infected.

So what does this teach me?

To be careful when using anti-malware products which often give false positives. I don't think anyone who doesn't know what they're doing should be using such software. If I had allowed my dad to scan my hard drive with this program, it would uninstall the WPA crack meaning I'd have to boot from a live CD and spend ages cracking Windows or reinstalling it.

Malwarebytes may have good detection rates but it's totally shit at advising the clueless user about what to do. I would say the correct advice would be to log on to a good computer forum and ask questions about each of those warnings.

[Refalm]

Internet Security products without an active community often give out false positives.

I remember AVG thinking Worms Reloaded was a trojan horse, because it needed to connect its netcode to Steamworks.

I also saw that you had a lot of flags on stuff in temporary directories. Just run CCleaner next time, to remove all the bullshit that gets hogged up in Windows. Microsoft already made a huge mess with dll's as it is.

[reactosguy]

Meh. I barely get any malware despite the fact that I have Avira Free Edition. But then again, my wireless network is secured with WPA2.

I wonder the next trick under a cracker's sleeve? Take over the US Government's vital PCs with well designed rogue AVs?

Oh yeah, and speaking about rogue AVs, be careful when you get them. They took over my sister's computer multiple times. I went on a site that talked about it and said to use a program to remove it, but it failed and I had to manually remove it (delete its registry entries, and eventually the files deep in the AppData folder).

[Aloone_Jonez]

CCleaner doesn't save much disk space, only 300 odd MB but it fixed a few registry errors.

I've just run Malwarebytes on a friend's computer too and it only found one piece of malware which wasn't even serious. I reinstalled everything on his old PC nearly two years ago after he was complaining about it being slow. I installed a pirate copy of Windows 2000, Firefox, OpenOffice.org and no AV or firewall. He's pretty clueless when it comes to computers so I expected to find loads of shit but it hardly found anything: a setup.exe which contained a malware (can't remember what but it wasn't that bad) and a copy of said malware in the registry.

His computer was a bit slower than it was when I set it up for him but defragmenting the drive and running CCleaner on the registry should fix that. It was still much faster than it was when he let me fix it when it had a few AV programs running in the background. What's more surprising is his configuration is set up to run everything as administrator or at least power user (can't remember which).

I scanned my other computer and got the same warnings about the WPA crack which I've added to the ignore list.

[reactosguy]

I just realized why antiviruses reporting a lack of malware on the computer is never a good thing.

he was complaining about it being slow

I use MSConfig to fix speed problems. It allows you to disable useless shit piles at startup (I've disabled WLM because it nags me at startup) which can save you some used memory. Unfortunately Microsoft decided to rig WLM so that it runs at startup whenever I run it again manually.

 

What's more surprising is his configuration is set up to run everything as administrator or at least power user (can't remember which).

Guess what boys and girls, don't run root on Linux stuffs or hackers will get you.