Did I just click a virus/malware link from an old thread?

I’m getting odd feedback from Windows Defender. I did a full scan and took a long time and showed one hit. So I clicked on the button to remove threat.

Then I did another full scan and again Defender took a long time and said it found nothing but then in the list of issues it showed another hit for the same issue I had removed previously!

And a few minutes later Defender gave me three more messages about finding a problem, all of which turned out to be the same issue.

I clicked to remove the threat in Defender this time (I didn’t have this option the last time). Now I’m doing another scan (which will presumably take a long time).

So what the heck is going on here? Is there a better program to use?

Here is what it looks like:

Here is the detail for the first scan. Notice is says Status: Removed?

So here is the same status again, but now it says Quarantined.

Okay, so Defender just has crap messaging. If I click around in the history of messages I can get the above messages to show and change. None of this is inspiring confidence. What is a good way to make sure the computer has no virus?

Man, I’m circling back to my original advice. I know it’s a PITA but if you keep a backup of all your documents and drivers on a bootable USB stick along with your desired OS on it you can wipe your system and be back up and running in just a few hours, honestly. It’s worth having such a setup for just this situation.

I recommend Rufus to create the bootable USB stick off an .iso of your OS. If you have any questions let me know, I’d be happy to help.

https://rufus.akeo.ie/

And if you have a valid Windows key you should be able to pull the .iso down off Windows web page:
Windows 10 - https://www.microsoft.com/en-us/software-download/windows10
Windows 7 - https://www.microsoft.com/en-us/software-download/windows7

(I recommend saving as an .iso file and using Rufus to create the bootable USB - it seems more reliable by far than the MS tool).

Once the bootable USB is created, make some sub-folders on it containing anything you want to restore (documents, pictures, whatever you want/can fit) and also take the time to look at what your hardware is listed as in Hardware Manager, and go out to the various manufacturer web pages and pull down the latest drivers for your OS so you can install off USB once the OS finishes installing.

Honestly if you have such a USB stick prepped and ready to go (and update your important files periodically) you’re going to be mostly immune to shit like ransomware, viruses, malware, and the like.

Scott, thanks, I’m thinking along the same lines as you. I really appreciate your suggestions. I’m trying to think through my next steps and I actually do have some questions for you or anyone who has an opinion.

  • Why wouldn’t I just use the Windows 10 restore the OS recovery option, instead of making a USB boot disk? I’m talking about the new Win10 (or maybe it was new in Win8) option where you can reinstall the OS and it wipes the disk and you have to reinstall all your programs again. I’ve never actually used this.

  • If I have files on other drives, are those files suspect now too? When we say wipe the disk and start over, does that just mean the C drive or all the drives? In addition to a few local disks, I also have network storage with a shit ton of files on it.

  • What should I do to prepare? I’ll need to hunt down my Win10 key. All the keys for other software, like Office, Visual Studio, and SQL Server. I’ll need to get my latest Quicken backup, the key for Quicken. Most of my important data is backed up to the cloud, but I’ll want an image of my last phone backup, I guess. Do I just move big data stuff like pictures and music off of C and onto another drive or a cloud service?

Yikes! There goes the weekend.

I don’t know much about the recovery option you detailed in your first bullet point, so I’ll let others comment. I’ve always used media/USB to re-install off a clean install, but your solution might work a little better.

For what drives to recover/backup my advice is to back up everything important but only worry about wiping your OS drive. In my experience (limited as it may be) your system files are what normally get infected, exception being ransomware, which is why I recommend backing up all your documents. Pretend you lost a document. Big deal? Copy it to a USB drive you can keep in a fire proof safe with your other important documents. That sort of thing.

As for the key, the Windows 10 page I linked above lets you download an iso file and according to that page (I have not done this process since getting the free Windows 10 upgrade) you can install the OS and it won’t need a key, but rather will call home after you are up and running and automatically register you. Check out that page for more details.

I hope that helps, good luck and let us know if you need anything!

Also, dammit Discourse, Tim and I are having a discussion!

It was a tad bit overblown given he had no evidence of an infection from before, but still, hard to argue with always going with the safe option.

Now however? Nuke that shit from orbit. You are just detecting the one, of probably many, delivered payloads that will continuously get replaced unless all the originating processes are eliminated.

Malwarebytes is a good next step if you are super lazy and like living on the edge. Having removed this shit professionally though it’s always safer to nuke.

I would image the whole drive using the Windows built-in imaging tool to an external drive, then reformat, mount the old image and copy by hand each file and folder you want. Don’t just copy over the whole profile, it’s probably littered with inactive little payloads.

I hate this ‘feature’ too.

Thank you Scott!

I’m going to tackle this over the weekend, but right now I’m trying to list all the stuff I need to do before I hit nuke. This discussion is very helpful, so just ignore Discourse, er, @wumpus software.

The problem with copying files to a USB is that the Quicken data file (the most important file) will keep changing. Right now I back it up to a network drive, but those drives are vulnerable to ransomware attacks. I don’t know what the answer is. Maybe just always keep backing the shit up (which is a hassle) or find some sort of cloud service, which might be out of reach of the ransomware slugs.

Comcast gives me a free copy of Norton, which I use on my Mac. I installed it on my PC, it asked for a restart, but then failed to launch. It also failed to uninstall. I had to download a Norton tool specifically to uninstall after a broken uninstall event. What the? I can’t tell if the virus got to the Norton stuff or if it’s just, you know, poor quality Norton stuff.

@Gendal, I’m going to do the nuke/reinstall shuffle, but meanwhile I downloaded Malwarebytes to see what I can find. I am also going back to another full scan from Defender, which is the only tool so far to find whatever it is on my box.

Here is the view from my PC right now.

I’m waiting for Discourse to give me some lip.

What do people do with file history stuff? I have 600 Gb or more of file history on a dedicated network drive, but now I wonder if I want any of it?

I’m getting my paranoid hat on. I haven’t worn this thing in a long time, but it still fits! It’s like an old friend back to greet me.

To be honest, I’ve never thought Norton was a very good product. It’s clunky, eats up a ton of resources, and doesn’t offer any better protection than other products. I actually only run native Windows Defender protection on my home PC, but then I have like two dozen sites I go to and I delete emails I don’t recognize, so I’m kind of boring on the PC. It’s also primarily for gaming, so any extra software running in the background I am extra unlikely to have running.

As for document history, that doesn’t seem like something I would even be saving. You mean like change history for your Word documents and the like? Meh. I’d get rid of it. Let me ask you a question: how many times since you started storing it have you ever used any of it? I’d go off the answer to that question as to whether or not to keep it.

So I am expected to believe this webpage somehow “infected” a fully patched Windows 10 installation? So either the browser or the OS, or both, were vulnerable?

Fuck it, I don’t believe this, I am going there myself. When I do, I see this in Chrome:

So if I … click the button, things get bad? Is that what we’re saying here?

I feel like this is a horror movie, and Wumpus is the guy who went to check out the cellar.

Hopefully, he hasn’t smoked any pot or been promiscuous lately!

Also looking more closely at this screenshot, this looks… really bogus?

  • trojan:win32/fuery.b! seems like a … speculative “just in case” detection scenario not an actual viable threat. Search for it yourself.

    Trojan:Win32/Fuery.B!cl is a heuristic detection designed to generically detect a Trojan Horse. Due to the generic nature of this threat, we are unable to provide specific information on what it does.

  • Who is Aaron Elhajj and why did he download this file? It is in g:\users\aaron elhajj\downloads and it doesn’t seem connected to whatever that starshatter website was in any way.

  • All Gone (no escape) seems to be a song from the game The Last of Us. No idea what all gone (no escape) wersion751 edition.exe is all about, though. Why would you want an .exe of a … song? Wersion751 is apparently this guy on Twitter who loves game soundtracks, so that part is consistent at least.

I was thinking pretty much the same thing. I was highly suspicious that he got infected from that web page.

However! The scanner results pretty much point to an infection, wherever he got it from. I am guessing Tim’s son is named Aaron and wanted to listen to the Last of Us sound track? Who knows. The point is his virus scanner can’t get rid of that file, which means it is almost certainly running or being replaced by another process - either of which is game over in malware land.
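Both the original question (what do Defender’s "Removed" and "Quarantined" messages actually mean, and how do you confirm the box is clean) and the point just made (a file that keeps coming back is being recreated by something that is still running) can be checked from Defender’s own detection history rather than the Security Center UI. The PowerShell below is an added example, not code from anyone in this thread; it uses the built-in Defender cmdlets `Get-MpThreatDetection` and `Get-MpThreat` on Windows 10, and the numeric-to-name mapping for `ThreatStatusID` is my reading of Microsoft’s documentation for the underlying WMI class (treat it as an assumption and check the docs if a code you see is missing).

```powershell
# Added example: list Windows Defender's detection history with the
# remediation status, whether the sample ever executed, and the path,
# so repeated "hits" for one threat can be told apart from a failed removal.
# Run in an elevated PowerShell on Windows 10 (Defender module is built in).

# Assumption: ThreatStatusID names per the MSFT_MpThreatDetection class docs.
$statusNames = @{
    1   = 'Detected'
    2   = 'Cleaned'
    3   = 'Quarantined'
    4   = 'Removed'
    5   = 'Allowed'
    6   = 'Blocked'
    102 = 'QuarantineFailed'
    103 = 'RemoveFailed'
    104 = 'CleanFailed'
    106 = 'Abandoned'
}

# Index the threat catalogue by ThreatID so each detection event can be
# joined to its name, severity and "did it run?" flags.
$threats = @{}
Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }

$history = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        $t = $threats[$_.ThreatID]
        $code = [int]$_.ThreatStatusID
        [pscustomobject]@{
            FirstSeen   = $_.InitialDetectionTime
            LastChange  = $_.LastThreatStatusChangeTime
            Threat      = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
            Status      = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { $code }
            Succeeded   = $_.ActionSuccess
            Executed    = if ($t) { $t.DidThreatExecute } else { $null }
            StillActive = if ($t) { $t.IsActive } else { $null }
            Process     = $_.ProcessName
            Path        = ($_.Resources -join '; ')
        }
    }

$history | Format-Table -AutoSize -Wrap

# How to read the table:
#  - The same Threat name appearing as several rows, each with its own
#    FirstSeen, means Defender found a new copy each time (something is
#    recreating it), not that the first removal silently failed.
#  - Executed = True or StillActive = True means the sample actually ran;
#    a file that only ever sat in a Downloads folder on a data drive, as
#    in this thread, should show Executed = False.
#  - RemoveFailed / QuarantineFailed with Succeeded = False is the case
#    where the UI flips between "Removed" and "Quarantined" for one item.
```

A clean run after a wipe is simply an empty table (no rows from `Get-MpThreatDetection` newer than the reinstall) plus a fresh full scan; `Get-MpComputerStatus` reports when the last full scan finished and whether signatures are current.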

Dude, that’s awesome! I think you’re right. I came to the same conclusion last night, but I was using different data. I scanned with Malwarebytes and got a bunch of hits from the G drive, which was the same drive that Defender flagged as having malware. So every hit I had came from the G drive. About two years ago the G drive had been my boot drive (at C) but then it filled up with data, so I pulled it and replaced it with a nice fast SSD drive. I installed the OS fresh, made it the new C, and then added the other drive as G, in case the kids needed some of the files from it.

So all the infections were on a data drive, not on the OS drive. Was I at risk for the past two years? I have no idea. But I wiped that drive and now Defender says there are no hits. I haven’t run Malwarebytes again, but it cleaned up all the hits it found. I also nuked 600 Gb of file history. Once I’m satisfied it’s all clean, I may start saving file history again. I don’t use it often, but there have been one or two times it’s saved me some grief.

This is awesome. I didn’t even realize there were sites like this. I wish I’d known to do this last night! Thank you wumpus.

Also, Discourse rocks! I typed all this shit in and then accidentally navigated away from the page with the back button. I moved forward and my message was gone, but then when I came back to the topic it was right here in the compose window. Fuck yeah!

Man, tell me about it. Welcome to my world. When my kids were about 12 or 14, I made them both administrators on the PC. It was a bonding moment. I took each of them aside and said, “I’m making you an administrator.” Their eyes got big and they were very happy. I was just tired of always having to install shit for them, but it was fun to see them get all excited. But there is always a downside. I stay updated and do scans if something seems fishy. Occasionally my name would pop up as the user in the list of infections, so it kept me humble. Now they have Apple products and the PC is just for me. I still keep it patched and updated to the latest (because that’s how I roll), but still I get the occasional weekend like this one.

Thank you wumpus! I appreciate your input on this.

Hahah, this cracked me up last night.

All right, glad to hear it! That website does not look dangerous to me, though I did not click the big button…