1

Possible Duplicate:
Computer is infected by a virus or a malware, what do I do now?

I caught a pretty nasty virus yesterday and am finally in a position to sit down and start dealing with it. When logged in (Windows 7) under normal mode, I literally can't access/force start any of the typical safeguards:

  • Task Manager
  • Command Line
  • Microsoft Forefront Endpoint (my AV)

I have rebooted in safe mode w/ networking and run a scan on my system for any EXEs or DLLs that have changed since yesterday. Here's what it came back with:

[Screenshot: list of EXE and DLL files changed since yesterday, with the username blacked out]

Obviously, I blacked out my username (just for security reasons). Do any of these jump out at SU as obvious viruses? Any way for me to figure out which ones are safe to delete? What would SU do with these? Thanks in advance.

pnongrata
  • 2,982

4 Answers

2

I wouldn't touch any of those directly.

Use autoruns to disable them being loaded on start.

After that you will have all the time to inspect the suspicious elements. But most importantly, if the malware is never loaded, you should be able to make use of Forefront again to clean everything up.

Oliver Salzburg
  • 89,072
  • 65
  • 269
  • 311
2

You will probably want to get some sort of hashing tool on either that system or another secure system that you can copy those files to. Once you have an MD5/SHA1/SHA256 hash of the file, you can search VirusTotal for that hash and that will tell you whether or not those are infected files.

Agrajag9
  • 411
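An added example (not code from the answer above) of the hashing step: it lists EXE and DLL files modified after a cutoff date, computes MD5 and SHA256 with the .NET hashing classes (so it also runs on the PowerShell 2.0 that ships with Windows 7, which lacks Get-FileHash), and prints the VirusTotal lookup URL for each hash. The root folders, the two-day cutoff and the CSV output path are placeholders to adjust.

```powershell
# Added example, not the answerer's code. Hash recently changed binaries and
# build VirusTotal lookup URLs. Roots, cutoff and output path are placeholders.
function Get-FileHashHex {
    param([string]$Path, [string]$Algorithm = 'SHA256')
    # HashAlgorithm.Create accepts 'MD5', 'SHA1', 'SHA256'
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # Lower-case hex is the form VirusTotal searches accept
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-RecentBinaries {
    param([string[]]$Roots, [datetime]$Since)
    Get-ChildItem -Path $Roots -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $sha256 = Get-FileHashHex -Path $_.FullName -Algorithm 'SHA256'
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Modified   = $_.LastWriteTime
                MD5        = Get-FileHashHex -Path $_.FullName -Algorithm 'MD5'
                SHA256     = $sha256
                VirusTotal = "https://www.virustotal.com/gui/file/$sha256"
            } | Select-Object Path, Modified, MD5, SHA256, VirusTotal
        }
}

# Usage: binaries changed in the last two days under Windows, Program Files and the profile
$report = Get-RecentBinaries -Roots @("$env:SystemRoot", "$env:ProgramFiles", "$env:USERPROFILE") `
                             -Since (Get-Date).AddDays(-2)
$report | Sort-Object Modified -Descending | Format-List
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\changed-binaries.csv" -NoTypeInformation
```

Run it from the safe-mode session (or against copies of the files on a clean machine) and look each hash up. A hit tells you the file is known; a hash VirusTotal has never seen only means the sample is unknown, not that it is clean.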
0

Download and run MBAM and it will probably deal with it.

Devator
  • 1,125
0

I usually look at the properties of EXE and DLL files first, to see if they've been signed by anyone - or if they even contain any version/company information at all.

It's too easy for malware authors to call their executables svchost.exe, thus (temporarily) avoiding suspicion.

Right-click on the file, choose properties and see if there's a 'version' tab. For example, the file 'calc.exe' on a computer I'm looking at right now shows the following information:

File version: 5.2.3790.1830
Description: Windows Calculator application file
Copyright (c) Microsoft Corporation. All rights reserved.

And then there's a load of other version information underneath it (eg Language, Internal Name).

If I find an EXE without this information in it, I treat it as suspect, even if it tests clean with an antivirus scanner. I've yet to encounter it - but it is possible that a file with a digital signature may not be valid. In the 'digital signatures' tab in the file properties (which is only present if a signature is), click on the Details button to verify the certificate.

My sister seems to have a particular talent for picking up malware that's as-yet-unknown to AV vendors - so this approach is often useful. I once had the pleasure of submitting three previously undetected samples in the same month (it turned out they were all variants of already existing malware - but had been changed just enough to avoid being picked up).

Adam Thompson
  • 2,052
  • 15
  • 15
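An added example (not the answerer's code) that does the same version-tab and digital-signature check in bulk: for each file it reads the version resource, checks the Authenticode signature with Get-AuthenticodeSignature (present in PowerShell 2.0 on Windows 7), and flags files with no company/description, no valid signature, or an original filename that differs from the name on disk, the last being a hint at a renamed binary of the fake svchost.exe kind. The file list at the bottom is a placeholder; two known-good system files are used so you can see what a clean result looks like.

```powershell
# Added example, not code from the answer above. Version info plus signature
# status for EXE/DLL files, with a 'Suspect' column giving the reasons.
function Get-BinaryTrustInfo {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        $file = Get-Item -LiteralPath $p
        $vi   = $file.VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        $reasons = @()
        if (-not $vi.CompanyName -and -not $vi.FileDescription) { $reasons += 'no version/company info' }
        if ($sig.Status -eq 'NotSigned')  { $reasons += 'unsigned' }
        elseif ($sig.Status -ne 'Valid')  { $reasons += "signature $($sig.Status)" }   # e.g. HashMismatch, NotTrusted
        # Original filename differing from the on-disk name hints at a renamed binary
        if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $file.Name)) {
            $reasons += "original name $($vi.OriginalFilename)"
        }

        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        New-Object PSObject -Property @{
            Path        = $file.FullName
            Company     = $vi.CompanyName
            Description = $vi.FileDescription
            Version     = $vi.FileVersion
            Signature   = $sig.Status
            Signer      = $signer
            Suspect     = ($reasons -join '; ')
        } | Select-Object Path, Company, Description, Version, Signature, Signer, Suspect
    }
}

# Usage: known-good files first (placeholder list); replace with the files from the scan
$files = "$env:SystemRoot\System32\calc.exe", "$env:SystemRoot\System32\svchost.exe"
Get-BinaryTrustInfo -Path $files | Format-List
```

A signature status of HashMismatch is the case the answer describes, a file that carries a signature but no longer matches it, and deserves at least as much attention as an unsigned file. An empty Suspect column is a reason to move the file down the list, not a verdict: malware can ship with version strings and even a stolen certificate, so this check complements a hash lookup rather than replacing it.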