Sunday, 14 December 2008

Am I virus free?

A few days back, Windows Defender popped up a message to say that a process was attempting to modify my hosts file. I didn't think anything of it for a while as I was running a number of applications that were harmless contenders (such as Mojo CMS, Microsoft Mesh, IIS) and furthermore an anoying URLRedirect service was installed be default on my XP desktop as part of the Dell desktop package which changes your homepage dynamically when a URL is not found.

Initial Virus Scan
As a precaution, I looked up the "SettingsModifier:Win32/PossibleHostsFileHijack" error that was being displayed and followed the advice to perform a full virus scan. I ran a full scan using both Windows Defender AND Semantic (Norton) Antivirus (corporate edition). Both of these gave me a clean bill of health which was encouraging - or so I thought.

Sysinternals

After a reboot and after working in VS for a couple of minutes, I received the hosts file hijack error again. I was now rumbled and determined to find out what was causing this. I allowed the process to modify my hosts file to see what was happening. Microsoft.com was being redirected to 127.0.0.1 localhost. I then went onto sysinternals.com and downloaded both the autoruns application (a tool to determine which processes are launched at startup) and process explorer - an advanced task manager with process tree information and file dependencies.

The first thing that browse all autorun processes. In this list there were 4 libraries and exeutables that were NOT registered to any company. This was suspicious. I searched for the corresponsing entries in google and all of them pointed to a worm or trojan. I found the corresponding executables through the tool and deleted them from my system, some of which were locked hidden system files requiring me to kill the host processes using the sysinternals.

I then peformed the same search using the sysinternals process explorer and found another 5 processes that were not registered to any company. Some of these were desktop extensions that were more than likely harmless (such as Filezilla and Tortoise SVN) but I wasn't going to take any risks. I remove the files and killed the processes.

I then went on a mission to remove any software and files that I was no longer using, simply to allow the virus scanners to run more quickly.

4 hours later and after a subsequent reboot I was still not comfortable. I was receiving a Windows Defender warning from a proces called Kontiki (which is a peer-to-peer media sharing tool). This was likely to be harmless again as it is installed by the media streaming services such as 4OD, but by this stage I was not taking any chances. I have prided myself for having avoided viruses for years, since the disk sharing days of the Commodore Amiga, something had allowed by system to be compromised (perhaps the prevelence of USB keys in the workplace). My firewall is on, my wireless is encrypted and includeds MAC address filters!

I manually removed Kontiki from the startup registry entries (again using sysinternals) and from the program files folder.

Insufficient virus scanners?
I was really concerned that my two virus scanners, both of which were fully up-to-date, had not detected any problems after a full system scan. A collegue had recommened AVG. I downloaded, installed and performed yet another full system scan. AVG found 4 additional Trojans that I had not detected. Fortunately these were not running and were easily quarantined by AVG.

So what is the message? Firstly I am now nervous that I am not clear of viruses based upon the inconsistencies between the virus checking software. Secondly, how on earth is a typical home user supposed to deal with viruses. I am extremely careful, but I will be even more so now. I am still extremely tempted to upgrade my desktop to Vista now that we are moving across to BizTalk 2006 R2 (R1 is not supported on Vista). Hopefully UAC will further mimimise the risks.

Cheers - Jon.

No comments: