What File-Types Can Become Infected?



gkar
08-04-2009, 09:37 AM
Like most, for years I have kept my (HT)PCs up-to-date with Windows, antivirus, antispyware & firewall updates; using free tools: Avast; Malwarebytes; Spybot-Search & Destroy; Comodo Firewall.

I have recently been infected with malware, which I have cleaned successfully according to all of the above. Still don't know how it got in.

My questions, which I have not been able to answer adequately, are:

1) what file types -or extensions- can become infected? i.e. can Matroska video files (transcoded DVDs to XviD MPEG-4) *.mkv be infected, either with viruses and/or malware? Do these file types need checking with antivirus software if they cannot be?

2) can infections migrate across partitions and/or HDDs?

Thanks.

Blam
08-04-2009, 09:45 AM
Most viruses replicate themselves to hard drives/flash drives; that is the meaning of a virus.

As long as you keep avast! up to date and scan with MBAM once a week, you're safe.

Make sure you delete all system restore points/or disable system restore to avoid reinfection.

Almost any file type can be infected; .exes are the most popular.
As soon as a file extension becomes popular, malware writers find a way to exploit it.

Blam

gkar
08-04-2009, 11:23 AM
Thanks for the reply.

So, just to clarify: I have a dedicated HTPC linked to the net (for EPG updates) via my desktop, which is set for internet sharing. I have three HDDs: 1x 500GB which has the boot drive, media (for video transcodes etc.) & Ghost images; 1x 500GB which has a music partition & one for backups; & one 1TB HDD which has my TV records & media in separate partitions.

I need to scan the two latter HDDs monthly because the *.mkv & *.ts (FreeviewHD records) could become infected with variants of viruses and/or spy-/malware? Or is it because the file system or other OS-related hidden folders or files could?

Regarding my desktop's exposure to the keylogger malware: the only way I could think it could get onto the system (I always check anything I download (DVDs & CDs included) with an antivirus & Malwarebytes scan before opening; same with email attachments) was that I connected a mate's HDD to reformat it before reinstalling the OS, as I was unable to accomplish this task from his system: it would BSOD every time.

Finally, do you recommend leaving System Restore turned off permanently? Why is it so prone to attacks? And can't M$ better secure the area?

wainuitech
08-04-2009, 11:47 AM
You need weekly scans at least, not monthly - it only takes seconds for a drive to become infected if a bug gets in.

Leave System Restore ON - if something goes wrong with the system and it's turned off, you are removing one of the pieces of software that will enable it to be fixed quickly.

IF System Restore becomes infected by bugs, then yes, turn it off to clean out the system - some infections go into System Restore, and if it gets infected, when you reboot, the infections may reinfect.

IF your antivirus software is any good, it should do scans automatically at a time you have set it to, and should detect any infections that try to enter.

GOOD antivirus software - you would hardly notice the scans. GOOD meaning NOT Norton.

Edited: if you want to test the antivirus - go to This site (http://www.eicar.org/anti_virus_test_file.htm) - there are test files you can download (near the bottom) - if your AV is any good you shouldn't be able to download them - what you should get is something like This Here (http://www.imagef1.net.nz/files/Test_File1239148698.jpg) - that's ESET's NOD32 not allowing it to download because it's saying it's a virus - it's not - it only tests the AVs.

Blam
08-04-2009, 12:29 PM
Leave System Restore on - but clear all restore points in case any are infected.

Scan the files weekly with Spyware Terminator and Avast!

Although avast! Free cannot schedule scans natively, with a little workaround you can schedule scans with avast!; here are instructions for XP:

* Go to Start > Programs > Accessories > System Tools > Scheduled Tasks
* Click (or double-click) on Add Scheduled Task
* In the wizard that appears click Next - a list of programs will appear
* Click Browse and navigate to C:\Program Files\Alwil Software\Avast4 (or whatever folder in which you installed avast!)
* Click (or double-click) on the file ashQuick.exe
* On the next screen give the task a name of your choice and choose how often you want it to run and click on Next
* On the next screen choose the appropriate scheduling options and click on Next
* On the next screen enter the user name and password for the Windows user you want the task to run as, then click on Next
* On the next screen check the box for the option "Open advanced properties for this task when I click Finish", and then click Finish
* On the next screen, in the "Run" field you will see the path for the ashQuick.exe program. After the closing quote enter a space and type in the path(s) that you want scanned. Multiple paths must be separated by a space, and any path that includes a space must be in quotes. Here are a couple of examples:
  "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" C: E: - this will scan the entire contents of the C: and E: drives
  "C:\Program Files\Alwil Software\Avast4\ashQuick.exe" "C:\Program Files" E:\Downloads - this will scan the contents of the Program Files folder on the C: drive and the Downloads folder on the E: drive, including all subfolders (note the first path is in quotes due to the space in the folder name "Program Files")
* Click OK
* In the Scheduled Tasks window, from the menu, click on Advanced and choose "Start Using Task Scheduler"
* To test your newly created task, from the Scheduled Tasks window, right-click on the task's icon and choose "Run" from the popup menu. If the scan doesn't begin correctly you'll get an error message. The problem is most likely in the scan path (missing quotes or something like that.)
* Close the Scheduled Tasks window

Blam
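
Added example, not avast!'s or the thread's code: the same scheduled scan built as a script instead of by clicking through the wizard. ashQuick.exe taking one or more paths, and the Avast4 install path, are what the post above states; the weekly 03:00 run, the task name and the account are assumptions, and the schtasks.exe switches are the ones documented for XP Professional and later (check `schtasks /create /?` on the target box). The useful part is the quoting: the "Run" field is one command line, so a path with a space inside it has to be quoted, and when that whole line is itself handed to schtasks as the /tr value the inner quotes have to be escaped again. Python's subprocess.list2cmdline implements the Microsoft C runtime rule for both layers.

```python
"""Build the ashQuick.exe scan command and the schtasks.exe call that
registers it, with the quoting the GUI steps above depend on.

Added example, not avast!'s or the thread's code.  The schedule, task name
and account are assumptions.
"""
import subprocess
from typing import Sequence

DEFAULT_EXE = r"C:\Program Files\Alwil Software\Avast4\ashQuick.exe"   # path named in the post


def scan_command(paths: Sequence[str], exe: str = DEFAULT_EXE) -> str:
    """The exact text for Task Scheduler's "Run" field.

    subprocess.list2cmdline applies the Microsoft C runtime rules: arguments
    containing spaces are wrapped in double quotes, others are left bare,
    which is the rule the post gives for scan paths."""
    if not paths:
        raise ValueError("give at least one drive or folder to scan")
    return subprocess.list2cmdline([exe, *paths])


def schtasks_args(task_name: str, command: str, run_as: str,
                  day: str = "SUN", start: str = "03:00") -> list:
    """argv for `schtasks /create` that runs `command` weekly as `run_as`.

    The /tr value is one argument that itself contains quotes.  Keep argv as
    a list: when subprocess turns it into a command line it escapes the inner
    quotes as \\" so the scheduler receives the quoted path intact.  Without
    /rp, schtasks prompts for the account password instead of it sitting in
    a script (assumed behaviour; verify on the target system)."""
    return ["schtasks.exe", "/create", "/tn", task_name, "/tr", command,
            "/sc", "WEEKLY", "/d", day, "/st", start, "/ru", run_as]


def register(task_name: str, paths: Sequence[str], run_as: str, dry_run: bool = True):
    """Dry run returns the command line schtasks would be invoked with;
    dry_run=False actually creates the task (Windows only)."""
    argv = schtasks_args(task_name, scan_command(paths), run_as)
    if dry_run:
        return subprocess.list2cmdline(argv)
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    print(scan_command(["C:", "E:"]))
    print(scan_command([r"C:\Program Files", r"E:\Downloads"]))
    print(register("avast weekly scan", ["C:", "E:"], r"HTPC\gkar"))
```

Run it with dry_run=True first and paste the printed line into a command prompt; if the task later fails to start, the quoting of /tr is the first thing to check, exactly as the post says for the "Run" field.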

Terry Porritt
08-04-2009, 12:42 PM
The eicar test file has been in existence unchanged now for at least 10 years.

I wonder how effective it actually is as a test file; after all, I'd expect all AV software to have been written specifically to pick up this file and reject it... even Nortons :)

So assuming Nortons AV does pick up eicar.com, does that in itself tell us that Nortons must be good????? What about all the stuff that Nortons reputedly does not pick up?
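
Added example, not code from the thread or from eicar.org, covering wainuitech's download test and Terry's question about what passing it proves. The rules implemented are the ones published with the test file: the 68-byte string must start the file, only whitespace (space, tab, LF, CR, CTRL-Z) may follow it, and the whole file must not exceed 128 bytes. The four downloads on the eicar.org page (eicar.com, eicar.com.txt, eicar_com.zip and the double-zipped eicarcom2.zip) are rebuilt here in memory as constructed stand-ins; nothing is written to disk. What the run shows: a one-byte change defeats the match completely, so getting the real file stopped proves only that the scanner's interception and archive-unpacking paths work, not how good its detection is.

```python
"""Match the EICAR test file the way a signature scanner would, including
inside the zipped downloads, and show what the match does and does not prove.

Added example; not code from the thread or from eicar.org.
"""
import io
import zipfile

# Assembled from two halves so this source file does not itself contain the
# contiguous signature and get quarantined by a resident scanner.
_HALVES = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
           rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = b"".join(_HALVES)
_TRAILER = b" \t\r\n\x1a"     # the only bytes allowed after the signature
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True only for a file that meets the published definition exactly."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in _TRAILER for b in data[len(EICAR):])


def find_eicar(data: bytes, max_depth: int = 2) -> list:
    """Paths at which the test file is found: [""] for a bare match, archive
    member names (nested ones joined with "/") for matches inside zips.
    max_depth bounds archive recursion, which is the knob that decides whether
    a double-zipped eicarcom2.zip is seen at all."""
    if is_eicar(data):
        return [""]
    if max_depth <= 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            for inner in find_eicar(zf.read(member), max_depth - 1):
                hits.append(member if inner == "" else f"{member}/{inner}")
    return hits


def make_zip(members: dict) -> bytes:
    """In-memory zip of {name: bytes}; used to build the constructed stand-ins."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Constructed equivalents of the eicar.org downloads plus variants a
    fixed signature must not match."""
    single_zip = make_zip({"eicar.com": EICAR})
    return {
        "eicar.com": find_eicar(EICAR),
        "eicar.com.txt (same bytes, renamed)": find_eicar(EICAR),
        "eicar_com.zip": find_eicar(single_zip),
        "eicarcom2.zip (zip in a zip)": find_eicar(make_zip({"eicar_com.zip": single_zip})),
        "trailing CRLF": find_eicar(EICAR + b"\r\n"),
        "one byte changed": find_eicar(b"X6O" + EICAR[3:]),
        "padded past 128 bytes": find_eicar(EICAR + b" " * 61),
        "zipped three deep": find_eicar(make_zip({"a.zip": make_zip({"b.zip": single_zip})})),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:38} {'DETECTED at ' + repr(hits) if hits else 'not detected'}")
```

The "zipped three deep" case is the one to keep in mind when a product lets the double-zipped download through: archive depth and size limits are a configuration choice in most scanners, and a miss there says nothing about the signature itself.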

wainuitech
08-04-2009, 01:06 PM
Nortons is still hopeless - I did that test a few months back with a customer's PC that had Norton 360 - it allowed it to fully download, and it wasn't until I told it to scan that it actually picked it up.

Just about every tech here will have experienced PCs infected with various bugs when Norton says they're clean.

Went to a customer's place this morning; they had the latest Norton 360, slow as a wet week, and Norton took over 10 minutes to load - they said they had done a virus scan last night - found 1 spyware infection.

I ripped out Norton, installed NOD32 - even before NOD had fully loaded it was flashing up lots of messages saying XXXX file detected - quarantined.

EDITED: Mind you, it was the "ultimate" AV on a customer's PC on Saturday - it worked so well the Internet / email wouldn't load - I suppose that's one way to protect the PC - block everything so no one can go anywhere to get infections :p

Terry Porritt
08-04-2009, 01:29 PM
That's interesting about Norton allowing the eicar download. I seem to remember even AVG 2.5 with Win95 spitting out the eicar file download.

For the record, Avast also rejects download of the 4 eicar files.

wainuitech
08-04-2009, 01:59 PM
Norton may have let it download because it was damaged - I ended up removing the AV due to failure of the software, since infections had rendered it unusable. But it did seem strange that it picked it up on a scan, but not "live".

gkar
08-04-2009, 05:36 PM
Thanks for the replies:

@Wainuitech - it is extremely curious how the very magazine this forum is aligned with always seems to rate Norton either at the top or very near the top of every test comparison compiled over the last decade-odd, including the suite test in the March 2009 edition, even though they are independently conducted by AV-Test.org in Germany.

Also, Avast 4 Home definitely picked up all four of the AV test files you linked.

@Blam6 - I have been doing what you recommended (sorry: forgot to mention I have also been using Spyware Terminator), except I had been remiss in the time between scans. Also, I had recently found that little gem about scheduling Avast 4 Home.

Am going right now to set up schedules for Avast and Spyware Terminator. Do you advise installing the extras like WebGuard & Crawler Toolbar during the ST install? Or just the basic package?

So, seeing as how neither Spybot-Search & Destroy nor Ad-Aware have been mentioned, these programmes are not really required for a secure PC, as the others cover what they can do?

I had an issue on my HTPC which a reinstall of Avast has cured: it would hang part-way through scans on all HDDs. Definitely clean now.

Blam
08-04-2009, 05:49 PM
Don't install WebGuard and Crawler. Spam, if you ask me!

McAfee SiteAdvisor is the only content toolbar I would use...

Spybot and Ad-Aware are just antispyware programs. One antispyware program never gets 'em all, so having Spybot too is good.

Ad-Aware on the other hand sucks, don't even bother installing it!

Blam

Paul.Cov
08-04-2009, 07:09 PM
Absolutely ANY and EVERY file is vulnerable to being infected and harbouring malware.

However, not all files are so likely to activate / reactivate or spread the malware.

Spreading is most likely if files with .com, .exe, .bat, .scr, .doc, .dll (and others I forget) are involved, and also if the registry is affected.
All the above file types have the potential to be easily accessed (activated), and are also given wider powers to misbehave within Windows. They are files that can, one way or another, be 'run'.

However, a miscellaneous file with an extension that is less widely recognised by Windows, and unique to a particular app (e.g. .bak), is unlikely to re-activate malware on its own, but can be used to store malware which could then be called up by the registry, the Run / Startup settings, or some other app to re-trigger it.

First step is to get the registry and startup files clean. Then at least the likelihood of it getting re-activated or spreading is strongly reduced.

Malware sitting in a file that is never used is completely harmless. This is why simply renaming the file can cut down on the chances of it being accessed via other references elsewhere in your system.

But you do need to be sure that you, your apps and your OS will not be disturbing that file.
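
Added example, not code from the thread, to put the point above (and gkar's original .mkv question, and Blam's "almost any file type" answer) into something you can run over a media drive: Windows decides what it will *run* from the extension, while the bytes decide what the file actually *is*, and malware hides in the gap between the two. The script classifies each file by its magic bytes (published format constants: MZ/PE for Windows executables, ELF, OLE compound documents for old .doc/.xls, the EBML header that starts every .mkv, the 0x47 sync byte at every 188-byte packet of a .ts recording) and flags two mismatches: executable content behind a data extension, and a double extension such as film.mkv.exe. The sample tree is constructed in a temp directory; the "PE" stub in it is just enough header to satisfy the detector and is not a loadable program, and ashQuick.exe is only a borrowed name. It goes beyond .mkv to the other formats the thread mentions.

```python
"""Classify files by what their bytes are, not by what their name says.

Added example, not code from this thread.  Signatures are published
file-format constants; the sample tree below is constructed.
"""
import os
import struct
import tempfile

# Magic bytes at offset 0 for formats that come up in the thread.
SIGNATURES = [
    (b"\x7fELF", "elf-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound-document"),  # legacy .doc/.xls
    (b"\x1a\x45\xdf\xa3", "matroska/webm"),                          # EBML header
    (b"#!", "script-with-shebang"),
]
EXECUTABLE_CONTENT = {"pe-executable", "dos-mz-executable", "elf-executable",
                      "script-with-shebang"}
# Extensions Windows hands straight to a loader or interpreter (Paul.Cov's list plus a few).
RUNNABLE_EXTENSIONS = {".com", ".exe", ".bat", ".cmd", ".scr", ".dll", ".pif", ".vbs", ".js"}
# Extensions a user expects to hold data; used to spot "film.mkv.exe".
DATA_EXTENSIONS = {".mkv", ".ts", ".avi", ".mp4", ".mp3", ".jpg", ".pdf", ".txt", ".doc"}


def detect_content_type(data: bytes) -> str:
    """Best-effort format from the first few hundred bytes of a file."""
    if data[:2] == b"MZ":
        # PE: e_lfanew at 0x3C gives the offset of the "PE\0\0" signature.
        if len(data) >= 0x40:
            (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-mz-executable"
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    # MPEG transport stream: 0x47 sync byte at the start of every 188-byte packet.
    if len(data) >= 188 and all(data[i] == 0x47 for i in range(0, len(data) - 187, 188)):
        return "mpeg-transport-stream"
    return "unknown"


def assess_file(path: str) -> dict:
    with open(path, "rb") as f:
        head = f.read(4 * 188)                  # enough for every check above
    name = os.path.basename(path)
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    hidden = {"." + p for p in parts[1:-1]}     # extensions sitting before the last one
    content = detect_content_type(head)
    findings = []
    if content in EXECUTABLE_CONTENT and ext not in RUNNABLE_EXTENSIONS:
        findings.append("executable-content-behind-data-extension")
    if ext in RUNNABLE_EXTENSIONS and hidden & DATA_EXTENSIONS:
        findings.append("double-extension")
    return {"name": name, "extension": ext, "content": content, "findings": findings}


def scan_tree(root: str) -> dict:
    """{relative path: assessment} for every regular file under root."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = assess_file(full)
    return results


def minimal_pe_image() -> bytes:
    """Constructed stand-in for an .exe: MZ header pointing at a PE signature."""
    pe_offset = 0x80
    image = bytearray(pe_offset + 4)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_offset)
    image[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    return bytes(image)


def build_sample_tree(root: str) -> None:
    """Constructed sample files: not real media, not real malware."""
    samples = {
        "video/film.mkv": b"\x1a\x45\xdf\xa3" + b"\x00" * 60,
        "video/film.mkv.exe": minimal_pe_image(),       # double extension
        "tv/news.ts": (b"\x47" + b"\x00" * 187) * 3,     # three empty TS packets
        "tv/codec_pack.mkv": minimal_pe_image(),         # executable behind .mkv
        "tools/ashQuick.exe": minimal_pe_image(),        # ordinary executable
        "docs/readme.txt": b"Nothing to see here.\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel:22} {info['content']:24} {', '.join(info['findings']) or 'ok'}")
```

Point scan_tree() at a real media partition and the only lines worth reading are the ones with a finding; a genuine .mkv or .ts that is merely "unknown" to this short signature list is not by itself a problem, which is exactly the distinction the post above draws between a file that can hold malware and one that can run it.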

wainuitech
08-04-2009, 08:54 PM
Reply to:

@ Wainuitech -it is extremely curious how the very magazine this forum is aligned with always seem to rate Norton either at the top or very near the top of every test comparison compiled over the last decade-odd; including the suite test in the March, 2009 edition. Even though they are independently conducted by AV-Test.org in Germany.


I would suggest you read the MANY posts in this forum, regarding Nortons, as well as hundreds of other places that will all confirm the same thing - Nortons doesn't do what it says it does.

There are quite a few people who are members of this forum, who work in the IT business, either running their own IT business ( like I do) or work in IT repair places, and see it on a daily basis - PC's riddled with infections that have Nortons.

It's been brought up many times about the LAB tests, all over the world - they are completely different to "real world" events.

The so-called controlled LAB tests - what would you rather believe: what you read in a magazine, or the real results that hundreds of other people see and can vouch for and PROVE that a product actually is failing?

If someone said to me the PC is not infected and has Nortons because some magazine said it's the best - yet it's obviously riddled with infections - I know what I believe.
Search through the forums, there are several pictures posted that clearly show a PC is infected, yet Nortons says its clean.

gary67
09-04-2009, 06:48 AM
I think Nortons execs must pass some large brown envelopes around on a regular basis

Rob99
09-04-2009, 09:25 AM
I love Norton, it makes me look good, and provides a good source of income.

Remove it from any PC and replace it with NOD32; even if there are no infections, the computer is normally more responsive/faster and does not bother the user with popups all the time.
But there are plenty of times when the computer is riddled with virus etc.

My next fav would be McAfee.

Gobe1
09-04-2009, 09:45 AM
Ha, nice one Rob, yeah make us all look good. Yell at the top of your lungs "I am Spartacus!!!" - maybe not too loud so people will hear you....