jkwheeler
Level 7

Do I need to do a clean install because I might have undetected malware?

Hi!

Was having trouble with Windows Update not working.  After much discussion with an agent on Microsoft's community forum, the agent said I had malware and that I should just do a clean install of Windows.  I don't want to do a reinstall for a variety of reasons but I will do it as a last resort.  I thought I would ask you all if you thought I had malware and whether I can remove it before I hauled off and did the clean install.

I list the details below.  Anyone have any thoughts?  Thanks!

jkwheeler

----- Details -----

  • Windows XP Media Center Edition Version 2002 SP3
  • McAfee Security Center v11.0, has VirusScan v15.0, DAT 6549.0000, Engine v5400.1158 (I have autoupdate turned on and working)
  • Ran a full scan in safe mode with networking.  No problems reported.  All zeros in the report.
  • Ran Stinger in safe mode with networking.  Sensitivity level "Very High" with "Report only."  Here is the report:

McAfee(r) Labs Stinger(tm) Version 10.2.0.408 built on Dec  2 2011
Copyright (c) 2011 McAfee, Inc. All Rights Reserved.
Virus data file v1000.0000 created on Dec 2 2011.
Ready to scan for 3515 viruses, trojans and variants.

Scan initiated on Sun Dec 04 17:26:15 2011
Rootkit scan result : Not Scanned


  Master Boot Record(s):....1
  Possibly Infected:.............0
  Boot Sector(s):.................1
  Possibly Infected: ............0

  Number of clean files: 18534


Mmmm... I see the line that says "Rootkit scan result : Not Scanned."  Do I need to do something to get Stinger to give a rootkit scan result?  Does this mean Stinger did not scan for rootkits?

  • Stinger also created a file called vscan.bof.  Do you want me to attach that file in another post?
  • Ran GetSusp in safe mode with networking.  GetSusp created a log called GetSusp.xml.  Do you want me to attach that file in another post?
  • Previously, I posted to Malwarebytes forum.  Their agent went through a lot of details and decided I did not have malware.  But, the Microsoft agent still thought I had undetected malware even though VirusScan said "no" and the Malwarebytes agent said "no."  The Malwarebytes thread is at:
    http://forums.malwarebytes.org/index.php?showtopic=95006
    Note that on the Malwarebytes discussion I mentioned a network problem.  That problem is resolved now so you probably can ignore that part.
0 Kudos
5 Replies
Hayton
Level 17

Re: Do I need to do a clean install because I might have undetected malware?

"Windows Update not working".   Any other signs of a malware infection?

Only post the logs if Getsusp and Stinger had something to report.

Try downloading and running Microsoft's Baseline Security Analyzer, and see what it says. There may perhaps be a Microsoft FixIt for this problem, but MBSA will give you an overview of your security situation and any missing updates.

0 Kudos
jkwheeler
Level 7

Re: Do I need to do a clean install because I might have undetected malware?

I should have time to run MBSA after work sometime in the next few days.

GetSusp marked a few files as "suspect" and it also marked a few files as "unknown."  Would you like for me to post the GetSusp XML report?  I'm not posting from the affected PC right now so I cannot post the report right this minute.

Is there any issue with Stinger not scanning for rootkits?

0 Kudos
Hayton
Level 17

Re: Do I need to do a clean install because I might have undetected malware?

Anything to report from running MBSA?

As for Stinger, there are two. I take it the one you ran was the normal Stinger, not the Fake AV Stinger? The normal Stinger has a checkbox for rootkit checking - if you read the user guide you will see it on the screenshot of the Preferences window. Where did you download Stinger from?

Back to the original problem(s). Best way to check for malware is to run a free scan with a couple of other tools. You've already used Malwarebytes, so I suggest Microsoft's Safety Scanner. It can be run for up to 10 days after downloading. As for the Windows Update problem, there is one post on a microsoft forum here and a Microsoft KB article here which contain fixes which might be worth a try.

Edit - There's a Microsoft Fixit which might help :

[Attached image: Cannot install updates from Windows Update.png]

Also, have you got Update Rollup 2? See http://support.microsoft.com/kb/900325

Message was edited by: Hayton on 07/12/11 03:32:53 GMT
0 Kudos
jkwheeler
Level 7

Re: Do I need to do a clean install because I might have undetected malware?

Thanks for sticking with me.  I've simply been busy this week and have not had time to try MBSA.

I got Stinger from

http://service.mcafee.com/faqdocument.aspx?id=TS100815&lang=en_US&prior_tid=2&AnswerID=16777216&turl...

I'll look at Stinger again when I get time to see if rootkit scanning is turned on.  The user guide I navigate to from the link above is the same link you have in your post.

I'll also try Microsoft's safety scanner.

I've tried some of the Windows update fixes already.  I first want to convince myself that I don't have malware and then I want to get back to the Windows update issue.

Again thanks for sticking with me.  I have not abandoned this effort.  I've just been very busy with my job and other things.

0 Kudos
jkwheeler
Level 7

Re: Do I need to do a clean install because I might have undetected malware?

New Stinger report with Windows running in normal mode instead of safe mode.  I made sure the rootkit box was checked.

McAfee(r) Labs Stinger(tm) Version 10.2.0.419 built on Dec  7 2011
Copyright (c) 2011 McAfee, Inc. All Rights Reserved.
Virus data file v1000.0000 created on Dec 7 2011.
Ready to scan for 3690 viruses, trojans and variants.

Scan initiated on Wed Dec 07 18:50:04 2011

  Master Boot Record(s):....1
  Possibly Infected:.............0
  Boot Sector(s):.................1
  Possibly Infected: ............0

  Number of clean files: 18635

Seems to show no issues.

Also ran Microsoft Safety Scanner.  It said it ran successfully and found no problems.

With these results, can we reliably say that the PC has no malware?  I'm still concerned that the GetSusp report called some files "suspicious."  I still can attach the GetSusp.xml file if you like.

If you think that I really don't have malware, then I can set out to try the Windows Update fixes that you listed that I have not already tried.  Should I open a new discussion thread for that?  If so, which community discussion should I use?  Note that I have not shared all the symptoms the PC has of not running Windows Update so I would need to share those details.

I also ran MBSA.  I pasted in the report below.

The MBSA report starts off saying that it cannot scan for security updates because it cannot load the securityCAB file.  Is that because Windows Update is hosed?

MBSA also said that there were incomplete updates and that I needed to reboot to complete the updates.  That surprised me because the last Windows update before the updater stopped running was back in August.  I've rebooted lots of times since August, including.  Just for grins, I rebooted after I saw this item in the MBSA report and got the same result.  The attached report is the one I ran after rebooting.

I'm also surprised MBSA complained that Windows Firewall was not running.  I thought MBSA would have detected that the McAfee Firewall was running and not complained.

Thoughts?  Thanks!

----- Begin MBSA report ------

Security assessment: Incomplete Scan
Computer name: WORKGROUP\COMPUTER2
IP address: 192.168.1.103
Security report name: WORKGROUP - COMPUTER2 (12-7-2011 7-58 PM)
Scan date: 12/7/2011 7:58 PM
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date: 2011-11-23T00:16:31Z


  Security Updates Scan Results

    Issue:  Security Updates
    Score:  Unable to scan
    Result: Cannot load security CAB file.


  Operating System Scan Results

    Administrative Vulnerabilities
 
    Issue:  Local Account Password Test
    Score:  Check passed
    Result: No user accounts have simple passwords.
    Detail:
   | User | Weak Password | Locked Out | Disabled |
   | Guest | - | - | Disabled |
   | HelpAssistant | - | - | Disabled |
   | SUPPORT_388945a0 | - | - | Disabled |
   | Administrator | - | - | - |
   | David | - | - | - |

    Issue:  File System
    Score:  Check passed
    Result: All hard drives (1) are using the NTFS file system.
    Detail:
   | Drive Letter | File System |
   | C: | NTFS |

    Issue:  Password Expiration
    Score:  Check not performed
    Result: This check was skipped because the computer is not joined to a domain.

    Issue:  Guest Account
    Score:  Check passed
    Result: The Guest account is disabled on this computer.

    Issue:  Autologon
    Score:  Check not performed
    Result: This check was skipped because the computer is not joined to a domain.

    Issue:  Restrict Anonymous
    Score:  Check passed
    Result: Computer is properly restricting anonymous access.

    Issue:  Administrators
    Score:  Check passed
    Result: No more than 2 Administrators were found on this computer.
    Detail:
   | User |
   | Administrator |
   | David |

    Issue:  Windows Firewall
    Score:  Best practice
    Result: Windows Firewall is disabled and has exceptions configured.
    Detail:
   | Connection Name | Firewall | Exceptions |
   | All Connections | Off | Programs |
   | Local Area Connection 4 | Off* | Programs* |

    Issue:  Automatic Updates
    Score:  Check failed (critical)
    Result: The Automatic Updates system service is not running.

    Issue:  Incomplete Updates
    Score:  Best practice
    Result: No incomplete software update installations were found.

Additional System Information
 
    Issue:  Windows Version
    Score:  Best practice
    Result: Computer is running Microsoft Windows XP.

    Issue:  Auditing
    Score:  Best practice
    Result: This check was skipped because the computer is not joined to a domain.

    Issue:  Shares
    Score:  Best practice
    Result: 2 share(s) are present on your computer.
    Detail:
   | Share | Directory | Share ACL | Directory ACL |
   | ADMIN$ | C:\WINDOWS | Admin Share | BUILTIN\Users -  RX, BUILTIN\Power Users -  RWXD, BUILTIN\Administrators -  F, NT AUTHORITY\SYSTEM -  F |
   | C$ | C:\ | Admin Share | BUILTIN\Administrators -  F, NT AUTHORITY\SYSTEM -  F, BUILTIN\Users -  RX, Everyone -  RX |

    Issue:  Services
    Score:  Best practice
    Result: Some potentially unnecessary services are installed.
    Detail:
   | Service | State |
   | Telnet | Stopped |


  Internet Information Services (IIS) Scan Results
IIS is not running on this computer.

  SQL Server Scan Results

   Instance MICROSOFTBCM

    Administrative Vulnerabilities
 
    Issue:  SQL Server/MSDE Security Mode
    Score:  Check failed (non-critical)
    Result: SQL Server and/or MSDE authentication mode is set to SQL Server and/or MSDE and Windows (Mixed Mode).

    Issue:  Exposed SQL Server/MSDE Password
    Score:  Check passed
    Result: The 'sa' password and SQL service account password are not exposed in text files.

    Issue:  CmdExec role
    Score:  Check passed
    Result: CmdExec is restricted to sysadmin only.

    Issue:  Registry Permissions
    Score:  Check failed (critical)
    Result: The Everyone group has more than Read access to the SQL Server and/or MSDE registry keys.

    Issue:  Folder Permissions
    Score:  Check passed
    Result: Permissions on the SQL Server and/or MSDE installation folders are set properly.

    Issue:  Sysadmin role members
    Score:  Best practice
    Result: BUILTIN\Administrators group should not be part of sysadmin role.

    Issue:  Guest Account
    Score:  Check passed
    Result: The Guest account is not enabled in any of the databases.

    Issue:  Sysadmins
    Score:  Check passed
    Result: No more than 2 members of sysadmin role are present.

    Issue:  SQL Server/MSDE Account Password Test
    Score:  Check passed
    Result: No SQL user accounts have weak passwords.

    Issue:  Service Accounts
    Score:  Best practice
    Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
    Detail:
   | Instance | Service | Account | Issue |
   | MICROSOFTBCM | MSSQL$MICROSOFTBCM | SYSTEM | LocalSystem account. |
   | MICROSOFTBCM | SQLAgent$MICROSOFTBCM | SYSTEM | LocalSystem account. |


  Desktop Application Scan Results

Administrative Vulnerabilities
 
    Issue:  IE Zones
    Score:  Check passed
    Result: Internet Explorer zones have secure settings for all users.

    Issue:  Macro Security
    Score:  Check passed
    Result: 4 Microsoft Office product(s) are installed. No issues were found.
    Detail:
   | Issue | User | Advice |
   | Microsoft Office Excel 2003 | All Users | No security issues were found. |
   | Microsoft Office Outlook 2003 | All Users | No security issues were found. |
   | Microsoft Office PowerPoint 2003 | All Users | No security issues were found. |
   | Microsoft Office Word 2003 | All Users | No security issues were found. |

----- End MBSA report -----

0 Kudos
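As an added example (not part of the thread and not MBSA's own tooling), a small Python parser for the Issue/Score/Result layout of the MBSA report pasted above; it pulls out the checks that failed or could not run, so the two critical items (the stopped Automatic Updates service and the SQL registry permissions) stand out from the pass and best-practice entries. The report excerpt embedded below is constructed from values in the thread.

```python
import re
# Constructed excerpt of an MBSA 2.x text report, in the same Issue/Score/Result
# layout as the report pasted in the thread (values copied from that report).
SAMPLE_REPORT = """\
  Security Updates Scan Results
    Issue:  Security Updates
    Score:  Unable to scan
    Result: Cannot load security CAB file.
  Operating System Scan Results
    Issue:  Windows Firewall
    Score:  Best practice
    Result: Windows Firewall is disabled and has exceptions configured.
    Issue:  Automatic Updates
    Score:  Check failed (critical)
    Result: The Automatic Updates system service is not running.
  SQL Server Scan Results
    Issue:  Registry Permissions
    Score:  Check failed (critical)
    Result: The Everyone group has more than Read access to the SQL Server and/or MSDE registry keys.
"""
SECTION_RE = re.compile(r"^\s*(\S.*Scan Results)\s*$")
FIELD_RE = re.compile(r"^\s*(Issue|Score|Result):\s*(.*)$")
# Scores worth acting on, most urgent first; passes and best-practice notes are left out.
SEVERITY = {"Check failed (critical)": 0, "Unable to scan": 1, "Check failed (non-critical)": 2}

def parse_mbsa_report(text):
    """Return one {section, issue, score, result} dict per Issue block in the report."""
    findings, section, current = [], "", {}
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group(1).lower(), field.group(2).strip()
        if key == "issue":
            current = {"section": section, "issue": value}  # Issue starts a block
        else:
            current[key] = value
        if key == "result":  # Result is the last field of a block
            findings.append(current)
            current = {}
    return findings

def triage(findings):
    """Findings that failed or could not run, ordered by severity."""
    return sorted((f for f in findings if f.get("score") in SEVERITY),
                  key=lambda f: SEVERITY[f["score"]])
```

Running `triage(parse_mbsa_report(SAMPLE_REPORT))` lists the Automatic Updates and Registry Permissions failures first and the unscannable Security Updates check after them; the firewall best-practice note is filtered out.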