How do I know if my computer is safe?

Hi experts,

Three days ago I tried to use my standalone home computer running Windows 7 Pro. Its anti-malware software is MBAM 3.0. I clicked on the Start button and about 20 web browsers began to load. I continued to click the red x's as fast as I could and after about two minutes of battle with them, they were gone. I clicked on the Start button again, the menu came up which could BARELY be seen like a ghost, and the browsers popped up even faster. At the same time, thirty or forty print windows emerged. These were picked off a little easier by closing them on the task bar. The web browsers were a little more difficult, taking about 2 1/2 minutes to defeat. Of course, I figured malware. I suppose I wasn't freaking out, because I have backups and a total reformat wouldn't be that troublesome, although it is work I don't have time to do.

I didn't just do a hard reboot on the computer, because I wanted to somehow get to the A/V. I was successful at that, and a MBAM scan found seven things. The first six said Trojan.generic, while the seventh said Trojan.generic/suspicious. The interesting thing is that the path was to an application that is somewhat known for being flagged; not one you would have ever heard of. Maybe it should be excluded.

But, since these were quarantined, the behavior has been normal. I can try anything, and I can't cause it to hiccup. The strange thing is, after running another MBAM scan, bringing up SAS Pro and scanning and finding nothing, I thought I would turn off MBAM and run a malware program I still had, but it was not on the system tray competing with MBAM. So Hitman Pro.Alert was going to scan, but it was past its expiration date. So, I paid for a license, which I received and typed it into the Activation field. You are then supposed to click on the word Activate below it. I did so, and the field where the key was greyed out and a green line progress indicator started from left to right. Three seconds in everything stopped. I tried many times, and the same thing happened. I uninstalled that version, downloaded a new one. Installed it. It asked for an activation key which I provided, and the same thing happened. Is that just a coincidence?

I am wondering if MBAM did find the actual culprit, why didn't it find it in real time. I can restore from a backup from a month ago, but I can be lazy about these things. My other question is if I RDP into my network at work, is there any risk.

Thank you.
Asked by Bert2005 (LVL 1)

John (Business Consultant, Owner) commented:
I do not use (or trust) Hitman.  

Can you restart?  Restart and run a full scan with Malwarebytes. If that comes up clean (zero errors) you have probably eliminated the issue.

Do not go to strange or dodgy places and you should be fine.
0
Bert2005 (Author) commented:
Is RDP ok either direction? To network or from network. I basically have to RDP into work.

Thanks.
0
John (Business Consultant, Owner) commented:
Generally yes, and I use RDP this way. Just be sure the machine on the other end is not infected.
0


Bert2005 (Author) commented:
Thanks. I will use it a bit. Do some reboots. Run MBAM a few times. I used to use Malwarebytes when it was only for running after main A/V programs, and it was very good at finding things others didn't.

Do you have any suggestions of another program I should try? Something from the web, etc.
1
John (Business Consultant, Owner) commented:
You can try Windows Security Essentials from Microsoft. That works in Windows 7.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Antivirus these days (including tools like MBAM) are largely ineffective.  Want proof?  Upload a piece of malware to VirusTotal or look up a bad link.  MOST AV software doesn't catch it these days.  How do you know your computer is safe?  Buy a new one.  Short of that, reload Windows. Short of that, run tools and be smart about your browsing and personal habits.  Each option is less safe than the previous.
0
Bert2005 (Author) commented:
OK. Let me kick it around a couple of days and keep you apprised.
0
Bert2005 (Author) commented:
Thanks Lee. I appreciate that. I rarely get malware, except for spyware that is difficult to keep off. But, it is frustrating when just one gets by, and it is "Once infected, always suspected." I agree with you though.

I suppose I would be much more concerned if it were on my network.

Do you think that the antivirus programs moving toward behavioral methods rather than definitions and signature-based are not as good. I guess they tout it as Zero-day antimalware. Of course, I am just trying to stay away from ransomware.
0
Lee W, MVP (Technology and Business Process Advisor) commented:
Be smart about how you use the computer and use backups that include OFFLINE backups and potentially cloud backups so if you ever do get hit with ransomware, you can just restore rather than pay terrorists.
0
Girish R (Team Lead, Mobile Solutions, Fingent) commented:
Enter into Windows Safe Mode and run a virus scanner. Else you can also use a System Restore to take your computer back to a point before it became infected.
Like John mentioned, Windows Security Essentials safeguards your home or business PC.
0
BillDL commented:
  1. There is no reason to run an Antivirus application in Safe Mode if the computer is able to boot into Windows normally and stay booted for the duration of the scan.  Many viruses are only functional and detectable as malware while the computer is running normally.  The only reason for running a scan in Safe Mode would be if the computer only boots into Safe Mode, but you would be getting much the same result as you would if you removed the drive, temporarily connected it to another functional computer, and ran the Antivirus application from there to scan the drive.   All it would be finding would be known and recognised viruses by file name or registry values.
  2. RDP works by sending mouse and keyboard commands and retrieving compressed images.  Unless you are copying files between drives on the two computers or have shared drives, a virus couldn't be transmitted between the two.  However, RDP does have some security risks in that it exposes both computers to open ports that can be visible to malicious people over the Internet.  Anything that leaves a port open to the outside presents a risk.  https://nakedsecurity.sophos.com/2017/11/15/ransomware-spreading-hackers-sneak-in-through-rdp/  If your computer actually has a trojan sitting there unseen at the moment it could potentially allow malicious intrusion using RDP, or any other commonly used port.
  3. There is absolutely nothing to mistrust about Hitman Pro.  It is owned by Sophos, a highly respected IT security company that has been in existence for 30 years.  Their 30 day trial and $25/year version is fine as a scanner for detecting known and new malware and potentially unwanted programs and spyware.  That version doesn't have real-time protection, so it can only be used to scan the system regularly.  The $35/year version does have real time protection and other features and can therefore be left running as the main antivirus application.  (https://www.hitmanpro.com/en-us/hmp.aspx) Bear in mind what Lee W mentioned though, NO single antimalware application is going to catch all or even most viruses.  One will catch some that others don't.  The best you can do is have a good one running in real time and do "2nd opinion" scans with one or more other programs at regular intervals.  
  4. When those popup windows started you say:  "I continued to click the red x's as fast as I could and after about two minutes of battle with them, they were gone."  Some windows comprise only an image and the X is faked to look like the "close window" button.  By clicking anywhere in that image you are often spawning new windows.  Web pages can be loaded without the status bar, address bar, or any of the user interface navigation aids of a standard browser window.  They can also be written to spawn new windows when they are closed.  Your battle may just have been this kind of "annoyance" rather than malicious activity.  The easiest way to close an active window that you are unsure of is Alt + F4, and if more windows pop up look in Task Manager and kill the browser and any other running programs that are likely to be creating the popup windows.
  5. You mentioned in your question; "The first six said Trojan.generic, while the seventh said Trojan.generic/suspicious."  Those findings sound like "heuristic" detections where the scanner looks for tell-tale signs that resemble recognised or typical malicious activity rather than actual named malware.  Quite often these are red herrings (false positives).  As you mentioned, "The interesting thing is that the path was to an application that is somewhat known for being flagged".  This is quite common to all antimalware applications that look for typical patterns.
1
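BillDL's point 2 is that RDP's risk lies in the listening port rather than in the screen and keyboard traffic itself. The script below is an added example, not something BillDL or anyone else in the thread posted: a read-only check of a Windows machine's own RDP exposure (whether Remote Desktop is enabled, whether Network Level Authentication is required, which port it uses, whether anything is listening or connected, and which inbound firewall rules mention Remote Desktop). It assumes it is run in an elevated PowerShell on the machine being checked and uses the standard Terminal Server registry values; `netstat` and `netsh` are used instead of the newer `Get-NetTCPConnection` cmdlets so it also runs on Windows 7.

```powershell
# Added example (not from the thread): report this machine's RDP exposure.
# Run elevated. Read-only: it changes nothing.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is switched off.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means NLA: the client must authenticate before a session (and its attack surface) is created.
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# PortNumber is 3389 unless someone changed it.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Is anything listening on that port, and is anyone connected right now?
$netstat     = netstat -ano
$listening   = $netstat | Select-String -Pattern (":{0}\s+\S+\s+LISTENING" -f $port)
$established = $netstat | Select-String -Pattern (":{0}\s+\S+\s+ESTABLISHED" -f $port)

New-Object PSObject -Property @{
    RemoteDesktopEnabled = ($deny -eq 0)
    NLARequired          = ($nla -eq 1)
    Port                 = $port
    Listening            = [bool]$listening
    ActiveSessions       = @($established).Count
}

# Inbound firewall rules that mention Remote Desktop. netsh output is free text,
# so this is a quick filter for review, not a full rule parser; the lines after
# each match show whether the rule is enabled and which profiles it applies to.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'Rule Name:.*Remote Desktop' -Context 0,8
```

A machine with `RemoteDesktopEnabled` false and nothing listening is not reachable over RDP at all; if it is enabled, `NLARequired` true and an enabled firewall rule scoped to the private profile (or to the gateway's address) are the settings to confirm before exposing it.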
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
On my standalone machines the account I use regularly is a Standard User account.

The account used to set up the machine originally remains the Local Admin account.

UAC zipper is set to MAX.

This provides a small but sometimes critical extra security barrier. Plus, if something like this happens, usually an errant click when searching for drivers (oh man, the number of baddies :P ), I can START --> RUN --> LOGOFF [ENTER]

That kills the session.

Then, log on as admin and scan the Standard User profile for any errant files set within the last 24 hours. DELETE
0
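Philip's last step, logging on as the admin and going through the Standard User profile for files dropped in the last 24 hours, is the part that is easy to get wrong by hand because a profile holds tens of thousands of files. The script below is an added example, not Philip's own script: run from the admin account it lists every file in a named user profile created or modified in the last N hours, hashes the ones with executable-style extensions, writes the result to a CSV for review, and then reads that user's `Run`/`RunOnce` keys from their registry hive, since an errant click that drops a file usually also drops an autostart entry. It assumes profiles live under `C:\Users`, that the user is logged off (so `NTUSER.DAT` can be loaded), and it deliberately stops at reporting rather than deleting, so the list can be checked before anything is removed.

```powershell
# Added example (not from the thread): triage a user profile for files changed recently.
# Run elevated from the admin account while the user in question is logged off.
param(
    [Parameter(Mandatory=$true)][string]$UserName,   # profile folder name under C:\Users
    [int]$Hours = 24,
    [string]$Report = "$env:USERPROFILE\Desktop\recent-files-$UserName.csv"
)

$profileDir = Join-Path 'C:\Users' $UserName
if (-not (Test-Path $profileDir)) { throw "Profile folder not found: $profileDir" }
$since = (Get-Date).AddHours(-$Hours)

# SHA-256 via .NET so this also works on Windows 7's PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

# Extensions worth a second look; every recent file is still listed, these are just flagged and hashed.
$suspectExt = '.exe', '.dll', '.scr', '.js', '.vbs', '.ps1', '.bat', '.cmd', '.lnk', '.hta'

$recent = Get-ChildItem -Path $profileDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since) } |
    ForEach-Object {
        $flag = $suspectExt -contains $_.Extension.ToLower()
        New-Object PSObject -Property @{
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Bytes    = $_.Length
            Flagged  = $flag
            SHA256   = $(if ($flag) { Get-Sha256 $_.FullName } else { '' })
        }
    }

$recent | Sort-Object Modified -Descending | Export-Csv -Path $Report -NoTypeInformation
"{0} recent files ({1} flagged) written to {2}" -f @($recent).Count,
    @($recent | Where-Object { $_.Flagged }).Count, $Report

# Persistence check: load the logged-off user's hive and print their Run/RunOnce entries.
$hiveName = 'TriageHive'
reg load "HKU\$hiveName" "$profileDir\NTUSER.DAT" | Out-Null
try {
    foreach ($key in 'Software\Microsoft\Windows\CurrentVersion\Run',
                     'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $k = "Registry::HKEY_USERS\$hiveName\$key"
        if (Test-Path $k) { "--- $key ---"; Get-ItemProperty $k | Format-List * }
    }
} finally { reg unload "HKU\$hiveName" | Out-Null }
```

Usage is `.\Triage-Profile.ps1 -UserName bert -Hours 24` (file name assumed). Flagged entries whose hash is unknown to you, sitting in `AppData\Local\Temp` or `Downloads` alongside a fresh `Run` value pointing at them, are the pattern Philip's "errant files" step is looking for; quarantining them with the scanner is safer than a bare delete, because a false positive can then be restored.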
Bert2005 (Author) commented:
Thanks experts,

I do use offline backups. Especially at work. Besides my scheduled backups, I have multiple hardware drives that I disconnect completely from the computer.

Thanks Philip for the idea. Hopefully, I won't need it.

@BillDL

#2 I use RD Gateway to connect to the office so it should be 443. I use GTMPC to connect to home, so I would hope that GTMPC server would help stop anything.
#3 I have read good things about Sophos and HitmanPro.Alert. THE FACT THAT I CAN'T ACTIVATE IT WITH A NEW PURCHASED KEY SEEMS TO BE A FLAG. Sorry for all caps. Is that just a red herring?
#4 Good to know about the red x's. I would have thought that after a while, they would have taken all the RAM, and the computer would have frozen or just crashed. The printer windows were weird.
#5 I just thought it was interesting in that I get a lot of those Trojan.generics, which I delete or quarantine. I have never received one with Suspicious at the end. SAS finds the same type trojans. Not sure why I need both.

FYI: It seems like bad viruses have decreased now that ransomware has prospered.

@GirishR Great idea about System Restore. System Restore is another one of those things that Microsoft knocked off, and its version is so much worse. I remember years ago when I had Roxio's GoBack. It "went back" successfully 99.99% of the time. SR seems to work about 45% of the time. Just says it didn't work.
0
Thomas Zucker-Scharff (Solution Guide) commented:
Lee is right.  The only clean/safe machine is one not connected to the internet and filled with concrete in a locked room.

HitmanPro.Alert is excellent software,  imho.  I've been a user since before it was owned by Sophos.

Backups are the key.  Also you can try operating in a VM.
0
Bert2005 (Author) commented:
Thanks Thomas,

Actually Lee never said that. He was referring to backups. Probably air-gapped. I do use VMs at work just not at home. Probably a good idea. As far as not being connected to the Internet, in today's world that is pretty much impossible for a business. And, home computing would be rather meaningless as well.

I agree with everyone. Backups. Some disconnected. Careful browsing. I am still more interested in opinions on whether my computer is virus free based on the information. And whether HitmanPro.Alert's not activating could be due to a virus.

I agree that the best way to know if I am virus-free is to reformat my computer. But, it's just not always doable.

Thanks again.
0
Bert2005 (Author) commented:
Thanks everyone. It is too difficult to go through and try to figure points. So, I will leave John with 500 and just leave EE to divvy up the others. Seems like a lot of assisted solutions, but everyone gave some good info.

BillDL probably gave me the most information, but John was the only person to actually address my question.

I rarely do this. I do not wish to knock anyone who tried to help me, I just felt like there were only two questions I asked and they weren't really addressed. One was in the title and not the actual question.

But, was RDP safe using RD Gateway and RDS and is there a way to tell if my computer is clean.

Again, appreciative of the time and help everyone gave.
0
John (Business Consultant, Owner) commented:
You are very welcome and I was happy to help.
0