Detecting damage done by virus

windows-7 trojan virus

This morning after I went to college, a virus infected my PC without any user interaction at my end. When I came home my computer was completely frozen and infected with lots of trojans. I have not typed anything important since returning so keys cannot be logged. However I want to know exactly when my computer crashed from the time of infection to see what could potentially be done remotely by a hacker.

The virus my pc was diagnosed with was "fakespypro" on a fully updated Windows 7 installation with firewall enabled. My computer was connected to an internal dorm room network, so probably that has had to do something with it.

Any further information about how I could backtrace this virus infection or ways to discover what data might be stolen would be greatly appreciated.


Unless you have logging turned on (which isn't by default) it is very unlikely you will know what was taken.

However, I have come across this (and similar) malware and they are generally used just to make people purchase rubbish / fake software, they are not trojens in the typical sense that send your files and information to a third party.

I am not saying it isn't possible, but it is unlikely.

If however you want to detect the damage done to your actual system, you can try downloading the good search tool everything (available on Ninite) and sort by date order - this will show you everything copied and modified at the date (there are many similar (built in) tools, but, I think this is the fastest.

Also, from the command prompt, you can type SFC /SCANNOW in order to check the integrity and status of Windows System Files.


The link you included in your question describes specifically what the virus does.

Trojan:Win32/FakeSpypro may be installed from the program's web site or by social engineering from third party web sites. When executed, Win32/FakeSpypro copies itself to "%windir%\sysguard.exe" and sets a registry entry to run itself at each system start:

Adds value: "system tool"
With data: "%windir%\sysguard.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It drops a DLL component to "\iehelper.dll" and sets the following registry values to load the dropped DLL at Windows start and to register the DLL component as a BHO:

Adds value: "(default)"
With data: “bho”
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}

Adds value: "(default)"
With data: “\iehelper.dll”
To subkey: HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}\InProcServer32

Adds value: "(default)"
With data: "0”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B21-41c1-9DCD-8382A2D07C61}

It also creates the following registry subkey:

HKCU\Software\AvScan
HKCU\Software\AVSuite 

The DLL, "\iehelper.dll", installed by Win32/FakeSpypro is used to moderate the affected user's Internet use. For example, it may modify search results for the following search engines, by appearing to direct users to browser-security.microsoft.com:

    * yahoo.com
    * google
    * msn.com
    * live.com

Win32/FakeSpypro may modify the Hosts file under \drivers\etc\hosts, to ensure that users visiting 'browser-security.microsoft.com' are directed to the listed IP address as in the following example:

195.245.119.131 browser-security.microsoft.com

There is no mention of opening any back doors and that is not something I have heard of before so I doubt that a hacker was 'in' you computer. I suggest you look at the user accounts though to verify that someone has not created an account they can use at their leisure. This particular trojan is most often picked up as a drive-by download meaning that you do immediately not realize you got it. It can happen even when you visit a reputable site if the site has been hacked. The scary part is if you do not know exactly when you were infected any information entered into your browser could have been intercepted. The good news is this virus does not lay quietly, but bothers you to buy it. I believe it also detected by most anti-virus programs. I like Wil's suggestion about searching your hard drive for recently modified files, but I have my doubts about how much help that will actually be.

Related

Why does "last" fail on Alpine with "last couldn't open file '/dev/null/wtmp' "?
vi: what is verbose mode and when/how do I use it?
Difference between httpd_sys_content_t httpd_user_content_t
How to get Firefox to show XML document trees in a monospace font
Is there a way in Chrome to use SSL by default?
How can I sync Emacs with Google Calendar and Contacts?
Is it possible to find the CPU hogging tab in Firefox?
Redirect all traffic through my Raspberry PI [closed]
Changing Default Shell in Mac OS X
Issue installing VIB on ESXi 6.5U1
How to scan VPN with Nmap
Reversed Terminal / Command line window