Why does my Anaconda Download look like This?

  • Thread starter WWGD
In summary: Click on the process in the top pane and then hit the info button. This will open the process properties dialog. In the process properties dialog, you will need to find the file location. In the file location field, you will need to type in the full path to the file. In the file name field, you will need to type in the correct file name. In the file size field, you will need to type in the size of the file. In the file date/time field, you will need to type in the date and time the file was created. In the file mode field, you will need to type in the correct file mode.
  • #1
WWGD
Hi all,
My downloaded copy of Anaconda Navigator (a compilation of free utilities including Python) came out looking strange -- please see attached. Any idea of what could be going on? Hopefully not a virus.
 

Attachments

  • AnacondaNavigator.docx
    239.9 KB · Views: 387
  • #3
jedishrfu said:
This page says if you encounter any problems with anaconda install on windows then disable the virus scanner (scary to me) and try again:

https://docs.continuum.io/anaconda/install#anaconda-for-windows-install

It may be that the virus scanner flagged some key file and wouldn't let it get installed.
Thanks, it says to do so only temporarily, but still a good point. Of course, remember to reinstall ASAP.
 
  • #4
Just curious, anyone know what to look for in Sys Internals re some suspicious processes/threads?
 
  • #5
This article is for Windows 7 but still may be useful:

http://www.techradar.com/news/software/how-to-spot-suspicious-processes-in-windows-7-957026

and this one:

http://www.makeuseof.com/tag/handle-suspicious-windows-task-manager-processes/

In general, I looked up the process names via google to see what they did. Some malware may use three or more processes so that deleting any one will cause the other two to recreate it.

I used to use hijackthis to detect if any OS handles were being intercepted although I think that's now out of date.

https://sourceforge.net/projects/hjt/

If you can't figure out if a process is legit then post it here and maybe someone can help.
 
  • Like
Likes OCR and WWGD
  • #6
Thanks a lot, Jedi. I will post here if I can find something, for general info/know how.
 
  • Like
Likes OCR
  • #7
WWGD said:
it says to do so only temporarily
Just what a virus needs.
 
  • Like
Likes jedishrfu
  • #8
Borg said:
Just what a virus needs.

The old jedi mind trick trick.
 
  • Like
Likes Borg
  • #9
jedishrfu said:
The old jedi mind trick trick.
lol. These aren't the safe applications you're looking for. :oldtongue:
 
  • Like
Likes jedishrfu
  • #10
Borg said:
lol. These aren't the safe applications you're looking for. :oldtongue:

Move along, move along.
 
  • Like
Likes Borg
  • #11
Borg said:
Just what a virus needs.
But if the source is trustworthy?
 
  • #12
WWGD said:
But if the source is trustworthy?
Even a trustworthy source could have a virus. Software should never be telling you to disable your virus scanner. If so, it's either a virus or they don't know what they're doing. I wouldn't trust either scenario.
 
  • Like
Likes WWGD
  • #13
Do you know a way of using SysInternals/Process Explorer to detect a virus? I have been trying for a while, following online instructions without success.
 
  • #14
Viruses don't always live in identifiable processes; sometimes they co-opt a legitimate process and run under its umbrella.
 
  • Like
Likes WWGD
  • #15
WWGD said:
Do you know a way of using SysInternals/Process Explorer to detect a virus? I have been trying for a while, following online instructions without success.
There's no simple way of detecting all viruses like that. Each virus has its own way of infiltrating a system.
jedishrfu's hijackthis link is your best bet and even that is only a starting point.
jedishrfu said:
Viruses don't always live in identifiable processes; sometimes they co-opt a legitimate process and run under its umbrella.
:thumbup:
 
  • Like
Likes jedishrfu
  • #16
Well, of course, you do the best you can and you catch whichever viruses you are able to catch.
 
  • #18
I am not referring to eliminating virus EDIT protection temporarily, I am referring to using Sysinternals, though.
 
  • #19
When I am investigating systems for infections, I use Process Explorer (Sysinternals), Autoruns (Sysinternals) and hijackthis.
Here are the basic steps I follow. I'll start from the very beginning, so I apologise if some of this stuff seems obvious.
1) Reboot to safe mode with networking
2) Log into an admin account
3) Run autoruns as admin
The purpose of autoruns is to examine what software is scheduled to run on your system at boot/login
4) Run process explorer as admin
The purpose of process explorer is to examine what software is currently running in active memory

5) In Autoruns
Click options>Scan Options
Check all the boxes and then agree to virustotal user agreement
Then Click options>check all 4 hide items
Then Click the refresh button (2nd from the left next to the save icon)

6) While autoruns is gathering data, run process explorer as admin
When it's open, click CTRL+D to show DLLs attached to processes running on your system. The DLLs will show up on the bottom pane. Please sort them by Company Name.
Then Click on the Process menu item, and then select Check Virustotal.com

Now comes the painful part.
You will need to click on each process on the top pane and verify that its location is valid. You will search for the file in google, learn about what it does, where it resides, who made and signed the file, etc.
Eg: svchost.exe must be located at c:\windows\system32\svchost.exe and must be signed by Microsoft Corporation <-- This is safe (assuming virustotal also says it's safe)
If instead you see scvhost.exe located at c:\windows\system32\scvhost.exe and not signed <-- This is malicious. The file name is incorrect, the c and v letters are flipped and there's no signature from Microsoft saying this is their file.
If the file is located in c:\windows\system, it is malicious, etc.
If the file passes the initial check, then you need to look at the list of ALL DLLs attached to the process in the bottom pane. This is why we sorted by company name. All the digitally signed files (files you can trust) will be lumped together. Microsoft Corporation is okay. Everything else must be checked and verified as not malicious. This means you will have to google the filename and learn about it to find out if this is a legitimate file and can be trusted or not.
Over time, you will learn patterns and will be able to figure out what's safe and what's not just by looking at the file name and location. But when you start, you will have to do this hard dirty work. No pain, no gain.

If you find something you think is malicious, right click on the parent process and then select suspend. This will stop the process from running and give you an opportunity to clean/remove it.
If you accidentally suspend a system process, you will crash windows. There are certain processes you cannot suspend. System, wininit, etc are things that your computer cannot run without. There are others that I don't remember and I don't have access to process explorer right now to give you a list (I'm running Debian)

Once suspended, you will have to navigate to the file in question and then change the permissions on the file from allow to deny all. This will prevent the file from running on your system after a reboot.
The really good malware programs have several threads running that monitor each other, so if you kill one thread, the others simply restart it. This is why we suspend and change to deny permissions on all the files one at a time. Then do a hard reset and then on next boot, they cannot run and your computer is clean.

If you mess up and set deny permissions on a valid system file, you will kill windows. Unless you keep a record of your changes so you can undo them, you will end up having to wipe your computer to fix the problem. So please be careful.

When you have gone through the entire list and suspended everything that you think is malicious, go ahead and kill the threads one by one until none of the suspected malicious software is running.

7) Once you are done with Process explorer, you will switch to autoruns. You will need to go through each tab at the top, Logon, IE, Explorer, Services, etc and check the entries that were not hidden (files listed are not windows, and virustotal thinks they are suspicious)
Then just like in process explorer, you will unleash the power of google on those files to figure out what they are and what they do. If the files are safe (virustotal spits out false positives) then ignore them. If they are malicious, uncheck the entry to disable the autorun on the file and then navigate to the location of the file and change the permissions on the file to deny.
Once you are done with the entire list, close process explorer and autoruns and then click and hold the power button till the computer shuts off.

Some malware spawns with random names and locations as part of the windows shutdown process. A hard shutdown prevents this.

8) Reboot back into safe mode with networking. Then run hijackthis as administrator and redo the same thing: check each entry, verify it's okay, and if it's not, uncheck it. Then reboot again.

9) Finally, boot back into normal mode and if you haven't completely destroyed windows by now, you can be reasonably assured that the system is clean. The only exception is root kits as they filter information about themselves before it reaches the Windows API, meaning you will not see them in process explorer, autoruns, hijackthis. The only way to get rid of them and be sure about it, is to wipe the system.
 
  • Like
Likes jedishrfu, OCR and WWGD
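An added example (not part of Routaran's post or of any Sysinternals tool): the name, location and signer check from step 6, applied to rows exported from Process Explorer. The `EXPECTED` baseline, the one-edit look-alike threshold and the sample rows are assumptions constructed for illustration.

```python
import ntpath

# Assumed baseline: well-known Windows binaries and the one directory each
# should run from. The signer string is the one the post above uses.
EXPECTED = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
TRUSTED_SIGNER = "microsoft corporation"


def osa_distance(a, b):
    """Edit distance counting an adjacent swap (scvhost/svchost) as one edit."""
    # Border cells hold the distance to the empty string; the rest are filled below.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def triage(image_path, signer):
    """Return the reasons a process image deserves a closer look (empty = none)."""
    folder, name = ntpath.split(image_path.lower())
    reasons = []
    if name in EXPECTED:
        if folder != EXPECTED[name]:
            reasons.append(f"{name} running from {folder}, expected {EXPECTED[name]}")
        if (signer or "").lower() != TRUSTED_SIGNER:
            reasons.append(f"{name} not signed by Microsoft Corporation")
    else:
        for known in EXPECTED:
            if osa_distance(name, known) == 1:
                reasons.append(f"{name} is one edit away from {known}")
        if not signer:
            reasons.append(f"{name} is unsigned")
    return reasons


# Constructed sample rows (image path, verified signer), not real capture data.
SAMPLE = [
    (r"C:\Windows\System32\svchost.exe", "Microsoft Corporation"),
    (r"C:\Windows\System32\scvhost.exe", None),
    (r"C:\Windows\System\svchost.exe", "Microsoft Corporation"),
]
FINDINGS = {path: triage(path, signer) for path, signer in SAMPLE}
```

An empty result only means these three checks passed; as post #14 notes, malicious code can run inside a legitimate, correctly signed process.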
  • #20
Excellent, thanks, one can always ignore extra material but harder to make up what is missing, so prefer your approach. Thanks!
 
  • #21
The process is even more effective if you don't boot the infected system and instead boot from a Linux LiveCD or the windows installation disk. That will ensure that none of the malicious software is running, so root kits cannot hide anymore.

That's my current approach. I boot a Debian Linux USB, mount the windows registry somewhere on the filesystem and start browsing through all the autostart locations to see if there's anything funny looking scheduled to run on boot.
After I'm done, the only things that start are valid windows files and the A/V. Then save the changes and reboot normally. I backup the registry hives before making changes just in case I screw up, so the method is almost fool proof.
You can also throw in a sfc /scannow using windows installation media's recovery console to verify the integrity of system files.
 
  • Like
Likes jedishrfu and OCR
  • #22
Routaran said:
If you mess up and set deny permissions on a valid system file, you will kill windows. Unless you keep a record of your changes so you can undo them, you will end up having to wipe your computer to fix the problem.
If you set a system restore point right before doing all of this, and you did happen to mess up... could that undo the changes you made?

I know you'd still have the malicious software, but would a system restore operation even run, or work... at all?

:run: ... "... and if you haven't completely destroyed windows by now ..." ... lol
 
  • Like
Likes jedishrfu
  • #23
OCR said:
If you set a system restore point right before doing all of this, and you did happen to mess up... could that undo the changes you made?

I know you'd still have the malicious software, but would a system restore operation even run, or work... at all?

:run: ... "... and if you haven't completely destroyed windows by now ..." ... lol
No, system restore backs up portions of your windows registry. It does not affect your file system.

When you modify access permissions on a file, those are file system changes and aren't covered by a system restore. This is the reason why this approach can be very dangerous if you're not careful. You make a change to a system critical file and didn't write it down, then you're hooped.

You can still look at the bug check codes (BSOD error code) go through some of the dumps and identify where you messed up but it's just a giant pain. You've killed Windows at that point, and good riddance I say! Wiping the system and installing Linux is faster lol

If all you did was suspend/kill processes and then uncheck them from autoruns/hijackthis, then a system restore will work. But the problem is that it's very easy to miss something. Malware will often add autorun entries in multiple places. You can catch one autorun entry but miss another, it will just run again and you have to restart the entire process. As a beginner, the safe advice is to not change permissions but then you could be at it for hours and hours because some stupid malware keeps respawning, at which point you realize that wiping the computer to begin with would have saved you 4 hours.

That's why I change the access permissions on the files themselves. Either I completely clean the system in 2-3 reboots or I ruin Windows in 1 reboot and I have to wipe and reinstall windows. I haven't done the latter in several years.
Either way, I will have a fully working system in an hour or two. User is happy.
 
  • Like
Likes OCR, jedishrfu and WWGD
  • #24
Thanks Routaran... :thumbup:
 
  • Like
Likes WWGD

FAQ: Why does my Anaconda Download look like This?

1. Why is my Anaconda download taking so long?

There could be several reasons for a slow download, such as a poor internet connection, server issues, or a large file size. It is best to check your internet speed and make sure there are no interruptions in your connection. If the problem persists, you can try downloading from a different server or at a different time.

2. What do I do if my Anaconda download stops or fails?

If your download stops or fails, you can try restarting the download or using a download manager to resume the download. You can also check your internet connection and try downloading from a different server.

3. Why does my Anaconda download look different than the images on the website?

The appearance of the Anaconda download may vary depending on your operating system and browser. As long as you downloaded the correct file for your system, the appearance should not affect its functionality.

4. How do I know if my Anaconda download is safe?

Anaconda is a reputable and widely used platform for data science and machine learning, so you can be confident that the download is safe. However, it is always a good practice to download from the official website and check the file's integrity using a checksum or virus scan.

5. Can I customize my Anaconda download?

Yes, Anaconda offers options for customizing your installation, such as choosing specific packages or adding additional environments. You can also update or modify your installation at any time using the Anaconda Navigator or command line.
