
Super Moderator · 11,135 Posts · Discussion Starter #1
So a friend asked me to "fix" her computer. Turns out she had more trojans than an AVN Convention. I managed to remove these gems. Some of them had multiple entry points.

Trojan.Vundo.H
Adware.MywebSearch
Trojan.FakeAlert
Malware.Packer.Gen
Malware.Trace
Trojan.Downloader
Trojan.DNSChanger
Rogue.SecurityTool
Trojan.Agent
Trojan.Hiloti
Adware.Adrotator
Adware.EZLife
Adware.StreetAds
Trojan.Agent.Gen
Rootkit.Agent
Adware.BWO
Trojan.Spambot
Rootkit.Dropper
Trojan.Alureon

All that remains is Rootkit.Agent. It is found in a SYS file in the system32/drivers folder with what appears to be a random filename.

At one point the system was all clear (SAFE and regular boots). A reboot and rescan confirmed this. Today I decided to run another full scan and the bugger reappeared. I am using Malwarebytes.

Question. What live CD with malware scanner do you recommend?

PS: This is kinda freaking me out because this person should have known better. Also, judging from the list this was not a one time "oops, I should not have done that". I wonder how long her PC has been infected?
 

Super Moderator · 11,135 Posts · Discussion Starter #2
Even better than that I downloaded a USB version to boot up and scan from. It is the bee's knees.
 

Registered · 164 Posts
You mean you installed Malwarebytes on a USB drive and booted off of it? How did you do this? Thanks. (I'm trying to clean someone's computer too)
 

Super Moderator · 11,135 Posts · Discussion Starter #4
Sorry I used AVG on a USB stick.

http://www.avg.com/ca-en/avg-rescue-cd-download

Select the USB stick ZIP version, download and extract onto a blank FAT32 USB stick. Next run the BAT on the USB stick. Pop in your PC, change BIOS to boot off USB first and Bob's your uncle. Don't forget to connect the PC to the network so it can download updates.

If you grew up in the days of DOS you will enjoy the feeling of nostalgia you get from the GUI.

PS: It found win32 Patched.DX trojan. The bad news, it is buried deep in the driver for the RAID storage. :(
 

Registered · 698 Posts
Have you tried ComboFix? You have to turn off Avira and if you have other virus programs running such as Avast it will tell you to turn it off. If you don't it will try to run anyway without any guarantees. It is a safe, clean program and was recommended by gurus at VirtualDr. I have used it several times with only positive results. sailmaker
 

Super Moderator · 11,135 Posts · Discussion Starter #7
I did my scanning in safe mode so no real-time virus scanner was running. But here is the kicker. I have confirmed that in safe mode all is well. Only when I perform a regular boot does the virus appear. As I mentioned it is getting executed via the SYS file. Not sure why this particular driver is not used during safe mode.

I will give ComboFix a go. From the sounds of things I will need to delete the driver and restore the SYS file from a backup or archive. It is risky since it can render the volume inaccessible.
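The two symptoms described in this thread (a driver with a random-looking name in system32\drivers, and a machine that scans clean in Safe Mode but shows the infection on a regular boot) can be checked for from an elevated PowerShell prompt. Safe Mode only starts drivers whose service name, or whose device class GUID, is listed under the SafeBoot\Minimal registry key, so a driver that was registered as an ordinary service without such an entry never loads there. The script below is an added example, not code from this thread or from any of the tools it mentions; it lists every .sys file in the drivers folder, checks its Authenticode signature, and cross-references it against the registered driver services and the SafeBoot list. Registry paths, WMI class and cmdlets are the standard Windows ones; the column names and the "flag if not Valid" rule are my own choices.

```powershell
# Added example (not from the thread): audit kernel drivers on a Windows box.
# Assumes an elevated PowerShell prompt on the machine being examined.
# Note: on older PowerShell versions Get-AuthenticodeSignature does not consult
# catalog files, so many genuine Microsoft drivers report NotSigned; compare the
# output with a known-clean machine of the same Windows version before acting.

# Safe Mode (Minimal) loads only drivers named here (by service name or by
# device class GUID). We resolve service names only; GUID matches are not
# resolved, so LoadsInSafe is a lower bound.
$safeBootKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$safeBootNames = (Get-ChildItem $safeBootKey).PSChildName

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Map driver file name -> registered driver service (Win32_SystemDriver
# exposes Name, PathName, StartMode and Started for each kernel driver).
$byFileName = @{}
foreach ($svc in Get-CimInstance Win32_SystemDriver) {
    if ($svc.PathName) {
        $name = [IO.Path]::GetFileName($svc.PathName).ToLower()
        $byFileName[$name] = $svc
    }
}

$report = foreach ($file in Get-ChildItem $driverDir -Filter *.sys) {
    $sig = Get-AuthenticodeSignature $file.FullName
    $svc = $byFileName[$file.Name.ToLower()]
    [pscustomobject]@{
        File        = $file.Name
        Created     = $file.CreationTime
        # 'Valid' is what we want; 'HashMismatch' means the file on disk no
        # longer matches its signature (a patched legitimate driver looks
        # like this), 'NotSigned' means no embedded signature at all.
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Service     = if ($svc) { $svc.Name } else { '(no service)' }
        StartMode   = if ($svc) { $svc.StartMode } else { '' }
        Running     = if ($svc) { $svc.Started } else { $false }
        LoadsInSafe = if ($svc) { $safeBootNames -contains $svc.Name } else { $false }
    }
}

# Show anything without a valid signature, newest file first. A running
# driver with LoadsInSafe = False is consistent with "clean in Safe Mode,
# infected on a normal boot", but that alone is not a verdict: most
# third-party drivers are not in the SafeBoot list either.
$report |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Created -Descending |
    Format-Table File, Created, Signature, Service, StartMode, Running, LoadsInSafe -AutoSize
```

One caveat that the thread's own approach already accounts for: a kernel rootkit running on the live system can hide its file or its service from exactly this kind of enumeration, which is why scanning from a boot CD or USB stick, where the infected OS is not running, is the stronger check. Treat the script as a way to see what the live system admits to, and the offline scan as the source of truth.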
 

OTA Forum Moderator · 24,867 Posts
Jake said:
This is kinda freaking me out because this person should have known better. Also, judging from the list this was not a one time "oops, I should not have done that". I wonder how long her PC has been infected?
Seems to me this is a person who should have her Windows machine taken away from her since she's either recalcitrant or unclear on the virus/trojan-scanning concept. :eek:

Given this latest spate of Stuxnet attacks on Windows she needs a good talking-to.
 

Registered · 248 Posts
I agree with sailmaker, ComboFix is a great tool. Make sure you get it from BleepingComputers. Save it to your desktop and double-click it; it will tell you to shut down your AV but it will run anyway if you cannot figure out what AV processes to kill. Very successful at removing rootkits.

The tool will finish with a log txt file to show what it removed.
 

Registered · 59 Posts
Reading this thread has got me thinking. I've always used Norton products whenever I can for anti-virus and Spybot for mal/adware. Is this enough or could I still have risks? I currently have Norton 360 which appears to be quite the system monitor, but I didn't see anyone mention anything Norton above.

I'm aware that specific removal tools are always better than any generic anti-virus for removing threats, but is there something else I should have that any of you recommend or am I just being paranoid?
 

Super Moderator · 11,135 Posts · Discussion Starter #11 (Edited)
Stamp, The PC in question had McAfee (VirusScan + AntiSpyware 8.5) installed and updated yet it was filled to the brim with infections. Perhaps it was reliance on the security that got them into trouble.

I have put the PC aside while I consider the options. All the tools mentioned have identified something. I am hesitating on removing the infections until I have a complete backup done.

But the bootable USB stick has been invaluable. Not only is it fast but for netbooks it is essential. Also, I was able to download updates and place them on the USB stick. No need for internet access or constantly burning updated boot CDs.
 

Registered · 4,190 Posts
Also make sure to delete all System Restore profiles off the drive, as malware can hide in there and easily re-infect the machine. Easiest way is to disable System Restore then re-enable it.
 

Registered · 698 Posts
Big Ben: The reason you don't hear much about Norton anymore is that most dedicated internet users shy away from Norton these days. Not the program your daddy knew when Peter himself ran it. sailmaker
 

Registered · 83 Posts
Personally, if I come across an infected computer, I do a clean install. Once it's been infected, you really can't trust it anymore. All it takes is one piece of malware to evade scanning or to be hiding somewhere where it can be reactivated to keep the machine infected. Plus it's not worth spending hours trying to clean up a machine when the time can be better spent just doing a clean install.

Once I've cleaned the mess, I try to educate the user on not doing stupid things like opening attachments or using peer-to-peer programs like Limewire (almost every bad system I come across has Limewire installed). Antivirus should be the second line of defense - the user should be the first line.

I use Microsoft Security Essentials, which doesn't use too many system resources and does a good job of catching stuff.
 

Registered · 248 Posts
I learned 8 yrs ago that MP3s can be infected with malware, and I stopped using peer-to-peer that very day. Anti-virus programs are designed to stop them before they get on your system; once they are on your computer, good luck removing them. The best defence is user education, as mastercontrol said. I firmly believe in Windows Security Essentials as it spots malicious web sites. I read the other day that the bad guys are creating 57,000 websites a week, pushed to you from email or social networking, and you do not need to click on anything; just going to the site can download crap to your computer. The recorded history of malware was at 1.9 million in 2009; in the last year alone, another 1.9 million have been recorded.

The bad guys are winning... gotta love ransomware and rogueware... lol
 

Registered · 2,818 Posts
Sorry I used AVG on a USB stick.

http://www.avg.com/ca-en/avg-rescue-cd-download

Select the USB stick ZIP version, download and extract onto a blank FAT32 USB stick. Next run the BAT on the USB stick. Pop in your PC, change BIOS to boot off USB first and Bob's your uncle. Don't forget to connect the PC to the network so it can download updates.
Didn't know AVG offered a product like that, good to know.

In the past I've used Linux live CDs to scan friends' infected computers, which has worked well. This sounds like it does something similar. +1 to AVG

I've never had an infected machine, so there is much to say about 'safe surfing' and knowing what you're doing, downloading, and using reputable sites.
 

Registered · 384 Posts
You never know these days; even a USB thumb drive might get infected while you try cleaning some "friend's" mess. I'd rather use a Linux live CD to scan and back up whatever files need to be saved on an external drive. I format the drive twice and re-install his or her crappy OS. Then I sit them down and we have a talk about how to keep a clean Windows PC! It's not that hard: you surf behind a router using Firefox with Adblock+ and you've just avoided at least 70% of all the crap that's out there; you remove Adobe Acrobat Reader and use some other PDF reader and you're at 85% secure. Change your DNS to OpenDNS or Google DNS and your score just went up another 10 points. The rest is just common sense: don't use Limewire and stop downloading every piece of crap you come across on the net!
By the way change the default password for your Router!
Feeling secure yet? Or are you ready to give Linux a try!
 

Super Moderator · 11,135 Posts · Discussion Starter #18
a USB thumb drive might get infected while you try cleaning some "friend's" mess
I would not worry about that. The USB stick OS is Linux just the same as the CD you refer to. Plus if you are going to get infected it can just as easily infect the memory of a live CD booted PC as a USB stick booted PC.

The AVG OS (let's call it that) also can auto-mount USB mass storage and has access to the Linux cp and dd commands, so it makes for a sweet rescue disk as well (assuming your drive is clean). Given that virus updates occur daily, keeping the USB key up to date is easy and there's no need to burn-baby-burn. :)
 

Registered · 384 Posts
I would not worry about that. The USB stick OS is Linux just the same as the CD you refer to. Plus if you are going to get infected it can just as easily infect the memory of a live CD booted PC as a USB stick booted PC.

The AVG OS (let's call it that) also can auto-mount USB mass storage and has access to the Linux cp and dd commands, so it makes for a sweet rescue disk as well (assuming your drive is clean). Given that virus updates occur daily, keeping the USB key up to date is easy and there's no need to burn-baby-burn. :)
Nice! I've got to look into that. I don't do many interventions anymore; most of my folks have learned how to keep their rig clean.
 