[Rideauman]

My computer has a virus - a bad one. Trojan.pws.panda.123 has embedded itself in the memory of my computer. I've scanned the computer with a number of different anti-virus/malware removal programs (Microsoft Security Essentials, Avast, Spybot, etc.). The only program that seems to see it is DrWeb Cureit. Cureit removes it, but it seems to drop itself back in instantly. I don't have to reboot in order for it to reappear. It attaches itself to the *.dll files of my printer (Lexmark) driver. Therefore, I can't print.

I've reinstalled the printer drivers - no help. I've googled the virus. There are some vague instructions on how to remove from the registry. I've searched the registry and find nothing out of sorts.

I've used Hijackthis - processes running seem to be legit.

Ideas?

 

[stampeder]

Do you have everything backed up? A reinstall down to formatting level might be in order.

 

[hugh]

What anti-virus are you using?

I ask for two reasons: I'd like to know what anti-virus not to use and if you paid for it, then I would recommend contacting their support group and they might be able to give you some direction.

 

[jayoldschool]

Can you pick a restore point?

 

[Rideauman]

Yes, I have everything backed up. Was hoping that I wouldn't have to start over as this would be computer #2 that would need full formatting (see my thread on trying to save data on second drive).

Not sure how far back I would need to go to retrieve a restore point. As my anti-virus program did not pick this trojan up (Microsoft Security Essentials), I'm not sure how long I've had it.

I will keep looking to see if I can get rid of it without starting over.

 

[Rideauman]

I spent some time deleting my Lexmark drivers from the computer and then cleaning all printer references out of the registry. After doing yet another scan, the trojan seemed to be eliminated.

So I downloaded a new driver installation from the manufacturer and reinstalled the printer. The trojan instantly reappears. Weird!

If I keep the printer uninstalled, perhaps installing a different printer (swap with my kids computer) - HP model - the trojan does not show in a scan. However, it must still be buried somewhere within the computer memory. If it doesn't show up in a scan and the computer seems to operate ok, would you trust the system?

I thought that since Dr Web Cureit was the only software picking up this trojan that maybe it was a false positive reading. I am having printing issues (prints, but then hangs at 99% print completion so that you have to reboot to use the printer again), so something is there.

Very frustrating.

 

[Jake]

The problem is you are booting from the same OS that is infected. It is like operating with dirty hands. You are just going to re-infect the PC. What you need to do is boot from a different OS. Lucky for you there is a small utility by AVG you can download and place on a USB stick. It boots up and scans the PC. See post 4 here.

http://www.digitalhome.ca/forum/showthread.php?t=129685

If it only finds a printer DLL infected consider yourself lucky. I had more serious drivers effected.

 

[Spike4881]

Yeah, back in the day we used to boot with a diskette with f prot. It worked wonders.

 

[Rideauman]

Well, this is a bigger nightmare than I thought. When I tried to go to the AVG site to download the anti-virus boot utility, I found that my openDNS account was blocking the antivirus site. Upon further investigation, I found that it was blocking ALL anti-virus sites - my openDNS account shows none of this. Therefore, I have to assume my computer has been fully hijacked.

It is off and I plan to fully format. I will be changing all my passwords to be safe.

What ticks me off the most is that I thought that my computer(s) were fully protected. I have anti-virus (MSE - now Avast), firewall (Comodo), router (WPA2), openDNS. I scanned regularly with Spybot and Adware to pull off the small crap that would come in with browser cookies. What else could I have done???

 

[stampeder]

Which version of Windows are you running?

 

[Rideauman]

Windows 7 x64

 

[Rideauman]

As I write this, I have re-formatted my HD, reinstalled Windows 7 x64, added Avast AV, Comodo firewall, and my Lexmark X8350 printer. That's it so far. As a test, I downloaded Dr Web Cureit, just to run a scan as a test. Low and behold, the trojan shows up in the test. What gives???

Could it be possible that Cureit detects a false positive OR is the installer of the trojan? What are other people's experience with this AV scanner? The printer driver I load is downloaded from Lexmark, not from a CD.

I don't know what to do now.

 

[Rideauman]

Me again. I uninstalled the Lexmark printer and installed a HP all-in-one. No trojan showing. Maybe Cureit developers work for HP!

Still... I don't get why I was having printing issues (never had issues in the past) and redirections on my openDNS account.

 

[Jake]

Sounds a lot like a false positive to me. Also, if the scan identified the same file as last time then for sure it must be false.

 

[Rideauman]

Because the file where the trojan was identified is now gone (on a Lexmark *.dll file - part of the driver installation), hard to determine if it was false or not.