What can I do about a virus that's affecting my relatives even though they're in different places?

6

2

In the last week, I have had two family members contact me about possible viruses on their machines. The cases involve different machines in different geographic locations. The only similarities are that they are both on BT and both use McAfee Internet Security packages.

What happens:

The users describe to me what sounds like a standard popup from a website — you know, the "X viruses found on your machine its in risk click here to remove etc etc" sort — however, it seems to sit behind the desktop icons on both machines and persists after a reboot of the computer. As soon as the user logs into the machine, it's there, before the user has even opened a browser window. Also in both cases it seems to stop the user from opening McAfee, saying it's corrupt.

I instructed the user to reboot into safe mode and try to run a full scan, which both users did. Both scans came back clean. However, upon booting back into Windows normally — even with the WiFi switched off — it's there again.

Now for the really weird part.

The first user was my mother. I went around two days later to take a look, and it was gone. There was no sign of it, McAfee opened fine, there were no incident reports, there was nothing unusual showing in msconfig startup... nothing at all. She asked me to format the disk and reinstall Windows anyway, which I did, and it's never returned.

Then, today, a third person phoned me with exactly the same problem. Same ISP, same antivirus.

I am kind of stumped. What should I do from here?

Vade

Posted 2011-03-11T21:33:33.850

Reputation: 163

Incidentally, thanks for the good writeup. And welcome to SuperUser. – None – 2011-03-11T21:37:18.937

Hi, and thanks to the admin who edited. The title makes me sound like a nab and not someone with a first class honours degree in computing ^^ (the "different places" part) :p – Vade – 2011-03-12T01:05:20.360

Answers

2

When I run into viruses on systems I didn't set up, this is what I do (in order):

  1. Boot to safe mode, log in as the user, run msconfig, and look for any entries starting up from the user's home directory. Those are probably a virus and can be removed.
  2. Boot to safe mode, run MalwareBytes and scan for the malware.
  3. Grab the AVG rescue disc, boot from it, run a scan and replace/rename any files found to be infected. This is obviously the most difficult to deal with remotely.

When I set up a computer, the user gets two accounts, Manager and User. I explain to them that they should use the "User" account and only use Manager to install software. In that case, if they get a virus, I have them log out, log in as Manager, then run MalwareBytes, which finds and removes the virus in 98% of the cases I've seen.

Richard June

Posted 2011-03-11T21:33:33.850

Reputation: 787
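The first step in the answer above, checking msconfig for auto-start entries that launch from the user's profile, can be scripted so a remote relative can paste the output back to you. The following is an added example written for this page, not code from the answer's author: it reads the standard Run/RunOnce registry keys and the two Startup folders, pulls the program path out of each command line, and flags entries that start from a user profile, AppData or a temp directory, which is where a rogue "antivirus" popup that installs without admin rights usually lives. It assumes a Windows machine with PowerShell, run from an elevated prompt (Safe Mode works too); the registry key names are the standard ones and nothing here removes anything.

```powershell
# Added example (not from the original answer): list Windows auto-start entries
# and flag those whose program lives inside a user profile or temp directory.
# Assumes an elevated PowerShell prompt on the affected machine. Read-only.

function Get-AutostartEntries {
    $entries = @()

    # Standard per-user and machine-wide auto-start keys
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own bookkeeping properties (PSPath, PSParentPath, ...)
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
            }
        }
    }

    # Per-user and all-users Startup folders
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries += [pscustomobject]@{
                Source  = $dir
                Name    = $_.Name
                Command = $_.FullName
            }
        }
    }
    return $entries
}

function Get-ExecutablePath {
    param([string]$Command)
    # Extract the program path from a command line: a quoted path, or the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Test-SuspiciousLocation {
    param([string]$Path)
    # Locations an admin-installed program rarely starts from, but user-level
    # malware almost always does (it cannot write to Program Files).
    $patterns = @('*\Users\*', '*\Documents and Settings\*', '*\AppData\*', '*\Temp\*', '*\Tmp\*')
    foreach ($pat in $patterns) {
        if ($Path -like $pat) { return $true }
    }
    return $false
}

$report = Get-AutostartEntries | ForEach-Object {
    $exe = Get-ExecutablePath $_.Command
    $exists = $false
    if (-not [string]::IsNullOrWhiteSpace($exe)) { $exists = Test-Path -LiteralPath $exe }
    [pscustomobject]@{
        Suspicious = Test-SuspiciousLocation $exe
        Exists     = $exists
        Name       = $_.Name
        Program    = $exe
        Source     = $_.Source
    }
}

# Suspicious entries first. An entry whose file no longer exists is a harmless
# leftover, which matches the "it just vanished" behaviour described in the question.
$report | Sort-Object -Property @{ Expression = { $_.Suspicious }; Descending = $true } | Format-Table -AutoSize
```

Anything listed as Suspicious with Exists = True is what to look at in msconfig before running the MalwareBytes scan; a Suspicious entry with Exists = False is just a dangling reference and can be removed without further action.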

1

It is a Trojan horse, and depending on the antivirus vendor, the AV could work sometimes, which in this case it did.

The infection vector is probably a drive-by download from a dodgy website advert.

Malwarebytes and SuperAntiSpyware to the rescue. The latter has a portable download so you don't even need to install it to run it.

Use both. Then reboot and check if McAfee is working again.

user3463

Posted 2011-03-11T21:33:33.850

Reputation: