Possible Duplicate:
Computer is infected by a virus or a malware, what do I do now?
I have been noticing a big increase in my clients complaining that the problem wasn't fixed, and that their computer is as bad, if not worse, than it was before I fixed it. I have been in the virus removal area for years, and I have never seen anything like this before. Before I left these computers, I made sure that they were fine before leaving, only to hear a few days later their sad response.
I came across a nasty virus yesterday that even got past aswMBR.
I checked for bootkits with boot remover, and it detected the win32 boot code.
I ran ListParts, and all the partitions checked out.
I was scanning with aswMBR, when it tried to access an exe file in ProgramData\Netflix among other locations, which it actually sat at each one for about a minute, then CMD popped up for half a second, and aswMBR continued with no warnings or errors.
I knew this wasn't good.
I looked at CCleaner's uninstall utility, and found 2 suspicious entries: AT&T Internet Mail (my customer uses outlook, and the entry had been installed that day, with no company registered.), and some "Samsung [model]" Component (it was an Acer Laptop, and the entry, again, was installed that day but it had no company.)
I tried uninstalling the AT&T entry, nothing... didn't show anything, and it was still in the list.
I tried uninstalling the Samsung entry. It instantly removed itself, running cmd.exe with something I couldn't see in time, and the computer started being slow again.
This was the first time I've seen something that Combofix, aswMBR, and Malwarebytes could not remove. Malwarebytes, actually, never even detected a thing, even after running mbam-clean.exe and reinstalling. Also, this virus seems to be loading in safe mode, and Hitman Pro has been deactivated due to 30 days trial over.
I'm out of options... but to reformat, which I'd prefer not to do for this client. This is the first time I've asked for security help in my 10 years of work. Any ideas?
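The two suspicious uninstall entries described above (installed that day, no company listed, one of which ran cmd.exe when "uninstalled") can be hunted for directly in the registry keys that CCleaner's uninstall tool reads. The following is an added example, not code from the question or the commenters; it assumes PowerShell 3 or later on the affected machine and that an entry's InstallDate, when present, is in the usual yyyyMMdd form.

```powershell
# Added triage script: inventory the Windows Uninstall registry keys and flag entries
# that match the symptoms in the question: no Publisher, installed on the given day,
# or an UninstallString that hands control to cmd.exe. Nothing is uninstalled or run.
$InstallDate = Get-Date -Format 'yyyyMMdd'   # assumption: look for entries added today

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $reasons = @()
        if (-not $_.Publisher)                            { $reasons += 'no publisher' }
        # InstallDate is not populated by every installer, so an empty value is not flagged.
        if ($_.InstallDate -eq $InstallDate)              { $reasons += "installed $InstallDate" }
        if ($_.UninstallString -match '(?i)\bcmd(\.exe)?\b') { $reasons += 'uninstall runs cmd.exe' }
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Publisher       = $_.Publisher
            InstallDate     = $_.InstallDate
            UninstallString = $_.UninstallString
            KeyPath         = $_.PSPath -replace '^.*::', ''   # strip the provider prefix
            Suspicious      = ($reasons -join '; ')
        }
    }

# Show the flagged entries first; read each UninstallString before deciding what to do with it.
$entries | Where-Object { $_.Suspicious } |
    Sort-Object InstallDate -Descending |
    Format-List DisplayName, Publisher, InstallDate, UninstallString, KeyPath, Suspicious

# Keep a full inventory so a return visit can show what reappeared after the "clean" state.
$entries | Export-Csv -Path "$env:USERPROFILE\Desktop\uninstall-inventory.csv" -NoTypeInformation
```

Run it from an elevated prompt so the HKLM keys are readable in full; the exported CSV is the baseline to diff against if the client calls back.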
If you've tried the usual suspects in terms of troubleshooting tools and they either found nothing or could do nothing, it may be that you are either fighting a new worm/trojan which they do not know about or you are fighting ghosts. Either way your choices are the same: leave it and hope that they can detect/fix it soon (or that it doesn't need fixing), risking the users' data and security, or nuke it to the bedrock and reinstall. – Mokubai – 2012-07-21T17:31:57.907
Yes, I heard that quite often. Often in the form of 'it is even slower than before'. I have since learned to make full disk backups and time a few things (e.g. boot time from off to displaying the desktop). Almost always I can show that it is actually faster. Having said that, there is a large psychological aspect of what the client expects, in addition to people who accidentally reinstall a dozen 'helpful toolbars' within hours after getting a clean desktop back. – Hennes – 2012-07-21T17:42:56.353
I was thinking the same thing, Mokubai, actually. I hope it gets taken care of soon, because we're having a lot of clients with similar issues. And @Hennes, I agree, but generally it doesn't get this bad within 24 hours, especially if it's a client which only uses the computer for business. – Nathan Drake – 2012-07-24T19:32:07.087