Virus Hunting

Caporegime | Joined 25 Jul 2003 | Posts 40,467 | Location FR+UK
I have a remote PC that has a virus on it.

Now. I've done almost everything I can think of. Malwarebytes, Regcleaner, AntiVir, Symantec Endpoint 11 (our company model), and whilst these cleaned over 150 viruses from the computer, it's still infected.

It runs in the systray, as one of these dodgy "Buy me to clean your PC" types of malware. Even having run Process Explorer on this PC I still couldn't find anything untoward, and running Autoruns (Sysinternals) reveals nothing in particular.

I'm getting physical access to the PC on Monday, so am wondering if anyone can suggest anything before I just blow the hard drive away and re-image the PC. I'll run rootkit revealer on it and various other tools before I do so.

It's a seemingly very clever piece of malware, and I'd quite like to find a bit more about it before sorting the PC.
 
If it's the same type of "Click here to buy me and remove spyware" spyware that I have dealt with in the past then either ComboFix or SDFix will fix the problem :)
 
Get me RDP access to it and I'll sort it out if you want.
Afraid not, it's off network now and won't be going back on until it's got a new hard drive and been re-imaged. Anything to sort it out or hunt this virus now has to be done offline.

Tried SuperAntiSpyware yet?
No I haven't, will stick that on my usb key to try.

If it's the same type of "Click here to buy me and remove spyware" spyware that I have dealt with in the past then either ComboFix or SDFix will fix the problem :)
I shall also investigate these.

Ta :).
 
I'd also like to hear from the more expert or advanced people here on the idea of creating an automated 'suite' of anti virus/spy ware stuff.

I'd love to be able to boot into safe mode, stick in a usb key and then run off a batch of programs. That possible?
 
I'd recommend Spybot. I always do as I think it's really good and notice that you haven't said you have tried it.

Open it up and get it to do a scan the next time you boot up. It will be the first thing Windows does the next time you boot up the PC.

Do you know the name of the virus at all?
Can you download a specific program that will remove it?

Alternatively, open up the virus program and google the name of it. I'm sure that removal tools will be in the first few results.
 
Process Explorer is OK for showing exes,
but things like the Conficker virus attach themselves to other processes.

Run Process Explorer, go to View, Show Lower Pane (select either DLLs or Handles).

You can now see what DLLs a process is loading; somewhere within one of these DLLs or handles lives the little bugger.

You will need to work out which DLL it is, then kill the process tree for the exe that is loading it; after this you can then delete the offending DLL.

Reboot after doing this to see if it returns.

Best of luck
 
I'd also like to hear from the more expert or advanced people here on the idea of creating an automated 'suite' of anti virus/spy ware stuff.

I'd love to be able to boot into safe mode, stick in a usb key and then run off a batch of programs. That possible?

I haven't done this for a while, but you can use openSUSE. It's a bootable operating system; then run virus checkers and suchlike from it.
 
Process Explorer is OK for showing exes,
but things like the Conficker virus attach themselves to other processes.

Run Process Explorer, go to View, Show Lower Pane (select either DLLs or Handles).

You can now see what DLLs a process is loading; somewhere within one of these DLLs or handles lives the little bugger.

You will need to work out which DLL it is, then kill the process tree for the exe that is loading it; after this you can then delete the offending DLL.

Reboot after doing this to see if it returns.

Best of luck
Cool, cheers. Getting the PC in an hour so let's see what we see :).
 
I've had a few PCs to fix in the past where the only thing that fully worked was ComboFix.

Following that, I re-ran NOD32 / Spybot / Malwarebytes etc.
 
I'd also like to hear from the more expert or advanced people here on the idea of creating an automated 'suite' of anti virus/spy ware stuff.

I'd love to be able to boot into safe mode, stick in a usb key and then run off a batch of programs. That possible?

I have been thinking about it myself. But safe mode is not all that great these days for malware removal.

It is best to boot to the Recovery Console's command prompt. It is often possible to remove most rootkits from there simply by using basic cd, dir and delete commands.

If the infection is recent then it will generally show up at the top of a dir command sorted by timestamp descending, i.e.:

dir /p /ta /o-d

95% of malware puts its files in the Windows\System32 folder.
 
If the infection is recent then it will generally show up at the top of a dir command sorted by timestamp descending, i.e.:

dir /p /ta /o-d

95% of malware puts its files in the Windows\System32 folder.
Nifty trick, but then I'd need to know the name of the rootkit, wouldn't I?
 
They usually stand out like a sore thumb. Maybe it's just me though.

But even then unless you've installed some new drivers or something recently the System32 folder rarely gets new files put in it. So generally the "last month" worth of files added to the System32 folder tend to almost always include the malware.
 
It's not particularly harmful if it jumps to a stick that has about 10 files on it, all of which I know what they are, and their last modified date is not today.
 
It's not particularly harmful if it jumps to a stick that has about 10 files on it, all of which I know what they are, and their last modified date is not today.

I'd be paranoid and would look at MD5 hash values, instead of relying on timestamps. :p
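As an added example (not from the thread), a small Python script that does the two checks discussed above: a manifest-and-verify pass over the toolkit USB key, so a file that changed or appeared is flagged by its hash rather than by its last-modified date, and a newest-first listing in the spirit of `dir /o-d` for a folder such as System32. It uses SHA-256 rather than the MD5 mentioned in the post, since an integrity check should not rest on a hash with known collisions; the "USB key", its files and the altered/dropped files are all constructed in a temp directory with hypothetical names.

```python
import hashlib
import os
import tempfile

def digest_of(path):
    # Stream the file so a large installer on the key is not read into RAM at once
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Relative path -> digest for every file under root: the "known good" state of the key
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = digest_of(full)
    return manifest

def verify(root, manifest):
    # Re-hash now and diff against the manifest; anything in these lists is suspect
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in current if p in manifest and current[p] != manifest[p]),
    }

def newest_first(root, limit=10):
    # Same idea as `dir /o-d`: files in root sorted by modification time, newest at the top
    files = [n for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))]
    files.sort(key=lambda n: os.path.getmtime(os.path.join(root, n)), reverse=True)
    return files[:limit]

def demo():
    # Constructed sample: a "USB key" with two tools is baselined, then one tool is
    # altered and an autorun.inf appears with a future timestamp (hypothetical values)
    root = tempfile.mkdtemp()
    for name, data in (("combofix.exe", b"tool A"), ("mbam-setup.exe", b"tool B")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_manifest(root)
    with open(os.path.join(root, "combofix.exe"), "ab") as f:
        f.write(b" appended")
    with open(os.path.join(root, "autorun.inf"), "wb") as f:
        f.write(b"[autorun]")
    os.utime(os.path.join(root, "autorun.inf"), (2_000_000_000, 2_000_000_000))
    return verify(root, baseline), newest_first(root)
```

In practice you would build the manifest once on a clean machine, keep it off the key, and run `verify` before trusting the tools again after they have been plugged into an infected PC.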
 