What is the worst malware infection you had to clean?

I went over to my dad's office to clean one of the computers of someone who quit today, I went on and saw that his computer was heavily infected. His background was hijacked and so was his browser. He had fake warning messages popping up and had a 2 rouge antispyware programs on there. I quickly opened up IE and went to download firefox so I could browse with that and not get hijacked. I downloaded Superantispyware free and updated and ran a scan. It found over 500 spyware programs and 15 trojans and verious other adware programs such as 180 websolutions. I left the computer scanning with A Squared free and I'm going back next week to scan with AVG anti spyware and Spyware Terminator.

 

ive dealt with more than a few pc's so bad, reformatting was the only option. sometimes reformatting was not an option for the owner, so booting into erd, clearing startup programs, scanning in safe mode with av/spyware apps, etc would do the trick. but yea, its incredible seeing some machines so bad they barely function, and even more incredible the user was never aware malware was even present thinking the computer was just "slow"

 

I live across the alley from a retired gentleman who made the mistake of letting his grandson use his computer while the grandson stayed with him for a week. The kid spent most of his time in chatrooms, clicking on whatever he came to, and downloaded a bunch of games, etc, so you can guess what happened. The poor guy asked me to come look at his computer. It took 3 afternoons of work to get it cleaned up. To begin with, I clicked on the Start menu (XP) and nothing happened for about 2 minutes. Finally, the menu finally came up. At that point I knew we were in for a battle. We would have reformatted if he would have had some kind of restoration CD. I put some anti-crapware tools on CD and went to work. First thing I did was run HiJackThis just out of curiosity. Let's just say the log was a little large, say an encyclopedia's worth (OK, a bit of exaggeration...) I then began the cleaning process with Ad-Aware, which by itself found 842 critical pieces of malware. I then loaded NOD32 and started to run it, but all of a sudden it disappeared from the desktop. I then booted into safe mode and tried again. NOD found 40 viruses plus a ton of other crap. I installed Microsoft AntiSpyware (back when it was still basically the decent Giant AS scanner) and the trojans went nuts!!! I don't remember how much stuff it removed, but that's the only time I've seen an AS resident app catch something, and it was zapping crapware right and left. I then ran Ewido and even more malware went crazy. In the end, I had to use Killbox and some other tools to remove stuff at reboot. It was a nightmare on wheels. I also spent a lot of time online downloading specific removers from Synmantec, Eset, etc to remove specific viruses and other stuff. Was very satisfying afterward to see my neighbor click on his start menu and actually have the menu come up immediately. Also, he had not been able to access his email for a couple of months to get at some pictures a relative had sent him from overseas. I've seen some pretty bad infections, but this computer was one step away from not being able to be used at all.

 

I'm not sure how to answer this. What are the criteria for defining "worst"?
Difficulty in detecting malware?
Difficulty with removing malware?
Quantity of malware removed?
Disk space consumed by malware?
Resulting degradation of computer performance due to malware?

The worst I've cleaned was several years ago, a WinME unit that had no usable AV once the originally installed one expired. The infection was a result of the users kids using Kazaa for an extended period, plus using the PC for hunting down porn. I don't remember all the names involved, way too many. It included CWS, several viruses and trojans, a couple diallers, and interlocked malware that defended each others process. The PC had 60 running processes, over half adware or malware. Constant BSODs. A simple webpage took almost 2 minutes to open, then several more minutes trying to close popups.

AAW and SpyBot were reasonably effective removers back then, but neither were able to complete a scan. The only AV I could make function was F-Prot for DOS, which fit on 3 floppies back then and could be used in pure DOS mode. The cleaning took all day. Every time I killed or removed a specific piece of malware, one of the others replaced it. The cleaning process consisted of switching between safe mode and pure DOS mode via a 98 boot disk, deleting files and registry entries until it would allow more tools to be used. Used KazaaBegone, Hijack This, and several sysinternals tools.

I ended up removing nearly 5 GB of garbage, much of it full page ads. There were half the running processes. Internet speed went from 2 minutes to open a web page down to 2 to 3 seconds, popups gone. Less than a month later, her kids reinstalled Kazaa again when she wasn't looking.
Rick

 

Tracking cookies a few years ago, until I have found out, that IE can block all cookies.
Though, I used to have mallware in the past, but I did not know about it, so I did not clean it.
As for the other PCs, I help to clean them via forums, they are infected with all known nasties.

 

my old pc had 200 spyware infections and around 30 trojans.
it was my old windows me pc before i reformated it.
so your worst is worse than mine yay
lodore

 

Fortunately it wasn't my PC. I would have preffered to reformat that one but she didn't have the CDs. It was quite a learning experience though.
Rick

 

I've studied quite abit of malware so maybe some of those are the worst, but recently though in a real situation Zlob that someone couldn't remove and stopped their antispyware from updating.
I remember some of the first and worst Windows viruses. One of those was more joke which viruses today are not because they are driven for financial gain. If I remember it was when pressing the smilie key on the keyboard that would start it off. A character that you had typed would fall to the bottom progressively followed by all the rest until your document was a mountain of jumbled letters at the bottom of the screen.

 

Don't forget to download a good registry cleaner, or at a minumum the one that comes with CCleaner. And clean the registry too. That can speed up the computer too.

Does your dad have his employees run under limited user accounts?

 

Boy does that sound familiar. Being as I'm retired and this brand new computer I have suffered from nearly an identical situation. This new box is the worst I've ever had to deal with. The guy who built is is local, and it's a generic computer. He builds them, gives them to his two sons for a couple of weeks or more to test, then reformats them and sells them.

I needed this one right away, so it wasn't reformatted. I spent 8 hours one day removing games before the thing would even do a virus scan. It took nearly 2 minutes to boot. Found 15 viruses and 2 trojans using 3 different antivirus programs, when it was finally running well enough that I could even get online and download the programs. It had Trend Micro installed, which found nothing......

I ended up regaining almost 4 G of space by the time I had all the games and other junk removed. I finally ended up reformatting it anyway and reinstalling XP Pro. In the end, there was no other way.

 

for quantity of malware it would have to be when i had to fix my friends computer. i ran ewido and watched the number of infections just rise and rise. it was something like 7xx or 8xx.

for difficulty, it would be when i had to fix my dad's friend's computer. it was only infected with spysheriff but i wasted a bit of time as i ran ewido in both safe mode and regular windows and under the two accounts.

 

That's one of the reasons I reformatted, WSFuser. It never occurred to me to use Ewido or anything similar. Plus the registry and Lord only knows what other things were so clogged with garbage, much of which I couldn't figure out whether I could remove it or not, that I just gave up and reformatted.

Kids today are supposed to be much more computer savvy than old folks like me. Maybe they are, but being comfortable with them also seems to breed carelessness.

 

We've reached the point where "relative security" is a very fleeting moment. What's sufficient at one moment doesn't begin to deal with the next threat that comes along. It wasn't that long ago when an AV and maybe an internet firewall was sufficient. That package now is begging for infection. User education is a joke. There's too much to tell them. At varing points in time, it's been unsafe to click on almost any type of link or file, especially when you factor in disguised file types, a JPG is actually an EXE. What do you tell users anymore? Don't click on anything?

I fear that we haven't begun to see the extent of the problem. I regularly harvest malware from my Yahoo e-mail, an account I've set up solely for the purpose of catching spam, Phishing attempts, and malware. Their AV, Norton, takes an average of 2 days before it recognizes the attachments as infected. The same file uploaded to VirusTotal shows about a 50% detection rate. About half of what I'm harvesting is rootkits! Where does this leave most users?

The "users shouldn't do this..." reasoning is pointless. They do. For too many of them, a PC is an entertaining toy, used to send every funny picture or joke they find or to download the newest song. I've actually set up a separate folder for certain users who send me that stuff. It's proven to be useful as I can see some of what they're sharing and tells me which ones need immediate help, and shows me what I need to do for that specific user to defend them, from themselves unfortunately.

I've observed a couple trends that concern me greatly. First is the short amount of time that elapses between the finding of a new exploit or a new way to evade detection software, to its reaching widespread use. Only 2 years ago, my AVs recognized 90% of the infected material I'd get. Now even VirusTotals scans average 50% or less when I send them a file. Signature based security-ware is killing users with a false sense of protection.

The 2nd item I'm concerned with is the amount of rootkit material circulating. It's getting hard to detect and even harder to remove. Conventional security-ware for the average user has no chance. If it doesn't recognize it before it installs, the user has an almost permanent infection, removable only by an expert or a complete reformatting. Reformat, when many PCs don't come with disks? I can't say if the internet behavior of my clients is typical of the average user, whatever one of them are, but if it's any indication, I'm expecting that we'll find that the majority of users PCs are going to be rootkitted if they're not already. Social engineering, the users inability to keep pace with the "education" required to be relatively secure, and the failure of conventional security-ware relied on by most users, these combined will see to it.
Rick

 

I need to break it into categories based on my own experience's with malwares since June06

Most difficult to detect/evasive was Ructock A/B prior to Oct 06,no same drive tools could see it to detect it,let alone remove it

The trojan loaded into ADS and then hid the ADS stream to avoid those detections methods.It loaded by kernel driver so no startup entry was visible,hooked system calls to hides its registry key and filtered network traffic so it could open up a backdoor/send spam and all software firewalls are oblivious to this going on(EG no outbound alerts )

Now this is the scarey part folks unless you suspect it is there and run the relevent tools you would not know it was there if you had it on your 'puters.

Even crazier was the evolution of Rustock A to Rustock B because B had evolved to run a blacklist operation against the ARK's that were looking in the right places that could see it.
Net result if it detected the tool string it would transfer into memory buffer and the relevent tool would not see it

Still all too few tools have found away around this built in anti-ARK feature + Rustocks mode of operation

Rustock B still my most evasive captured trojan todate although alledgedly Rustock C is in the wild but FWIW i will believe that when
a) i capture it.
b)Someone releases a full tech breakdown/reversal of it

Difficult to remove malware was the Gromozon infection prior to the few available now softwares/tools that can take down this bot and its ADS dwelling rootkit.
This is a badboy for sure,it created new password protected admin accounts,randomly named services and generally in a nutshell your 'puter was no longer yours(Own3d)

Most damaging

For me i have very little to do with Virus/worms but back in October06 i had Mixor A and Ludor A rip through my hard drive,some 576 executables were spliced.This resulted in major operational issues until the system was disinfected....the infected exe's obviously would not run the relevent softwares.

The saving grace at the time was that i had PG installed and that had some exe's on the protection list or it would have been time for a R&R

Most amount of crap imported

That would be thanks to the folks at DirectRevenue and a rather large helping of adwares/spywares all in one sitting c/o a consented activeX install at a cracksite.My homegrown super-computer ground to a halt after around 1hr 20mins of nonstop malware importing.I had to hit the reboot into safe mode to get the damn thing ticking over again.
At the time SAS free detected 2893 threats and i labelled the trojan (topoff.exe) my diskilla bot although i believe the servers just hit me every piece of DR **** going on the day

Still lots of bots for the my archives

 

Unfortunatelly all you said is true. Talking about security, users are the biggest problem.
I have to agree, rootkits are the most dangerous bastards these days. They do scare me.
And so far, there is no anti-rootkit software, just some tools, which detect a few of them.
Anyway, there is just one certain thing, it will be still getting worse (more mallware, rootkits).

 

fcukdat said :

Hi fcukdat, I've looked at those mentioned. Did you infect yourself for research and what were they doing?

 

I collect bots c/o infections in the wild.Once apon a time i collected to archive and test versus softwares but now now i collect to share

*Rustock is actively being shipped with some CWS infestations and has been since October06 by my findings.

**Gromozon- The last active Gromozon infection i had was early November 06 before the US servers got downed
Apparently now it is *Italian* IP sensitive now and even the droppers won't import an active Gromozon infection onto my PC now...

 

I cleaned a pc once that was so bad, it would only boot in safe mode. Ad-Aware found over 10,000 things. NOD32 found over 750 things. Ewido (at the time) Found over 450 things.

I was able to get it cleaned with these and a few other useful tools.

 

Ah yes, I click your CC link. thought you may also of been with antimalware. I'm interested in payload and trends also...destructiveness, spread, number.


I've recently helped someone who had a Trojan-Downloader, Zlob Media-Codec. Not only did it download rouges by deceptive means it was tough & clever against antimalware and also backdoor for control.
HJT was unaffective against some of it, SAS amoungst others would not update and it left a dummie for nav, mcafee.

 

the most annoying/worst malware infection i had to clean was on my friend's pc. it was so horrendous i had to get help from this fourm. cmd.exe, msconfig, regedit, taskmanager, internet options, system restore, right mouse clicks, user accounts, were disabled or deleted. anytime i tried to do something like add a .reg file to the system to re-enable/restore these files, i'd get an error message saying "this action has been prohibited by the administrator". this isn't taking into account the DOZENS of popups that kept showing up and getting in the way. safemode didn't help.

long story short. i got dial-a-fix, that removed all the restrictions the virus/malware setup. i used avg antispyware to remove all the malware and did a backup scan with SAS. i came to this forum and a couple of nice users suggested i copy the damaged/missing files from windows repair console. and BAM! problem solved.

this was by far the worst thing i'd ever seen.

 

I once had to disinfect a PC that a friend's kids had used for a year with no regard for security! It took about 30 minutes to boot up! I used AdAware 6.1 to rid most of the browser hooks. I used some spyware cleaners to get rid of the rest, and an AV sweep to clear virus programs. However, it still left a pair of trojans, readily visible in the process list in Task Manager, which were written in such a way as to prevent each other from being closed down. They also morphed their names each time one was terminated, and rewrote a registry run key with their new names each time this happened. They would always ensure 2 of them were running, even after termination attempts. I had to run MJ Registry Watcher (http://www.jacobsm.com/mjsoft.htm#rgwtchr) in Reject mode, to prevent them coming back, while I used RegEdit to delete the startup run keys they were creating. MJRW stopped the new keys from being formed, while I terminated the processes, and deleted them both from prefetch, and their residence under windows\system32. What an awkward pair!

 

Right on the money. Also, one of the things that really concerns me is that one never knows if even what we might consider a "safe" sit has been hacked and just waiting for victims. Just last night I was reading about the Super Bowl website being hacked and littered with exploits. Many unwary websurfers with unpatched systems accessed the site and became infected, apparently through scripts placed in the header. The problem is that any reasonable person would not even suspect the site was a haven for some really bad malware. In an instance such as that, as Herbalist has pointed out, user education is rather meaningless. On second thought, I wouldn't say that it was totally meaningless in this particular case, however, as Microsoft had issued a patch for the exploit exhibited at the site - meaning, those with patched machines (and I assume running utilities such as NoScript) would not be exploited. Also, those of us running Linux would not have been infected either, as it was a Windows-specific exploit (at least from what I've read). However, the point still remains that there are exploits and some bad-boy stuff out there that could be lurking anywhere, even at a trusted site that may have been hacked. In that instance, Herbalist's point is sadly but rightly true - there is no place out there that any of us can trust as being totally safe. Personally, I still cannot understand the mentality of people who deliberately attempt to destroy another person's personal property. I realize many do it for financial gain, but that is not any better excuse than doing for sheer malice, as far as I'm concerned. I suppose, though, that we have to have that element on the 'net as well as in society in general - though I would actually have more respect for a burglar who is bold enough to physically break into your house than I do for those cowards who hide behind their spoofed IP's performing their criminal acts from afar.

 

Hello,
The worst infection I had to clean was a stupid user that refused to listen to good advice from people more knowledgeable than him. You know the kind of people that try to be inventive and smart when you are helping them, so when you tell them to open Task Manager, they will tell you they have already disabled mrajs.exe and svccrap.exe? Those people - the worst kind of infection.
Mrk

 

had a popup storm box which had some 42 trojan components (dll \ exe)
over a thousand spyware hits, 3 serious viruses and an undocumented (at the time) CWS trojan

disrupted it with Processguard
vetted with TDS-3 and NOD32
finally resorted to whacking large portions of the registry manually
but I won.....eventually

I then hogtied it so tight it squealed, made the kid in the household the admin
and instructed him on keeping it secured,explained to the parents they either needed to get serious about playing catchup PC knowledge wise or it was too late and they simply had to trust they had already raised him right.

2 years later I had to do a little minor work and upgrades on it.
No serious breeches, minor tracking cookies only.

however that was quite awhile ago, wouldnt hold out too much hope its still going strong
I agree with the assessment that few users are capable of understanding on a level necessary to proactively deal with security, but then I often dont provide them with choices either. Training them to employ sandbox tech religiously is now my primary focus, I also turn them loose with a rule based firewall and HIPS (still PG)
explaining that they dont have to write rules, (I pre-install their software) so anything from these two applications is very very bad juju and deny it. (actually they are supposed to leave PG on full auto deny) But dont write a rule for it, and offer them email support for when they do have questions and want to install stuff, obviously these arent kids but folks that have finally understood its a battlefield

Ive also experimented with remote administration, as a service
but have yet to craft a reasonable value model for my current demographic

the success Ive had is more to do with finding out how they use their computer and configuring it with all the applications (trusted aps and largely opensource) they will need, prempting attack vectors with alternative applications and behavior alteration. While Ive had alot of success in keeping malware off their boxes, I havent had very good success in making it pay very well, still too labor intensive. What I really need is volume licensing and preconfigured images for different usage patterns. But lack the volume to make that work well either. Catch 22

 

Around 1500 infections, both major and minor is my record of battle on a single PC. A very bright young man on another forum taught me a nice little trick for cleaning up infested PCs. (Kudos to Codefrog ) With malware becoming ever smarter, some load even in safe mode now , while others can recognize when they are being scanned for and go dormant . Pull the drive from the infected PC and place it in an external enclosure. Hook it up to your PC loaded with your scanning tools. The OS of the infected hdd dose not load, neither do any of the bad guys so they are ripe for the picking. To date there is no known malware that recognizes a USB connection so your PC is safe as well. Once the exes. and othr components have been detected and removed, all are basically crippled. It is then a pretty simple matter of re-installing the hdd, running your choice of junk cleaner and a couple runs with a good reg. cleaner, or manually if preferred. Wha-la, you have a clean system with all user info. intact and you have not tore the guts out of the OS either.