Piece it Together

Discussion in 'malware problems & news' started by Rico, Jan 18, 2010.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,695
    Location:
    Texas
    Recently I cleaned a heavily infected machine, until I was confident that it was clean.

    I used:

    Remove Fake AV
    MBAM (crippled & would not install, while infected)
    SAS + AVG (crippled & useless)
    Vipre (safe mode did not remove all, infection returned normal boot)
    HJT, Runscanner
    Before the malware loaded, I got to MSCONFIG, disabled startups + services, then rebooted. This allowed control.

    Next I installed a Linksys wireless USB adapter, ran the Eset Online scan, then performed the above again. Next I uninstalled the Linksys USB adapter & software.

    The Linksys software prompted during uninstall to remove (can't remember what); I said yes.

    Next - probably should have done this sooner in the cleaning process. Rootkit scanners: Trend Micro rootrepeal, Avira's rootkit tool, Sophos.

    New AV: Avira scan clean; MBAM, SAS clean.

    Now the machine performed well & I was quite pleased.

    When the machine was picked up, I soon got a call that she could not connect to the internet. A friend found that the Ethernet & video drivers were MISSING - he installed the missing drivers & all was well.
    __________________


    Because I hooked up wireless (linksys wireless usb) I was not aware of missing drivers.

    Most likely is?

    1. Drivers missing upon arrival for malware removal?

    This does not seem real to me as malware wants to call home.

    2. A rootkit scanner removed them by mistake, or the drivers contained the infection, and I did not pay enough attention to the logs the rootkit scanners made?

    Question - Do these rootkit scanners automatically remove, or is the user supposed to check out the hidden finds for manual removal?

    3. Something else?

    Anyway curious as to why drivers were missing.

    Thanks
    Rico
     
  2. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Why care? Important is that all is fine now :)
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,695
    Location:
    Texas
    Why care = The unknown occurred, & I was not in control, so as to avoid future scenarios of the same type, I'm trying to figure out what happened (using my routine) & why it happened. Now another person has complained about not being able to connect after I cleaned his machine.

    Temp. or immediate additions to my routine.

    1. DD driver backup/restore & Driver Max (for backup/restore) Vista Win7. Added to cleaning routine. I may never know why certain drivers are deleted but I can replace them. I've toyed with a full backup, which may or may not make sense, when receiving a heavily infected machine.

    2. I've eliminated Linksys, i.e. uninstalled its software/driver for the USB wireless adapter. I installed & uninstalled it with no problem.

    3. Next inventory commonly used cleaning tools, & look for driver problems.

    4. Pay much more attention to scan logs.
    __________________

    I suspect, or I'm currently sniffing around, 'Rootkit' scanners; they do look for hidden drivers. At least the word driver is in their description.

    Others which will undergo close scrutiny are "Remove Fake AV" & "Vipre".


    Rico
     
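One way to carry out steps 1 and 3 of the routine above (snapshot the installed drivers before any scanner runs, then look for driver problems afterwards) is a small PowerShell script. This is an added example, not code from the thread or from any of the tools it names; it assumes Windows PowerShell 3.0 or later with administrator rights, and the snapshot file paths in the usage comments are placeholders.

```powershell
# Added example (not from the thread): inventory PnP drivers before a cleanup,
# then diff the inventory afterwards so a scanner that strips a driver is caught
# before the machine leaves the bench. Assumes PowerShell 3.0+ and admin rights.

function Save-DriverSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Win32_PnPSignedDriver lists every enumerated PnP device together with the
    # driver bound to it (INF name, version, provider) and its signing state.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and $_.DeviceID } |
        Select-Object DeviceName, DeviceClass, DeviceID, DriverProviderName,
                      DriverVersion, InfName, IsSigned, Signer |
        Sort-Object DeviceClass, DeviceName |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-DriverSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $b = Import-Csv -Path $Before
    $a = Import-Csv -Path $After
    $afterById = @{}
    foreach ($d in $a) { $afterById[$d.DeviceID] = $d }

    $missing = @()
    $changed = @()
    foreach ($d in $b) {
        $now = $afterById[$d.DeviceID]
        if (-not $now -or -not $now.InfName) {
            # Device gone, or still enumerated but with no driver bound to it:
            # the "Ethernet & video drivers MISSING" situation from the thread.
            $missing += $d
        }
        elseif ($now.InfName -ne $d.InfName -or $now.DriverVersion -ne $d.DriverVersion) {
            # Driver swapped or downgraded; worth matching against the scan logs.
            $changed += [pscustomobject]@{
                DeviceName  = $d.DeviceName
                DeviceClass = $d.DeviceClass
                Was         = "$($d.InfName) $($d.DriverVersion)"
                Now         = "$($now.InfName) $($now.DriverVersion)"
            }
        }
    }

    # Unsigned drivers still bound after the cleanup are a review list, not a
    # verdict: plenty of legitimate OEM drivers are unsigned on older Windows.
    $unsigned = $a | Where-Object { $_.InfName -and $_.IsSigned -ne 'True' }

    [pscustomobject]@{
        MissingDrivers  = $missing
        ChangedDrivers  = $changed
        UnsignedDrivers = $unsigned
        # NET (Ethernet) and DISPLAY (video) are the two classes the thread lost.
        CriticalMissing = @($missing | Where-Object { $_.DeviceClass -in @('NET', 'DISPLAY') })
    }
}

# Usage (assumed paths):
#   Save-DriverSnapshot -Path C:\cleanup\drivers-before.csv   # before any scanner runs
#   ...run the cleaning routine, rootkit tools included...
#   Save-DriverSnapshot -Path C:\cleanup\drivers-after.csv
#   $r = Compare-DriverSnapshot -Before C:\cleanup\drivers-before.csv -After C:\cleanup\drivers-after.csv
#   $r.CriticalMissing | Format-Table DeviceName, DeviceClass, InfName, DriverProviderName
```

Run the first snapshot while the machine is still wired (before plugging in a stand-in wireless adapter), otherwise a missing Ethernet driver is masked exactly the way it was in the thread. The snapshot CSV also doubles as the list of INF names to hand to a driver backup/restore tool, since it records which package each device was using.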
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Save yourself the time and trouble just by jumping in at the deep end and slave scan the drive, or go with Live CD scanning.

    Antivirus & antimalware being unable to run is now just too regular, and much hassle. You get more success breaking the problems down 'somewhat' in the infection's inactive state than trying to tackle them in a booted Windows.
     
  5. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,695
    Location:
    Texas
    Hi K_C

    What is slave scan? CD scanning - do you mean a boot CD? I'm very disappointed with the Avira boot disc; when it finishes, it really does not do the job. Likewise Dr. Web CureIt has never helped.

    Any suggestions?

    As far as the original problem, I'm thinking it's Vipre.

    Thanks
    Rico
     
  6. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Hi. By slave scanning, I mean ... having a spare computer and connecting the infected hard drive so it can be scanned by as many scanners as possible, and in quick time - because Live CD scanners tend to take quite a while (the whole process). I have Avira and A-Squared as my scanners, plus Malwarebytes. There is a good chance between these 3 that they will find the/a problem.

    Ultimately though, looking around the file system and registry you can get a better idea if anything is wrong. Tools like HJT, Eset's SysInspector (pretty reliable rating score for DLLs and potential problems), IceSword, OTL by OldTimer (def one of the most thorough and helpful system snapshot tools). Gmer gets mentioned a lot, but crashes far too many times (bluescreens), I've found.

    You asked whether these scanners/rootkit tools auto delete. This is a good point, because a lot of the free tools you find on the vendor sites auto-remove anything they deem to be problematic. Same with some of the last resort malware removers, like ComboFix, which is definitely a last resort tool, IMO. ComboFix will auto remove what it finds. Google is your best friend when determining if it's a bad file before you attempt force deletion. So it would be better if the user had the option to remove flagged items, or not to.

    Might well be the case with what happened to you: Vipre gave a false positive.
     