Still infected?

I work for a local ISP and we've been getting Spam Cop reports about one of our users. He'd claimed to have cleaned it up but we got 3 more reports. He brought it in to our office and I cleaned it to the best of my ability.

Adaware found around 20 items (most were tracking cookies)
Spybot found a few (less then 10)
TrojanHunter found a keylogger
Norton found 17 trojans, all files were deleted and successive scans were clean.

PC was running MUCH better once the above was done, and I assumed all was well. That evening we received yet another Spam Cop report about that same user.

Are there any other programs I don't know about that might find something? I DID run Hijack this but all that was there was Norton listings and some java stuff. I'd hate to have to format this guys computer....FWIW he does have a router (non wireless) and he only has it for his XBOX.

Thanks in advance for any light you can help shed on this subject. And by all means please move this to the appropriate forum if I am posting in the wrong one

 

If it was me who was going to clean the PC/hard drive, I would connect the user's hard drive as a slave drive on my PC, scan with AntiVir Premium. (Usually, this is enough.) Then, just to make sure the hard drive is clean, put it back into the user's machine and install SUPERAntiSpyware or Malwarebytes' Anti-Malware (get the registered versions, with real-time monitor).

 

Chrishuff1,
You have to do 2 things :

1. Clean up your system.
Download HijackThis at this link and create a HijackThis Log :
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

At the bottom of this link you will find several Malware Forums
https://www.wilderssecurity.com/showthread.php?t=42148
Post your HijackThis Log in one of these Malware Forums and qualified helpers
will assist you to clean your system and which scanners you have to run.

2. After that ask Wilders for a solution to avoid such a situation in the future, otherwise it will happen over and over again. It's a vicious circle and you have to break through that vicious circle.

 

i cant amagine avira managing to clean anything. but the reccomendation to use superantispyware and malwarebytes antispyware is good.
the OP should also consider using drweb cure it.
link in my signiture.
definatly consider posting in a specialist antimalware forum. try to find a setup to avoid the user getting infected again easier said than done thou.

 

Second that. Cureit and Superantispyware are two great apps. I've also installed Threatfire on some machines and it has detected where others have failed.

 

It seems to be an office computer, which means you can't afford to have a weak security/recovery solution.
It will take some time to clean this one and even when you run all these scanners, it doesn't mean everything is gone. They will just remove what they know and the rest remains.

 

outbound firewall comes to mind! at least to stop it from spreding

 

Hi

I think you should run AntiVir, SUPERAntiSpyware and Malwarebytes AntiMalware. And maybe add DrWeb Cureit or Kaspersky AVP Tool. Or F-Secure/AntiVir Live CD.

Then maybe you should consider getting a policy sandbox and a behavioural blocker on his computer, to prevent future infections.

 

Very good suggestion for a user who managed to get so much infected and who claimed he/she "cleaned" the machine . The user will pretty much like the "policy sandbox and a behavioural blocker" ... really good "survival"

 

Hi

Well I thought we were giving advice to someone to give advice to someone. So what's wrong with giving suggestions?

 

Nothing is wrong with helping someone, that would be very unlogical.

 

Well I thought HiTech Boy's tone was quite sarcastic, though I might be wrong.

 

Although the horse has already left the barn, may I suggest a clean backup image for future catastrophies? Just a suggestion.

Good luck,
SourMilk out

 

With such an infected system, I would re-install my computer completely from scratch and create clean images at the right moment like you suggested. This is the only way to be sure everything is gone.

 

Did you charge him labor?

IMO all of those tools are mediocre at best, and the first three have lackluster detection/removal capabilities. Which Norton/Symantec product were you using? If you insist on signature scanners I would highly recommend SAS, MBAM, a-squared, CureIt, AVPTool, combofix, and smitfraudfix.

IMO it's one of two things.

1) The tools above failed to detect and remove the current infections
2) The end user went back to the same websites/p2p/etc. and reinfected himself

He could have a rootkit and some other nasty trojans lurking. You may want to run Combofix and have someone review the log.

After the pc is cleaned you should discuss proper prevention techniques such as 1) common sense 2) sandbox 3) behavior blockers 4) modified hosts files 5) standard or limited accounts 6) backups/images 7) etc.

Reinstalling windows is only a temp fix if the end user doesn't change their surfing habits.

 

I had the user download SUPER Antispyware, Malwarebytes' Anti-Malware, and Cure-it. After installing and updating / running each program he indicated that it found a ton of additional items. He removed the infections and we have not received anymore spamcop reports.

And yes, we did charge him labor to clean it up as well as discussed his surfing habits

Thanks again for all your guys' help!

 

I think you should get rid of Norton and install avast!

 

Try BoClean. It is free.