Virus reinfection after reinstall win 7 h

tf76

OK, system is less than 1 year old.

So I arrive at the client's house and the desktop is on screen with one image icon.

No other icons, no Start button, no taskbar; when trying to access Task Manager the screen goes black. I do have right-click on the desktop.

Safe mode works fine.
I tried running rkill, MBAM Corp and System Restore. MBAM Corp finds over 100 infections. On reboot it goes back to the initial problem.
System Restore goes back OK, but on reboot it reverts to the initial problem. Tried a system repair install. After reboot it goes back to the initial problem.

Tried running an updated Kaspersky live boot USB. Nothing found.

Decided to reinstall, as it was taking too long for an on-call job.
Left the system partition and reinstalled over C:.

Installed required drivers and MS Office home & Business 2010.
Everything went well until got a phone call this morning.

Problem is back, he says. The last thing he did was import some emails into Outlook 2012; then he said he also changed the desktop image.

So, just wondering where would you guys go from here?

He swears there's nothing wrong with his emails. Do I have to go through each email to find the culprit, I wonder?


Regards,
 
Probably should be looking for a rootkit; TDSSKiller might at least identify it. Certainly could have come from email. You just don't know. Image the drive, then you can mess with it however you like.
 
I only see a couple of possibilities: either it didn't get removed when you just wrote over the install (a rootkit or some other nasty), or he reinfected it. You'll know it's clean if you nuke and pave it; then you know he's reinfecting it. I haven't broken out GMER in a while, but if you know how to use that you might try it, or D7.
 
He comes back from holiday next week. I will see if the issue is different. If not I will delete all partitions and reinstall. Then import his email and see how things go. Appreciate the help so far.


Regards,
 
Don't forget to update his Java, Flash, antivirus etc. If he hasn't updated his AV (or you haven't advised him to), he will still be vulnerable. I push Kaspersky and run it on all my computers. I click on every link that I think is a virus or bad site and Kaspersky deals with it. Getting rid of viruses is only part of the solution.

All virus removals we do in the workshop, so slaving the drive is one of the processes.
 
From what I've read, the desktop was clean aside from one icon.

Did you try running Unhideme.exe, as some nasties simply hide the icons and move Program Files / Start Menu entries to another directory (the temp directory, if I remember)?

This is one situation where running a general cleanse routine can accidentally delete necessary data.

Perhaps that nasty is one of the hidden programs?
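The "hide everything" behaviour described in the post above can be checked and undone by hand without a third-party unhide tool. The script below is an added example, not from the original thread or from the Unhideme tool: it lists user files and Start Menu entries that carry the Hidden attribute but not the System attribute (a clean profile has essentially none of those; desktop.ini and the like are Hidden+System and are skipped), clears the attribute on request, and looks for shortcuts relocated under %TEMP%. The folder name smtmp is an assumption based on what that scareware family is commonly reported to use; adjust it if the client's box differs. Run from an elevated PowerShell in Safe Mode.

```powershell
# Added example (not from the original thread): find and restore files a "hide everything"
# scareware infection set Hidden, and look for Start Menu shortcuts moved into %TEMP%.
# Written to run on Windows 7 / PowerShell 2.0 from an elevated prompt in Safe Mode.

$DefaultRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Pictures",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
)

$HiddenBit = [int][IO.FileAttributes]::Hidden
$SystemBit = [int][IO.FileAttributes]::System

function Find-HiddenUserFiles {
    param([string[]]$Roots = $DefaultRoots)
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $attr = [int]$_.Attributes
            # Hidden but NOT System: desktop.ini, thumbs.db etc. are Hidden+System and stay alone.
            (($attr -band $HiddenBit) -ne 0) -and (($attr -band $SystemBit) -eq 0)
        }
}

function Restore-HiddenUserFiles {
    param([string[]]$Roots = $DefaultRoots, [switch]$DryRun)
    foreach ($item in (Find-HiddenUserFiles -Roots $Roots)) {
        if ($DryRun) { "Would unhide: $($item.FullName)"; continue }
        # Clear only the Hidden bit; keep ReadOnly/Archive etc. untouched.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $HiddenBit))
        "Unhid: $($item.FullName)"
    }
}

function Find-RelocatedStartMenu {
    # Assumption: the family that hides the desktop parks Start Menu shortcuts in %TEMP%\smtmp.
    $smtmp = Join-Path $env:TEMP 'smtmp'
    if (Test-Path $smtmp) {
        Get-ChildItem -Path $smtmp -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    } else {
        "No $smtmp folder present."
    }
}

# Review first, then apply.
Restore-HiddenUserFiles -DryRun
Find-RelocatedStartMenu
```

Run the dry run first and eyeball the list; if it is the user's documents and shortcuts, run `Restore-HiddenUserFiles` without `-DryRun`. Anything found under smtmp has to be moved back into the Start Menu folders by hand, since the script only reports it.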
 
No, I didn't try Unhideme. Nothing I tried would run in the normal account. I tried to run rkill and then MBAM, with no success. I also tried other exes but they wouldn't run.

It was a real pain.


Regards,
 
If you are unable to run any programs in normal mode it does sound like a TDSS 3-4 rootkit infection. When you try to run an .exe file, does nothing launch at all, or do you get a permissions error?

There are many ways to check this; one is to find a long numbered/lettered process in Task Manager, e.g. 382734738.exe, that you cannot kill.

Also, if you right-click a program and go to the Security tab you will notice either that special permissions have been set or that the "Everyone" permission has been changed to Deny.

If you have run TDSSKiller and the Kaspersky boot CD, I seriously doubt you have the above.

I once had a virus that changed the .exe file association so no programs would launch. I would check out the link below, as it is a fix for many file associations:

http://www.dougknox.com/xp/file_assoc.htm

That's my 2 cents anyway.
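The three indicators in the post above (a hijacked .exe association, a random numeric process name, Deny ACEs on program files) can all be checked from one script. The following is an added example, not from the original thread or from the linked dougknox page: it reads the (Default) value of the .exe handler keys, flags numeric-only process names, and walks Program Files and System32 for executables with any Deny entry in their ACL. The only assumption is that a clean Windows 7 handler is exactly `"%1" %*` under HKCR with no per-user override in HKCU\Software\Classes. Launch it from Safe Mode with Command Prompt as `powershell.exe -ExecutionPolicy Bypass -File triage.ps1`; cmd.exe starts PowerShell via CreateProcess directly, so a broken .exe association does not stop it.

```powershell
# Added example (not from the original thread): triage for the TDSS-style symptoms
# described above. Windows 7 / PowerShell 2.0 compatible; run elevated from Safe Mode.

function Get-ExeAssociation {
    # Per-user keys in HKCU\Software\Classes take precedence over HKCR; a hijack often
    # lands there. On a clean box those HKCU keys normally do not exist at all.
    $keys = @(
        @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';                         Expected = $null },
        @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command';   Expected = $null },
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                          Expected = 'exefile' },
        @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';                    Expected = '"%1" %*' }
    )
    foreach ($k in $keys) {
        $exists = Test-Path $k.Path
        $value  = if ($exists) { (Get-Item $k.Path).GetValue('') } else { $null }   # (Default) value
        $suspicious = if ($k.Expected -eq $null) { $exists } else { (-not $exists) -or ($value -ne $k.Expected) }
        New-Object PSObject -Property @{
            Key        = $k.Path
            Default    = $value
            Suspicious = $suspicious
        }
    }
}

function Find-RandomNamedProcess {
    # Heuristic from the post: a process whose name is nothing but digits, e.g. 382734738.exe.
    Get-Process | Where-Object { $_.ProcessName -match '^\d{5,}$' } |
        Select-Object Id, ProcessName, Path
}

function Find-DenyAce {
    param([string[]]$Roots = @($env:ProgramFiles, "$env:SystemRoot\System32"))
    Get-ChildItem -Path $Roots -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($acl) {
                $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
                if ($deny.Count -gt 0) {
                    New-Object PSObject -Property @{
                        File    = $_.FullName
                        DenyFor = (($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
                    }
                }
            }
        }
}

Write-Host '== .exe association =='
Get-ExeAssociation | Format-Table Suspicious, Key, Default -AutoSize
Write-Host '== numeric-only process names =='
Find-RandomNamedProcess | Format-Table -AutoSize
Write-Host '== executables with Deny ACEs =='
Find-DenyAce | Format-Table -AutoSize
```

If the HKCR handler is wrong, `reg add "HKCR\exefile\shell\open\command" /ve /d "\"%1\" %*" /f` puts the stock value back; if the HKCU override keys exist, deleting them restores the machine-wide default. Deny ACEs should be removed only after the rootkit itself is gone, or they will simply be re-applied.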
 
He comes back from holiday next week. I will see if the issue is different. If not I will delete all partitions and reinstall. Then import his email and see how things go. Appreciate the help so far.


Regards,

Don't just delete partitions. You need to zero out the drive: write zeros to all sectors. You may have a rootkit hiding in the MBR with other code stored in other hidden parts of the drive. Writing zeros to all sectors with DBAN will erase that for good.
 
A good diagnostic process to see if it is his email: create a VM with his version of Windows in it, add a version of Office, import his emails and see what happens.

For scans like this, I have had the best luck with Kaspersky, with the BitDefender Rescue Disk as a backup.
 
Don't just delete partitions. You need to zero out the drive: write zeros to all sectors. You may have a rootkit hiding in the MBR with other code stored in other hidden parts of the drive. Writing zeros to all sectors with DBAN will erase that for good.

Agreed. If I reload an OS, I always write zeros when in any type of remotely similar situation.
 
OK, thanks guys.

I will download UBCD 5.1.1, which has DBAN on it, and add it to my YUMI USB.
From researching, it looks like a quick erase method will do fine for this situation.

Thanks for your responses, I really appreciate it.

I will have to now look into this virtualization method that smashedbotatos was talking about.


Regards,
 