XP Antivirus 2011 comes back after cleaning

xxenon

Hello all: I've seen a wave of XP Antivirus 2011 infections in the last 2 weeks, mostly on people using Bittorrent, Frostwire, etc.
The worst of them lock up the machine even in safe mode, so I clean as follows:

1) Boot to an ERD or Bart's disk, navigate to [User]\Local Settings\Application Data

2) Rename any .exe or .ini files found here.

3) Reboot in safe mode and scan with Combofix, MWB, then Avira or the user's resident antivirus.

This has worked well for about 15 customers, but in the last 2 days I've had three calls saying the virus has returned.
All 3 people swear that they haven't downloaded anything.

Any ideas on how these people are getting re-infected?
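Step 2 of the procedure above, renaming every .exe and .ini under the profile directory, is hard to reverse if a legitimate program gets caught. The following is an added example (not code from the thread) that performs the rename while recording each file's original name, size and SHA-256 in a manifest, and can undo it; the directory layout and the file names `ave.exe`/`ave.ini` are constructed for the demo, and the extension list is an assumption.

```python
import hashlib
import json
import os
import tempfile
# Extensions the cleanup step renames (assumed for this example: the rogue's .exe and its .ini).
TARGET_EXTS = (".exe", ".ini")
SUFFIX = ".quarantined"
MANIFEST = "quarantine_manifest.json"

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def quarantine_executables(root):
    """Rename every target file under root and record name, size and hash
    so a legitimate program caught by the rename can be put back."""
    manifest = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            src = os.path.join(dirpath, name)
            manifest.append({"original": src, "renamed": src + SUFFIX,
                             "size": os.path.getsize(src), "sha256": sha256_of(src)})
            os.rename(src, src + SUFFIX)  # a renamed .exe no longer autostarts
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def restore_from_manifest(root):
    """Undo the rename for every recorded file; returns how many were restored."""
    with open(os.path.join(root, MANIFEST)) as f:
        manifest = json.load(f)
    restored = 0
    for entry in manifest:
        if os.path.exists(entry["renamed"]):
            os.rename(entry["renamed"], entry["original"])
            restored += 1
    return restored

def demo():
    """Constructed stand-in for [User]\\Local Settings\\Application Data."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    samples = {"ave.exe": b"MZ constructed", "ave.ini": b"[settings]",
               os.path.join("sub", "keep.txt"): b"text"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root, quarantine_executables(root)
```

Run from the offline boot disk against the real profile path; keep the manifest with the job notes so the hashes can be looked up and a false positive restored.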
 
You've said it yourself: torrents, Frostwire, etc.

Also, what else have you done to clean the system, apart from scanning it? Even then, there have been issues with scanning with MWB in safe mode. If you're so insistent on using scanners, how about SAS, HijackThis, Kaspersky? Give it a proper scan.

Have you done any manual removal? Have you checked the registry?

Have you also checked your clients' browsing habits, to see if they have visited the same site they were infected from, using IEView or FirefoxView?
 
A vast majority of viruses recently have been boot/root kits that store code in the MBR. Combofix normally does a decent job of getting these, but they're getting smarter. Always check the MBR and tasks.

 
The computer is only as good as the user. I tell everyone that if they navigate to torrents, they should be aware that they are most likely to be infected at a higher rate than those that don't. I have 2 kids, aged 9 and 11, that have had their own computer for at least 3 years and have never been infected. They know better than to click on pop-ups, especially "WINNER". If those computers left your bench virus free, they only have themselves to blame. In this case I would check their browsing habits.
 
You talk about getting rid of them, but what about being proactive? After any virus removal I do, I make sure they have the free versions of SAS, MWB and CCleaner installed. Show them how to use the programs. I also make sure all their vulnerable plugins are up to date, like Flash, Java, Acrobat Reader, etc. This is in addition to their antivirus, which obviously isn't doing its job. Be proactive after being reactive and get the referrals from a happy client. :)
 
IF the computers were actually clean when you returned them, then they're getting reinfected the same way they got infected to begin with.

Part of my standard speech for customers is that anyone infected once is likely to be infected again. A new risk factor has entered their computer life. Maybe illegal downloads, an email buddy forwarding viruses with their stupid jokes, a compromised website (MSN, Google, Facebook, etc.), a free wallpaper addiction.

The point is that something has changed in their environment, self induced or not, and now they are at greater risk.

For your virus-comeback customers, take a little extra time to investigate internet histories, new files created, etc. and you'll likely discover when & where the problem began.
 
I use CheckMBR, GMER, and Blacklight, but I haven't seen them find anything that Combofix and MWB missed.
SAS just isn't as good as it used to be.
HJT is more useful for cleaning out junk programs and startup issues, viruses seem to hide pretty well from it.
As for cleaning out registry entries and DLLs manually, unless you get rid of the malware completely it will recreate them.

I use Sandboxie on my own machine, I'm going to start putting it on customers after malware removal. They may be picking this stuff up from sites: Icefilms seems a common thread.

I haven't yet been back to a re-infected machine to check the history.

Thanks to all for useful suggestions.
 
You can lead a horse to water but cannot make it drink. I've found that even after showing clients how to run SAS, MBAM, etc., most never do. When that happens I turn proactive and try to upsell a SAS license.
 
Try removing System Restore points (turn System Restore off and back on). I have noticed a lot fewer viruses coming back after I've done this.
 
I would say you need to add more steps to the process.

It's possible that all of that missed a rootkit, so I'd check for hooks and check the MBR. Also, some malware sets up scheduled tasks to download files from websites. This is easy to check using Autoruns; look for other entries whilst you're at it.

Then you need to get rid of old restore points as has been mentioned plus remove old java versions and update java and flash and adobe reader.

With the java exploits they need not have noticeably downloaded anything.
 
Hi

Run HitmanPro, remove temp files and reset IE.

Also you can try KillSwitch from Comodo, select View and mark "Hide known processes" and see what is left.

If that does not help, try rebuilding the MBR from a LiveCD; once the MBR code is removed, the malware becomes visible to AV programs.
 

I had a similar experience to this one a couple months ago.

Customer had Windows Recovery AND XP Antivirus 2011 on their machine at the same time. Did a general clean which got rid of Windows Recovery and XP Antivirus 2011.

After that I started working on how to get the program files back to the Start menu. Got everything working okay, rebooted, and XP Antivirus was back in action. Strange, since I deleted the program files and entries. SO crazy!

Did the removal process again and restarted multiple times and the malware was finally gone.

Must have missed something the first time.
 
As others have stated, make sure Adobe Flash & Reader & Java are up to date. Also don't forget to check the hosts file. If that's modified, the PC will be reinfected rather quickly.

I always like to run TDSSKiller &/or Hitman Pro on all machines I work on to check for rootkits. These are both fast scanners and very effective.
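The hosts-file check mentioned above is easy to automate. Below is an added example (not from this thread) that parses a hosts file and flags anything beyond the stock loopback lines: security/update domains pointed at loopback (so the victim cannot fetch tools or updates), and names redirected to a non-loopback address. The sample hosts content and the list of protected vendor domains are constructed assumptions; point `suspicious_entries` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` on a real job.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# appended by the rogue: block cleanup tools and updates, hijack a search engine
127.0.0.1 www.malwarebytes.org
127.0.0.1 downloads.malwarebytes.org
127.0.0.1 update.microsoft.com
203.0.113.5 www.google.com
"""

# Domains a rogue typically blackholes so the victim cannot fetch tools or updates
# (assumed list for this example; extend with the vendors you actually rely on).
PROTECTED = ("malwarebytes.org", "microsoft.com", "windowsupdate.com",
             "avira.com", "superantispyware.com")
STOCK_NAMES = {"localhost", "localhost.localdomain"}

def is_protected(host):
    """Exact or subdomain match only, so 'notmicrosoft.com' is not caught."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED)

def parse_hosts(text):
    """Return (lineno, address, [hostnames]) for each non-comment entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((n, fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Flag every line that deviates from a stock hosts file, with a reason."""
    findings = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            host = name.lower()
            if host in STOCK_NAMES and addr.is_loopback:
                continue  # the stock loopback lines
            if is_protected(host):
                reason = "security/update domain blackholed"
            elif not addr.is_loopback:
                reason = "non-loopback redirect (possible hijack)"
            else:
                reason = "extra loopback entry (blocklist or hijack)"
            findings.append((n, ip, name, reason))
    return findings
```

Extra loopback entries are not always malicious (ad-blocking hosts lists look the same), so review that category by hand rather than wiping it automatically.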
 
Things to try:

Remove all restore points
Clean ALL Browser history
Clear the downloads, maybe a .exe or .com has a virus wrapped into it
Do an offline virus/malware scan

I frakin' hate Rogueware.
 