Tuesday, November 15, 2011

As a matter of record

The machine that gave me fits on Monday/Tuesday finally succumbed to a complete Windows reinstall. As a matter of recording everything I did, I offer the following:

The PC had random pop-up windows, evidence of a traditional malware infection. As a matter of course, I fired up ComboFix to clear the infection. ComboFix ran for a time, but froze up the computer. I have seen this happen before, and the general "fix" is to reboot the machine and start ComboFix again. Did that. Froze up again. Not good.

I managed to get MalwareBytes installed and updated, then ran that on the computer. That program found one infection and supposedly cleaned it. Upon reboot, however, the machine exhibited the same behavior as before.

I noticed that iexplore.exe was showing up in the Task Manager as soon as any user logged in, though the process was not found in the registry in any of the normal start-up locations. It occurred to me that I needed to delete the dllcache files, so I did. The program would still fire up on its own. I renamed iexplore.exe in the Program Files folder, but it would reappear in a matter of moments.
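The check I would want at this point, as an added example (not from the original post), is to confirm where each running iexplore.exe actually lives and whether it carries a valid signature, and to dump the common Run keys so a process that starts at logon without an entry there stands out. It assumes Windows PowerShell 3.0 or later and a session running with at least the privilege of the process being inspected.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 3.0+.
# Build the paths where the real Internet Explorer binary is expected to live;
# on a 32-bit system ProgramFiles(x86) is absent, so null entries are dropped.
$expected = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Internet Explorer\iexplore.exe' }

# For every iexplore.exe currently running, report its on-disk path, whether
# that path is one of the expected ones, and the Authenticode status/signer.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path   # null if the session lacks rights to read the process
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [PSCustomObject]@{
        PID          = $_.Id
        Path         = $path
        ExpectedPath = ($expected -contains $path)
        Signature    = if ($sig) { $sig.Status } else { 'unknown' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize

# The usual per-machine and per-user Run/RunOnce keys (the "normal start-up
# locations" the post checked). Anything starting at logon that is not listed
# here is using some other persistence mechanism and deserves a closer look.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Strip the PS* metadata properties so only the actual value names remain.
    $values = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($prop in $values.PSObject.Properties) {
        [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
    }
}
```

A process whose path is outside the expected locations, or whose signature status is anything other than Valid, is the one to investigate; a signed binary in the right place that still respawns points at whatever is launching it rather than at the binary itself.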

Upon the suggestion of a local tech, I installed Avast free and ran the Boot-up Scanner. That found several infections and supposedly cleaned them. However, upon reboot, the problem returned immediately.

After doing some research, I ran GMER with the suggested settings (see below) and the program found no altered files. I tried to run TDSSKiller, but the program would never launch; it would just show a brief hourglass, then do nothing. Even in Safe Mode, TDSSKiller would not execute.

At this point, I had spent almost the entire day on Monday and a good hour or so on Tuesday working on this. It was time to blow away Windows and reinstall. I saved the user's Favorites to a flash drive (or tried to: after Windows was reinstalled, the Favorites folder was not on the drive, even though the system had said it copied it. It must have been something with the infection).

I spent the next hour or so putting Windows back on, getting the computer into the Domain and installing our standard software (along with her printer software). When reinstalling Windows, I deleted *ALL* the listed partitions, then did a long format on the drive. Neither of those may have been required, but I wasn't taking any other chances. I was tired and ticked - not a good combination for infections.

*GMER suggested settings: UNCHECK Modules, Process, Threads, Show all, and Files. DO check IRP Hooks and NTAPI Registry scan.
