
Opachki trojan; SANS Internet Storm Center's thoughts (yours?)


iladelf
11-04-2009, 06:46 AM
Wondering what you all think of the post regarding Opachki on the SANS Internet Storm Center website:


http://isc.sans.org/diary.html?storyid=7519


I know we all like a challenge, but do you think, in this case, it's better to fight the battle (removal), or just nuke and pave? Love to see the conversation about this here; I'm a fighter, but it's all about time vs. money, ain't it?

BTW, I think the world of the fine folks at ISC, but I'm not sure they're right about this one.

ComputerClinic
11-04-2009, 06:56 AM
This goes well with what I've always been saying – do not try to clean an infected machine, always reimage it.

Do not try to clean an infected machine? Seriously? So it won't boot into safe mode, big deal. I'm sure it's nothing UBCD can't handle.

NickCat11
11-04-2009, 12:14 PM
Do not try to clean an infected machine? Seriously? So it won't boot into safe mode, big deal. I'm sure it's nothing UBCD can't handle.

+1, it's at least worth a shot before going the nuke and pave method.

MrUnknown
11-04-2009, 01:48 PM
I know really nothing about this trojan, but going by what the article said, I don't see how this trojan is much different than the other ones that I remove every day.

Other than the registry edit, there is no real mention of removal prevention done by the trojan. Thankfully, this guy researches viruses instead of collecting money to remove them.

Edit: the article has a link to a much better analysis of the trojan, and the most severe protection mentioned is that virus-related files are always in use and are hard to delete. They also recommend a full reformat and reinstall of Windows. I think I died a little inside.

NYJimbo
11-04-2009, 02:44 PM
Do not try to clean an infected machine? Seriously?

Really, I was shocked to see that in the article. How many millions and millions of PCs are cleaned successfully each day? Does this guy have any idea how difficult it is to get a reimaged/nuke-and-paved machine back up to the way a customer wants it? How many PC users keep all their install disks for their important programs, and how many of these programs are no longer available or supported if you need updates/patches to the original installs?

This guy might be good with viruses but telling people to never clean an infected machine is just stupid.

trapped
11-06-2009, 03:24 AM
I have run across two of these now and they were not simple to fix. The first one remains unhealed as I was trying to get it done remotely for a friend of a friend.

I finally got another today. It started out as a standard "SafetyCenter" infection which was easily fixed with a manual removal. When I booted back into Windows I found that I had the dreaded search engine link redirect. After throwing everything at it (MBAM, ComboFix, F-Secure BlackLight, etc., etc.) I was doing some Googling and found this article http://onlinehomesbuy.com/2009/07/05/save-your-google-adsense-account-from-ffsearcher-click-fraud-trojan/ and the problem started to make sense. I ended up booting with ERD Commander and running the "system file verification" or whatever, and it found a bad atapi.sys. Replaced it, rebooted and no more redirect. Both machines are XP SP3.

The difference between this and the traditional fake antivirus is that it inserts itself into legitimate Windows .dll files and deletes all traces of itself. I didn't even see it when searching by created or modified date.

I should sell this solution on eBay or Craigslist or something for all the time I put into it, but hopefully it will keep the rest of you guys from banging your heads against the wall when you run across it, or maybe everyone already knows and I'm just losing my touch with Google. If you are my competition and you see this and didn't already know how to fix it, please forget you saw this. :D
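The check trapped describes above (a system file verification turning up a tampered atapi.sys that keeps its original timestamps) can be scripted so it does not depend on a particular boot CD's menu. The PowerShell below is an added example, not code from the thread or from ISC: it inventories every .sys file in a drivers directory, records SHA-256 and Authenticode status, and diffs that against a baseline CSV taken from a known-clean machine with the same Windows version and service pack. The script name, the parameter names, and the baseline file name are assumptions made for this example.

```powershell
# Added example (not from the thread): inventory the drivers on a Windows volume,
# record each file's SHA-256 and Authenticode status, and diff against a baseline
# taken from a known-clean machine of the same Windows version/service pack.
#
# Assumed usage (script name and parameters are this example's own):
#   .\Check-Drivers.ps1 -Mode Baseline -DriverDir C:\Windows\System32\drivers -BaselineFile clean-xpsp3.csv
#   .\Check-Drivers.ps1 -Mode Compare  -DriverDir D:\Windows\System32\drivers -BaselineFile clean-xpsp3.csv
# Run the Compare step from a boot CD / WinPE with the suspect disk mounted (here D:)
# so a live rootkit cannot hide or misreport the modified file.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string]$BaselineFile = 'baseline.csv'
)

function Get-Sha256Hex([string]$Path) {
    # .NET call instead of Get-FileHash so this also runs on PowerShell 2.0 (XP era)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function Get-DriverInventory([string]$Dir) {
    Get-ChildItem -Path $Dir -Filter *.sys |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Name      = $_.Name.ToLower()
                Size      = $_.Length
                Modified  = $_.LastWriteTime.ToString('s')
                SHA256    = Get-Sha256Hex $_.FullName
                SigStatus = $sig.Status.ToString()
            }
        }
}

$inventory = @(Get-DriverInventory $DriverDir)

if ($Mode -eq 'Baseline') {
    $inventory | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Host "Wrote $($inventory.Count) entries to $BaselineFile"
    return
}

# Index the clean baseline by file name for O(1) lookups.
$baseline = @{}
Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Name] = $_ }

$findings = foreach ($d in $inventory) {
    $b = $baseline[$d.Name]
    if ($b -eq $null) {
        $reason = 'not in baseline (third-party driver or dropped file)'
    } elseif ($b.SHA256 -ne $d.SHA256) {
        # A patched driver keeps its old timestamp, so the hash is what catches it.
        $reason = "hash differs from baseline (size $($b.Size) -> $($d.Size))"
    } elseif ($d.SigStatus -ne 'Valid' -and $b.SigStatus -eq 'Valid') {
        $reason = 'signature no longer valid'
    } else {
        continue
    }
    New-Object PSObject -Property @{ Name = $d.Name; Modified = $d.Modified; Reason = $reason }
}

if ($findings) {
    $findings | Sort-Object Name | Format-Table Name, Modified, Reason -AutoSize
} else {
    Write-Host "All $($inventory.Count) drivers match the baseline."
}
```

Two caveats a practitioner should keep in mind. First, many inbox XP drivers are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature can report NotSigned for a perfectly good file, especially on an offline volume; that is why the script compares signature status relative to the clean baseline instead of treating anything other than Valid as bad. Second, a hash mismatch on a driver that was updated by a hotfix is legitimate, so confirm a hit by checking the file against the copy on the install media or a machine at the same patch level before replacing it.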