Nasty Virus - Cannot Find Nor Remove

[Digital Sage]

Hey folks,

Posting on here to see if anyone's seen anything like this.

Vista system. Strange infection that can't be found by any virus or malware tool i've thrown at it.

All downloads show as contaminated. Attachements refuse to open via email. Google chrome profiles corrupt and any search made in the search bar of chrome goes to softonic results.

No extentions in chrome. No settings in chrome are any different then default (nothing about softonic, but it's persistently redireting).

No results from any scans, in both safe mode and normal.

Tearing my hair out here....

Any ideas?

Thanks

Anthony.

 

[NYJimbo]

Go into the control panel and see if you can start windows defender or if the service is running. We are starting to see more of this.

You might be chasing several issues here.

 

[drjones]

1) Run Windows Defender Offline, bootable disk.

2) Did you use rkill?

3) Use autoruns to check all startup entries & remove any that are malicious/suspicious

 

[Digital Sage]

Windows defender doesn't want to start. Throws error message - found softonic crap everywhere via adwcleaner - the only program out of about 10 tried that found anything.

 

[drjones]

No, create a bootable CD: http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

Honestly, if you've spent more than an hour or so & you're reasonably good at removing viruses, I'd reinstall windows. Do they have a ton of software that will be a PITA to reinstall?

 

[Digital Sage]

rkill brought up nothing...

Spent about 2 hours on it now. Never seen anything like this. Quite a bit of software on here - but the client stated we could just start again if needed.

Going to try windows defender boot as a last resort...

Disturbing that nothing is being detected by paid virus programs...

 

[Digital Sage]

This thing is insidious.

Windows defender couldn't make a bootable USB Drive - unknown error
So made a CD - and the computer won't boot from it. Just skips the CD even thou it's selected in the boot menu at startup...

EDIT : Booting now from CD, however Windows Defender found nothing...

This system is TOAST!

 

[Xander]

Newest beta of Malwarebytes AntiRootkit says it fixes this.

At the risk of stating the obvious -- don't try to download it on the infected computer.

 

[frederick]

If you've tried every program, time to hit the registry or reinstall. Malewarebytes antirootkit though is a goodway to go.

 

[Digital Sage]

OK - going to give it a try. Thanks for all your help everyone.

 

[FremontPC]

Check out NYJimbo's thread on this too:

http://www.technibble.com/forums/showthread.php?t=47289

You may have to find a donor system to get Defender working right.

 

[Digital Sage]

Check out NYJimbo's thread on this too:

http://www.technibble.com/forums/showthread.php?t=47289

You may have to find a donor system to get Defender working right.

That thread describes EXACTLY what im dealing with. Thanks so much for referring me. Going to tackle it again tonight...

I've spent hours on this, i don't feel it's fair to charge my usual hourly rate as it becomes cost prohibitive. What would / did you guys charge to fix something that takes so long to diagnose? Flat rate? Cheers.

 

[frederick]

I charge a $120 flat virus removal fee. We uped it recently. Does it bite us in the butt? Only once.

 

[DocGreen]

Same here... I charge a flat rate for removals but with the condition the there may be additional fees for extreme infections (usually that just means a nuke & pave, which is a slightly higher charge than removal). So far I haven't had any complaints.

 

[Xander]

I think you'll find that just about everyone here does a flat rate for viruses. As for taking longer, it's not the customer's fault that we haven't learned how to remove the latest virus. Just think how much faster the next of these will go now that you'll recognize it instantly.

 

[Digital Sage]

I think you'll find that just about everyone here does a flat rate for viruses. As for taking longer, it's not the customer's fault that we haven't learned how to remove the latest virus. Just think how much faster the next of these will go now that you'll recognize it instantly.

Yep - agreed. This virus looks quite fresh.

 

[Xander]

FWIW, I had an FBI Ransomware that neither Kickstart nor KAV's live CD would recognize. Fortunately, it held true to the patterns and was based on a skype.dat file under AppData.

 

[CLC]

If you rename the windows defender folder it should stop the downloads showing as infections.

 

[Digital Sage]

Tried that - no luck. This rootkit must be 'phoning home' as it has evolved with every restart, locked out permissions for the renamed windows defender folder have changed, google chrome was saying it was attempting to be compromised before some updates, and now it's compromised.

Trying to open a USB drive has now been compromised - double click won't open it, but right clicking and choosing open still works!

Nasty stuff. Looks like windows repair is the only option.

 

[Xander]

And the new MBAR beta didn't fix it?