Police Virus, back again!

dombooth
Hi all,

I've got a client with a Sony Vaio SVE151G17M, Windows 8.

He runs Windows Defender and Malwarebytes Pro.

It came in with the usual Police virus. Removed it fine, no problems.

It came in again in June for the same virus. I thought maybe I haven't fully removed it. Removed it again.

The client has just called to say it's back again!

Where should I be looking for the cause of this? I'm going to ask him what sites he was on prior to it coming back.

Dom
 
Do you do anything else after you remove the virus? I run all the updates for Flash, Java, etc., all Windows patches, updates, service packs, etc. I've never had a virus come back in 3 years.
 
That's a "fun" one to remove alright. I would suggest using Norton Power Eraser to check for rootkits. I've found these lurking after removal of the visible Police malware variants. Also your client needs a decent anti-v installed.
 
I'll give it a go when I get back in.

Dom
 
If it's the same thing as before, I'd be tempted to back up the user's data, wipe the drive clean and reinstall; sounds like there might be something left over.
 
I would firstly check, using either ieview or ffview, exactly what sites your client has visited in order to get the virus again. Pinpoint it directly to a site and time (if it's well after your removal, then charge the client).

Then I agree with Steve, backup all the data, wipe the drive, and start afresh.
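For the Firefox half of that history check, here is an added example (not from any poster in this thread) that pulls the same information straight out of a copy of the profile's places.sqlite (on Windows 8 that lives under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\places.sqlite; copy it out first, Firefox locks the live file). It assumes the standard moz_places / moz_historyvisits tables and that visit_date is PRTime (microseconds since the Unix epoch, UTC). The clean-up date, hostnames and visits below are constructed sample data, not client data; swap build_sample_history() for open_history() on the real file. IE's history on Windows 8 is in an ESE database (WebCacheV01.dat) and is not covered here.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Firefox stores visit_date as PRTime: microseconds since the Unix epoch, UTC.
US_PER_SECOND = 1_000_000


def to_prtime(dt: datetime) -> int:
    """Convert an aware datetime to Firefox's PRTime microseconds."""
    return int(dt.timestamp() * US_PER_SECOND)


def from_prtime(us: int) -> datetime:
    """Convert PRTime microseconds back to an aware UTC datetime."""
    return datetime.fromtimestamp(us / US_PER_SECOND, tz=timezone.utc)


def open_history(path: str) -> sqlite3.Connection:
    """Open a *copied* places.sqlite read-only so nothing in it gets touched."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def visits_after(con: sqlite3.Connection, since: datetime) -> list[tuple[datetime, str]]:
    """Every recorded visit strictly after `since`, oldest first, as (utc time, url)."""
    rows = con.execute(
        "SELECT v.visit_date, p.url "
        "FROM moz_historyvisits AS v JOIN moz_places AS p ON p.id = v.place_id "
        "WHERE v.visit_date > ? ORDER BY v.visit_date",
        (to_prtime(since),),
    ).fetchall()
    return [(from_prtime(us), url) for us, url in rows]


def hosts_by_visits(visits: list[tuple[datetime, str]]) -> Counter:
    """Visit count per hostname; the top entries are where to start looking."""
    return Counter(urlsplit(url).hostname for _, url in visits)


def timeline(visits: list[tuple[datetime, str]]) -> list[str]:
    """One printable line per visit: 'YYYY-MM-DD HH:MM:SS  url'."""
    return [f"{ts:%Y-%m-%d %H:%M:%S}  {url}" for ts, url in visits]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite (sample data, not a real profile)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
        """
    )
    places = [
        (1, "https://news.example.test/front", "News"),
        (2, "http://free-streams.example.test/player?id=77", "Watch free"),
        (3, "http://free-streams.example.test/download.php", "Get the codec"),
    ]
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", places)
    visits = [
        # (place_id, when): one visit before the clean-up date, three after it
        (1, datetime(2013, 6, 10, 9, 30, tzinfo=timezone.utc)),
        (1, datetime(2013, 7, 2, 20, 5, tzinfo=timezone.utc)),
        (2, datetime(2013, 7, 2, 20, 14, tzinfo=timezone.utc)),
        (3, datetime(2013, 7, 2, 20, 16, tzinfo=timezone.utc)),
    ]
    con.executemany(
        "INSERT INTO moz_historyvisits (from_visit, place_id, visit_date, visit_type) "
        "VALUES (0, ?, ?, 1)",
        [(pid, to_prtime(when)) for pid, when in visits],
    )
    return con


# Assumed date the machine was handed back clean; anything after it is the re-infection window.
CLEANUP_DATE = datetime(2013, 6, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    con = build_sample_history()  # real case: open_history(r"C:\path\to\copied\places.sqlite")
    after = visits_after(con, CLEANUP_DATE)
    print("\n".join(timeline(after)))
    for host, n in hosts_by_visits(after).most_common(5):
        print(f"{n:4d}  {host}")
```

Run it against the copied file and read the timeline from the clean-up date forward: the first burst of visits to a site you don't recognise, followed by a download URL, is usually the moment you are looking for, and the host count tells you where to point the client.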
 
Thanks Nige. :)

Dom
 
In addition, if you are not in the habit of doing so: a lot of the time the virus will hide out in the System Restore image files. I always clear those images after a serious virus removal and then add the image back after I have determined that it is fully removed.
 
Good point, never really thought of that tbh, thanks. :)

Dom
 
What exactly are your procedures for removing this?

Could be missing something... rootkit, etc.

Is the customer using any P2P software?

Is it the EXACT same one coming back, or something similar? I.e., the exact same infected files in the exact same place?
 
Boot into safe mode
Run TDSSKiller
M/B Quick Scan
Boot into normal mode
Run ComboFix
Run RogueKiller
M/B again
HitmanPro
ESET Online Scanner

I'll check it out when he brings it in.
Don't think he does P2P.

Dom
 
Try Malwarebytes Rootkit Remover. I have found it to find a lot of things TDSSKiller is missing. TDSSKiller is not getting the results it used to.

http://www.malwarebytes.org/products/mbar/

Have you tried an offline scan after you're done, to see if anything is still lurking?

Kaspersky with the latest updates, perhaps on a bootable disk.

Can you post the logs so we can see what you are dealing with?
 
Will do when I have chance, thanks.

Dom
 
done Boot into safe mode
done Run MBAR
done M/B Quick Scan
done Run ComboFix
done Boot into normal mode
done Run RogueKiller
done M/B again
done HitmanPro
done ESET Online Scanner

LOTS of tracking cookies from p0rn sites.

Trojan.Siredef.C
Trojan.FakeMS

Dom
 