Annoying Trojan Problem! (Fixed!)

So, our laptop has been pretty "clean" from a virus standpoint but all of a sudden I'm getting a daily McAfee alert that it picked up a Trojan (BackDoor-EDY.b). The message literally opens and closes before I even have a chance to read it, which seems weird. So, I run the full scan and it comes back with no items detected. Strange. I then run a scan in Spybot S&D (Adware/Malware) and it always picks up the same Trojan (a variation of the KillAV trojan) and within that are two files deep in the registry. So, I clean those files up, rescan, and all is well.

The PC runs fine from what I can see but the next time I reboot (usually the next day), I'm back where I started with the McAfee trojan alert again. This cycle has been going on for a few days and I'm having trouble cleaning this up. I have a limited understanding of viruses, etc. but it seems as though there's something on the PC that is allowing the trojan to re-download.

How can I get rid of this damn thing??

Here's what came up in the LogViewer:

Detection name: BackDoor-EDY.b (Trojan), BackDoor.EDY.b (Trojan)

File: C:\Program Files\Shared\lib.dll

Process: C:\Docs and Settings \....\Content.IE5\some file.htm

Process Description: same as above

-------------------------------------------------------------------

Here's the info from McAfee's Virus Website:

Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/5/2010
Date Added: 2/5/2010
Origin: Unknown
Length: N/A
Type: Trojan
Subtype: Remote Access
DAT Required: 5883

www.malwarebyes.org

Make sure System Restore is turned off before you scan and delete. It wouldn't hurt to scan in Safe Mode too, just make sure you update Malwarebytes first in regular Windows or in Safe Mode with Networking.

Malwarebytes is excellent. Spybot is no longer worth using.

*Legion* wrote:

Malwarebytes is excellent. Spybot is no longer worth using.

Seconded

Switch to Durex.

Thanks for the malwarebytes suggestions. Do you guys use the free version?

Edwin - should I wrap the condom around my laptop?

No no no, don't you know anything?

IMAGE(http://media.bestofmicro.com/dsl-modem-condom,6-M-193342-13.jpg)

Nuke it from orbit. It's the only way to be sure.

Seriously, an infection this persistent would make me squeamish enough to just sh*tcan the whole thing and start over.

That's me, personally, though.

*Legion* wrote:

Malwarebytes is excellent. Spybot is no longer worth using.

SUPERAntispyware (despite sounding like scareware) is also excellent and I've had good luck with it too. If MB can't get it, this usually can.

NSMike wrote:

Nuke it from orbit. It's the only way to be sure.

Seriously, an infection this persistent would make me squeamish enough to just sh*tcan the whole thing and start over.

That's me, personally, though.

Normally I would but it's my wife's work PC so I'm hesitant to do anything extreme.

The full scan just finished and it picked up 5 additional infected files that neither McAfee nor Spybot were able to catch. One of them was a Trojan Downloader, which must be what was installing the BackDoor-EDY every time I rebooted. Anyway, I cleaned those up, rebooted, and so far no trojan alerts from McAfee.

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Gumbie wrote:

www.malwarebyes.org

Make sure system restore is turned off before you scan and delete. It wouldn't hurt to scan in safe mode too, just make sure you update malwarebytes first in regular windows or in safe mode with networking.

Just a heads-up but that link inadvertently goes to a "clone" ad site which is not associated with Malwarebytes at all, even though it may look like the site is a legitimate anti-malware vendor.

I do a lot of home computer repairs on the side, most of the time I'm charging $40 an hour to run MBAM and SAS. They're my go-to programs, although I've been hearing good things about ComboFix, any opinions?

Once you've run known-bad code on your system, the only way to be certain it's clean is a nuke-and-pave. The best you can get with these tools is 'probably' clean. Many malware authors are limiting runs of specific malware to just a few hundred running computers, so it stays below the radar and doesn't get put into the detection programs. They run dozens of variants that differ quite substantially, so if any one gets caught, they don't lose everything at once.

Once you know you've been compromised, probably is the best you can do without a full forensic-style examination of the drive mounted from another, known-clean computer, and most of us don't have that kind of expertise.

You should let her work know that she was compromised. Once that's happened, their IT policy should normally be to rebuild it for her. A good IT department will be able to hand her a new laptop within an hour or so, and take her old one in trade.

ComboFix works extremely well for when MBAM or SAS doesn't seem to pick up anything. The thing is, ComboFix often doesn't fix the problem, but usually cleans things up enough that you are able to run MBAM and get rid of the rest of the crap. This is generally a good idea for most common spyware (including "scareware" like Antivirus Plus), but if it is a system that has sensitive data on it Malor is correct in that it should be dealt with by their IT team.

Thanks for all the advice. One last thing (hopefully) - is it a good practice to use a program or manually review all of the processes that are actively running? I have 73 running right now and that seems high being that I'm only using IE and Malwarebytes at the moment. Thoughts?

If you're running XP, Process Explorer is a good tool to vet your processes to make sure they're legit and not something nasty hidden behind a common process name. If you're confident and know what you can safely turn off you can cut your processes down a lot in msconfig, but I wouldn't recommend going too far with that unless you know what you're doing.
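The same kind of vetting the post above describes, done from a PowerShell prompt instead of Process Explorer, as an added example that is not part of the thread: it lists each running process with its image path and Authenticode signature status, and flags well-known Windows process names that are running from somewhere other than the directory they legitimately live in. It assumes Windows PowerShell 2.0 or later run from an elevated prompt (otherwise the image paths of system processes are not readable), and the list of imitated names is an assumption for the example, not a complete reference.

```powershell
# Added example, not from the thread: vet running processes by image path and
# Authenticode signature, and flag well-known Windows process names that are
# running from somewhere other than their expected directory.
# Assumes Windows PowerShell 2.0+ on Windows, run from an elevated prompt.

function Get-ProcessVetReport {
    $systemDir  = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\system32
    $windowsDir = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows
    $wow64Dir   = Join-Path $windowsDir 'SysWOW64'          # 32-bit copies on 64-bit Windows

    # Names that malware commonly imitates, mapped to the directories they legitimately
    # run from. This list is an assumption for the example and is not exhaustive.
    $expected = @{
        'svchost'  = @($systemDir, $wow64Dir)
        'lsass'    = @($systemDir)
        'csrss'    = @($systemDir)
        'winlogon' = @($systemDir)
        'services' = @($systemDir)
        'smss'     = @($systemDir)
        'spoolsv'  = @($systemDir)
        'explorer' = @($windowsDir)
    }

    foreach ($proc in Get-Process) {
        $path = $null
        try { $path = $proc.MainModule.FileName } catch { }   # access denied for some system processes

        $sigStatus = 'n/a'
        $signer    = ''
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status.ToString()               # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $flags = @()
        $name = $proc.ProcessName.ToLowerInvariant()
        if ($expected.ContainsKey($name)) {
            if (-not $path) {
                $flags += 'path unreadable'
            } else {
                $dir = Split-Path -Parent $path
                $ok = $false
                foreach ($d in $expected[$name]) { if ($dir -ieq $d) { $ok = $true } }
                if (-not $ok) { $flags += "unexpected location for $name" }
            }
        }
        if ($path -and $sigStatus -ne 'Valid') { $flags += "signature $sigStatus" }

        New-Object PSObject -Property @{
            PID    = $proc.Id
            Name   = $proc.ProcessName
            Path   = $path
            Signer = $signer
            Flags  = ($flags -join '; ')
        }
    }
}

# Flagged entries first. A "system" name running from a profile or temp directory
# is the case worth a close look; an unsigned third-party binary on its own is not.
Get-ProcessVetReport |
    Sort-Object -Property @{Expression={$_.Flags -ne ''}; Descending=$true} |
    Format-Table -Property PID, Name, Flags, Path -AutoSize
```

One caveat when reading the output: on XP and Windows 7 most Microsoft binaries are signed through a catalog file rather than an embedded signature, and Get-AuthenticodeSignature on those versions reports them as NotSigned, so the signature column is supporting evidence, not a verdict. The location check is the stronger signal, and, as the later posts in the thread point out, a process list read from inside a compromised OS can itself be lied to.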

manually review all of the processes that are actively running?

If you see stuff that shouldn't be there, that's proof that you're compromised. But any good malware can hide itself; there's almost an infinite number of places in the complexity of a modern OS where it can hide, making itself nearly or entirely invisible to other programs.

Once you have bad code running on a system, it is impossible, absolutely impossible, to be sure that system is clean again, if all your detectors are running under the OS itself. Any malware can corrupt the OS or detection programs to return false negatives. The only way to know for sure that you're clean is to do a forensic analysis from a known-clean system. This is extremely difficult and time-consuming, if you even have the skill set, and are able to write the tools you'd need to do the comparison. It is much, MUCH faster to just erase and reinstall.

Knowing that you're compromised means you're compromised. But once you've been compromised, a machine can look clean while still being infected. Before compromise, you can assume a machine that appears clean most likely is, but after compromise, you can no longer make that assumption. You can't logically prove that a machine is clean from within its own operating system, because any function you use can be corrupted to return false results.

I know you want to just be able to run a tool and know you're all cleaned up. Sadly, that is impossible. The best you get is 'probably'. On a work machine, that is usually unacceptable, and you need to get her workplace involved in the cleanup.
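The "comparison from a known-clean system" the post above describes, as an added example that is not part of the thread: on a clean machine of the same Windows build and patch level, hash a directory tree into a baseline; then mount the suspect drive on that clean machine (read-only) and report every file that is added, missing or changed relative to the baseline. The functions, the CSV format and the paths in the usage comments (C:\baseline.csv, E:\Windows\System32) are assumptions for the example; it uses the .NET SHA-256 class directly so it runs on Windows PowerShell 2.0 and later.

```powershell
# Added example, not from the thread: offline baseline comparison of a suspect drive
# against a known-clean reference of the same Windows build and patch level.
# Run everything on the clean machine; the suspect disk is only ever mounted, never booted.

function Get-TreeHashes {
    # Returns a hashtable of relative path (lower-cased) -> SHA-256 hex string.
    param([Parameter(Mandatory=$true)][string]$Root)
    $Root = $Root.TrimEnd('\')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result = @{}
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\').ToLowerInvariant()
            try {
                $stream = [System.IO.File]::OpenRead($_.FullName)
                try   { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
                finally { $stream.Close() }
                $result[$rel] = $hash
            } catch {
                $result[$rel] = 'UNREADABLE'   # locked or permission denied; review by hand
            }
        }
    $sha.Dispose()
    return $result
}

function Export-HashBaseline {
    param([Parameter(Mandatory=$true)][hashtable]$Hashes,
          [Parameter(Mandatory=$true)][string]$Path)
    $Hashes.GetEnumerator() |
        Select-Object @{n='Path'; e={$_.Key}}, @{n='Sha256'; e={$_.Value}} |
        Export-Csv -Path $Path -NoTypeInformation
}

function Import-HashBaseline {
    param([Parameter(Mandatory=$true)][string]$Path)
    $h = @{}
    Import-Csv -Path $Path | ForEach-Object { $h[$_.Path] = $_.Sha256 }
    return $h
}

function Compare-HashBaseline {
    # Emits one object per difference: ADDED (not on the clean reference),
    # MISSING (on the reference but not on the suspect) or CHANGED (hash differs).
    param([Parameter(Mandatory=$true)][string]$BaselineFile,
          [Parameter(Mandatory=$true)][string]$Root)
    $baseline = Import-HashBaseline -Path $BaselineFile
    $suspect  = Get-TreeHashes -Root $Root
    $paths = @($baseline.Keys) + @($suspect.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        $status = $null
        if     (-not $baseline.ContainsKey($p))  { $status = 'ADDED'   }
        elseif (-not $suspect.ContainsKey($p))   { $status = 'MISSING' }
        elseif ($baseline[$p] -ne $suspect[$p])  { $status = 'CHANGED' }
        if ($status) {
            New-Object PSObject -Property @{ Status = $status; Path = $p }
        }
    }
}

# Usage (paths are placeholders):
#   On the known-clean machine, same build and patch level as the suspect:
#     Export-HashBaseline -Hashes (Get-TreeHashes -Root 'C:\Windows\System32') -Path 'C:\baseline.csv'
#   With the suspect drive attached to the clean machine as E:
#     Compare-HashBaseline -BaselineFile 'C:\baseline.csv' -Root 'E:\Windows\System32' |
#         Sort-Object Status, Path | Format-Table -AutoSize
```

The point of doing it this way is the one the post makes: the hashing runs on an OS the malware never executed in, so nothing on the suspect disk can hook the file reads. The comparison is only as good as the baseline, so a CHANGED entry on a machine whose patch level differs from the reference tells you nothing, and an ADDED entry is a file to look at, not a verdict; it narrows the search, it does not replace the rebuild.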

Well obviously you need to buy a new machine since the only true way to be 100% certain is to throw out the other one...

...yeah.

Actually, there's been some theoretical work in ACPI viruses, which would mean you'd have to reflash your firmware, so while you're trying to be dismissive and derogatory, you're actually more right, perhaps, than you think. That day may not be that far off.

Another note: there are millions of compromised computers on the Net, being used for various nefarious purposes. I guarantee you that a lot of those owners are unaware of the compromise, and some have even run tools telling them that they're clean.

It's people who believe that you can reliably disinfect a computer from within the OS that are the best friends of the talented malware guys... they put something obvious in that you "catch" and "clean", while the real compromise remains.

Malor, at some point you're just repeating yourself ad nauseam. The following posts after your first one are basically remixes on the same point.

That's not debate, that's browbeating. Glad the issue is "fixed" now, thread done.