

Virus-free or virus hiding: is my computer Conficked or just fine?
April 27, 2009 11:44 AM   Subscribe

On or around April 1, my computer caught something that caused havoc with my antivirus programs but now everything seems fine--this can't be correct?

On April 1 (bad news, I know), my antivirus program (Avira) warned me that it had not been able to retrieve definition updates from the internet.

It has been a frustrating saga to figure out what might be wrong; if you're not into the saga, skip to the last paragraph for an executive summary.

I immediately had Avira run a full-system virus scan, which picked up what Avira called a Trojan (dropper?) in my Temp files that was promptly quarantined. Searching Google, the only info I found to get rid of Dropper was to install MalwareBytes and run a full scan. Well...

I checked MalwareBytes, which I already had installed eight months ago, to find that it also wasn't updating. MalwareBytes did not pick anything up in its full scan. I tried re-naming MB, but the problem was not accessing it but rather updating, and renaming did nothing.

At this point, I tried TrendMicro to see if a program that was not on my computer would pick anything up. It did not.

I then tried grabbing manual updates for Avira via a USB drive from an uninfected computer. The files fail to correctly integrate with Avira.

I also know that my Adobe, Flash, and Java programs were all nagging me to update, and I had not done so for at least five months (not my brightest move).

Several days later, I checked to see if Windows Update was working, which it wasn't. The internet, yes, Update, no.

I then downloaded Avast to see if that would pick anything up. The most up-to-date version available did not pick anything up in its full system scan. Once Avast was installed, it too was unable to update.

I deleted Avast, then restarted my computer. With restart, the desktop, start menu, and system tray failed to become visible, as did a program (Rocketdock) that I installed two years ago. Restarting again did nothing, but once I restarted in Safe Mode I was able to see the desktop, start menu, etc.

However, at that point, Firefox and IE both stopped connecting to the internet. I know it wasn't my ethernet cord, and I know it wasn't the network. The network has a kick-ass automatic quarantine that I know was functioning correctly at the time, as well as some species of firewall.

I did a system restore to a point shortly before April 1st.

At the exact same time, my power cord died. With the battery dead and no AC adapter, I unplugged the ethernet cable and let the computer sit in hibernation.

Fast forward three weeks, and I was finally able to acquire a power cord and I re-connected the ethernet cable. My computer wakes up, with Firefox open and the tabs all reloaded to current information (i.e. Slate had yesterday's articles not those from three weeks ago). Well, great.

Avira automatically starts updating, and the update goes through. MalwareBytes updates. Windows Update updates. I immediately do a full system scan, using both MB and Avira. MB once again picks up nothing, while Avira picks up another two Trojans (different ones, this time) in my Temp files. I then deleted the named files. I updated Java, then Flash, but haven't gotten to Adobe yet.

Here is the problem: my system seems fine. Antivirus programs, Update, everything that was haywire, now seem good to go. This just doesn't seem possible when the only thing I did was disconnect the computer from the internet for three weeks, and the system restore (which didn't seem to solve the problem three weeks ago).

Executive summary: Antivirus programs, Windows Update and other critical programs failed to update around April 1, Avira antivirus sees nothing but Trojans in temp files while Malware Bytes sees nothing, power cord dies and is resurrected three weeks later at which point the computer miraculously updates all problem programs and all seems well. This surely can't be right?

Tech specs: I am running Win XP (Media) on a Dell E1405, typically using Firefox 3, with Avira Antivirus, MalwareBytes, and Spybot Search and Destroy all installed and regularly updated, Windows Firewall is on and the network also runs a firewall.
posted by librarylis to Computers & Internet (5 answers total) 4 users marked this as a favorite
 
Sounds like it could be conficker...

The Conficker Eye Chart is a quick and easy test for conficker.

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx is Microsoft's page all about Conficker.
posted by namewithoutwords at 11:48 AM on April 27, 2009 [2 favorites]
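The Eye Chart works on one observation: Conficker stopped infected machines from reaching security vendor and Windows Update sites while the rest of the web still loaded, which is exactly the pattern the asker describes (browsing works, every updater fails). The script below is an added example, not part of this thread and not the Eye Chart's own code; it puts that test into a form you can run from the suspect machine. The hostnames are assumed, illustrative choices rather than the image URLs the real Eye Chart used, and the substring filter in `substring_blocking_resolver` is an illustrative stand-in for the kind of name filter Conficker applied, there so the verdict logic can be exercised offline.

```python
"""
Added example (not from the thread): the logic behind the Conficker "Eye Chart"
as a script. It checks whether name lookups for security vendor hosts fail
while lookups for ordinary control hosts succeed.
"""
import socket

# Assumed, illustrative hostnames; not the image URLs the real Eye Chart used.
SECURITY_HOSTS = [
    "www.microsoft.com",
    "update.microsoft.com",
    "www.avira.com",
    "www.malwarebytes.org",
    "www.trendmicro.com",
    "www.avast.com",
]
# Sites a security-vendor-only block would leave alone.
CONTROL_HOSTS = ["www.example.com", "www.wikipedia.org"]


def substring_blocking_resolver(blocked_substrings):
    """Return a fake resolver that fails any hostname containing one of the
    given substrings. This imitates the style of filter Conficker applied to
    lookups (an assumed, illustrative stand-in, not its real string list) so
    the verdict logic below can be tested without a network."""
    def resolve(host):
        low = host.lower()
        if any(s in low for s in blocked_substrings):
            raise OSError("lookup blocked for %s" % host)
        return "203.0.113.1"  # TEST-NET-3 address; never a real answer
    return resolve


def resolves(host, resolver=socket.gethostbyname):
    """True if the resolver returns an address for host, False on any lookup error."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def eye_chart(security_hosts=SECURITY_HOSTS, control_hosts=CONTROL_HOSTS,
              resolver=socket.gethostbyname):
    """Classify the machine by which names resolve.

    Returns (verdict, security_results, control_results); verdict is one of
    "offline", "suspicious", "clean" or "inconclusive".
    """
    sec = {h: resolves(h, resolver) for h in security_hosts}
    ctl = {h: resolves(h, resolver) for h in control_hosts}
    controls_ok = sum(ctl.values())
    security_ok = sum(sec.values())
    if controls_ok == 0:
        verdict = "offline"        # nothing resolves: a network problem, not a selective block
    elif security_ok == 0:
        verdict = "suspicious"     # ordinary names work, every security vendor name fails
    elif security_ok == len(sec):
        verdict = "clean"          # no selective blocking visible from this test
    else:
        verdict = "inconclusive"   # partial failures: retry, or check the failing hosts by hand
    return verdict, sec, ctl


if __name__ == "__main__":
    verdict, sec, ctl = eye_chart()
    for host, ok in list(sec.items()) + list(ctl.items()):
        print("%-28s %s" % (host, "ok" if ok else "FAIL"))
    print("verdict:", verdict)
```

Two caveats when reading the verdict. A "clean" result only says this one behaviour is absent; it is not a clean bill of health for the machine. And the test is only meaningful in Normal mode on the suspect machine itself: an infection that did not load (for instance after a Safe Mode boot, as GJSchaller points out below) blocks nothing, so a run from Safe Mode or from another computer tells you nothing about what happens at the next normal reboot.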


Nuke and reinstall, take the one moderate headache over infinite minor ones.
posted by Inspector.Gadget at 11:50 AM on April 27, 2009 [1 favorite]


Did your computer hibernate in Safe Mode? If so, is it still in safe mode? If the virus never loaded, everything will update correctly until you reboot, assuming it's still present and hasn't been removed.

I'd take the opportunity to run as many updates and scans while you can before rebooting, and then make a good backup of everything you value (Just data, or a system image if you can). Then reboot a few times, and see if everything is working. The good Inspector's advice is also valid, if you don't think this will play out well... just remember to scan your data / backup medium before you put it back on the fresh install.
posted by GJSchaller at 12:17 PM on April 27, 2009


Good point, GJSchaller. The computer started again in regular, not Safe, mode. This is most likely due to the length of the hibernation (at a certain point greater than 10 days, it shuts down hibernation mode and has to be restarted).

I will be taking the advice given, especially the Eye Chart.

I'd really like to avoid the nuke method, if at all possible.
posted by librarylis at 12:43 PM on April 27, 2009


As I've posted in the past, but now have an updated instruction set from my friend Kevin (who does this for a living and allows me to repost it):

Go to a clean machine and download the following programs and save to a flash drive or CD:

Note: Disable any antivirus programs first as some of these files create false positives and are blocked.

Roguefix from http://www.technibble.com:80/repair-tool-of-the-week-roguefix/
ComboFix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix
SmitfraudFix from http://www.bleepingcomputer.com/files/smitfraudfix.php
SDFix from http://www.bleepingcomputer.com/resources/link252.html
AntiRootkit from http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx
Ad-Aware from http://www.lavasoftusa.com/products/ad_aware_free.php
Spybot from http://www.safer-networking.org/en/download/index.html
Anti-Malware from http://www.malwarebytes.org/mbam.php
HijackThis from http://www.bleepingcomputer.com/files/hijackthis.php
WinsockFix from http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Go to the infected machine and boot into Safe Mode. Once to the desktop the first step is to turn off System Restore. To do this right click on My Computer and choose Properties. When the Properties box comes up click the System Restore tab and check the box at the top to turn off system restore on all drives. Click Apply and OK and then restart the PC, again into Safe Mode.

Once to the desktop insert the media containing your tools and copy Roguefix, ComboFix, SDFix and SmitfraudFix to the desktop. Rename all three .exe files (I use snoopy.exe, linus.exe and lucy.exe, but anything will do). Run Roguefix and follow the instructions to scan and clean. Reboot when prompted and choose Safe Mode again. Run SmitfraudFix and choose option 2 from the text menu. When prompted click yes to clean the registry.

Once that program finishes run ComboFix. If you get a prompt about installing Recovery Console click No. This one will most likely reboot the PC before it can clean all the items but whatever it does just leave it alone until it shows you the log file. Reboot the PC again into Safe Mode if needed and run SDFix.

Once that finishes reboot the PC again into Normal mode (which SDFix will probably require) and copy the Panda AntiRootkit to the desktop and run it. Update it and if it finds anything remove all the entries on the list. If you have a Rootkit reboot the PC and run Panda again, and keep doing that sequence over and over until it finds nothing.

Once Panda shows clean reboot to Normal mode and install Ad-Aware, Spybot, RogueRemover and Anti-Malware. Update each one, then reboot again into Safe Mode. Run each of the programs back to back, once again removing everything they find.

When you have all that done, reboot into normal mode, update your antivirus program and do a full system scan. If there’s not one on the PC or if it’s expired you can get good free ones by searching Google for “AVG free” or “Avast free”. If you want better protection against spyware as well as viruses I suggest products from either Panda or Kaspersky.

HijackThis is up to you. If you want a little help to verify that the machine is actually clean you can copy HJT to the desktop once you've finished all the cleanings and rebooted to normal, run it and save a log file and send it to me as an attachment. I'll look through this and give further advice if needed.

The final item, WinsockFix, is there in case you lose the connection to the Internet at any point during the process. Some malware alters the TCP/IP stack to better monitor all online activity and removing it will sometimes damage the socket files. Run this program to rebuild the entire network structure and get back online, then pick up where you left off.

As a warning, occasionally ComboFix and SmitfraudFix don't restart the GUI, usually when they don't trigger a reboot. If they finish and you have a blank screen hold down CTRL+ALT and tap DEL to open Task Manager, then click File and New Task. Type "explorer" (without the quotes) into the Open: field and click OK.

Hope this helps and good luck!
posted by deezil at 4:37 PM on April 27, 2009 [23 favorites]
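deezil's runbook ends with a HijackThis log handed to a human for review. The script below is an added example, not from the thread and not HijackThis's own code: a first pass over such a log that pulls out the entries a reviewer would look at first given this thread's symptoms, namely O4 autostart entries launching from a Temp directory or using a Windows system binary's name from the wrong place, O10 Winsock LSP entries (the layer the WinsockFix step rebuilds), and O17 DNS server overrides. The sample log is constructed for this example in the O4/O10/O17 line style HijackThis used (that format is reproduced from memory and is an assumption); the paths, the LSP DLL name, the GUID and the DNS address in it are invented.

```python
"""
Added example (not from the thread): first-pass triage of a HijackThis log.
It does not decide what is malicious; it orders the entries a human reviewer
should look at first.
"""
import re

# Directories an autostart entry should not normally launch from.
SUSPICIOUS_DIR_MARKERS = ("\\temp\\", "\\recycler\\")
# Windows binaries whose names malware likes to borrow; real copies live in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Assumed O4 line shape:  O4 - HKLM\..\Run: [name] "C:\path\prog.exe" /args
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample log for this example; not a real log from any machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [svchost] C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [Updater] C:\WINDOWS\svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\example_lsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53
"""


def extract_path(cmd):
    """Pull the executable path out of an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")                 # unquoted: cut after the first .exe
    return cmd[:i + 4] if i >= 0 else cmd.split(" ")[0]


def assess_o4(path):
    """Return a reason string if an autostart path looks wrong, else None."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if any(marker in low for marker in SUSPICIOUS_DIR_MARKERS):
        return "autostart launches from a temp/recycler directory"
    if base in SYSTEM_NAMES and "\\system32\\" not in low:
        return "Windows system binary name outside System32"
    return None


def triage(log_text):
    """Return a list of (section, name, reason, line) entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reason = assess_o4(extract_path(m.group("cmd")))
            if reason:
                findings.append(("O4", m.group("name"), reason, line))
        elif line.startswith("O10 - "):
            # LSPs sit in the Winsock path; removing one carelessly is what breaks networking.
            findings.append(("O10", "", "Winsock LSP entry: identify the DLL before any Winsock reset", line))
        elif line.startswith("O17 - "):
            findings.append(("O17", "", "DNS server override: confirm the address belongs to your network", line))
    return findings


if __name__ == "__main__":
    for section, name, reason, line in triage(SAMPLE_LOG):
        print("%-4s %-12s %s" % (section, name, reason))
        print("     " + line)
```

On the sample, the Avira and RocketDock entries pass and the two borrowed `svchost.exe` names are flagged, one for living in Temp and one for living in `C:\WINDOWS` instead of System32. Whether the LSP DLL and the DNS server are legitimate is not something the script can know, which is why deezil's offer of a human read-through is the right last step.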

