Tricky infection--does an expert want a challenge?

Hello:

I am stuck with a recurring problem. Before I wipe out and reinstall from backup, I want to see if an expert from Comodo wants to have a go at cleaning.

Symptoms:

  1. This is an educated guess. Starts when I allow an action in Defense+, mixed up with the other permission requests.
  2. Then intermittently, right-click on a program icon on the desktop will not display the appropriate menu; instead, the menu for right-click on the desktop is displayed.
  3. During startup, the note about pressing F8 for safe boot disappears.
  4. At some point, the computer freezes, forcing a restart. It gets worse after this.
  5. Anti-virus updates fail.
  6. Scans freeze. Have to restart.
  7. Scan with Comodo anti-virus: while going through the scan, the CPU goes to 100%, the computer stops responding, the display of files currently being scanned blanks (only this portion), and after a few minutes it is back to normal.
  8. At some point, protection gets turned off, usually after being forced to reboot.
  9. Also happens with Malwarebytes' Anti-Malware.
  10. Repeated scans with Comodo, MBAM and Prevx show no infections.

I can run any scans or tests and provide prompt responses. Can let you have remote access too, if you are from Comodo. However, the trouble-shooting process must start in a day or two and proceed quickly.

In case of delay, we can work out a way for this to proceed quickly the next time this happens. It will not be too long: less than a month from reinstallation!!

Let me know.

Best
Nag

Hi Nag,

Please check this topic and/or visit http://www.geekbuddy.com/ .

A Comodo Expert will check the issues you reported.

Regards,
Ionel

When someone is able to change your PC and security program behaviour, I would not be surprised if he managed to make some parts of that virus's features "clean resistant".
I would never trust my PC after such an infection... not even after a "cleaning" by an expert.

Ionel:

I am aware of the service you mentioned. Someone going through the motions will be of limited use. Went through several "help" forums and used the tools suggested there: nothing. Once it shows up, it takes weeks for the query-response-query cycle to progress.

My main motivation is to get back at the source of the infection rather than "clean" the system. What should be of interest to you is the chance to improve the Comodo system. I believe there is some sort of vulnerability that is letting this super-bug through: where is this thing coming from, and how does it get through without being detected?

Clockwork:
As I mentioned, after several cycles of this, I made a clean image and periodically restore once the infection gets annoying. See previous para.

Maybe your image isn't "clean". When I speak about cleaning a machine, I would make a real fresh installation.

You will lose much time finding the "source", and when you have found it, you should make a clean installation anyway.

So save time. Reinstall the OS, and load all programs that you want to use fresh from trusted sources.

You don't win a thing that's worth wasting so much time investigating.

And when your security programs are able to work, you will maybe not be infected again. IF you are infected again, this time you have the chance to notice the real moment, and then you have the source.

Don't use a restore point. Save your needed data, reinstall the OS, reload programs. That's my first thought when I hear your story.

Clockwork:

This is the nth time I am getting hit with this. Went through several clean installations; it did not help. What I now have is a clean backup. I periodically restore from it, so I have a working setup. At some point, the bug gets in and I cannot pinpoint it; it does not do the obvious things. Some sort of randomization is built in.

I know you are trying to help and thanks for trying.

Best

Very strange... when everything is made new, the last thing that stays might be the hard drive. Just as a thought, a master boot sector infection?
Otherwise, if it were an "in the wild spreading" virus which couldn't be defended against, many others would experience the same infection again and again too, whatever security programs they use.

When it's on that sector with rootkit techniques, no antivirus can "see" it. And most important, you said it's able to make the "safe mode F8" disappear... these can be hints of a very "base-level" infection.

Have you tried scanning with these rootkit scanners yet?

Wiped the HDD several times, installed from clean media and have a backup from this!!

Sophos Anti-Rootkit shows several hidden files: all are classified as Removable: Yes (but clean up not recommended).

That would be my advice as well. After being infected with a rootkit I wouldn’t trust the system. You can still give it a shot though as you have nothing to lose.

Can anyone recommend whether it is a good idea to rebuild the MBR, like is suggested here for CTM?

Where else could malware be hiding? Perhaps reflash the BIOS. I’m just guessing though. Please don’t try these unless you truly have nothing left to lose. This is outside my level of experience.

Can anyone recommend whether it is a good idea to rebuild the MBR, like is suggested here for CTM?
If you have a genuine Windows disc and you keep getting reinfected after a reformat, then it's occurring before Windows starts. So yes, I would strongly recommend rebuilding the MBR.
  1. Check your BIOS settings to see if they're normal.

  2. What model and brand of modem do you have? Some modems have built-in routers and a control panel.
    All modems are different and you may need to look online from a different PC when searching for it. Try resetting it. If you're lucky, there will be a tiny hole in the modem; stick a pin or something in it to reset it.

Good Luck
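The two posts above raise a master-boot-sector (bootkit) infection and advise rebuilding the MBR. A defender can also verify the sector instead of guessing: record a hash of the boot code right after a clean install, then compare the first sector of the disk against it each time the symptoms return. The following script is an added example, not code from the thread or from Comodo; it assumes you have such a baseline hash and a raw copy of sector 0 (for instance from a disk image). The sample sectors in it are constructed for the demonstration, not taken from any real disk.

```python
"""Baseline check of a 512-byte MBR sector (boot code + partition table)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = sector[off:off + PART_ENTRY_SIZE]
        if entry == b"\x00" * PART_ENTRY_SIZE:
            continue  # unused slot
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({
            "index": i,
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from the clean-install baseline")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero start or length")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or block device (e.g. a dd copy)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR for the demonstration (not from any real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        sector[off:off + PART_ENTRY_SIZE] = struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a "clean" sector as recorded right after reinstall, and the
# same sector with its boot code altered (what a boot-sector infection would produce).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xe9\x00\x01"   # constructed change in the boot code bytes
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE_HASH) or "OK")
```

In practice you would run `check_mbr(read_mbr("/dev/sda"), BASELINE_HASH)` (or on a dd image of the disk) from a trusted boot medium, since a rootkit active in the running OS can hide sector changes from reads made through it; the partition-table sanity checks catch crude corruption, while the boot-code hash is what exposes a replaced loader.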

Remember to keep your computer physically disconnected from any network, including wireless, during and after the install of Windows, until you have activated a firewall. Do this regardless of any NAT router in between, which could also be compromised.
You didn’t mention which version of Windows you are using, but prior to SP2, Windows XP by default doesn’t have firewalling activated after installation. In that case you can manually activate filtering of incoming connections from network adapter properties, before connecting to get your system fully patched.

You should check any possible other computers at your facility and any removable media like USB sticks where the source of reinfection may also lie.

If you are using a wireless network, make sure your system is connecting to the correct network and it is protected. Perhaps reconfigure the encryption key.

Pay careful attention to what you do after reinstalling. Perhaps there is a piece of software you always install soon or a page you visit that you assume to be safe.


You said that the strange things started happening after you allowed a D+ alerted action. Do you have any logs still left, what kind of action was it, from what process?