Strange malware fix.

Seth

FPCH Long Term Member
Joined
Dec 17, 2007
Messages
2,268
Location
Canada
Operating System
Windows Vista - Home Premium
#1
I had a computer in my shop yesterday that was running avg and undergoing disinfection.

Long story short, following the disinfection process, sas's "First Chance Prevention" still popped up with a Vundo dll in the system32 folder. MalwareBytes and other means confirmed the infection, but upon reboot, it just kept returning. I slaved the drive and deleted the file. On reboot it was there again. GRRRR

At that point I decided to send a diagnostic report to sas and let them write the new definition files to deal with such. Before doing so, I disabled System Restore and re-started. I was like WTH when sas didn't report the dll...nor did any other scanners.

YET, all I did was clear the restore points.
 

AdvancedSetup

FPCH Long Term Member
Joined
Jan 9, 2008
Messages
819
Location
34° 12' 35" N, 118° 29' 21" W
#2
Yeah, my guess is that there is still code on the box making a call to copy the file back.
No reason why the dorks that write this crap can't call files back just like SR does.

Just means (IMHO) that SAS/Malwarebytes etc... are missing the calling code as well but have cleaned it up enough that it can't regenerate its own file, which some do, so your removal of the restore points cleaned it, say, 90%, but I still bet there is lingering code on the box that no longer has teeth.
 

Seth

FPCH Long Term Member
Joined
Dec 17, 2007
Messages
2,268
Location
Canada
Operating System
Windows Vista - Home Premium
#3
My thoughts exactly.

New shop policy: SR is to be purged before disinfection.
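The shop policy above as an elevated PowerShell script, added here as an example and not posted by anyone in the thread. It assumes Windows Vista or later with the built-in `Disable-ComputerRestore`, `Get-ComputerRestorePoint` and `vssadmin` tools, and the file path `C:\Windows\System32\SUSPECT_PLACEHOLDER.dll` is a placeholder for whatever the scanner actually flagged, since the thread names no file.

```powershell
# Added example, not code from the thread: purge System Restore before disinfection,
# then verify nothing is left to roll the infected file back from.
# Assumes an elevated PowerShell session on Windows Vista or later.

$SuspectFile = 'C:\Windows\System32\SUSPECT_PLACEHOLDER.dll'   # placeholder path; replace with the scanner's finding
$Drive       = 'C:\'

# 1. Record what is known about the suspect file before anything is changed.
if (Test-Path -LiteralPath $SuspectFile) {
    Get-Item -LiteralPath $SuspectFile |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# 2. Turn System Restore off for the system drive so no new restore point
#    can snapshot the infected file while the scanners run.
Disable-ComputerRestore -Drive $Drive

# 3. Restore points live in VSS shadow copies; delete the existing ones.
#    /quiet suppresses the confirmation prompt.
vssadmin delete shadows /for=C: /all /quiet

# 4. Confirm that no restore points remain before starting disinfection.
$remaining = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($remaining.Count -gt 0) {
    Write-Warning "Restore points still present: $($remaining.Count)"
} else {
    Write-Output 'No restore points remain; safe to run the disinfection tools.'
}

# 5. After the scanners finish and the machine reboots, re-check the path.
#    A file that is still absent here was not being reinstated by a restore point.
if (Test-Path -LiteralPath $SuspectFile) {
    Write-Warning "Suspect file is back: $SuspectFile (look for a still-running dropper)"
} else {
    Write-Output "Suspect file absent: $SuspectFile"
}
```

Step 5 is meant to be run again after the reboot that follows disinfection; if the file returns even with System Restore purged, the cause is something still executing on the box rather than a restore point, which is the distinction the thread is drawing. Once the machine is clean, `Enable-ComputerRestore -Drive 'C:\'` turns protection back on.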