So, I'm not really a good malware remover guy. But, alas, even with protections in place and administrative privileges removed... I still end up with some folks with malware. I got a panic call from one of my users. His "work" computer... which is really his laptop... is "reporting" infections all over the place. I thought I had trained him well... in the sense that his first reaction was to shut down his computer without hitting any screens. I think he might have clicked the wrong thing and sure enough something really nasty is installed.
So, I pull out the trusty thumbdrive with Malwarebytes' mbam software on it... http://www.malwarebytes.org/mbam.php
And, it won't run. So the malware knew how to disable that. So, I try to pull up the task manager, but the malware had disabled that too.
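The post doesn't say how the malware blocked mbam and Task Manager. As an added example (not from the original post), here is a read-only PowerShell check for two mechanisms a defender commonly looks at first: the DisableTaskMgr policy value, and an Image File Execution Options "Debugger" entry planted under a tool's executable name, which redirects that program to something else when it is launched. The tool names in the list are assumptions; adjust them to whatever lives on your thumbdrive.

```powershell
# Added example, not part of the original post. Reports only; changes nothing.
# Assumption: the post's malware used one of these two mechanisms. It may not have.

# 1. Task Manager policy. A value of 1 in either hive blocks taskmgr.exe.
$PolicyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($p in $PolicyPaths) {
    $v = Get-ItemProperty -Path $p -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($v -and $v.DisableTaskMgr -eq 1) {
        Write-Output "Task Manager is disabled by policy at $p"
    }
}

# 2. Image File Execution Options. A Debugger value under an exe name makes
#    Windows start that "debugger" instead of the tool. Tool list is assumed.
$Tools    = @('mbam.exe', 'procexp.exe', 'taskmgr.exe')
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($t in $Tools) {
    $key = Join-Path $IfeoRoot $t
    $dbg = Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    if ($dbg) {
        Write-Output "IFEO Debugger set for ${t}: $($dbg.Debugger)"
    }
}
```

On a pulled drive like the one in the post, the same keys can be inspected from the bench machine by loading the offline hives with `reg load` (for example `reg load HKLM\Offline D:\Windows\System32\config\SOFTWARE`, path assumed) and pointing the paths above at the loaded hive; that avoids running anything from the infected install at all.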
I went back to my thumbdrive and looked for Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx but I guess I left it off my thumbdrive. So, I pulled out my trusty Leatherman and pulled out the hard drive.
Took the drive back to my bench machine. Downloaded mbam, updated and disconnected from the network just in case. Attached the drive using a USB to IDE converter. And now, I'm running mbam against the drive. Sure enough, 17 objects infected so far. And the realtime anti-virus kicked off once when mbam triggered on a file. I'll post back when and if I get a name.
Sometimes, booting to another machine is handy. But, I can't help but think that if the drive had been encrypted... which makes more security sense... I would have been screwed for scanning it on another machine.
All for now. Cheers.
P.S. Okay... well... according to mbam.... the drive has 16 instances of Trojan.Dropper, 1 Trojan.Downloader, and 1 Trojan.Fakealert.