Hello, I work at a local repair shop in Shreveport, and we have a major issue that has arisen within the past 2 weeks. We have seen 8 computers in the past WEEK show up with the "same" virus. The virus attacks the hosts file and blocks off Spybot Search and Destroy from immunizing. Tizer Antirootkit returns clean, so does Malwarebytes, and yet the computers refuse to connect to update.microsoft.com. I ran ComboFix on one of the computers at work, and I believe it read that it had a possible TDL4 infection that should be removed. At this time, we simply reinstalled Windows; however, we cannot invoke a policy of "Viruses are too hard; if you have viruses, we cannot give it back without a full reinstall." It is not within us to do so. I started reading in some forums about what the Microsoft updates were doing and found out about the TDSS virus, and ran TDSSKiller. It came back clean, and yet no connections to Microsoft updates. At this point I reset IE settings to defaults, removed customer preferences, and checked the hosts file. Sure enough, it was edited. However, I could not see the permissions of it, which leads me to believe something else is still within the computer. I removed the old file and put a new, clean hosts file in its place. When I got in today, the hosts file was corrupted again.
All of our scanners are claiming it is clean. We are about to have to resort to using ComboFix to repair the computers from now on if things progress in this fashion. My issue is that I do not wish to post 7-10 logs each week asking "What do I do now?". We are supposed to fix the computers. For years my boss has resorted to reformats as a last resort; however, these newer viruses/bootkits/rootkits are too integrated into the system.
I am posting this, in hopes that someone could get back to me in a method to kill these viruses WITHOUT spamming your forums with logs. As I read earlier, y'all have been having a large request of logs flooding in recently without enough people to handle them all. Please, lend us a hand, here.
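The first post describes the concrete, checkable symptom: the hosts file keeps being rewritten so that update.microsoft.com (and, in practice, the security vendors' sites) no longer resolve, and a hand-replaced clean copy was tampered with again overnight. Below is an added example, not code from this thread or from any of the tools it names, that a shop could run on a suspect machine: it parses the hosts file, flags any entry naming a Windows Update or security-vendor domain (a clean hosts file has no reason to contain them, whether they point at loopback or elsewhere), and records a SHA-256 fingerprint of the clean file so that the "corrupted again the next day" case can be detected by comparison rather than by eye. The watch list, the sample tampered file and the hash-baseline idea are assumptions for the example; the Windows hosts path is the standard one.

```python
import hashlib
import os

# Assumed watch list for this example: the thread itself only mentions
# update.microsoft.com and the vendors of the scanners in use, so a shop
# would extend this with the domains of whatever tools it relies on.
WATCHED_DOMAINS = (
    "update.microsoft.com",
    "windowsupdate.com",
    "microsoft.com",
    "malwarebytes.org",
    "safer-networking.org",   # Spybot Search & Destroy
    "avg.com",
)

# Standard location of the hosts file on Windows (used only by load_hosts).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample of a clean hosts file (not a real capture).
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

# Constructed sample of a tampered hosts file (not a real capture): the
# loopback lines are intact, then update and vendor domains are sinkholed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.microsoft.com
127.0.0.1   windowsupdate.microsoft.com  download.windowsupdate.com
127.0.0.1   www.malwarebytes.org
"""


def parse_hosts(text):
    """Return (line_no, ip, hostname) triples, one per hostname.

    Comments (anything after '#') and blank lines are ignored; a line may
    map one IP to several hostnames, and hostnames are lower-cased because
    DNS names are case-insensitive.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def _matches(hostname, domain):
    """True if hostname is domain itself or any subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Flag every hosts entry that names a watched domain.

    Any address at all is suspicious here: pointing update.microsoft.com at
    127.0.0.1 blocks updates, pointing it elsewhere redirects them, and a
    clean hosts file should not mention these names in the first place.
    """
    hits = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(_matches(name, d) for d in watched):
            hits.append((line_no, ip, name))
    return hits


def fingerprint(text):
    """SHA-256 of the file contents, recorded once the file is known clean."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_unchanged(text, baseline_hash):
    """Compare the current file against the recorded clean fingerprint."""
    return fingerprint(text) == baseline_hash


def load_hosts(path=WINDOWS_HOSTS_PATH):
    """Read the live hosts file; returns None when it is not present (e.g. off-box)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    baseline = fingerprint(CLEAN_HOSTS)
    print("clean baseline:", baseline[:16], "...")
    print("tampered copy still matches baseline?", check_unchanged(SAMPLE_HOSTS, baseline))
    for line_no, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {name}  (watched domain in hosts file)")
```

On the bench, the workflow is: after replacing the hosts file with a known-good copy, store `fingerprint()` of it somewhere off the machine; on the next boot (or the next morning, as in the post) run `find_hijacks(load_hosts())` and `check_unchanged(load_hosts(), baseline)`. A file that matches the baseline but still cannot reach update.microsoft.com points away from the hosts file and toward something else on the box (a filter driver, a proxy setting, or the bootkit ComboFix hinted at), which is useful triage before spending the shop's two hours.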
Trouble at small repair shop business: TDL4, TDL3, TDSS combo is slaughtering us.
#2
Posted 08 April 2011 - 04:06 AM
Hello.
Before I say anything else, let me say that I appreciate your desire to resolve computer issues without resorting to a format and reinstallation. While sometimes unavoidable, it can cause great disruption in the lives of those not accustomed to and prepared for the procedure.
Quote
My issue, is that I do not wish to post 7-10 logs each week asking for "What do I do now?".
Quote
As I read earlier, y'all have been having a large request of logs flooding in recently without enough people to handle them all.
I also appreciate this. However I feel the need to expand on it a bit. In addition to constantly being backlogged with help requests, please keep in mind that our MRT is a volunteer organization. Every one of our MRT members has gone through an extensive training process and undergoes a never-ending, self-taught reeducation to remain current on how to address the latest and most devious malware infections. Should they choose to do so, they could take these skills and use them to make money; instead they choose to devote their time and energy here, free of compensation and recognition. To make use of their time and ability to aid a commercial venture is a great disservice to them and is completely contrary to the purpose of Bleeping Computer and the Malware Removal Team.
With regards to a method for defeating the infection, there's not really an easy fix. Malware constantly changes, and with it the solution. If there were an easy fix we wouldn't need users to go through the process of submitting logs, and then working through the infection on an individualized basis. We have to do that because every case is different. To determine the solution to a complex and embedded infection requires a trained analytical eye and lots of research.
I realize that you're just looking for a pointer here, and that I have no problem with. No one can be expected to know all the answers and as compatriots in the field of computer support I've no problem with a consult. The problem is that for infections such as this there isn't really a pointer that can be given. This stuff is nasty; there's no doubt about that. It's constantly changing and every case has the potential to be different.
I hope you can understand where we're coming from with this.
Best of luck,
~Blade

#3
Posted 08 April 2011 - 07:51 PM
Thank you for the quick reply, Blade. Much appreciation. My main question is: how do y'all read the log files, and what are y'all looking for? And how is the ComboFix patch worked with? If you could just help me understand this, then perhaps we could get a handle on these explosive viruses we have received as of late. I do not know if it is possible for you to disclose this information, as it appears to be kept secretive for a reason, but it is worth a shot. Malwarebytes, AVG Free, and Spybot Search and Destroy are our regular virus killers. Within the past 3 months we have had to start using Tizer Rootkit Razor, GMER, HijackThis, and a few others from my boss. These tools did work for a little time, but they have not solved these recent rootkits.
I understand where you are coming from, but we are close to invoking an "auto reformat" policy if we spend more than 2 hours without luck at killing a virus, simply because we only charge a $50 fee for viruskill/reconfig/benchfee. That is it. We can't afford to wait on forums.
This is why I would like to learn how to read the files and know what to look for with this brand of new viruses, if that is possible.
Thanks for your time.
This post has been edited by Grenading Badger: 08 April 2011 - 09:22 PM
#4
Posted 09 April 2011 - 05:40 PM
Grenading Badger, on 08 April 2011 - 07:51 PM, said:
This is why I would like to learn how to read the files, and know what to look for with this brand of new viruses.. If that is possible..
Sure - sign up to a malware removal training program
http://www.bleepingcomputer.com/forums/topic86678.html
Maybe once trained, you can volunteer here (or elsewhere) to pay back the time your instructors will have given you freely during training and do your paid work.
Quote
And how is the ComboFix patch worked with? If you could just help me understand this, then perhaps we could get a handle on these explosive viruses we have received as of late. I do not know if it is possible for you to disclose this information, as it appears to be kept secretive for a reason, but it is worth a shot
The creator of the tool only wants trained removers to know how CF works and how to read its logs. So, the best answer for you is to join a training program and learn. As Blade has said, there's no one-cure-works-for-all approach.
Casey