Posted 19 April 2011 - 09:08 PM
I work at a computer repair shop, but I basically just started a few weeks ago and so I'm still being trained. But I'm just looking for some extra info on my own, because I can get actual help from my boss. My dad called me up a few days ago and said he ran Windows XP automatic updates on his PC overnight, and in the morning he quickly realized something was wrong. He got some errors for starters, among them the usual "The system has recovered from a serious error." He declined to send an error report... and it asked him again. And again, several more times, until he finally accepted. However, that didn't go too well either. I don't know exactly what happened next because I wasn't there, but he got another error saying the report was corrupted and that it had failed. Soon after that, he shut it down and found he could not boot normally, so he tried Safe Mode, and that worked fine.
So I finally went to check myself. I ended up loading Hiren's and ran some scans which caught, along with some registry issues, 8 instances of (I forget how the dots and slashes went) Adware Vundo Variant MS Fake. Thinking it was all set, I left, only to hear the next morning that the same issues were still happening. So I brought it to work for some help, where, upon bootup, there were no issues whatsoever. I ran MBAM once or twice on my own just to make sure, not even bothering my boss yet, and nothing came up. Brought it home, left again, and you probably figured... the issues persisted. I DID see it myself. Trying to boot normally simply causes it to reboot.

So I brought it back to work today and got my boss partially involved this time. He knew right away when I described the problem, so we ran TDSSKiller, which actually failed to catch anything for some reason. We followed up with ComboFix and caught and removed a Bootkit TDL4. Again thinking it was over, I brought it home, and still it would not boot normally, which I thought was REALLY weird because we tested it and it worked fine at the shop after the scans.

So to wrap up, the bootkit has obviously dug itself in quite well, and I was wondering (I didn't even ask my boss yet): will I need to run the drive as a secondary, back everything up, disinfect the backup, then literally destroy/throw away the drive and get a new one? Or might a Darik's Boot and Nuke followed by a reinstall do the job? We're gonna throw our full effort at this thing tomorrow.
Some quick last questions: is it possible to infect a CD? Should I snap my Hiren's disc? And also, I had used my good USB flash drive to copy some of my old files from the PC after we ran the scans, thinking at the time that it was all clear. I wouldn't doubt that it's infected now, but how would I safely clean it up? I have my own PC and wouldn't DARE plug it in to that at this point. I even stuck a Post-it warning note on the USB drive just in case. I can always make a new Hiren's, because I have TONS of CDs, but I would really HATE to lose my only USB drive.
I apologize for such a lengthy post. Any info would be greatly appreciated.
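The reason a bootkit like TDL4 keeps coming back after file-system scans come up clean is that it lives in sector 0 of the disk (the 440 bytes of bootstrap code in front of the partition table) and stashes its own components in sectors outside any partition, typically at the end of the disk, so nothing mounted as a drive letter ever shows it. The following is an added example, not code from the original post or from any of the tools it mentions: it parses a 512-byte MBR, hashes the bootstrap area so you can compare it before and after a cleanup, checks that the partition table survived, and reports how many sectors sit past the last partition. The two MBRs at the bottom are constructed test data (one with the familiar opening bytes of a stock Windows MBR, one with stand-in loader bytes), not captures from a real infected disk; `read_mbr` is a hypothetical helper for pulling sector 0 off a drive attached as a secondary.

```python
"""Inspect a 512-byte MBR: hash the bootstrap code, list partitions,
and compare two captures to see whether a cleanup actually rewrote
the boot code while leaving the partition table alone.

Example code added to this page; not from the original post or any
removal tool. The sample MBRs at the bottom are constructed test data."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: bootstrap code, the part a bootkit replaces
DISK_SIG_OFF = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries, ending at byte 510
MBR_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def has_boot_signature(mbr):
    """True for a full sector that ends in the 55 AA boot signature."""
    return len(mbr) == SECTOR and mbr[510:512] == MBR_SIGNATURE


def parse_partitions(mbr):
    """Return the non-empty partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": sectors})
    return entries


def inspect_mbr(mbr):
    """Summarise an MBR; the boot-code hash is what you compare across cleanups."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": parse_partitions(mbr),
    }


def boot_code_changed(before, after):
    """Did the bootstrap area differ between two captures of sector 0?"""
    return before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN]


def partition_table_intact(before, after):
    """A bootkit that only swaps boot code leaves these 64 bytes untouched."""
    return before[PART_TABLE_OFF:510] == after[PART_TABLE_OFF:510]


def unpartitioned_tail_sectors(mbr, disk_sectors):
    """Sectors after the last partition: space outside every file system,
    which is where a bootkit can park components that file scans never see."""
    ends = [p["lba_start"] + p["sectors"] for p in parse_partitions(mbr)]
    return disk_sectors - max(ends) if ends else disk_sectors


def build_sample_mbr(boot_code, partitions):
    """Construct a synthetic MBR (test data, not read from a real disk)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, sectors, bootable) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype,
                         b"\0\0\0", lba_start, sectors)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def read_mbr(path):
    """Hypothetical helper: read sector 0 from a raw device or image,
    e.g. the drive attached as a secondary, or a dd image of it."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


# Constructed sample: one bootable NTFS partition starting at sector 63 (typical XP layout).
SAMPLE_PARTS = [(0x07, 63, 78140097, True)]
# Illustrative only: opening bytes of a stock Windows MBR (xor ax,ax / mov ss,ax / mov sp,7C00), padded.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
# Stand-in for bootkit loader code: different bytes, same partition table.
INFECTED_BOOT_CODE = b"\xEB\x58\x90" + b"\x00" * (BOOT_CODE_LEN - 3)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTS)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE, SAMPLE_PARTS)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, inspect_mbr(mbr))
    print("boot code differs:", boot_code_changed(CLEAN_MBR, INFECTED_MBR))
    print("partition table identical:", partition_table_intact(CLEAN_MBR, INFECTED_MBR))
    print("sectors past last partition on a 78165360-sector disk:",
          unpartitioned_tail_sectors(CLEAN_MBR, 78165360))
```

The point the two samples make is that the infected sector looks perfectly healthy to anything that only reads the partition table: same partitions, same disk signature, only the first 440 bytes differ. With the drive hanging off another machine as a secondary, capture sector 0 before and after whatever rewrites the boot code, and confirm with `boot_code_changed` that the rewrite actually landed and with `partition_table_intact` that it did not clobber the partitions. Because the infection is data in disk sectors rather than anything in the drive hardware, a full-disk wipe that overwrites every sector (which is what DBAN does) followed by a reinstall removes it; the drive itself does not need to be thrown away, and the backup taken from the mounted file system never contained sector 0 in the first place.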