Major Virus Infestation

[Rich-M]

Had one of the most badly infected computers I have ever had. Client wasn't sure where this came from but could have been an attachment to an email from someone he knew who he found out later didn't send it.

System was Intel 6700K with 500 gb Ssd drive and 16 gb 2133 Ddr3 ram moving like a snail. Most of the desktop items would not open to right or left click. Classic Shell start menu gone and Win 10 start menu would flash quickly then go away if open too long. I tried to run Hitman Pro Kickstart from usb but would not run. I could boot to it but would show up failed with any choice. I fought hard and finally managed to open a score of rkill programs and picked back some speed and was able to run some scans. Rogue Killer removed 7 Trojans but system began to slow down. Hitman Pro found next to nothing, Malwarebytes MBar rootkit scan found nothing as did Malwarebytes which was also onboard as pro version along with WD as only defenses. Adw Cleaner pulled a few as did JRT but nothing much. Zemana found nothing and of course Combofix will not run in Windows 10. I kept having to rerun rkill versions when system would begin to slow again. Each time I would access my flash disk I had to go in another way because the last way in was blocked next time. So I decided it was a losing battle and manged to get into System Reset which beautifully restored Win 10 to day 1 with the files and data in tact I simply had to reinstall programs. PC Setup, Recovery and Update,Recovery, Reset Pc and you can choose with or without current files. It took about 1 hour to complete. I forgot to mention System Restore had only 1 restore point  which was of no use and I noted System Restore defaulted to 250 Meg which is really stupid.

 

I never knew what was in there but whatever it was I have never seen such a powerful virus basically that nothing could touch and I have been doing this 15 + years.

[Steve K.]

You did the right thing for sure. When things get that nasty, really the only thing you can do to ensure the box is clean is to just salvage what data you can and start fresh with a Reset. Too many times I've seen ppl try to clean up a box then a few days/weeks later are right back where they were!

Thanks for sharing the adventure @Rich-M!

-S

[Rich-M]

I forgot to mention I normally would take the drive out and copy the files and data before doing this but that was not necessary as the user had two backup hard drives.

[ShockerSH]

23 hours ago, Rich-M said:

I forgot to mention I normally would take the drive out and copy the files and data before doing this but that was not necessary as the user had two backup hard drives.

 

Nice - Yeah great tip. 

Did the users have any backup? I was using Backblaze however for awhile now I'm using Crashplan for this very reason. I love how you can be really granular on changed files/version history.

[allheart55 (Cindy E)]

Are you using free or pro CrashPlan, @ShockerSH?

[ShockerSH]

Unfortunately.... I pay for it.

I was using the FREE version. I bought a 1TB drive for my parents and backed up my PC to them and their PC back to me. However, they kept turning off the external drive or the laptop (or both) and it just became a pain for me always calling them.... (sigh).

So now I'm using the family edition. I pay like $50 a year or something. That said, I do backup 3 computers to my main box and then back up that main box to Crashplan since it's unlimited data, versions, deleted files. Love it.

 

[EarthDude]

Today I read the news about the virus:

"Infections like Safe Finder break the stereotype of malware-free Macs. In fact, browser hijackers and ads-serving threats pose, by far, the prevalent category of offending software affecting this operating system. The impact from such attacks normally won’t go beyond Internet surfing alone, but the restricted scope of adverse influence doesn’t make these occurrences any less abominable than other farther-reaching breaches. The above-mentioned app reroutes its victim’s Safari, Chrome and Firefox preferences to search.safefinder.com. What this means is the unwelcome page will be popping up instead of the custom homepage, favorite search engine and new tab. Furthermore, the same effect may occur when the user simply enters an arbitrary site’s URL in the address bar. This indicates that the hijacker also skews DNS settings on infected Mac OS X boxes. " 

Maybe it was him?