7 Replies Latest reply on Dec 7, 2010 12:05 AM by Attila Polinger

    Laptop attacked with malware

      I have McAfee installed on my system.

      And still the system has got a trojan kind of thing.

      It gives fake errors like: No memory, No harddisk found, computer is at risk etc. and prompts to purchase the defragmentation software.

      I even ran a scan with McAfee; it detects the trojan and deletes it, but still the problem persists.

      Any clue?

      Let me know if more details are required.

        • 1. Re: Laptop attacked with malware
          Attila Polinger

          Hello,

           

          In my experience a trojan installs several files, one at device driver level which loads before the McAfee services and makes sure that reg keys and files are rewritten continuously and upon deletion; several other files are at various places, causing reinfection/rewriting of any files that it uses to be complete.

          In our organization they use this method: remove the harddisk of the notebook and attach via a special cable to another computer so it is detected as an outer winchester. Then use the other computer's antivirus system to scan and clean the harddisk attached. This might or might not be a complete cleaning as with some new trojans there can be remaining regkeys after the cleaning that were not yet known by the cleaner program and left there referencing now nonexistent files.

           

          Theoretically it is possible to cut all heads of the "hydra" trojan by employing several well placed VirusScan Access Protection rules together with some manual reg.exe statements and / or attempts to unload the trojan device manually, but usually these kinds of pests load under some system processes (by also creating some reg keys at relevant sections) which cannot be unloaded and which can be removed by many reboots and possibly via the rules above. Once these are all taken care of and the only file remaining is the trojan loader, a new scan could detect it and mark it as delete on next reboot.

           

          Also, if you search for this trojan on the internet, there might be some hits how to get rid of it manually...

           

          Attila

          1 of 1 people found this helpful
          • 2. Re: Laptop attacked with malware
            Peacekeeper

            I assume it is this one:

            https://community.mcafee.com/thread/29298?start=0&tstart=0

             

            If so, try the fix mentioned BUT do not click on the programs touted at the top of the page. They will try to get you to buy them.

             

            You tried going back via restore to before when you got this? Alternatively the leftover bits might be in the latest restore area and that is where it is reconstituting itself. Also delete all internet temp files.

             

             

            Message was edited by: Peacekeeper on 6/12/10 7:51:47 PM
            1 of 1 people found this helpful
            • 3. Re: Laptop attacked with malware

              Thanks a lot Attila and Tony for your responses.

               

              It has worked.

               

              I too have got exactly the same problem mentioned in the above thread.

              I just followed what is told there and it looks like it is solved. That was really helpful.

              Also, I just googled and got some info like clearing up the temp folders as told by you.

               

               

              But I am not sure how I can guarantee that the bug will not appear in the future.

               

               

              Thanks

              • 4. Re: Laptop attacked with malware
                Attila Polinger
                "But I am not sure how I can guarantee that the bug will not appear in the future."

                 

                Using certain VirusScan Access Protection rules enabled could minimize the likelihood that a trojan can plant itself to vital registry parts. I suggest you enable block and report for these at least:

                 

                - prevent registry editor and task manager from being disabled

                - prevent remote creation of autorun files

                - prevent creation of Browser Helper Objects and Shell Extensions

                - prevent programs registering to autorun

                 

                This should take care of HKLM and HKCU branches as well.

                 

                Attila

                 

                 

                Message was edited by: Attila Polinger on 12/6/10 12:07:43 PM CET
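
A read-only way to check the autorun locations these posts refer to (leftover keys pointing at nonexistent files, and the HKLM and HKCU autorun branches). This PowerShell is an added example, not part of the thread or of any McAfee tooling. The four Run/RunOnce paths are standard Windows locations; the function names and the temp-folder heuristic are assumptions made for the illustration.

```powershell
# Added example, not from the thread. Read-only: nothing in the registry is changed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the program path out of an autorun command line.
function Get-AutorunTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path, e.g. "C:\Program Files\App\app.exe" /background
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: cut at the first program-like extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|,|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Hypothetical helper: classify one autorun value.
function Test-AutorunEntry {
    param([string]$Key, [string]$Name, [string]$CommandLine)
    $target = Get-AutorunTarget $CommandLine
    $status = 'ok'
    if (-not $target) {
        $status = 'EMPTY VALUE'
    } elseif ([IO.Path]::IsPathRooted($target)) {
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            $status = 'MISSING FILE'        # leftover key referencing a deleted file
        } elseif ($target -match '\\(Temp|Temporary Internet Files)\\') {
            $status = 'RUNS FROM TEMP'      # heuristic (assumption): worth a manual look
        }
    } elseif (-not (Get-Command -Name $target -ErrorAction SilentlyContinue)) {
        $status = 'MISSING FILE'            # bare name that does not resolve on PATH
    }
    # Only the launched program is checked; a DLL passed to rundll32.exe is not resolved.
    [pscustomobject]@{ Status = $status; Key = $Key; Name = $Name; Target = $target }
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        Test-AutorunEntry -Key $key -Name $name -CommandLine ([string]$item.GetValue($name))
    }
}
$report | Sort-Object Status | Format-List
```
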
                • 5. Re: Laptop attacked with malware
                  Peacekeeper

                  I assume those settings are in Enterprise. As far as I see they are not in the Home product.

                   

                   

                  Message was edited by: Peacekeeper on 7/12/10 6:57:04 AM
                  • 6. Re: Laptop attacked with malware

                    Yes, they are there in the Enterprise edition.

                    A couple of those above listed rules were already enabled and now I enabled the rest of them.

                     

                    Thanks

                    • 7. Re: Laptop attacked with malware
                      Attila Polinger

                      On second thoughts it is advisable to enable some other Access Protection rules that protect McAfee files and settings, so for example nothing could kill its processes, crippling the AP protection. Finally, on the main AP configuration page please set "Prevent McAfee Services from being stopped" to complete the whole thing.