    Laptop infected with virus - Webroot to the rescue

    IT Discussion
    virus webroot antivirus malware windows threatcleanupstory
    • Ambarishrh
      Ambarishrh last edited by Ambarishrh

      Got a call yesterday from a friend, asking for help to clean up her infected laptop. Haven't seen such an infected machine in a while: lots of ads, popups, unable to open browsers, installed some Japanese/Chinese versions of CPU monitoring tools, fake antivirus, you name it!

      Took 3 hours, used Malwarebytes, but the scan got closed after some time, restarts the machine, then used my Webroot setup, transferred through ScreenConnect and installed. While preparing the AV after install, Webroot detected threats and asked me to do a cleanup. As and when Webroot cleaned up the threats, the machine restarted and I started the scan again. (There was some process that was stopping the AV from doing the cleanup.) Used RKill and terminated the suspicious process. Did another scan, this time all got cleaned and Webroot asked for a restart to finish the cleanup. Restarted one last time, did one more scan, all clean. Reset all browsers to defaults and also used Shortcut Cleaner to take out all custom browser settings made by the threats. So far all looks OK, and the client will be getting her own Webroot home license on Sunday when she is back to work.

      • Lakshmana
        Lakshmana @Ambarishrh last edited by

        @Ambarishrh What is Webroot? Where is it being used? What are the advantages of using that?

        • nadnerB
          nadnerB last edited by

          Nice work 🙂
          The offsite infected pc is the worst to work on. Good to see there was a happy ending.

          • dafyre
            dafyre @Lakshmana last edited by

            @Lakshmana said:

            @Ambarishrh What is Webroot? Where is it being used? What are the advantages of using that?

            Webroot is an Antivirus / Antimalware program, like ESET, or Avast, AVG, etc...

            • Ambarishrh
              Ambarishrh @nadnerB last edited by

              @nadnerB Thank God I could remote it and do the things required, otherwise would be driving a bit far to do this! 🙂 Thanks to ScreenConnect. I was actually evaluating ScreenConnect as my go-to tool for remote support; one thing I noticed is that for a few Windows messages ScreenConnect didn't allow me to click OK to proceed, at that time it just shows that I am connected but not the guest. Used TeamViewer free to complete that action, so I have second thoughts about ScreenConnect!

              • Ambarishrh
                Ambarishrh @Lakshmana last edited by

                @Lakshmana said:

                @Ambarishrh What is Webroot? Where is it being used? What are the advantages of using that?

                As @dafyre mentioned, it's an AV software which is pretty famous with the guys here in ML.

                http://www.webroot.com/us/en/

                You can ask @Nic about Webroot if any questions.

                • Dashrender
                  Dashrender last edited by

                  Wow - nice solution - but I have to ask, did you recommend that she back up her data and do a complete system wipe and reinstall?

                  Personally I could never trust that machine again.

                  • Ambarishrh
                    Ambarishrh @Dashrender last edited by

                    @Dashrender said:

                    Wow - nice solution - but I have to ask, did you recommend that she back up her data and do a complete system wipe and reinstall?

                    Personally I could never trust that machine again.

                    Already told her that, suggested she back up the files and do a clean wipe and reinstall. She wants to check that machine first on Sunday. Has some work due to year end; after finishing that, she will get the data backed up and will do a clean install. Also suggested she use Veeam Endpoint Backup after the reinstallation along with Webroot.

                    • Ambarishrh
                      Ambarishrh last edited by

                      Not sure if there was a tag related to threat cleanup, so I created one, #threatcleanupstory. Hope to see some notes on this, can be handy when those things happen to someone else! 🙂

                      • BRRABill
                        BRRABill @Dashrender last edited by

                        @Dashrender said:

                        Wow - nice solution - but I have to ask, did you recommend that she back up her data and do a complete system wipe and reinstall?

                        Personally I could never trust that machine again.

                        Do you do that for all the malware/virus issues you run into, or just the severe ones?

                        • Dashrender
                          Dashrender @BRRABill last edited by

                          @BRRABill said:

                          @Dashrender said:

                          Wow - nice solution - but I have to ask, did you recommend that she back up her data and do a complete system wipe and reinstall?

                          Personally I could never trust that machine again.

                          Do you do that for all the malware/virus issues you run into, or just the severe ones?

                          Mostly all - Virus = 100% wipe and reload. Crapware, I'll generally just remove it, but if I'm suspicious in any way, wipe and reload.

                          • BRRABill
                            BRRABill @Dashrender last edited by

                            @Dashrender said:

                            Mostly all - Virus = 100% wipe and reload. Crapware, I'll generally just remove it, but if I'm suspicious in any way, wipe and reload.

                            That's my MO as well.

                            Most of the stuff I see is just annoying crapware.

                            • scottalanmiller
                              scottalanmiller @Lakshmana last edited by

                              @Lakshmana said:

                              @Ambarishrh What is Webroot? Where is it being used? What are the advantages of using that?

                              Webroot is a leading antivirus solution and they are very active here in MangoLassi. Hit up @nic and @richard to learn more!

                              • scottalanmiller
                                scottalanmiller @BRRABill last edited by

                                @BRRABill said:

                                @Dashrender said:

                                Wow - nice solution - but I have to ask, did you recommend that she back up her data and do a complete system wipe and reinstall?

                                Personally I could never trust that machine again.

                                Do you do that for all the malware/virus issues you run into, or just the severe ones?

                                Pretty much all. This is one of the driving reasons why we (and the industry) push having Windows volume licensing and a ready to go imaging solution - because infections mean that you need to do a rapid recovery and you need to do it from pristine image rather than from an image of the infected system. This is another reason why image backups are less than ideal for workstations, because you want to "disinfect them" as thoroughly as possible during rebuilds. Sure files can still be infected, but it is far easier to catch them and protect users this way. It's the standard practice to keep malware from becoming overly invasive.

                                • BRRABill
                                  BRRABill @scottalanmiller last edited by

                                  @scottalanmiller said:

                                  Pretty much all. This is one of the driving reasons why we (and the industry) push having Windows volume licensing and a ready to go imaging solution - because infections mean that you need to do a rapid recovery and you need to do it from pristine image rather than from an image of the infected system. This is another reason why image backups are less than ideal for workstations, because you want to "disinfect them" as thoroughly as possible during rebuilds. Sure files can still be infected, but it is far easier to catch them and protect users this way. It's the standard practice to keep malware from becoming overly invasive.

                                  Most of the issues I have dealt with are again on the personal level.

                                  Been lucky here with relatively no problems.

                                  • Dashrender
                                    Dashrender last edited by

                                    I have a customer who has had Webroot kick off two virus alerts in the last two days. Looks like Webroot killed them both before they got a foothold though.

                                    • JaredBusch
                                      JaredBusch @Ambarishrh last edited by

                                      @Ambarishrh said:

                                      @nadnerB Thank God I could remote it and do the things required, otherwise would be driving a bit far to do this! 🙂 Thanks to ScreenConnect. I was actually evaluating ScreenConnect as my go-to tool for remote support; one thing I noticed is that for a few Windows messages ScreenConnect didn't allow me to click OK to proceed, at that time it just shows that I am connected but not the guest. Used TeamViewer free to complete that action, so I have second thoughts about ScreenConnect!

                                      When ScreenConnect is running as an admin process, you can click everything.
