Solved

Trojan removal download recommendation

Posted on 2011-03-18
9
922 Views
Last Modified: 2012-06-21
Yesterday some users on our network had their McAfee disabled and this morning I ran Malicious Software Removal tool from microsoft and found Malware on my computer named Backdoor:Win32/Qakbot.gen!B (partially removed) and TrojanDownloader:JS/Qakbot.F that was removed.  It recommended that I run my McAfee but I cannot get it to run, I think the Trojan disabled it?  Can you recommend any downloads I can try to fix our infected computers?
0
Comment
Question by:SCDL
  • 2
  • 2
  • 2
  • +2
9 Comments
 

Expert Comment

by:bwinkworth
ID: 35165766
Sometimes I'll resort to free online scanners. Bitdefender has one and so does trendmicro. After that I'll run hijackthis to see if there's any entries in the registry.

BW
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35165783
Hi,

You could load this:

http://service.mcafee.com/SpecializedServiceHome.aspx?lc=2057&sg=VR

Regards,


RobMobility.
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 50 total points
ID: 35165788
0
 
LVL 2

Assisted Solution

by:Hapexamendios
Hapexamendios earned 100 total points
ID: 35167814
My favoured option here, when I'm not using our Sophos Bootable AV disk (Linux LiveCD with Sophos injected, proprietary) is to use on of these LiveCDs:

Dr. Web Anti-Virus: http://www.freedrweb.com/livecd
F-Secure Rescue CD: http://www.f-secure.com/linux-weblog/
Kaspersky Rescue CD: http://ftp.kaspersky.com/devbuilds/RescueDisk/

(I obtained the above URLs by downloading the program Unetbootin from SourceForge: http://unetbootin.sourceforge.net/. Unetbootin allows you to take ISOs and make a bootable USB drive using them. Part of its function is providing links to lots of LiveCDs, and it can be very useful - however here we need read-only media).

When your AV isn't working, chances are you have had a kernel-mode driver installed by the trojan. Detecting these is very tricky, and often impossible, from within the infected OS no matter what you do. Using Linux means you lower the chance of it masking itself (since it would then have to be able to do its hiding from Linux as well as Windows, meaning more code and more chance of problems).

Best of luck,
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 25

Accepted Solution

by:
madunix earned 100 total points
ID: 35170703
make sure you run:
ATF-Cleaner
HitManPro
Malwarebytes' Anti-Malware
SUPERAntiSpyware
COMODO System-Cleaner
Prevx


You can make bootable antivirus rescue CD
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
Bootable antivirus Rescue CD method consider as the most effective way to remove the virus, trojan and malware because it track down some viruses, trojans and other malware are embedded so tightly into your operating system that when you boot Windows the normal way. Mostly virus is also loaded and cannot be detected or removed by antivirus software  running in that system. In such a case, booting antivirus rescue CD under clean environment can increase chances to track down virus easily which there no interfere from any windows OS services.
0
 

Author Comment

by:SCDL
ID: 35206563
Thanks everyone for your advice.  Hapexamendios you were correct in that it had a kernel-mode driver installed by the trojan. Our 350 pc's and handful of servers were removed from the network Friday morning so I did not see the last 2 comments until after we were back up.  The trojan also disabled McAfee and prevented us from downloading solutions or recover to a previous time. Hapexamendios and Madunix you were both correct in suggesting using CD's to eliminate this nasty trojan which shall remain nameless to prevent notoriety.  McAfee created a program for us directly to eliminate it and after working thru the weekend we were 98% back up by Monday afternoon. Thanks RobMobility and bwinkworth for your quick replies but I would have been a goner without the cd's. Running Stinger was a step in the final solution so I would like to award points for that too, RobMobility.
0
 

Expert Comment

by:bwinkworth
ID: 35206580
Glad you got it all fixed up fella.

Regards,
BW
0
 

Author Closing Comment

by:SCDL
ID: 35206661
I did not get a chance to actually try  Hapexamendios and Madunix suggestions so they may also have worked.
0
 
LVL 2

Expert Comment

by:Hapexamendios
ID: 35206818
TThanks for the credit, SCDL - a pleasure to help, and as you say it looks like you took our advice without even knowing it! :)

I'd just like to add to this post, for anyone coming to it in the future, to remember that if you have an AV product with support, they probably have a way of making a bootable CD available for you to use upon request, and in most cases that will be the simplest way to sort this kind of issue.

Peace, all
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

In every aspect, security is essential for your business, and for that matter you need to always keep an eye on it. The same can be said about your computer network system too. Your computer network is prone to various malware and security threats t…
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now