Barnett Computers
asked on
Outbound data constantly blocked by malwarebytes

I've been attempting to clean a client PC over the last week. I've gotten rid of most of the infection, but I'm having an issue with what appears to be a self-propagating infection. I'm able to shear off pieces of the infection, things such as Trojan.Zlob.Q (which I've never seen before) and SAPE.Heur.a7b7, but every time I load Windows 10 I get the same outbound traffic being blocked. Traffic to the same two sites every time: heato.info and listcool.net. I've exhausted most of the options I can think of, including Emsisoft, Malwarebytes, Norton PE, Norton Security, ADWCleaner, Spybot, HitmanPro, Sophos and Junkware Removal Tool. I'm running out of options on my own and really need a new set of eyes on the problem that might see something I don't. Any help would be appreciated.
JHMH IT Staff

This behavior sounds a lot like the old Virtumonde virus. It would write itself into the Windows system so no matter how many pieces you found and removed it would essentially reinstall itself at every restart. The only answer for that was to reinstall Windows from scratch, and that may be your solution here.

- Bobby
btan
Apparently Symantec has such info, hence its AV should have a signature to remove it. Also note, the Trojan creates a PowerShell script that runs once a day. It may have created a batch job task to run itself even though it has been "cleaned". It probably has its registry not cleaned up. The iexplore or svchost may be injected on the fly to make those callbacks.
https://www.symantec.com/security_response/writeup.jsp?docid=2016-020300-4629-99&tabid=2

If the Norton eraser did not help, with the latest signature updated, then it is better you refurbish the machine instead of trying to clean the malware specifically, as it is not a clean slate anymore.
https://www.symantec.com/security_response/writeup.jsp?docid=2016-020300-4629-99&tabid=3

You can consider using AppLocker to enforce that only trusted applications run. Use Process Explorer to see processes loading strange libraries and DLLs. There is also GMER to reveal rootkits.
If the disk is not encrypted, try booting from a CD and doing the scan so that the malware is not running.
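A triage script for the two things this answer points at (a scheduled task that re-launches a PowerShell script, and an injected svchost/iexplore making the callbacks). This is an added example, not code from the thread or from any vendor tool; it assumes Windows 10 with the built-in ScheduledTasks, DnsClient and NetTCPIP modules and an elevated session, and the only values taken from the thread are the two domains.

```powershell
# Added triage script for the persistence and callback behaviour described
# above; not code from the thread or any vendor tool. Assumes Windows 10 with
# the ScheduledTasks, DnsClient and NetTCPIP modules, run elevated (needed to
# read svchost.exe paths). The two domains come from the question.
$SuspectDomains = @('heato.info', 'listcool.net')

# 1. Scheduled tasks whose action launches a script host. A task that
#    re-runs a PowerShell script daily is the persistence pattern to look for.
function Get-ScriptHostTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                }
            }
        }
    }
}

# 2. Has this host resolved the callback domains, and which process is now
#    talking to one of the resolved addresses? The owning process (often an
#    injected svchost.exe or iexplore.exe) is the one to open in Process Explorer.
function Get-CallbackConnections {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
        $entry = $_.Entry
        ($SuspectDomains | Where-Object { $entry -like "*$_" }).Count -gt 0
    }
    $addresses = @($cache | Where-Object { $_.Data } | Select-Object -ExpandProperty Data -Unique)
    if ($addresses.Count -eq 0) { return }   # no lookup seen since the last cache flush/boot
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

Get-ScriptHostTasks     | Format-Table -AutoSize
Get-CallbackConnections | Format-Table -AutoSize
```

Run it right after the blocked-connection alert fires, since the DNS client cache and the TCP table only show the beacon while it is live; an empty result from the second function means nothing current, not a clean host.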
Barnett Computers (ASKER)
Thanks guys for the response, you were both very helpful in my pursuit. I've since solved the issue!
If you would be so kind, how did you finally resolve the issue?

- Bobby
SOLUTION
Barnett Computers
This solution is only available to members.
Looks like some critical files may have been repaired. Thanks for sharing. Do rescan using AV just to make sure.
SOLUTION
This solution is only available to members.
Part of the discovery and sharing is what makes this contribution worthy, as you have now shared those experiences :) thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Even AV can have a corrupted signature causing a BSOD, likewise for the OS provider. Don't be taken by surprise; always have a backup and test in a staged environment before production rollout.