0

After clicking on a fake "download here" button on a web page for film downloads, a computer got infected with what I believe to be adware. I have located the file; VirusTotal gives this analysis of it.

One weird thing that makes me uneasy is that when I launch Norton's complete check, it freezes after a random number of files checked (~18k, ~30k).

I am familiar with NIFO, but is it really necessary in this case?

eversor
  • 924
  • 4
  • 8
  • 22

2 Answers

7

It is an unfortunate situation wherein virus infections are, by nature, insidious. Some infections can be cleaned; sometimes by using specific removal tools, sometimes with manual fiddling about with files and reg keys, sometimes using commercial AV products. Other times they intercept system calls and prevent detection or removal.

The best advice, in the general case, is to either restore to a known good backup or rebuild from scratch. If it is considered reasonable to clean then I would recommend doing it from a live CD of some kind. This provides the best chance to clean off the malicious code without it preventing you from cleaning it.

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
  • I would highly recommend the last proposal: "I would recommend cleaning from a live CD" or from another healthy system. This is the only way to have the date of 1st arrival (of malware). This **date** is a key one to know which backup may be used and which one is **contaminated**. – dan Dec 16 '13 at 21:21
  • @danielAzuelos: Indeed, though it can often be tricksome to determine the date unless you did something out of the ordinary or the code was buggy enough to start causing problems immediately. – Scott Pack Dec 16 '13 at 21:22
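The "date of first arrival" that the comments above discuss is what decides which backups are still usable, and it is easiest to estimate from a disk mounted read-only under a live CD rather than from inside the infected OS. The script below is an added example, not code from this thread or from any of the posters: it walks an offline-mounted volume, finds every copy of a file whose SHA-256 matches a known-bad hash, takes the earliest timestamp the filesystem exposes as a lower bound for when the sample arrived, and then marks every backup taken at or after that moment as suspect. `KNOWN_BAD_SHA256` stands in for the hash from the VirusTotal report (the page does not give it), the directory layout and backup labels are a constructed fixture, and the timestamps are only as trustworthy as the malware let them be (mtime in particular is trivial to forge, which is the difficulty Scott Pack's reply mentions).

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the real sample. In practice, take the SHA-256 from the
# VirusTotal report of the file you located; this placeholder is NOT real malware.
SAMPLE_BYTES = b"constructed fake adware dropper used only for the demo fixture"
KNOWN_BAD_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries on the mounted volume don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def earliest_timestamp(st):
    """Lowest of the timestamps the filesystem exposes for an inode.

    This is a LOWER BOUND only: mtime is trivially forged ("timestomping"),
    ctime and birthtime are harder to forge from user space but still not proof.
    """
    candidates = [st.st_mtime, st.st_ctime]
    birth = getattr(st, "st_birthtime", None)  # macOS/BSD expose creation time here
    if birth is not None:
        candidates.append(birth)
    return min(candidates)


def find_first_arrival(mount_root, bad_hash):
    """Walk an offline-mounted volume; return (earliest_epoch_or_None, [matching paths])."""
    earliest, hits = None, []
    for dirpath, _dirnames, filenames in os.walk(mount_root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # symlinks could point outside the suspect volume
            try:
                if sha256_of(p) != bad_hash:
                    continue
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished; not fatal for a triage pass
            hits.append(p)
            ts = earliest_timestamp(st)
            earliest = ts if earliest is None else min(earliest, ts)
    return earliest, hits


def classify_backups(backups, first_arrival):
    """backups: {label: epoch_taken}. Anything taken at/after first sighting is suspect.

    If no copy of the sample was found, nothing can be ruled out, so everything is
    reported as suspect rather than silently calling it clean.
    """
    clean, suspect = [], []
    for label, taken in sorted(backups.items(), key=lambda kv: kv[1]):
        if first_arrival is None or taken >= first_arrival:
            suspect.append(label)
        else:
            clean.append(label)
    return clean, suspect


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc).timestamp()


def run_demo():
    """Build a constructed fixture resembling a mounted Windows volume and triage it."""
    first_seen = _utc(2013, 12, 10)  # the fixture's "real" arrival time
    with tempfile.TemporaryDirectory() as root:
        for sub in ("Users/victim/Downloads", "Users/victim/Documents", "Windows/Temp"):
            Path(root, sub).mkdir(parents=True)
        # Benign file predating the infection, plus two copies of the sample:
        # the original download and a later copy the dropper left in Temp.
        fixture = [
            ("Users/victim/Documents/notes.txt", b"harmless", first_seen - 30 * 86400),
            ("Users/victim/Downloads/download_here.exe", SAMPLE_BYTES, first_seen),
            ("Windows/Temp/svc.tmp", SAMPLE_BYTES, first_seen + 3600),
        ]
        for rel, data, mtime in fixture:
            p = Path(root, rel)
            p.write_bytes(data)
            os.utime(p, (mtime, mtime))  # ctime/birthtime become "now", so min() picks mtime
        earliest, hits = find_first_arrival(root, KNOWN_BAD_SHA256)
    backups = {  # hypothetical backup catalogue: label -> time the snapshot was taken
        "weekly-2013-12-01": _utc(2013, 12, 1),
        "weekly-2013-12-08": _utc(2013, 12, 8),
        "weekly-2013-12-15": _utc(2013, 12, 15),
    }
    clean, suspect = classify_backups(backups, earliest)
    return {"first_seen": earliest, "hits": len(hits), "clean": clean, "suspect": suspect}


if __name__ == "__main__":
    print(run_demo())
```

Point `find_first_arrival` at the mount point of the suspect disk (for example `/mnt/sda1` from a live CD) and the real hash; because the timestamps are a lower bound rather than proof, treat the last backup reported as clean with some scepticism and scan it with the same hash before restoring from it.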
2

Short answer: Yes, Nuke It From Orbit (rebuild the machine)

Long answer: You're the only person able to accurately make that assessment. I'd say that the lower the importance of the machine, the less necessary it is to rebuild it. For example, if it's just an old laptop used only to play Angry Birds, and never used for anything of importance, ever, then maybe scan and fix is acceptable.

However, it is trivial to rebuild insignificant machines anyway. The only time we are reluctant to rebuild is when the infected machine is used daily or often, and has development environments, and lots of software and important documents on it. This is the exact scenario where rebuilding should be done.

scuzzy-delta
  • 9,303
  • 3
  • 33
  • 54