More on TDSS experience, rootkits

Well, it’s been a while. I’ve certainly received a fair amount of “comment spam”…geesh, go somewhere else, please. Don’t care for the porn, sep, or traffic-generating crud. Beat it.

Down to business:

As for the rootkit mentioned above, I did find a tool that removed a variant from another customer’s PC: Hitman Pro. Can’t say for certain if this will work every time for you, but after Malwarebytes, Spybot and Superantispyware came up clean, I still suspected a problem in this instance. Hitman Pro found the culprit (a TDSS variant), and removed it. Good job.

Rootkits are mysterious beasts. How do we really know software can remove them completely? I’m still learning of their potential power (and stealth), and not quite convinced…

Take care,

-Jim

Malicious Rootkits – formidable malware

I ran into a nasty infection recently on a customer’s computer (Dell running XP SP3), which I believe was partly caused by the “Rootkit.Win32.TDSS.y” rootkit. I threw everything I had in the toolbox at it, thought I had it licked, had malware-remover scans (from within the Windows OS environment) come up clean, and yet, something wasn’t right. I ran Reimage successfully, rebooted and opened up IE, and the symptoms seemed to still be there (redirected websites, etc.). Digging deeper, I discovered outgoing TCP/IP connections to unknown or suspicious hosts, and at that point told my customer that we needed to wipe it out and re-install. As to why, the answer was simple: “This is not our computer anymore.”
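The check that tipped the balance in the post above (outgoing connections to hosts that have no business being there) can be made repeatable. The script below is an added example, not Jim’s tool or anything from the posts: it parses the text output of `netstat -ano` on Windows, keeps the ESTABLISHED TCP rows, drops anything going to loopback or private address space, and groups the rest by owning PID so each remaining process can be looked up in Task Manager. The sample netstat listing, the PIDs and the addresses (RFC 5737 documentation ranges) are constructed for the example; the `expected_pids` parameter is an assumption of this script, meant for processes you have already identified as legitimate, such as the browser you are using to read this.

```python
"""Triage helper: flag established TCP connections to non-local hosts.

Input is the text of `netstat -ano` (Windows). Output groups the remote
endpoints by the PID that owns the socket. Sample data below is constructed
for illustration and is not a capture from any real machine.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (hypothetical PIDs/addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1036         127.0.0.1:1037         ESTABLISHED     1512
  TCP    192.168.1.20:1051      192.168.1.1:53         ESTABLISHED     1100
  TCP    192.168.1.20:1062      203.0.113.15:80        ESTABLISHED     2204
  TCP    192.168.1.20:1063      198.51.100.7:443       ESTABLISHED     2204
  TCP    192.168.1.20:1070      203.0.113.99:8080      ESTABLISHED     1880
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: proto, local endpoint, remote endpoint, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

# Address space we treat as "local" for this triage: loopback, RFC 1918,
# link-local, unspecified, and their IPv6 counterparts. Note that Python's
# own ip.is_private also classifies the RFC 5737 documentation ranges used
# in the sample as private, which is why an explicit list is used here.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_netstat(text):
    """Return one dict per parsable connection row (header lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); IPv6 endpoints look like '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_local(host):
    """True if host is an IP inside LOCAL_NETWORKS; '*' or hostnames are not."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    # ipaddress returns False for an IPv4 address tested against an IPv6 net.
    return any(ip in net for net in LOCAL_NETWORKS)


def suspicious_connections(text, expected_pids=()):
    """ESTABLISHED TCP connections to non-local hosts, grouped by PID.

    expected_pids: PIDs already identified as legitimate and therefore not
    reported. Returns {pid: ["host:port", ...]}.
    """
    flagged = defaultdict(list)
    for row in parse_netstat(text):
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["remote"])
        if is_local(host):
            continue
        pid = int(row["pid"])
        if pid in expected_pids:
            continue
        flagged[pid].append(f"{host}:{port}")
    return dict(flagged)


if __name__ == "__main__":
    for pid, remotes in suspicious_connections(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: {', '.join(remotes)}")
```

On the sample data this reports PID 2204 with two remote endpoints and PID 1880 with one; on a real machine you would run `netstat -ano > conns.txt` and feed that file in. One caveat that fits the rest of the post: a kernel-mode rootkit of the TDSS kind can hide its own sockets and processes from tools running on the infected host, so an empty result from this script is not proof of a clean machine. The same check made from the outside (router, firewall, or a separate sniffing box on the same network segment) does not depend on the compromised host telling the truth, which is exactly why “this is not our computer anymore” is the right conclusion once such traffic is seen.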

You know, I really do not like to do a reinstall, unless I have to, and this decision was mostly due to the fact that I found myself in unstable territory. Even if I could remove what was there (and it was doing a very good job of avoiding that), I really didn’t feel I could reach a point where I felt: “This computer is clean!” When do you reach that point? Dealing with such nefarious code, as it demonstrates to you over hours of work that it can successfully defeat trusted malware tools and win at “hide-and-seek,” how do you know, really, that you’ve got it all? It’s been a real eye-opener; I’m committed to learning more about the workings of this particular family of malware, and how best to serve my customers and limit vulnerabilities for them. In fact, all in all I’ve noticed that it seems more difficult lately to remove these tenacious threats on infected PCs …

Mountain Computer Guy – going live…

Well, here I am…setting up my website under a new name: Mountain Computer Guy. You see, I liked my old name (The Sage – computer services), but I often was referred to as “Sage Computers” and other variations. I found my customers would identify me as “This is my computer guy….Jim.” Shucks, if you can’t beat ‘em, join ‘em. I like the new title “Mountain Computer Guy”….no misunderstanding there, eh? Onward…