0

A family member yesterday asked me to look at their work laptop (they're self-employed) since the memory usage is almost at 100% after an hour of it not being used (6GB RAM on idle shouldn't be at 100% utilization after an hour!).

I found:

  • A duplicate java.exe is running (I uninstalled Java when I noticed this; it still runs even after a reboot) with its memory usage increasing by around 50MB each minute.
  • A RAVBg64.exe was running in the background with a memory usage of ~500MB (suspected virus disguised as the Realtek Control Panel).
  • A virus scan via Parted Magic's ClamAV revealed two Trojan.Bifrose-infected HP printer driver installation packages (removed easily via Parted Magic's file manager).
  • Virus disabled internet access via any wi-fi adapters (Windows claims that it can't see any wi-fi networks [verified adapter is enabled], but my own netbook finds the networks fine), but connecting via LAN works...
  • An Ag_.exe runs in the background with a CPU usage of around 70% (could be a botnet bitcoin miner?), no luck in tracking this file down since Task Manager doesn't let me open the file location of the process and any searches of the hard drive fail to find it.

This laptop has caught a bad infection (probably the root cause is the Trojan.Bifrose), and I haven't had any luck in removing anything (apart from the Trojan.Bifrose detection and RAVBg64.exe).

Unfortunately the Trojan.Bifrose apparently has the ability to attach itself to Windows' core files (the registry, and various executables inside System32), so it's likely that the infection is still present.

Rather than attempt to remove the infection, is it best to back up the important business files (there aren't many; most of the files are on their PC, which has no such issues), and then wipe & reinstall Windows?

I see no better way; I could be spending hours removing the infection whilst it continues duplicating itself.

Any input on this is appreciated.

AStopher
  • 2,393
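One way to get the image path, parent process and memory footprint of every running process, including the ones Task Manager refuses to show a file location for, is to query Win32_Process from an elevated PowerShell prompt. This is an added example, not code from the post; the list of expected directories is an assumption, and kernel-side entries such as System report no path and will be flagged as well, so treat the output as a triage list rather than a verdict.

```powershell
# Added example (not from the original post): list every process with the image
# path Windows reports for it and flag the cases described in the question: a
# process with no resolvable path, one living outside the usual system/program
# directories, or one whose image is not validly signed. Process names such as
# Ag_.exe and java.exe come from the question; the allow-list is an assumption.

# Directories a normal process image is expected to live in (assumption; adjust).
$ExpectedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Get-SuspectProcess {
    # Win32_Process exposes ExecutablePath and ParentProcessId even when Task
    # Manager's "Open file location" is unavailable; run elevated for full results.
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $inExpected = $false
        if ($path) {
            foreach ($root in $ExpectedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inExpected = $true; break
                }
            }
        }
        # Authenticode status of the on-disk image; 'NoFile' when the path is
        # missing or the file has been hidden/removed from the visible file system.
        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'NoFile' }

        [pscustomobject]@{
            Name         = $_.Name
            ProcessId    = $_.ProcessId
            ParentPid    = $_.ParentProcessId
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB)
            Path         = $path
            Signature    = $sig
            Suspect      = (-not $path) -or (-not $inExpected) -or ($sig -ne 'Valid')
        }
    }
}

# Flagged processes first; re-run a few minutes later and compare WorkingSetMB to
# confirm the steady memory growth described in the question.
Get-SuspectProcess | Sort-Object Suspect -Descending |
    Format-Table Name, ProcessId, ParentPid, WorkingSetMB, Signature, Path -AutoSize
```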

2 Answers

1

Nuke it from orbit: reformat the drive and do a full reinstall onto a blank drive from a trusted source (install CD).

Also check the BIOS to see if all settings there still make sense.

The reason for this is that malware can hide in the strangest places; for example, a rootkit can hide outside the visible file system and load programs straight from a hidden partition.

0

Before you go about trashing your operating system, all of your device drivers, and ALL of your data & applications, find out if you have a 'Rootkit' (an infection within the Boot Record). Most virus infections can be cured if you carefully work at it. Rootkits are particularly effective at keeping themselves alive.

This solution was given to me by Microsoft Support 3 1/2 years ago. It's free, easy to use, and worked like a charm, the first time:

   Suggestion: Remove Trojan or viruses
   =====================================

   1. Download file TDSSKiller.zip from the following link -- save it on the Desktop.

          http://support.kaspersky.com/downloads/utils/tdsskiller.zip

   2. Double-click TDSSKiller.zip to unzip the file.

   3. Double-click TDSSKiller.exe to scan the system.

   4. Wait for the scan and disinfection process to complete.

   5. If malware is found in the System Root or any drivers, select "Cure" to rebuild that area.

Kaspersky is one of the top antivirus products out there -- there are several others that are equally effective.

You can download the file to another computer if needed, copy it to a thumb drive, and plug that into the sick machine to run it against the primary (C:) drive.

Whether or not it solves your problem, your friend's machine needs a permanently active antivirus/anti-malware package to find ALL viruses and malware -- there could very well be more. Good luck!