Got a new client in Kirkwood last night who had a fake anti-virus called Vista Home Security 2012. The client wanted me to come to their house to work on this infection. I told them I would, but if the infection was too bad I’d have to take it with me.
As soon as I arrived I rebooted the PC in Safe Mode with Networking. Once I was in Safe Mode I ran Combofix. Combofix said there was rootkit activity and it needed to reboot. Once the PC rebooted I was presented with “Other User” at login. In case you’ve never run into “Other User” at login, it basically means you now have a corrupted profile. Ouch! I told the customer I would have to take it with me and I’d return the PC the next day in 100% working condition.
Once I got home I ran the Kaspersky Rescue Disk. The Kaspersky Rescue Disk found lots of infections, including a TDSS MBR rootkit.
After the infections were cleaned I used a Dell Windows Vista 32-Bit DVD to perform a startup repair (which is really good at fixing corrupted profiles). When the Vista disc completed its repair I was able to boot into the client’s profile again.
The client opted to buy Kaspersky Internet Security. So, before you blindly run Combofix on an infected machine, you need to be prepared for the chance that your PC won’t boot or that you’ll have some OS corruption. Usually System Restore can get ya working enough for other disinfection methods.