2 Replies Latest reply on Feb 24, 2015 12:21 PM by tfichtner

    LANDesk says there is spyware but can't remove it; other products can't either

    Apprentice

      An employee recently acquired malware on her computer. Most likely a drive-by from a web site (she spends a lot of time on the internet). I saw it in Patch and Compliance > Spyware. I was able to do a repair; it was successful and the item disappeared from the LANDesk Spyware display.

      That is, until the next morning. Then it showed up for her, four other desktop computers and three servers. I have attached a picture.

      I have tried to remove this on several occasions. The task takes anywhere from 6 to 32 hours to complete. It will either show "success" but not be reflected in LANDesk > Spyware, or it will fail because it needs a reboot. I reboot the computer and it continues for several more hours and then shows success.

      Today I took one of the servers and installed the Microsoft Malicious Spyware Removal Tool. After five hours of deep scanning it came back and said nothing was found.

      I purchased MalwareBytes and ran that. It came back and said nothing was found.

      I'm in a quandary. Do I have spyware on my systems or not?

        • 1. Re: LANDesk says there is spyware but can't remove it; other products can't either
          Specialist

          Most likely there is something remaining in the Windows\Run key in the registry, or in that user's (or others' on that PC) application data or profile folder that points to a file known to be related to that software, or a task that might even re-install the malware periodically. If you do a Google search for "Error Doctor Uninstall" or "Manual Removal", you should find some tips on what files to look for.

          Have you tried a roll-back / restore in Windows?

          The server may be more problematic if those files exist there. Your options with the server depend on what the server is, what files were added since the malware was detected, how they made it to the server, and what your backup procedures are.

          In the case of the client PC, if it has been worked on for a reasonable amount of time already with no success, my next step would be to re-image the darn thing. If you want to be kind, you can try to grab whatever documents and files are needed prior to doing so with it attached via an external USB cable, but in my environment we don't risk attaching affected drives to anything on the network. Use a standalone, non-networked PC to do that, and wipe that PC also when you are done.

          Most users at my office are used to saving their important files to their network folder, so when an issue like this pops up, they get a new drive with a new image. That drive is pulled from their desktop PC, or they are given a loaner laptop so we can go to work on it off-network. Malware spreads so quickly these days, so as soon as malware is identified, if it can't be cleaned with our standard tools, or returns again after a restart, the drive is wiped.

          I have seen Softmon indicate "potential" malware that I know to be safe, so ultimately the decision on how to move ahead depends on your company's processes and how risky you feel this item is. If it is making its way onto a server without someone putting it there, in my mind there is still risk of additional infection or spread of the item, and it should definitely be addressed.

          • 2. Re: LANDesk says there is spyware but can't remove it; other products can't either
            Apprentice

            I ended up opening a support case on this.

            Long story short: I searched the registry on each machine and deleted the associated keys for this spyware. I then ran a deep scan. Spyware is gone.

            I believe since then LANDesk has added definitions to the spyware to resolve this automatically.
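The persistence locations named in reply 1 (Run/RunOnce keys, per-user profile data, scheduled tasks) and the manual registry search described in reply 2 can be inventoried from one script before anything is deleted. The following PowerShell is an added example for this thread, not code from LANDesk or from either poster; it only lists autostart entries and flags those matching a name you supply, so an administrator can review each hit on every affected desktop and server first. The `-Pattern` value is an assumption: a placeholder to be replaced with the detection name or file path shown in the LANDesk Spyware display.

```powershell
# Added example (not from the original thread): inventory common Windows
# autostart locations and flag entries matching an operator-supplied pattern.
# Read-only: it reports, it does not delete. Run elevated to see every user hive.
param(
    # Placeholder, not a real indicator: replace with the name/path LANDesk reported.
    [string]$Pattern = 'REPLACE-WITH-DETECTION-NAME'
)

$findings = New-Object System.Collections.Generic.List[object]
$escaped  = [regex]::Escape($Pattern)

function Add-Finding {
    param($Source, $Name, $Value)
    $findings.Add([pscustomobject]@{
        Source = $Source
        Name   = $Name
        Value  = [string]$Value
        Hit    = ([string]$Name -match $escaped) -or ([string]$Value -match $escaped)
    })
}

# 1. Run / RunOnce keys: machine-wide, the 32-bit view on 64-bit Windows, and
#    every user hive currently loaded under HKEY_USERS (not only the current user).
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $key = "$hive\$sub"
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... metadata PowerShell adds.
                if ($p.Name -notmatch '^PS') { Add-Finding $key $p.Name $p.Value }
            }
        }
    }
}

# 2. Startup folders: the all-users folder plus each profile's roaming AppData
#    folder, which is where a per-user re-launcher would typically sit.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem $dir -File -Force | ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
    }
}

# 3. Scheduled tasks: the "task that re-installs the malware periodically" case.
#    Get-ScheduledTask exists on Windows 8 / Server 2012 and later; older hosts
#    fall back to parsing schtasks CSV output (English column names assumed).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
            }
        }
    }
} else {
    schtasks /query /v /fo CSV | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |   # drop repeated header rows
        ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName $_.'Task To Run' }
}

# Report: matches first, then everything else for manual review.
$findings | Sort-Object Hit -Descending | Format-Table Hit, Source, Name, Value -AutoSize -Wrap
$findings | Export-Csv -Path "$env:TEMP\autostart-inventory.csv" -NoTypeInformation
```

Run it on one machine at a time, compare the CSV from a machine that shows the detection with one that does not, and only then remove the entry that differs; as reply 1 notes, a scanner can flag something benign, and a deleted Run value on a server is harder to undo than a reviewed one. Entries that reappear after removal point at a scheduled task or a second autostart location that was missed.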