Spybot Search & Destroy Screenshot

**slgrieb** · June 27th, 2008, 05:13 PM

Yesterday I went out on a service call for a malware infected system. I started by installing Spybot and running a scan. After a few minutes I told the customer, "Mmm, I think this needs to go back to the office." I set it up to run a scan, went on another job and when I came back this is what I saw.

I apologize for the quality of the photo, but I was trying to get it quickly because I was convinced the system would crash or explode. Anyway, the number of Win32.Agent.cmn infections is 29329. And that isn't a typo. You can use your browser's zoom feature to check it out.

I clicked the fix button, then left again. When I returned, Spybot had locked up, but when I rescanned the system 100% of the Win32.Agent.cmn infections were gone, and the second scan (which took about 12 minutes) removed everything but the Win32.Agent.pz infections. ComboFix killed those. After I ran Eset's online scan (clean, BTW) I took it back home.

**clauded** · June 27th, 2008, 06:06 PM

and that thing would still boot and run?who says windows is not stable,lol

**slgrieb** · June 27th, 2008, 07:23 PM

I'm not sure "ran" is a good description. "Crawled" might be more like it. But yes, I'm confident that the machine was free of infection when I returned it. But I did have a really long chat with the owner about security.

With only a couple of exceptions, all of the files infected with Win32.Agent.cmn were either fonts or DivX movies downloaded via LimeWire.

Edit: One point that is frequently overlooked in discussions about infected systems isn't whether or not the system is clean after the removal/reformat or whatever, but whether the user's passwords and personal data may have been compromised. It's always safest to assume the worst, but it can be very hard to communicate to users the need to change all their critical login information on any banking or investment sites, and communicate their concerns to the relevant security departments.