My dad can't remove a virus on his computer. What should he do?

[DaDude]

My dad works in Networking and with his skills, he was able to see that someone is hacked into his home computer. He uses McAfee Total Protection and has been using it for many years, so he doesn't understand how this hacker was able to bypass the software's proection. He's done a whole computer scan and the McAfee will not find anything wrong. He even went as far as downloading some free anti-virus softwares such as AVG, but those didn't find anything either.

I told my dad that he should just reformat the computer, but he said he can't because not only does he not have the CD backups for his OS, softwares and drivers, but the McAfee is a downloaded copy that he renews every year, so he can't reinstall it once it's gone from the reformat. So, he's stuck with this virus.

Is there anything my dad can do? He's on the verge of just throwing his computer out the window in frustration. Can anyone help?

Thanks!

[+BudMan MVC]

Until we can get some clarification on this statement

"he was able to see that someone is hacked into his home computer."

Does that mean he is seeing traffic enter/leaving his PC that he can not account for? For all we know its his firewall reporting traffic blocked?

If you Dad is not willing to share this info with you - there is no point to continuing this thread.

If he does believe he is infected with something, virus/malware/trojan/rootkit/etc.. And he doesn't know how to remove it, then yes I would suggest the safest course of action is wipe and clean install.

As to your Dad's incompetence in maintaining backups of his software he uses, or even his OS.. Not sure what we can do there - I wonder what his plans are if there was say a HDD failure?? I sure hope he maintains backups of your childhood videos and pictures in better fashion.

Worse case is he orders a recovery media from his PC maker to reinstall the OS and drivers. As to his mcafee install - I fail to see how that could a issue, since if he downloaded it - I looked on the mcafee site for total protection 2013. And it seems that you have to create an account, so if he can remember what email he used. I would think it trivial to recover that license and install exe. Worse case he is out what $50 for the software.

If he has no issues in spending money on books again, that he threw out - I fail to understand at how $50 for some antivirus software that doesn't even seem to work could be that big of an issue.

Again - until you can clarify what your Dad is concerned is a hack or an infection I don't see what else we can do other than debate your Dads intelligence or lack of ;)

[+Warwagon MVC]

Just use any Vista or Windows 7 CD (depending on which windows he has) with the OEM key on the side of the computer. I guess I must be the only person with those ISO's coming out my ears.

[Detection]

Just because you know you are infected doesn't mean squat. Have you ever dealt with a worm manually? I have, it hides behind other processes. The only detection was the computer communicating to rogue sites. Process monitor showed everything that wasn't the virus running at the time of transmission. Explorer.exe googletoolbar, iexplore, Firefox, outlook, etc. removed/disabled the exe and it picked a different one to hide behind. Really a pain. I was able to detect but no one had a solution for about 2 weeks. It was the morto worm.

Anything infected that badly would get wiped, I've dealt with worms, one I can remember was the 'Sasser' worm, was a while ago and I think there was already a removal tool available, but I wouldn't fart around trying to remove anything that bad manually, unless it was critical that it was cleaned, such as a server that couldn't have any downtime, some just go too deep to be 100% you have killed it completely

[sc302 Veteran]

Right. Try rebuilding 100 computers and not allowing them to connect to the network until all are fixed including servers. That is not an acceptable solution in that case. 1 or even 5 computers is doable 100 with an it staff of 1 is not.

The hospital that I worked in was hit with sasser. Only 12000 computers and 50 techs. Again, not happening.

[Detection]

Right. Try rebuilding 100 computers and not allowing them to connect to the network until all are fixed including servers. That is not an acceptable solution in that case. 1 or even 5 computers is doable 100 with an it staff of 1 is not.

I'd say re-imaging 100 computers would be a lot easier and faster than trying to remove a worm from them all

unattended imaging via network

[sc302 Veteran]

Oh I can see that. Hey dumb user you know those files you were working on that you stored somewhere on your computer or laptop drive, yeah f u you are stupid and they are gone. Have a nice day.

It is very difficult to force policies on mobile users that prevent saving to their computer. Fought this fight, USB drives, VPN, etc management wanted noting to do with it. After all we can only do what management wants, we can only suggest best practices.

[Detection]

Oh I can see that. Hey dumb user you know those files you were working on that you stored somewhere on your computer or laptop drive, yeah f u you are stupid and they are gone. Have a nice day.

:laugh: True, in that scenario I would make sure all 100 users knew what was going to be done a week from now, tell them to move everything important into a folder on the desktop ready to be backed up, anything not in that folder was getting wiped, if they have any issues doing that, to let me know, then if they lose anything, it's there own fault

Tech support are not known for their understanding or patience

EDIT - Either that, or the company should have been making them save everything onto the server via networked drive / had a backup solution

[xWhiplash]

:laugh: True, in that scenario I would make sure all 100 users knew what was going to be done a week from now, tell them to move everything important into a folder on the desktop ready to be backed up, anything not in that folder was getting wiped, if they have any issues doing that, to let me know, then if they lose anything, it's there own fault

Tech support are not known for their understanding or patience

EDIT - Either that, or the company should have been making them save everything onto the server via networked drive

Why aren't they saving on a network share anyway that is RAID5 and backed up daily if the data is that important?

EDIT - I replied before your edit :p

[DaDude]

Not sure why you keep saying your dad has magic skills at detecting viruses, if the AV doesn't detect them, and he has no idea how to remove them, then I don't see how he would even know he had one.

In order to detect something an AV misses, you have to know exactly what you are looking for, and if you do, then you know how to remove it too.

For example, my AV says nothing, but my PC is acting weird / slow / crashing, first place I look is in task manager > processes, find out what is causing it, when I see the malware process, I then know which steps to take to end it / hunt it down / remove it

The reason I looked in task manager > processes, is because I know the way most malware works, where it hides, where it runs,

If I didn't know that, then I wouldn't have any reason to look in task manager in the first place, and therefore would have absolutely no idea that it was a virus, it could be a faulty piece of hardware

So, from the above, if your dad knows he is 100% infected, then he has to know where to look to confirm that, and if he knew that, he would know how to kill it

He doesn't know there is a virus nor does he know what kind of virus it is. What he does know is that someone is hacked on the computer. He assumes it's some sort of virus installed that's connecting his computer to that hacker.

Just because you know you are infected doesn't mean squat. Have you ever dealt with a worm manually? I have, it hides behind other processes. The only detection was the computer communicating to rogue sites. Process monitor showed everything that wasn't the virus running at the time of transmission. Explorer.exe googletoolbar, iexplore, Firefox, outlook, etc. removed/disabled the exe and it picked a different one to hide behind. Really a pain. I was able to detect but no one had a solution for about 2 weeks. It was the morto worm.

Thank you. Finally someone with some sense. Just because my dad works with computers and it knowledgable in certain parts of that area, it doesn't mean he's in expert in all areas. Really, are you going to just grab any surgeon to operate on your heart?? No, because there are different types of surgeons out there. Same with computers and networking. There are different areas and I assume that this virus is outside of my dad's area of expertise.

[Detection]

He doesn't know there is a virus nor does he know what kind of virus it is. What he does know is that someone is hacked on the computer. He assumes it's some sort of virus installed that's connecting his computer to that hacker.

For the 100th time, how does he know he has been hacked? About 5 people have already asked you this.

And as for your surgeon analogy, to be a heart surgeon, you also have to know about the entire human body, you think they would get a guy to study hearts only for 5-10 years, then stick him in an operating theatre and say:

'There is your patient, he needs a triple bypass, but we don't care that you have no idea how to get to the heart, or where it is located, what the other organs do, or what to tell the other surgeons to do while you are operating on him'

No, and to be in networking, and not know a thing about security is a joke, if he sold hard disks for a living, then fine....

[Dot Matrix]

He doesn't know there is a virus nor does he know what kind of virus it is. What he does know is that someone is hacked on the computer. He assumes it's some sort of virus installed that's connecting his computer to that hacker.

Thank you. Finally someone with some sense. Just because my dad works with computers and it knowledgable in certain parts of that area, it doesn't mean he's in expert in all areas. Really, are you going to just grab any surgeon to operate on your heart?? No, because there are different types of surgeons out there. Same with computers and networking. There are different areas and I assume that this virus is outside of my dad's area of expertise.

To be in networking though, security is one of the bigger areas you should be knowledgeable about. It drives basically everything about networking, and what networking professionals do day in and day out.

To me, it sounds like he should have retired or found another profession years ago.

[Growled Member]

For the 100th time, how does he know he has been hacked? About 5 people have already asked you this.

I've been wondering that myself.

[DaDude]

Very funny how this has turned from a virus thread to a "your dad needs a new job" thread. FYI, my dad is very successful and probably makes a lot more than many of you ever will. A few of my relatives have to work two jobs to make a living. Funny thing is, my dad's salary is a lot higher than their 2 salaries combined!! So make fun of my dad all you want. I hope to make as much money as him some day. How did he make so much? Very simply. He's good as what he does!!!

For the 100th time, how does he know he has been hacked? About 5 people have already asked you this.

And as for your surgeon analogy, to be a heart surgeon, you also have to know about the entire human body, you think they would get a guy to study hearts only for 5-10 years, then stick him in an operating theatre and say:

'There is your patient, he needs a triple bypass, but we don't care that you have no idea how to get to the heart, or where it is located, what the other organs do, or what to tell the other surgeons to do while you are operating on him'

No, and to be in networking, and not know a thing about security is a joke, if he sold hard disks for a living, then fine....

Ok, if you ever need a triple bypass, go to an oral surgeon since you're so convinced that ALL surgeons need to know about hearts.

[HoochieMamma]

We don't care how much he makes, I can go ahead and say I make more than him with certainty. Do you think that makes him good at removing a virus or being "hacked" as he would put it? Put that **** aside for a second and try and get more info on what has happened.

1 - How does he know he has been hacked? Sounds like he doesn't know what he is talking about if he is using McAfee in the first place tbh. WE NEED INFORMATION ON THIS

2 - Removing viruses/malware is pretty damn easy, get him to remove the HDD and scan it in a dock on another computer if he thinks something is on it.

[Detection]

Ok, if you ever need a triple bypass, go to an oral surgeon since you're so convinced that ALL surgeons need to know about hearts.

Grow up, your argument is invalid, dentists vs heart surgeons has no similarity as networking vs security

If I went to a job interview for a networking job, and they asked me if I could remove a virus and I said no, I would get laughed out the door

If I went for a job as a heart surgeon, why would they ask me if I knew how to repair a tooth ?

[DaDude]

If I went to a job interview for a networking job, and they asked me if I could remove a virus and I said no, I would get laughed out the door

How do you know? Is your career in networking?

In my line of work, many people misinterpret what I do because in my line of work, there are different areas that many people are unaware of. I'm sure the same goes for networking.

[Detection]

How do you know? Is your career in networking?

In my line of work, many people misinterpret what I do because in my line of work, there are different areas that many people are unaware of. I'm sure the same goes for networking.

My line of work has always been in IT, and yes it has involved networking, and yes I know how to remove malware and yes I can build a machine, and all the other basics anyone in IT should know

Malware removal is what you learn at school, with crayons

[Karl L.]

I agree with everyone else who said that you (or your dad) need to give us more detailed information about why he thinks he has been hacked so we can give you a more specific answer. You have rejected the most obvious general answers already (i.e. reformat). This thread won't evolve into a productive discussion if everyone has to keep guessing what the specific symptoms could be, not to mention the possible mitigations for those symptoms. BudMan and sc302 (along with numerous others) have already offered their assistance if you can provide this information.

Since the attacker presumably has persistent access to your dad's machine (otherwise this would not be an ongoing issue), running SysInspector to try to out the rootkit might be a good idea. If your dad has an inkling of what to look for, the SysInspector report would certainly be a good start. If not, uploading that report to Neowin will probably help us determine what is happening, or at least give us something to argue about other than your dad's competence and your analogies. Also, I agree with Detection that your dad should absolutely run Kaspersky Rescue Disk. It is an excellent resource for detecting and removing rootkits outside of the infected environment. (More specifically, it is a Gentoo-based live CD for scanning the Windows installation on your computer. Make sure you update its definitions before you start the scan.)

[Hum]

I've concluded that the best action to take is to open the window and toss out the computer.

[nub]

McAfee is crap anyways.

Besides Malware Bytes, run this http://support.kaspersky.com/5350

[Yorak]

Here are the options I see here:

1. Your father's networking skills are so superior to the rest of the world that he cannot verbalize his deeply complex virus infection to us common folk. (Unlikely.)
   
2. His "skills" are still in winter hibernation and/or he never had any to begin with. If he does not want to explain how he knows that he has been "hacked", he probably doesn't actually know.
   

You are not explaining the issue very well. You should probably tell him what other members have already said. You were given steps to take.

[Motoko.]

Tell him to GNU/Linux

[Shiranui]

We don't care how much he makes, I can go ahead and say I make more than him with certainty.

1. What do you do?
   
2. How much do you make?
   
3. Can you spare me some cash?
   

[+BudMan MVC]

"What he does know is that someone is hacked on the computer. He assumes it's some sort of virus installed that's connecting his computer to that hacker."

Again - How does he know, what is he seeing that leads him to this conclusion?

We going to go round and round with this - or can we just call it quits until there is something more to go on? Contrary to some of the statements about heart surgeons and regular doctors, etc.. I hear ya, IT is "broad" field -- and I can tell you for sure that "networking" does not mean they have to know about security of the os, or how to clean a virus.. Or even how to read a sniff.

Lots of router jockeys at where I work - and I am with ya many of them wouldn't have clue one how to clean a virus. So I am not all surprised that your Dad might not know where to get going.. But again without something to go on to why your dad says he has been "hacked" there is really nothing anyone can say other than wipe it and move on.

People can keep throwing out different antivirus/antirootkit tool/software names.. But I don't really see how that is going to accomplish anything.. It all comes down to

If you Dad has such skills that he detected the problem - then there has to be "something" that lead him to that conclusion.. So post what this "something" is.. If its a network sniff - sure lets see it... Netstat showing a connection from some IP? Strange Icon on desktop, maybe one of his icons is of place? Something in the event log, something!

Do you take your car to the mechanic and tell him something is wrong with the engine? What do you expect the mech to do?? Does it not start? Does it make a strange noise? Does it stop when your at a red light? Is there some light on the dash telling you to check engine?

If only answer is there is something wrong with it - what is the mechanic to do? Not like we can take the car for a spin and see for ourselves.. So your going to have to give us something to go on.

[Kelxin]

I guess I must be the only person with those ISO's coming out my ears.

Sadly I still have DOS 1.1 all the way through Windows Server 2012, every single one either in ISO or IMA disk image, and about 38 different variants of linux, unix, etc.

Honestly, this thread is going nowhere. All he keeps saying is "someone is hacked on the computer". DaDude.... Consider us doctors here. All you're saying is "he knows he feel bad". There is absolutely no way for us to diagnose or help him with that. If the best solution he has is to ask his kid to post on a forum, he might as well just let his "hacker friend" live the land. If he wants to get rid of it, tell him to format and start from scratch. If that's not a "good solution" then this thread is just a troll thread, and we should stop feeding the trolls.

/end thread.