
Do not forget about ReadyBoost flash drives

The story did not happen to me, but in front of me, literally in the next room. Published with the permission of the perpetrator, the main participant and, at the same time, the main victim.

The situation is as simple as it gets. A Photoshop plug-in downloaded from ThePirateBay. Further down the chain came the infection, triggered not even at launch but simply when the installer .exe was displayed in Windows Seven Explorer. AVG Internet Security could only mumble: "Sir, there is a trojan in a system process!" More precisely, two trojans: Win32/Virut and Win32/Heur. Both did their job thoroughly: every .exe in Windows and Program Files was infected, including taskmgr.exe and explorer.exe. On the next boot the system refused to start Explorer, and the desktop was gone.

From here it gets more interesting. We look at what the Internet says about these trojans. The first one (Virut) is removed with dedicated removal tools from various vendors: AVG itself (rmvirut), Symantec, Dr.Web (with its CureIt!). With the second it is harder; more precisely, it cannot be removed at all. They promise the end of the world and a full apocalypse, today. In safe mode an attempt was made to cure Virut: CureIt! found some 600+ (sic!) objects (mainly in the system directories) that it tried to cure (and even seemed to succeed).
A reboot into normal mode showed that these actions were almost useless. The sites of every anti-virus vendor were still blocked. SpywareDoctor, which was willing to take on Heur, simply could not download its database. As a result, the most important data was copied to a flash drive. At that point only files on the system disk were infected.

Next came a boot from the Vista installation disc, deleting the system partition, recreating and formatting it, and then installing the laptop's own native VHP. After that everything seemed to calm down: the usual post-reinstall routine went on, downloading updates, installing drivers, installing Norton 360, which had refused to work under Seven (Sonar's online protection fell over due to the lack of support for the new system in the Norton 3.5 version of the time). Nothing seemed to foreshadow trouble...

But at one point the system updates from Microsoft simply refused to download: the Update Center complained that it could not connect to the update storage. An attempt to open the site of any of the antivirus vendors gave zero response. Meanwhile Norton stayed silent and played dumb.

As it turned out, it was not Norton's fault. It tried to do everything it could... in the absence of all of its databases, which it simply had not been able to download from the official Symantec site earlier. At the same time, nothing superfluous was observed in autostart, in the registry, or among the processes. The trojan was sitting, or rather squatting, deep down with a wry grin.

The cause of all the problems of the system freshly risen from the ashes was the ReadyBoost SD card, which had been sitting in the card reader under Windows Seven and then continued to work and do its evil under the new system. They had simply forgotten about it. The takeaway: in such situations, do not forget to pull out all media and information carriers from the infected system.
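The check that would have caught this before the reinstall, as an added example that is not part of the original post: enumerate every volume other than the system drive, flag the ones that carry a ReadyBoost cache (Windows stores it as `ReadyBoost.sfcache` in the volume root), count the executables on them, and report the state of the ReadyBoost service (`EMDMgmt` on Vista and Seven). The function name `Get-MediaToDetach` is my own; everything else uses standard Windows cmdlets and WMI classes.

```powershell
# Added example, not from the original post. Lists volumes that should be
# detached before wiping an infected system: removable media, anything
# holding a ReadyBoost cache, and how many .exe files (Virut's targets)
# live on each. Assumes Windows PowerShell with CIM/WMI available.
function Get-MediaToDetach {
    $systemDrive = $env:SystemDrive   # e.g. "C:"

    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -and $_.DriveLetter -ne $systemDrive } |
        ForEach-Object {
            # ReadyBoost keeps its cache file in the root of the volume it uses.
            $cachePath = Join-Path -Path $_.DriveLetter -ChildPath 'ReadyBoost.sfcache'

            $driveType = switch ($_.DriveType) {
                2       { 'Removable' }
                3       { 'Fixed' }
                4       { 'Network' }
                5       { 'Optical' }
                default { "Unknown($_)" }
            }

            # Count executables on the volume; Virut infects .exe files, so a
            # detached drive full of them is a re-infection path after reinstall.
            $exeCount = (Get-ChildItem -LiteralPath $_.DriveLetter -Recurse -Include *.exe `
                            -ErrorAction SilentlyContinue | Measure-Object).Count

            [pscustomobject]@{
                Drive       = $_.DriveLetter
                Label       = $_.Label
                DriveType   = $driveType
                ReadyBoost  = Test-Path -LiteralPath $cachePath
                Executables = $exeCount
            }
        }
}

# ReadyBoost service on Vista / Windows 7; absent on later versions.
function Get-ReadyBoostServiceState {
    $svc = Get-Service -Name 'EMDMgmt' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not present' }
    return $svc.Status.ToString()
}

# Run the report: anything marked Removable or ReadyBoost=True gets pulled
# out before booting the installation disc.
Get-MediaToDetach | Format-Table -AutoSize
"ReadyBoost service (EMDMgmt): $(Get-ReadyBoostServiceState)"
```

Run it from the infected system before booting the installation disc; a row with `ReadyBoost` set to `True` or `DriveType` of `Removable` is exactly the card that kept the Virut-infected files alive across the reinstall in this story.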


Update: thanks to the activity of users, I had the opportunity to invite the culprit of the turmoil, and also the victim, Yurgeno, to the resource. I think he will be glad to answer your questions and clarify some inaccuracies I may have introduced while retelling the events.

Source: https://habr.com/ru/post/69403/

