
XP Antivirus 2012 - repeated infections - what to do?


jccrcomputers
06-26-2011, 08:55 AM
I have a customer who I went to last Sunday, removed XP Antivirus 2012 from his computer, it was definitely removed from all 4 user accounts on this family PC.

I think it was 2 days later when he called and said they had the virus again. I went, and removed it again, and showed him it had been removed which was acknowledged, I also did some other things they wanted doing so I was paid for this 2nd visit. All seems good.

Then a day later they have the infection again, so I go and remove it for free and change all the accounts to Limited type and do more thorough scans with some other programs. I double check everything, the virus is definitely removed.

XP is up to date, the AV is Avira and I have them using Firefox 5.0. They aren't visiting dodgy sites and they're not stupid - this customer is actually one of my best, he's been using me since 2009.

Then again, a day later, they have the same virus again. The customer says he is only going on Windows Live Hotmail and Word documents, which seems to be true when I looked at his history etc. He gave me access to his email but I can't see anything wrong with it. I have removed the virus again, done even more thorough scans, set Avira heuristics to the highest level, done chkdsk and SFC, and scanned with malwarebytes, superantispyware and sophos rootkit scanner. All is OK. I've had the PC for a day, and haven't been able to get the virus back. I'm bringing the PC back to the customer this afternoon. I must note, I've done all this work for free as well.

What would you guys do in this situation?
From what I can tell, he is reinfecting it. I have done the removal properly and I can't keep removing it for free.

MM PC Solutions
06-26-2011, 09:48 AM
A couple of bits you may/may not have done:

Reset Internet settings
Reset the host file
Ran combofix
Check with Autoruns for any loose ends?

gazza
06-26-2011, 10:02 AM
In hindsight you should have got them to show you what they were actually doing when the infection hit while you were onsite. What customers say and do can be two different things as I am sure you know.

I would hit with combofix/tdsskiller while you have it in your workshop and also consider looking at the hosts file and browser plugins for any discrepancies.

Who is actually using the family computer when the infection hits? Might be time for OpenDns if they have teenagers.

Xander
06-26-2011, 11:29 AM
" The customer says he is only going on Windows Live Hotmail and Word documents, which seems to be true when I looked at his history etc."

Have you compared the timestamp of the virus file with the history? Are you looking at the history in the browser or a 3rd party tool like Nirsoft's IEHV?

atlanticjim
06-26-2011, 11:40 AM
I cleaned one of these last week, and I found a TDSS rootkit as well. Now I cannot say that they are related but that the infections did happen simultaneously. I used rkill, MBAM, TDSSkiller and HitManPro to clean it up.

As always, BleepingComputer.com (http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012) is an excellent resource for battling infections. I would suggest you visit there as well for the list of the affected files.

ZenTree
06-26-2011, 11:41 AM
Install some usb autoruns protection, might be an infected usb drive their end.

atlanticjim
06-26-2011, 11:49 AM
Install some usb autoruns protection, might be an infected usb drive their end.
This is a very good point and I have been seeing more of these lately. "Is there any infected external device" should be a question in our diagnosis.
I am not familiar with Avira, but shouldn't it be scanning any attached devices?

jccrcomputers
06-26-2011, 12:19 PM
Thanks for the quick replies guys.
TDSSKiller didn't come up with anything
Ran combofix
Hosts file is fine
Have also run hijackthis

So I'm very confident there is nothing left on there.
But the question isn't about the removal, it's about what to do if he reinfects again. To avoid that situation again, I have installed Sandboxie and also adjusted Avira so the heuristics are better.

The problem with asking the customer to show you what they were doing when they got the virus is that they usually can't remember or they're vague like "I was on this email and then it just happened".

Forgot to mention, I have scanned his USB drive and it's fine.
Avira also blocks autoruns and does scan external drives in the background.

cyabro
06-26-2011, 12:20 PM
I had a similar thing this last week too.
Removed the same malware but the very next day it was back.
When I checked the host file manually it all looked ok, just the usual localhost line.
However when I ran hijackthis it picked up a whole heap of google redirects to the same two ip addresses.
On checking the host file again there were actually a whole lot of extra lines in there but it was like the font was wrong and you couldn't actually read the text so it looked like there was actually nothing extra in the file. The file size was 4kb and after deleting these extra lines, of what looked like nothing, the file size dropped to 1kb and hijackthis scan confirmed no more google redirects.
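An added example, not code from cyabro or any other poster, of how to check a hosts file for the kind of entries described above without trusting what Notepad shows. It runs over constructed sample content (the 192.0.2.x addresses are documentation-range placeholders) and flags non-printable bytes, long runs of blank-line padding, and any hostname mapped to a non-loopback address.

```python
import re
import ipaddress

# Constructed sample modelled on the post: a normal localhost line, then redirects
# pushed out of sight behind blank lines and prefixed with NUL bytes (placeholder IPs).
SAMPLE_HOSTS = "".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n",
    "127.0.0.1       localhost\r\n",
    "\r\n" * 40,
    "\x00\x00192.0.2.10\tgoogle.com\r\n",
    "192.0.2.10\twww.google.com\r\n",
    "192.0.2.11\tgoogle.co.uk\r\n",
])

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
PRINTABLE = re.compile(r"^[\x09\x20-\x7e]*$")   # tab plus printable ASCII only

def audit_hosts(text):
    """Return redirect entries, lines carrying hidden bytes, and the longest blank run."""
    redirects, hidden_lines = [], []
    blank_run = longest_blank_run = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            longest_blank_run = max(longest_blank_run, blank_run)
            continue
        blank_run = 0
        if not PRINTABLE.match(line):
            # Characters outside printable ASCII do not render in a plain editor;
            # record the line, strip them, and still check what it maps.
            hidden_lines.append(lineno)
            line = "".join(ch for ch in line if PRINTABLE.match(ch))
        entry = line.split("#", 1)[0].split()    # drop trailing comment, tokenize
        if not entry:
            continue
        addr, names = entry[0], entry[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # first token is not an address
        if addr not in LOOPBACK:
            redirects.extend((lineno, name, addr) for name in names)
    return {"redirects": redirects, "hidden_lines": hidden_lines,
            "longest_blank_run": longest_blank_run}

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for lineno, name, addr in report["redirects"]:
        print(f"line {lineno}: {name} -> {addr}")
    print("hidden bytes on lines:", report["hidden_lines"],
          "; longest blank run:", report["longest_blank_run"])
```

Comparing the number of flagged redirects and the file size against what the editor displays is the same check cyabro did by hand.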

RichmondTech
06-26-2011, 12:28 PM
Great suggestions listed here. I would also add that when customers say "I've only been to x site" that's typically not the case. Maybe SandboxIE would be good for this client? I have a few of mine using it since they were infected and haven't heard a peep about it since.

joydivision
06-26-2011, 01:47 PM
Do an offline scan with Kaspersky.

Rewrite the MBR just in case, did you say you have used SFC?

I would also replace Java if that is installed.

Also as already pointed out ask if he is using any USB sticks.

OldSchoolPC
06-26-2011, 01:53 PM
A lot of great suggestions. Also try AVG Rescue CD. Download and scan those Office documents that he is talking about; it's odd for that particular virus to just pop up like that. Usually it shows up when Windows boots, save for right when you download it. If the client has a static IP, see if you can change it. That's all I got beyond what others have said.

MobileTechie
06-26-2011, 02:23 PM
I wouldn't want to imply you've missed anything but of course any of us can miss something we've not seen before, or is a new variant.

Definitely agree that an offline scan with Kaspersky would be a good idea to rule out some kind of sneaky rootkit / bootkit.

I'd have a look at scheduled tasks. Some viruses put a task in to re-download the virus daily.

I would have them replace their antivirus with Kaspersky Internet Security which seems to do a much better job than most stopping these things.

Might be worth installing SandboxIE as suggested and training them how to use it. At least then you could rule out or rule in web based infections.

johnrobert
06-26-2011, 06:35 PM
When I see this virus or any one of these Russian fake anti viruses
The first thing I do is a system restore to at least a week before it happened
This completely replaces the registry
seems to me the most logical thing to do

Then I run Malwarebytes, look in msconfig etc.
Google the specific antivirus to see if I missed anything
I have done hundreds and never been called back

I think in your case the family is reinfecting the computer

FoolishTech
06-26-2011, 07:13 PM
One N&P for free, nothing for free after that.

For home users my warranty on a virus removal is you get 30 days, and if it comes back with a virus I'll N&P for free, after explaining to the client the general idea of why it is unquestionably their fault if I do the N&P and they get reinfected yet again.

I just find that a lot easier than tracking the infection times and trying to prove to an end user that they reinfected themselves; often they want to dispute that. I can backup data and N&P in the time it takes to deal with some clients in that situation.

So if the client agrees to a free N&P, it's on, and I put them on priority service and get to it, no questions asked. They feel more guaranteed they won't get reinfected (after explaining the process to them), and I get them out of my hair quick, plus if they come back yet again, I get paid again, and without any complaint or objection because they understand they did it to themselves. Everyone is happy.

If the client does NOT agree to an N&P, then they usually get charged for the removal again, but we check it in as "warranty" and explain to them that if we track down the infection times and prove otherwise, they will be charged again.

For a business or a setup where I wouldn't want to N&P for any reason, yeah I'll do the removal again under warranty if I have to. I just hate it when that backfires and they blame YOU for the reinfections when it's their fault. But in your case, you've got a home user, right? N&P already.

Cadishead Computers
06-26-2011, 07:18 PM
Rather than hijack this, I would look into OTL by old timer. It is a far more thorough scanner and repairer than hjt. It also finds a lot more than hjt.

If you're uncomfortable with the OTL log, then post it up here, and I am sure one of us would be able to help you with it.

Also update flash players, java.

Beatus
06-26-2011, 07:33 PM
TLDR Version:
Have you checked Qualys BrowserCheck to stop reinfection through insecure browser plugins? No matter how well you clean it, if you don't block the access point it will come back.

Long Version:
I have repaired 7 of these from different computers in the last week.

Most of the people that had it, said one of the last things they had done was go to Hotmail.
The ones that denied being on Hotmail, their logs confirmed that they had been on Hotmail minutes before the infection had struck.

My notes from this week about the infections are the following.
- 100% of all users were on Hotmail within 5 minutes of the infection being created in the Application Data folder.
- All users were using Internet Explorer, although the version varied (6, 7 and 8). All versions were patched to the latest security updates possible for their version.
- All machines were XP.
- Most machines had out of date Java, but not all.
- All machines had out of date versions of Flash, dating back before 10.3.

From these statements, my diagnosis of the entry point was most likely to be a drive-by attempt with Flash/Java embedded into a banner on Hotmail. I don't believe the browser would have made much difference, although Chrome's sandbox and Firefox with NoScript installed could have blocked the infection.

I would also suspect that it is a variant / follows the same principle of the blackhole exploit kit.
I would post the additional reading on it but as I am under 15 posts, I can't post URLs.
But basically it will forward the user silently onto a page to determine what vulnerabilities are on the machine before directing them to another page to take advantage of what it finds. All this without any user interaction or other signs.

Qualys BrowserCheck should be used to find insecure browser plugins, and the customers need to be told not to hide those Java, Reader and Flash updates when in future the programs want to update.
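An added example, not code from Beatus, Xander or any other poster, of the timestamp check they describe: take the time the fake-AV file appeared on each machine and list which sites the browser history shows in the five minutes before it, then see which hosts precede every infection. All machines, timestamps and URLs below are constructed; ad.example.net is a placeholder for whichever third-party host served the banner.

```python
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

WINDOW = timedelta(minutes=5)   # Beatus's observation: Hotmail within 5 minutes

# Constructed data for three machines: when the fake-AV executable appeared in
# the Application Data folder, and browser-history entries around that time.
# ad.example.net is a placeholder for whatever third-party host served the banner.
INFECTED_AT = {
    "pc1": datetime(2011, 6, 24, 10, 12),
    "pc2": datetime(2011, 6, 25, 19, 40),
    "pc3": datetime(2011, 6, 26, 8, 3),
}
HISTORY = {
    "pc1": [(datetime(2011, 6, 24, 9, 30), "http://www.bbc.co.uk/news"),
            (datetime(2011, 6, 24, 10, 9), "http://mail.live.com/inbox"),
            (datetime(2011, 6, 24, 10, 10), "http://ad.example.net/banner"),
            (datetime(2011, 6, 24, 10, 20), "http://www.google.com/")],
    "pc2": [(datetime(2011, 6, 25, 19, 37), "http://mail.live.com/inbox"),
            (datetime(2011, 6, 25, 19, 38), "http://ad.example.net/banner"),
            (datetime(2011, 6, 25, 19, 50), "http://www.bbc.co.uk/news")],
    "pc3": [(datetime(2011, 6, 26, 7, 20), "http://www.amazon.co.uk/"),
            (datetime(2011, 6, 26, 8, 1), "http://mail.live.com/inbox"),
            (datetime(2011, 6, 26, 8, 2), "http://ad.example.net/banner")],
}

def hosts_before(infected_at, history, window=WINDOW):
    """Hostnames visited in the window leading up to the malware file's timestamp.
    Visits after the timestamp are excluded: they cannot be the entry point."""
    return {urlparse(url).hostname for ts, url in history
            if infected_at - window <= ts <= infected_at}

def host_coverage(infected_at, history, window=WINDOW):
    """For each hostname, how many machines saw it in the pre-infection window."""
    counts = Counter()
    for machine, when in infected_at.items():
        counts.update(hosts_before(when, history[machine], window))
    return counts

def common_hosts(infected_at, history, window=WINDOW):
    """Hostnames that precede every infection: the candidate shared entry point."""
    return {h for h, n in host_coverage(infected_at, history, window).items()
            if n == len(infected_at)}

if __name__ == "__main__":
    for host, n in host_coverage(INFECTED_AT, HISTORY).most_common():
        print(f"{host}: seen before {n}/{len(INFECTED_AT)} infections")
    print("common to all:", sorted(common_hosts(INFECTED_AT, HISTORY)))
```

The file timestamp is the one you read off the dropped executable in Application Data; the history entries come from the browser or a tool such as Nirsoft's IEHV, as Xander suggests.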

allanc
06-26-2011, 08:52 PM
I had a similar thing this last week too.
Removed the same malware but the very next day it was back.
When I checked the host file manually it all looked ok, just the usual localhost line.
However when I ran hijackthis it picked up a whole heap of google redirects to the same two ip addresses.
On checking the host file again there were actually a whole lot of extra lines in there but it was like the font was wrong and you couldn't actually read the text so it looked like there was actually nothing extra in the file. The file size was 4kb and after deleting these extra lines, of what looked like nothing, the file size dropped to 1kb and hijackthis scan confirmed no more google redirects.
A very clever infection, indeed.

Martyn
06-26-2011, 09:08 PM
I had a similar thing this last week too.
Removed the same malware but the very next day it was back.
When I checked the host file manually it all looked ok, just the usual localhost line.
However when I ran hijackthis it picked up a whole heap of google redirects to the same two ip addresses.
On checking the host file again there were actually a whole lot of extra lines in there but it was like the font was wrong and you couldn't actually read the text so it looked like there was actually nothing extra in the file. The file size was 4kb and after deleting these extra lines, of what looked like nothing, the file size dropped to 1kb and hijackthis scan confirmed no more google redirects.


The date stamp should have shown it had been changed as well I would have thought. That is something I check as well.

lan101
06-26-2011, 09:36 PM
I was thinking N&P maybe at no cost. You could also maybe sell him sandboxie or something similar since he seems to get reinfected somehow.

wtigger
06-27-2011, 12:53 AM
When I see this virus or any one of these Russian fake anti viruses
The first thing I do is a system restore to at least a week before it happened
This completely replaces the registry
seems to me the most logical thing to do



System Restore is the first thing that is corrupted (that I've seen) in most malware infections... Not a reliable fix most of the time...

MobileTechie
06-27-2011, 07:43 AM
Often the virus turns it off but you can turn it back on again.

If I can use it, I too use system restore as the first port of call. If you can get it working and if it's not infected then it's the best possible fix - quick and complete. Obviously it's not always like that.

OldSchoolPC
06-27-2011, 09:00 AM
+1 for using System Restore first. Then, after restoring it run whatever antivirus/antimalware programs you have plus HijackThis and Autoruns etc. Alternatively, use the Registry Restore in UBCD4WIN and then run such programs remotely.

jccrcomputers
06-28-2011, 03:54 PM
OK, so I've had 3 more PCs with this same virus now. Removal is easy, but I have now found where it's coming from. All of my customers who have brought in a PC with this virus have said they were on their Hotmail when they got infected. I did some Googling and others have said it comes from Hotmail. Does anyone know a bit more about this?

glricht
06-28-2011, 05:24 PM
OK, so I've had 3 more PCs with this same virus now. Removal is easy, but I have now found where it's coming from. All of my customers who have brought in a PC with this virus have said they were on their Hotmail when they got infected. I did some Googling and others have said it comes from Hotmail. Does anyone know a bit more about this?

I've had a few customers with this and they all came in via an email with a "PDF" attached. Wasn't really a PDF, it had a name such as "See This File.PDF.exe" - people with extensions turned off only saw the PDF extension.

Two of the customers got it from a phishing-type email supposedly from the IRS that said their recent payment had been canceled.

mraikes
06-28-2011, 05:54 PM
OK, so I've had 3 more PCs with this same virus now. Removal is easy, but I have now found where it's coming from. All of my customers who have brought in a PC with this virus have said they were on their Hotmail when they got infected. I did some Googling and others have said it comes from Hotmail. Does anyone know a bit more about this?

Hotmail, MSN, Yahoo, etc are not unusual sources.

Here's a thread that may shed some light: http://www.technibble.com/forums/showthread.php?t=28552