Joines
New Member
- Reaction score
- 0
- Location
- Philadelphia, Pennsylvania
So....
I Had a client yesterday request remote support to cleanup adware (she said she was getting random advertisements on her desktop). So I figured this would be an easy safe mode w/ networking job in which the viruses practically remove themselves. However, I was wrong.
When this client said advertisements were on her desktop, she actually meant they were playing over her speakers. At first, I didn't believe her. I was very cautious to ask if it was her TV in the background making the sounds (I could hear the ads, I never did ask if it was her TV). One of the ad's was for the Army, one was for a bathroom remodeling service, they were completely random.
So I decided to do my usually cleanup process, remove temp/history/temp internet files from the profiles, run ccleaner, run malwarebytes, remove unnecessary startup items, look over Autoruns for suspicious entries and temporarily uncheck them. However Malwarebytes only found a few adware items, there was little to go off of in Autoruns, and there was nothing active on the desktop when the computer was booted normally to even insinuate that there was an infection, of course until random ad's started playing over the speakers. I figured that the few adware items Malwarebytes found were just remnants of what was left over from something that the virus scanner maybe picked off. However after another reboot, it became clear that this wasn't the case.
At this point I decided to take pull out process explorer to take a deeper look. Process explorer revealed an iexplore running under a service host, which I found strange since there were no browsers open. I closed the iexplore process, and of course it quickly came back. At this point I was happy to find anything. After digging around process explorer for a little while I traced a .dat file within the iexplore process to C:\WINDOWS\system32\config\systemprofile\Local Settings\AntiPhishing\4254D-DSFSS-SDfSDf3-SDF.dat (not actual file name)
Admittedly this was the first time I've seen the documents and settings structure rebuilt within another folder (C:\windows\system32\config\systemprofile\) so I was a bit skeptical of the entire folder to begin with, however after researching I found that it is apparently legit and contains a standard profile for the local system. What caught my attention was what was inside the temporary internet files, hundreds and hundreds of .mp3, .gif, .swf, .fla, files. I immediately figured, okay so this is where the ad's are being stored, i'll just delete them all (500mb worth) in safe mode and then see if I get any program errors while booting to lead me to the next step.
So I rebooted into safe mode w/ networking once again. Out of curiosity I loaded process explorer and saw no iexplore process (and was happy) I then deleted the entire systemprofile file structure (after researching that this was possible). At this point process explorer was still open, only because I had forgotten to close it and my little iexplore buddy returned to greet me in safe mode. I went to check the systemprofile file structure, and remarkably the 500mb worth of temp files had returned. I should also mention that ESET NOD32 Antivirus also blocks a website from loading everytime the computer boots. These problems obviously all go away when you unplug the internet.
I have tried multiple live CD's including Kaspersky's, Avasts scans, UBCD4Win (forget what I did in here at this point), ERD Commander (to delete the files again, still came back), I had scanned with Gmer, Rootkit Revealer, Kaspersky's TDSSKiller. I have ran Combofix. I have pulled out some of my hair.
I have spent probably 4 hours on this PC, and only because I am stubborn and the customer didn't need it back right away.
Since this I have ghosted the drive and reformatted, however because of my stubbornness I am still troubleshooting the issue on the ghosted drive.
I had setup the drive as a slave and let Gmer scan it this way and found some interesting iexplore entries that previously were not shown (ieframe.dll I believe)
Things I haven't done today which I will tomorrow:
-uninstall and delete the sound driver with driversweeper
-slap computer with fish
Have any of you seen anything of this sort before?
Does anyone have any suggestions?
I Had a client yesterday request remote support to cleanup adware (she said she was getting random advertisements on her desktop). So I figured this would be an easy safe mode w/ networking job in which the viruses practically remove themselves. However, I was wrong.
When this client said advertisements were on her desktop, she actually meant they were playing over her speakers. At first, I didn't believe her. I was very cautious to ask if it was her TV in the background making the sounds (I could hear the ads, I never did ask if it was her TV). One of the ad's was for the Army, one was for a bathroom remodeling service, they were completely random.
So I decided to do my usually cleanup process, remove temp/history/temp internet files from the profiles, run ccleaner, run malwarebytes, remove unnecessary startup items, look over Autoruns for suspicious entries and temporarily uncheck them. However Malwarebytes only found a few adware items, there was little to go off of in Autoruns, and there was nothing active on the desktop when the computer was booted normally to even insinuate that there was an infection, of course until random ad's started playing over the speakers. I figured that the few adware items Malwarebytes found were just remnants of what was left over from something that the virus scanner maybe picked off. However after another reboot, it became clear that this wasn't the case.
At this point I decided to take pull out process explorer to take a deeper look. Process explorer revealed an iexplore running under a service host, which I found strange since there were no browsers open. I closed the iexplore process, and of course it quickly came back. At this point I was happy to find anything. After digging around process explorer for a little while I traced a .dat file within the iexplore process to C:\WINDOWS\system32\config\systemprofile\Local Settings\AntiPhishing\4254D-DSFSS-SDfSDf3-SDF.dat (not actual file name)
Admittedly this was the first time I've seen the documents and settings structure rebuilt within another folder (C:\windows\system32\config\systemprofile\) so I was a bit skeptical of the entire folder to begin with, however after researching I found that it is apparently legit and contains a standard profile for the local system. What caught my attention was what was inside the temporary internet files, hundreds and hundreds of .mp3, .gif, .swf, .fla, files. I immediately figured, okay so this is where the ad's are being stored, i'll just delete them all (500mb worth) in safe mode and then see if I get any program errors while booting to lead me to the next step.
So I rebooted into safe mode w/ networking once again. Out of curiosity I loaded process explorer and saw no iexplore process (and was happy) I then deleted the entire systemprofile file structure (after researching that this was possible). At this point process explorer was still open, only because I had forgotten to close it and my little iexplore buddy returned to greet me in safe mode. I went to check the systemprofile file structure, and remarkably the 500mb worth of temp files had returned. I should also mention that ESET NOD32 Antivirus also blocks a website from loading everytime the computer boots. These problems obviously all go away when you unplug the internet.
I have tried multiple live CD's including Kaspersky's, Avasts scans, UBCD4Win (forget what I did in here at this point), ERD Commander (to delete the files again, still came back), I had scanned with Gmer, Rootkit Revealer, Kaspersky's TDSSKiller. I have ran Combofix. I have pulled out some of my hair.
I have spent probably 4 hours on this PC, and only because I am stubborn and the customer didn't need it back right away.
Since this I have ghosted the drive and reformatted, however because of my stubbornness I am still troubleshooting the issue on the ghosted drive.
I had setup the drive as a slave and let Gmer scan it this way and found some interesting iexplore entries that previously were not shown (ieframe.dll I believe)
Things I haven't done today which I will tomorrow:
-uninstall and delete the sound driver with driversweeper
-slap computer with fish
Have any of you seen anything of this sort before?
Does anyone have any suggestions?
