Wow...crazy heavy malware calls today!

Phone ringing off the hook....all 3 of us out onsite cleaning up rigs hit with hard drive alerts and security fortress 2012. Big outbreak today.

Seeing this at my day job too, for some reason it seems to mostly be our east coast locations.
 
Hello,

All the ones I've seen lately have outdated Flash and/or Java.

Can't seem to convince people to keep them updated.

On several, the update notifications were showing as needing updated, but customer didn't run.

They said they were "afraid to", with all the bogus "updates" out there.

Been instructing them on using Filehippo Update Checker to look for legit updates and how to download and install.
 
Hello,

All the ones I've seen lately have outdated Flash and/or Java.
I noticed when I installed Flash the other day on a computer that it asked if you would like Flash to update itself automatically which is the default. It's about time they did this. I don't install Java on computers anymore unless the customer is specifically using it.
 
Also seeing a lot of malware calls today. I was out all day on clean up duty!

A lot of customers are reporting that they are afraid of clicking on the updates. I've got 2 computers in the shop now that I have to start scans on. I also have an HP laptop with overheat issues that came in too. Business is good today for some reason.

Have a great day everyone!
 
Hello,

All the ones I've seen lately have outdated Flash and/or Java.

Can't seem to convince people to keep them updated.

On several, the update notifications were showing as needing updated, but customer didn't run.

They said they were "afraid to", with all the bogus "updates" out there.

Been instructing them on using Filehippo Update Checker to look for legit updates and how to download and install.

Tis my rule of thumb also...but one of the rigs I worked on today HAD all updated...Adobe 10, Flash 11, Java 6.31, IE 8.0.

This new variant here is leaving a redirector behind that we've not yet been able to clean off. Within several minutes your browser starts going to affiliate sites instead of what you hoped for. "letmehelpu" is one of them.
 
Hey YeOldeStonecat,

I'd suggest checking with aswMBR, TDSSKiller, and MBRCheck.exe for MBR infections and running a subsequent OTL scan. If you'd like you can post an OTL log here after running the rootkit scans and I'd be happy to go through it for you to identify the problem.
 
Oh yeah..she's been rooty scanned. TDSS gets blocked..GMER finished and came up clean. Ran out of time...will continue Monday with MBR checks...which is what I'm starting to think it is. Manually checked everything HJT would...quite clean. TCP/winsock rebuild. Scanned with SAS, MWB, Panda AV, even brought out old Spybot. Will have to continue with MRT (Microsoft tool) on Monday, and yank drive and slave to another machine and scan. TCP clean, no proxy in browser connection settings, browser set to default, even installed and tested Chrome and she still gets redirected.
 
Wish I had your troubles. I have seen virtually no viral infections for probably 3+ months.

It's been a fairly quiet winter! Although bad timing...these time consuming things are cutting into my bigger work stuff...I was supposed to get a Hyper-V host server built today to begin a migration soon. And some quotes for migrating another SBS2003 domain up.
 
Oh yeah..she's been rooty scanned. TDSS gets blocked..GMER finished and came up clean. Ran out of time...will continue Monday with MBR checks...which is what I'm starting to think it is. Manually checked everything HJT would...quite clean. TCP/winsock rebuild. Scanned with SAS, MWB, Panda AV, even brought out old Spybot. Will have to continue with MRT (Microsoft tool) on Monday, and yank drive and slave to another machine and scan. TCP clean, no proxy in browser connection settings, browser set to default, even installed and tested Chrome and she still gets redirected.

Wooow....sounds quite a bit nastier than what I've been seeing.

Good luck and keep us posted.

Have you tried renaming TDSS to something like explorer.exe?

I have put it in the startup folder on occasion and sometimes it will run as the operating system is loading......hopefully before it gets blocked.
 
Glad I'm not the only one that noticed that. I had 4 calls today about the same stupid virus. SMART HDD. Luckily it is easy to remove and clean up after but jeez it was odd.
 
The absolute best approach IMO is to boot to a WinPE build and run TDSSKiller from within WinPE. Configure it to only scan Boot Sectors and TDSS File System.
 
I've yet to see a redirect combofix didn't kill.

I've seen it fail to clean some in the past...and this one is added to the list...redirects still happening even after running combofix.
Will see what happens Monday...hopefully MWB or SAS will have updated definitions to deal with this new variant.
 
I've been seeing a lot more lately where, in the same situation, it's a rootkit hidden in a small partition tacked on to the end of the drive that is set to hidden and boot; the last one was only 1 meg large. Used Partition Magic to delete it, grow the main drive over the now unused space and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.
 
I've been seeing a lot more lately where, in the same situation, it's a rootkit hidden in a small partition tacked on to the end of the drive that is set to hidden and boot; the last one was only 1 meg large. Used Partition Magic to delete it, grow the main drive over the now unused space and set the boot flag on the right partition. After this all the tools that wouldn't run work just fine. Hope this might help.
Yeah, Pihar.B is becoming increasingly common these days. I kill it offline with TDSSKiller.

You can also use partitioning software to do it though and then set the System Reserved partition as Active (if it's Windows 7). You have to be careful not to end up here however:

http://triplescomputers.com/blog/?p=81
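The two posts above describe the same tell-tale: a tiny partition appended at the end of the disk that carries the active (boot) flag while the real Windows partition does not. The following Python script is an added example, not code from the thread or from any of the tools named in it. It parses a raw MBR sector, flags a small active partition sitting at the end of the disk and a large partition that has lost its boot flag, and shows how the active flag is moved back to the right partition in a copy of the sector. The MBR bytes are constructed inline so the script runs offline; reading a real drive (for example `\\.\PhysicalDrive0` on Windows, which needs administrator rights) is left to the reader and is not shown here.

```python
import struct

SECTOR = 512
ACTIVE_FLAG = 0x80
TABLE_OFFSET = 446          # partition table starts here in the MBR
ENTRY_FMT = "<B3xB3xII"     # status, CHS(skip), type, CHS(skip), LBA start, sector count

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0:                      # empty slot
            continue
        entries.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries

def flag_suspicious(entries, max_small_bytes=8 * 1024 * 1024):
    """Heuristics matching the thread's description of the bootkit partition.

    - an active partition that is tiny (default: 8 MiB or less) and is the
      last partition on the disk
    - the largest partition (where Windows normally lives) not being active
    """
    findings = []
    if not entries:
        return findings
    last = max(entries, key=lambda e: e["lba_start"])
    largest = max(entries, key=lambda e: e["sectors"])
    for e in entries:
        size = e["sectors"] * SECTOR
        if e["active"] and e is last and size <= max_small_bytes:
            findings.append(
                f"partition {e['index']}: tiny active partition "
                f"({size} bytes, type 0x{e['type']:02x}) at end of disk")
    if not largest["active"]:
        findings.append(
            f"partition {largest['index']}: largest partition is not active")
    return findings

def set_active(mbr: bytes, index: int) -> bytes:
    """Return a copy of the MBR with only partition `index` marked active."""
    buf = bytearray(mbr)
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        if buf[off + 4] == 0:               # type byte 0: empty slot, leave as is
            continue
        buf[off] = ACTIVE_FLAG if i == index else 0x00
    return bytes(buf)

def _entry(active, ptype, lba_start, sectors):
    return struct.pack(ENTRY_FMT, ACTIVE_FLAG if active else 0, ptype, lba_start, sectors)

def constructed_mbr() -> bytes:
    """Constructed sample (not a real capture): a 2,000,000-sector disk with a
    non-active NTFS system partition followed by a 1 MiB hidden active partition
    at the very end, i.e. the layout the thread describes."""
    table = (_entry(False, 0x07, 2048, 1995904)       # Windows, not active
             + _entry(True, 0x17, 1997952, 2048)       # hidden NTFS, 1 MiB, active
             + bytes(32))                               # two empty slots
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

if __name__ == "__main__":
    mbr = constructed_mbr()
    for line in flag_suspicious(parse_mbr(mbr)):
        print("SUSPICIOUS:", line)
    fixed = set_active(mbr, 0)
    print("after moving the boot flag:", flag_suspicious(parse_mbr(fixed)) or "clean")
```

The heuristic only inspects the partition table; it does not read the partition's contents, so treat a hit as a reason to run the offline rootkit scan the thread recommends, not as proof on its own. `set_active` deliberately works on a copy of the sector bytes and never writes to a device.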
 
Tis my rule of thumb also...but one of the rigs I worked on today HAD all updated...Adobe 10, Flash 11, Java 6.31, IE 8.0.

This new variant here is leaving a redirector behind that we've not yet been able to clean off. Within several minutes your browser starts going to affiliate sites instead of what you hoped for. "letmehelpu" is one of them.

I had this exact same thing after removing the initial Security Fortress infection. Multiple root-kit infections left in place. Like you, I tried a lot of rootkit scanners and malware removal tools. Luckily it was an XP machine and combo-fix found and removed the rootkits. I then had to repair the TCP/IP stack manually, and all was good!! I'm not sure what I would've done if it had been a Vista or 7 PC as I think combo-fix doesn't work on these OSs.
 