J
jccrcomputers
Guest
...
Last edited by a moderator:
MM PC Solutions
Member
- Reaction score
- 11
- Location
- Essex. UK
A couple of bits you may/may not have done:
Reset Internet settings
Reset the host file
Ran combofix
Check with Autoruns for any loose ends?
Reset Internet settings
Reset the host file
Ran combofix
Check with Autoruns for any loose ends?
G
gazza
Guest
In hindsight you should have got them to show you what they were actually doing when the infection hit while you were onsite. What customers say and do can be two different things as I am sure you know.
I would hit with combofix/tdsskiller while you have it in your workshop and also consider looking at the hosts file and browser plugins for any discrepancies.
Who is actually using the family computer when the infection hits? Might be time for OpenDns if they have teenagers.
I would hit with combofix/tdsskiller while you have it in your workshop and also consider looking at the hosts file and browser plugins for any discrepancies.
Who is actually using the family computer when the infection hits? Might be time for OpenDns if they have teenagers.
Xander
Banned
- Reaction score
- 66
- Location
- Niagara region, Ontario
" The customer says he is only going on Windows Live Hotmail and Word documents, which seems to be true when I looked at his history etc."
Have you compared the timestamp of the virus file with the history? Are you looking at the history in the browser or a 3rd party tool like Nirsoft's IEHV?
Have you compared the timestamp of the virus file with the history? Are you looking at the history in the browser or a 3rd party tool like Nirsoft's IEHV?
atlanticjim
Well-Known Member
- Reaction score
- 36
- Location
- Long Island, New York
I cleaned one of these last week, and I found a TDSS rootkit as well. Now I cannot say that they are related but that the infections did happen simultaneously. I used rkill, MBAM, TDSSkiller and HitManPro to clean it up.
As always, BleepingComputer.com is an excellent resource for battling infections. I would suggest you visit there as well for the list of the affected files.
As always, BleepingComputer.com is an excellent resource for battling infections. I would suggest you visit there as well for the list of the affected files.
atlanticjim
Well-Known Member
- Reaction score
- 36
- Location
- Long Island, New York
This is a very good point and I have been seeing more of these lately. "Is there any infected external device" should be a question in our diagnosis.
I am not familiar with Avira, but shouldn't it be scanning any attached devices?
cyabro
Well-Known Member
- Reaction score
- 420
- Location
- New Zealand
I had a similar thing this last week too.
Removed the same malware but the very next day it was back.
When I checked the host file manually it all looked ok, just the usual localhost line.
However when I ran hijackthis it picked up a whole heap of google redirects to the same two ip addresses.
On checking the host file again there were actually a whole lot of extra lines in there but it was like the font was wrong and you couldn't actually read the text so it looked like there was actually nothing extra in the file. The file size was 4kb and after deleting these extra lines, of what looked like nothing, the file size dropped to 1kb and hijackthis scan confirmed no more google redirects.
Removed the same malware but the very next day it was back.
When I checked the host file manually it all looked ok, just the usual localhost line.
However when I ran hijackthis it picked up a whole heap of google redirects to the same two ip addresses.
On checking the host file again there were actually a whole lot of extra lines in there but it was like the font was wrong and you couldn't actually read the text so it looked like there was actually nothing extra in the file. The file size was 4kb and after deleting these extra lines, of what looked like nothing, the file size dropped to 1kb and hijackthis scan confirmed no more google redirects.
RichmondTech
Member
- Reaction score
- 6
- Location
- Richmond, VA
Great suggestions listed here. I would also add that when customers say "I've only been to x site" that's typically not the case. Maybe SandboxIE would be good for this client? I have a few of mine using it since they were infected and haven't heard a peep about it since.
joydivision
Well-Known Member
- Reaction score
- 58
- Location
- Manchester, UK
Do an offline scan with Kaspersky.
Rewrite the MBR just in case, did you say you have used SFC?
I would also replace Java if that is installed.
Also as already pointed out ask if he is using any USB sticks.
Rewrite the MBR just in case, did you say you have used SFC?
I would also replace Java if that is installed.
Also as already pointed out ask if he is using any USB sticks.
OldSchoolPC
New Member
- Reaction score
- 4
- Location
- East Greenville PA
A lot of great suggestions. Also try AVG Rescue CD. Download and scan those office documents that he is talking about, it's odd the that particular virus to just pot up like that. Usually it show up when windows boots, save for right when you download it. If clients has a static IP, see if you can change it. That's all I got beyond what others have said.
MobileTechie
Well-Known Member
- Reaction score
- 32
- Location
- UK
I wouldn't want to imply you've missed anything but of course any of us can miss something we've not seen before, or is a new variant.
Definitely agree that an offline scan with Kaspersky would be a good idea to rule out some kind of sneaky rootkit / bootkit.
I'd have a look at scheduled tasks. Some viruses put a task in to re-download the virus daily.
I would have them replace their antivirus with Kaspersky Internet Security which seems to do a much better job than most stopping these things.
Might be worth installing SandboxIE as suggested and training them how to use it. A.t least then you could rule out or rule in web based infections.
Definitely agree that an offline scan with Kaspersky would be a good idea to rule out some kind of sneaky rootkit / bootkit.
I'd have a look at scheduled tasks. Some viruses put a task in to re-download the virus daily.
I would have them replace their antivirus with Kaspersky Internet Security which seems to do a much better job than most stopping these things.
Might be worth installing SandboxIE as suggested and training them how to use it. A.t least then you could rule out or rule in web based infections.
johnrobert
Well-Known Member
- Reaction score
- 260
- Location
- Vancouver BC
When I see this virus or any one of these Russian fake anti viruses
The first thing I do is a system restore to at least a week before it happened
This completely replaces the registry
seems to me the most logical thing to do
Then I run Malwarebytes, look in msconfig etc.
Google the specific antivirus to see if I missed anything
I have done hundreds and never been called back
I thing in your case the family is reinfecting the computer
The first thing I do is a system restore to at least a week before it happened
This completely replaces the registry
seems to me the most logical thing to do
Then I run Malwarebytes, look in msconfig etc.
Google the specific antivirus to see if I missed anything
I have done hundreds and never been called back
I thing in your case the family is reinfecting the computer
- Reaction score
- 84
- Location
- East Coast, NC (USA)
One N&P for free, nothing for free after that.
For home users my warranty on a virus removal is you get 30 days, and if it comes back with a virus I'll N&P for free, after explaining to the client the general idea of why it is unquestionably their fault if I do the N&P and they get reinfected yet again.
I just find that a lot easier than tracking the infection times and trying to prove to an end user that they reinfected themselves; often they want to dispute that. I can backup data and N&P in the time it takes to deal with some clients in that situation.
So if the client agrees to a free N&P, it's on, and I put them on priority service and get to it, no questions asked. They feel more guaranteed they won't get reinfected (after explaining the process to them), and I get them out of my hair quick, plus if they come back yet again, I get paid again, and without any complaint or objection because they understand they did it to themselves. Everyone is happy.
If the client does NOT agree to an N&P, then they usually get charged for the removal again, but we check it in as "warranty" and explain to them that if we track down the infection times and prove otherwise, they will be charged again.
For a business or a setup where I wouldn't want to N&P for any reason, yeah I'll do the removal again under warranty if I have to. I just hate it when that backfires and they blame YOU for the reinfections when it's their fault. But in your case, you've got a home user, right? N&P already.
For home users my warranty on a virus removal is you get 30 days, and if it comes back with a virus I'll N&P for free, after explaining to the client the general idea of why it is unquestionably their fault if I do the N&P and they get reinfected yet again.
I just find that a lot easier than tracking the infection times and trying to prove to an end user that they reinfected themselves; often they want to dispute that. I can backup data and N&P in the time it takes to deal with some clients in that situation.
So if the client agrees to a free N&P, it's on, and I put them on priority service and get to it, no questions asked. They feel more guaranteed they won't get reinfected (after explaining the process to them), and I get them out of my hair quick, plus if they come back yet again, I get paid again, and without any complaint or objection because they understand they did it to themselves. Everyone is happy.
If the client does NOT agree to an N&P, then they usually get charged for the removal again, but we check it in as "warranty" and explain to them that if we track down the infection times and prove otherwise, they will be charged again.
For a business or a setup where I wouldn't want to N&P for any reason, yeah I'll do the removal again under warranty if I have to. I just hate it when that backfires and they blame YOU for the reinfections when it's their fault. But in your case, you've got a home user, right? N&P already.
- Reaction score
- 3,485
- Location
- Manchester UK
Rather than hijack this, I would look into OTL by old timer. It is a far more thorough scanner and repairer than hjt. It also finds a lot more than hjt.
If your uncomfortable with the otl log, then post it up here, and I am sure one of us would be able to help you with it.
Also update flash players, java.
If your uncomfortable with the otl log, then post it up here, and I am sure one of us would be able to help you with it.
Also update flash players, java.
TLDR Version:
Have you checked Qualys Browsercheck to stop reinfection through insecure Browser plugins. No matter how well you clean it, if you don't block the access point it will come back.
Long Version:
I have repaired 7 of these from different computers in the last week.
Most of the people that had it, said one of the last things they had done was go to Hotmail.
The ones that denied being on Hotmail, their logs confirmed that they had been on Hotmail minutes before the infection had struck.
My notes from this week about the infections are the following.
- 100% of all users where on Hotmail within 5 minutes of the infection being created in the application data folder.
- All users where using Internet Explorer, although the version varied (6, 7 and 8) All versions were patched to the latest security updates possible for their version.
- All machines were XP.
- Most machines had out of date Java but not all.
- All Machines had out of date versions of Flash. Dating back before 10.3
From these statements, my diagnosis of the entry point was most likely to be a drive by attempt with Flash/Java imbedded into a banner on Hotmail. I don't believe the browser would have made much difference, although Chromes Sandbox and Firefox with no-script installed could have blocked the infection.
I would also suspect that it is a variant / follows the same principle of the blackhole exploit kit.
I would post the additional reading on it but as being under 15 post, i cant post URLS.
But basically it will forward the user silently onto a page to determine what vulnerabilities are on the machine before directing them to another page to take advantage of what it finds. All this without any user interaction or other signs.
Qualys Browsercheck should be used to find insecure browser plugins, and the customers need to told to not hide those Java, Reader and Flash updates when in future the programs want to update.
Have you checked Qualys Browsercheck to stop reinfection through insecure Browser plugins. No matter how well you clean it, if you don't block the access point it will come back.
Long Version:
I have repaired 7 of these from different computers in the last week.
Most of the people that had it, said one of the last things they had done was go to Hotmail.
The ones that denied being on Hotmail, their logs confirmed that they had been on Hotmail minutes before the infection had struck.
My notes from this week about the infections are the following.
- 100% of all users where on Hotmail within 5 minutes of the infection being created in the application data folder.
- All users where using Internet Explorer, although the version varied (6, 7 and 8) All versions were patched to the latest security updates possible for their version.
- All machines were XP.
- Most machines had out of date Java but not all.
- All Machines had out of date versions of Flash. Dating back before 10.3
From these statements, my diagnosis of the entry point was most likely to be a drive by attempt with Flash/Java imbedded into a banner on Hotmail. I don't believe the browser would have made much difference, although Chromes Sandbox and Firefox with no-script installed could have blocked the infection.
I would also suspect that it is a variant / follows the same principle of the blackhole exploit kit.
I would post the additional reading on it but as being under 15 post, i cant post URLS.
But basically it will forward the user silently onto a page to determine what vulnerabilities are on the machine before directing them to another page to take advantage of what it finds. All this without any user interaction or other signs.
Qualys Browsercheck should be used to find insecure browser plugins, and the customers need to told to not hide those Java, Reader and Flash updates when in future the programs want to update.
Last edited:
allanc
Well-Known Member
- Reaction score
- 387
- Location
- Toronto, Ontario, Canada
A very clever infection, indeed.
Martyn
Well-Known Member
- Reaction score
- 116
- Location
- Bedfordshire UK
The date stamp should have shown it had been changed as well I would have thought. That is something I check as well.
wtigger
Member
- Reaction score
- 0
- Location
- Central MA
System Restore is the first thing that is corrupted (that I've seen) in most malware infections... Not a reliable fix most of the time...
