Windows XP hijack

Started by Hans Manhave, October 05, 2011, 03:53:16 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Hans Manhave

A friend's business has a machine hijacked by XP anti spyware or something.  I searched for how to remove in the files here, but cannot find all the references I thought there were.

I threw MalwareBytes at it.  SuperAntiSpyware.  ClamAV.  Ran the program the unhides all the desktop icons (that worked too). 

Ran all that in safe mode with networking.  When rebooting in regular Windows mode, it is immediately invaded again.

What step(s) am I missing?

Should I just pull the drive and attach it to a clean system to scan from there?
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Download and run "autoruns" to see what is really happening.  Check for Browser Helper Objects, but more importantly, check for entries in the "run on startup" area of the registry.  My guess is that you are re-infecting yourself immediately because it is going out to the internet and downloading more stuff.  Also clean out the temp files.  A lot of stuff hides in the temp files and reloads from there.  Try that, and then run MalwareBytes again a couple of times to make sure it is clear.  My guess is that the temp files are the source of your reinfection.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Quote from: HMan on October 05, 2011, 04:52:15 PM
Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.

If you're speaking of unplugging the hard drive and using a USB drive connection to connect the infected drive to a clean computer, I would highly recommend that.  It will detect the malware files, and also clean the registry of the infected drive, if I'm not mistaken.  In explorer, just find the infected drive, right click on that drive and choose the option to scan that drive using MalwareBytes.   This is the method that I prefer.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

#4
Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Hans Manhave

#5
I used RKill.  It found nothing.  Used unhide.exe to unhide or undelete all the desktop icons and programs that it messed with.  Unhide had to be named iexplore.exe to work, lol. 

Then I went back to the office and someone else was called in to handle it.  All that appears to be remaining is that sound files are being played randomly.  Not known how to fix that.

It was impossible to load the task manager during this fight.  No mouse click or ctrl-shift-esc etc combo would let it come up.

It is now out of my hands, I appreciate the input.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of windows "events" that are happening.  Going into control panel and checking the sounds area (or whatever it's called) should give some answers.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

Quote from: Jeff Zylstra on October 06, 2011, 10:47:27 AM
No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of windows "events" that are happening.  Going into control panel and checking the sounds area (or whatever it's called) should give some answers.

I found quite a few web references to hijack sound files.  Forwarded all I knew and learned to the friend.  Seems like the autoruns utility should be able to locate the offending progs and the user could then disable them.  Will see what happens.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Billy Welsh

Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jan Regnier on October 05, 2011, 05:26:40 PM
Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.


Oh this happened to our pc laptop right before we got our mac.  We never fully fixed the problem.  i am going to try this.  My hubby will be much happier if "his" laptop is back to normal.
Trisha Ours, CISR

Jeff Zylstra

Hey Trisha, try BleepingComputer.Com.  It's a forum dedicated to the fixing malware on PCs, and you will find tons of help there.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jeff Zylstra on October 11, 2011, 03:18:40 PM
Hey Trisha, try BleepingComputer.Com.  It's a forum dedicated to the fixing malware on PCs, and you will find tons of help there.

Thanks!   :D
Trisha Ours, CISR

Robin Deatherage

I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

Quote from: Mark on October 11, 2011, 04:34:40 PM
Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Well the user who got this infection claimed she was trying to go to a grocery store website to get the phone number of the bakery and then "all of a sudden" strange things started happening.  My guess is she typed it incorrectly and then clicked on something she shouldn't have.  You probably have things locked down tighter than I do or your users are more careful than mine. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 12, 2011, 08:44:30 AM
You probably have things locked down tighter than I do or your users are more careful than mine.

I do use a layered approach -- meaning I'm not just using one thing to protect me.  Do you at least use the free version of OpenDNS as your DNS forwarders?  I think that helps a little.  the paid version woudl probably help a lot, lol.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx
Billy Welsh
Director of Accounting
LCMC Health

Jeff Zylstra

Quote from: Billy Welsh on October 13, 2011, 09:47:46 AM
Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx

I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Quote from: Jeff Zylstra on October 13, 2011, 10:10:51 AM
I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this.

They were operating against policy and using removable drives to transport video and other data between machines.  They probably did use imaging once they finally decided to rebuild everything.  In fact, I bet that they WERE using imaging but the image they were using was infected, so they had to break down and build a new one.

Base images are awesome to have.  Creating them though, is at the bottom of my fun list.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Agreed, Mark.  I never go through the hassle of automating the new image.  I've found it much easier to just go through all of the Windows new installation questions than to program everything to automatically fill in domain names, etc....

I thought that I read somewhere that this was the proscribed method of transporting and sharing surveillance and reconnaissance videos.  If that were the case, you'd think that something like an Iron Stick would be used, and that the auto run features would be disabled along with registry hacks to block auto runs.  If I know about that stuff, you'd think that they would know about it too!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on October 13, 2011, 12:20:28 PM
I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.

I'm sure that we will never know since how they do things going forward will probably be more classified, if it isn't already.  Hopefully this will bring about change.  I'd hate to see a Predator missile fly over my house headed for Wisconsin.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

The "fun" part - apparently the video from the drones is not secured, can be captured with a $23 piece of equipment!  Ah me, the joys of not having experts set this up.  When they worked on setting up the Navy/Marine Corp Intranet - of course it was lowest bid, and even then Congress delayed funding so long most of the initially hired staff (I was one) found other work.

Per Marines I've talked to (many), it still doesn't work well.

Bob

That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

Jim Jensen

Quote from: Bob Connor on October 14, 2011, 11:13:12 AM
That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

I just heard the other day that they are still getting the new equipment spread all around and that there are still unsecured signals until they replace every transmitter and receiver. I have no corroborating info to validate, but have no reason to question it, either.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Lance Bateman

Jim's got the current status - still in the process of updating things, and they still haven't removed the malware fully - in fact they are trying to work around it right now.

The NMCI project - well, I think it's basically 9 years behind so far???

Bob

Talking two different issues..  Malware that got on drones (which had no impact other than embarrassment) recent news and militants using simple child monitors and catching video stream which is old news.

I get my military news email almost daily..  Full of stories before they hit the press.  Next one I get I'll share the link.  Interesting stories from around the world and video clips that will keep you visiting.  :)

That said I do believe in what Jim said that not completely done yet but I suspect the ones in use today sure are.  :)

Donna Syroid

So friends back to one of the questions.  How are these virsus getting into our systems.  One thing mentioned is that someone accidently typed the wrong url.  What are some other ways?  What about a marketing rep putting their USB disk in our machine to open something.  The same one that he just took from another agency office.  Is there a list of things to avoid that we can give to our users?

Lance Bateman

1. Don't allow anything that has been used outside (pc, drives, etc.) to be hooked in to the system without first being scanned by AV.

2. Be sure you have something blocking suspect sites you don't want.

3. Caution all that if they get a site that doesn't look like what they want, back out and make sure they put in the address correctly.  For instance, Denny's has one for a customer survey they are doing at www.dennyslistens.com, but if you put in www.dennylistens.com instead you get a whole different site.

Jeff Zylstra

Gateway anti-virus and content filtering on a firewall is a good start, and then combine that with OpenDNS to further control sites that are visited.  We use Sophos anti-virus, and it has a "whitelist" for applications.  Only those programs that are allowed to run on a machine can execute on that machine.  So if FAKEANTIVIRUS.EXE gets downloaded from a compromised or malicious website, it will not be allowed to execute.  It also stops users from downloading and installing and/or running games.   

To further answer your original question, some legitimate websites get compromised or redirected to bad sites.  You can either click on a malicious link in an e-mail, or visit a legitimate site which has been compromised using cross site scripting or other means.  Many websites display content from other sites in boxes on their web page.  For instance, many of the advertisements on MSN.Com do not reside on their servers.  Other websites display these ads from servers that are somewhere else.  When one of these many servers gets compromised, you get compromised.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bob

Stay up to date on windows updates and other apps and use common sense.

Without some updates you exploit yourself just visiting a website at times.    Common sense well, Free is not Free, I didn't ask for this attachment, My mom never says Dude so why should I click on link, only my IT department will tell me my computer is slow or infected and stick to your objective..  Don't let pop ups draw your attention or click. 

Intimidation works on those with no common sense.    :o ;)


Jim Jensen

Web searches can get to one quickly too. Performing a legitimate search, perhaps on a client or prospect or other legit reason and land on a bad page - sometimes the URL can tip you off that it's not the page you probably want, but not always. Lord knows that searching for music is a quick way to get one.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis