Windows XP hijack

Started by Hans Manhave, October 05, 2011, 03:53:16 PM


Hans Manhave

A friend's business has a machine hijacked by XP anti spyware or something.  I searched for how to remove in the files here, but cannot find all the references I thought there were.

I threw MalwareBytes at it.  SuperAntiSpyware.  ClamAV.  Ran the program that unhides all the desktop icons (that worked too).

Ran all that in safe mode with networking.  When rebooting in regular Windows mode, it is immediately invaded again.

What step(s) am I missing?

Should I just pull the drive and attach it to a clean system to scan from there?
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Download and run "autoruns" to see what is really happening.  Check for Browser Helper Objects, but more importantly, check for entries in the "run on startup" area of the registry.  My guess is that you are re-infecting yourself immediately because it is going out to the internet and downloading more stuff.  Also clean out the temp files.  A lot of stuff hides in the temp files and reloads from there.  Try that, and then run MalwareBytes again a couple of times to make sure it is clear.  My guess is that the temp files are the source of your reinfection.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop
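A defender-side triage of the "run on startup" entries Jeff describes, as an added example that is not part of any post in this thread. It parses a constructed export of the per-user Run key (the value names and paths are made up) and flags entries that launch from a temp folder, the re-infection pattern the post points at; as an extra assumption it also flags the per-user Application Data folder, so the output is a list to look at, not a verdict.

```python
import re

# Constructed sample of a "reg export" of the per-user Run key, the same list
# autoruns shows under Logon. All three entries are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"XP Anti-Spyware"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\abc123.exe\""
"Updater"="C:\\Documents and Settings\\user\\Application Data\\upd.exe /silent"
'''

# Folders a legitimate startup program rarely runs from (assumption for triage).
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\",
                   "\\application data\\")


def parse_run_entries(reg_text):
    """Return {value_name: command line} for string values under a ...\\Run key."""
    entries = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.lower().endswith("\\run]")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            # .reg exports escape quotes as \" and backslashes as \\
            command = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries[m.group(1)] = command
    return entries


def launch_path(command):
    """Executable part of a Run value: the quoted path, or the first token ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def flag_suspicious(entries):
    """Names of Run entries whose executable lives in one of SUSPICIOUS_DIRS."""
    flagged = []
    for name, command in entries.items():
        path = launch_path(command).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_REG)
    for name in flag_suspicious(found):
        print("review:", name, "->", launch_path(found[name]))
```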

Hans Manhave

Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Quote from: HMan on October 05, 2011, 04:52:15 PM
Thank you.

Does the 'unplug & connect to clean machine' work for this too?  Or does that process lock the user folders from access & cleaning?  There is no password on the users.  Not part of a domain.

If you're speaking of unplugging the hard drive and using a USB drive connection to connect the infected drive to a clean computer, I would highly recommend that.  It will detect the malware files, and also clean the registry of the infected drive, if I'm not mistaken.  In explorer, just find the infected drive, right click on that drive and choose the option to scan that drive using MalwareBytes.   This is the method that I prefer.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Hans Manhave

I used RKill.  It found nothing.  Used unhide.exe to unhide or undelete all the desktop icons and programs that it messed with.  Unhide had to be named iexplore.exe to work, lol. 

Then I went back to the office and someone else was called in to handle it.  All that appears to be remaining is that sound files are being played randomly.  Not known how to fix that.

It was impossible to load the task manager during this fight.  No mouse click or ctrl-shift-esc etc combo would let it come up.

It is now out of my hands, I appreciate the input.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of windows "events" that are happening.  Going into control panel and checking the sounds area (or whatever it's called) should give some answers.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

Quote from: Jeff Zylstra on October 06, 2011, 10:47:27 AM
No problem.  I hate malware with a passion and I'm always glad to help if I can.  The sounds are probably being played because of windows "events" that are happening.  Going into control panel and checking the sounds area (or whatever it's called) should give some answers.

I found quite a few web references to hijack sound files.  Forwarded all I knew and learned to the friend.  Seems like the autoruns utility should be able to locate the offending progs and the user could then disable them.  Will see what happens.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Billy Welsh

You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/
Billy Welsh
VP of Accounting
CableSouth Media, LLC dba SwyftConnect

Jeff Zylstra

Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jan Regnier on October 05, 2011, 05:26:40 PM
Hans...I think this is the bad thing that you cannot "X" out of the screen when it shows up. 
Had to go to Task Manager and delete the IExplorer (if that is what's being used). Run the Malwarebytes etc, restart and then deleted history, temp files etc from the browser.

I also had to add a file back that was needed in the registry - Robin pointed me to "bleepingcomputer.com" for the file.  Used a file called FixNCR.reg and RKill.

I attached the doc I put together after we got this....Maybe it will work...or not....but worth a try.
Oh this happened to our pc laptop right before we got our mac.  We never fully fixed the problem.  i am going to try this.  My hubby will be much happier if "his" laptop is back to normal.
Trisha Ours, CISR

Jeff Zylstra

Hey Trisha, try BleepingComputer.Com.  It's a forum dedicated to fixing malware on PCs, and you will find tons of help there.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

TrishaOurs

Quote from: Jeff Zylstra on October 11, 2011, 03:18:40 PM
Hey Trisha, try BleepingComputer.Com.  It's a forum dedicated to fixing malware on PCs, and you will find tons of help there.

Thanks!   :D
Trisha Ours, CISR

Robin Deatherage

I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

Quote from: Mark on October 11, 2011, 04:34:40 PM
Quote from: Robin Deatherage on October 11, 2011, 04:32:01 PM
I saw a new variation of a fake anti-virus infection last week.  It took some time but I finally got rid of it by running combofix and malwarebytes in safe mode then ran them both again in normal boot up.

How are people getting this stuff these days?  I must just be lucky here.
Well the user who got this infection claimed she was trying to go to a grocery store website to get the phone number of the bakery and then "all of a sudden" strange things started happening.  My guess is she typed it incorrectly and then clicked on something she shouldn't have.  You probably have things locked down tighter than I do or your users are more careful than mine. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on October 12, 2011, 08:44:30 AM
You probably have things locked down tighter than I do or your users are more careful than mine.

I do use a layered approach -- meaning I'm not just using one thing to protect me.  Do you at least use the free version of OpenDNS as your DNS forwarders?  I think that helps a little.  The paid version would probably help a lot, lol.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx
Billy Welsh
VP of Accounting
CableSouth Media, LLC dba SwyftConnect

Jeff Zylstra

Quote from: Billy Welsh on October 13, 2011, 09:47:46 AM
Quote from: Jeff Zylstra on October 07, 2011, 03:34:22 PM
Quote from: Billy Welsh on October 07, 2011, 02:53:53 PM
You guys need to offer your services out of patriotism...

http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/

Haven't these guys heard of drive imaging?  If these are closed loop systems that don't do anything but operate the drones, I would think that they could re-image these drives since all of them should be the same.

SCARY - Apparently they did not do a very good job of physically securing this network.  While they say it did not affect operations, it sure could have.  And some of these puppies are carrying missiles!

http://www.myfoxny.com/dpp/news/military-computer-virus-wasnt-directed-at-drones-20111012-apx

I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Quote from: Jeff Zylstra on October 13, 2011, 10:10:51 AM
I'm guessing that some dude plugged his memory stick into an unhealthy playstation and infected the whole network.   I hope they keep investigating this.

They were operating against policy and using removable drives to transport video and other data between machines.  They probably did use imaging once they finally decided to rebuild everything.  In fact, I bet that they WERE using imaging but the image they were using was infected, so they had to break down and build a new one.

Base images are awesome to have.  Creating them though, is at the bottom of my fun list.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Agreed, Mark.  I never go through the hassle of automating the new image.  I've found it much easier to just go through all of the Windows new installation questions than to program everything to automatically fill in domain names, etc....

I thought that I read somewhere that this was the proscribed method of transporting and sharing surveillance and reconnaissance videos.  If that were the case, you'd think that something like an Iron Stick would be used, and that the auto run features would be disabled along with registry hacks to block auto runs.  If I know about that stuff, you'd think that they would know about it too!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: Mark on October 13, 2011, 12:20:28 PM
I was actually picturing removable drive bays.  Not sure why, but that's just what I pictured.  Basically, where the whole hard drive slides out and the user essentially takes their computer with them.

It's almost like virtual desktops, the sneaker net way. lol  But who knows, maybe it was just a WD Passport.

I'm sure that we will never know since how they do things going forward will probably be more classified, if it isn't already.  Hopefully this will bring about change.  I'd hate to see a Predator missile fly over my house headed for Wisconsin.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Lance Bateman

The "fun" part - apparently the video from the drones is not secured, can be captured with a $23 piece of equipment!  Ah me, the joys of not having experts set this up.  When they worked on setting up the Navy/Marine Corp Intranet - of course it was lowest bid, and even then Congress delayed funding so long most of the initially hired staff (I was one) found other work.

Per Marines I've talked to (many), it still doesn't work well.

Bob

That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

Jim Jensen

Quote from: Bob Connor on October 14, 2011, 11:13:12 AM
That was 2 years ago Lance.  Since then it's been encrypted after being embarrassed by militants picking up the video feed.  :)

I just heard the other day that they are still getting the new equipment spread all around and that there are still unsecured signals until they replace every transmitter and receiver. I have no corroborating info to validate, but have no reason to question it, either.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Lance Bateman

Jim's got the current status - still in the process of updating things, and they still haven't removed the malware fully - in fact they are trying to work around it right now.

The NMCI project - well, I think it's basically 9 years behind so far???

Bob

Talking two different issues..  Malware that got on drones (which had no impact other than embarrassment) recent news and militants using simple child monitors and catching video stream which is old news.

I get my military news email almost daily..  Full of stories before they hit the press.  Next one I get I'll share the link.  Interesting stories from around the world and video clips that will keep you visiting.  :)

That said I do believe in what Jim said that not completely done yet but I suspect the ones in use today sure are.  :)

Donna Syroid

So friends, back to one of the questions.  How are these viruses getting into our systems?  One thing mentioned is that someone accidentally typed the wrong URL.  What are some other ways?  What about a marketing rep putting their USB disk in our machine to open something.  The same one that he just took from another agency office.  Is there a list of things to avoid that we can give to our users?

Lance Bateman

1. Don't allow anything that has been used outside (pc, drives, etc.) to be hooked in to the system without first being scanned by AV.

2. Be sure you have something blocking suspect sites you don't want.

3. Caution all that if they get a site that doesn't look like what they want, back out and make sure they put in the address correctly.  For instance, Denny's has one for a customer survey they are doing at www.dennyslistens.com, but if you put in www.dennylistens.com instead you get a whole different site.
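A small check for the mistyped-address problem in Lance's third point, as an added example that is not part of his post: it compares a visited host name against a short list of domains the office expects to use (the list, the "www." stripping and the two-edit threshold are assumptions) and reports near misses such as dennylistens.com for dennyslistens.com. The same comparison works for any look-alike that differs by a dropped, added or swapped character.

```python
def edit_distance(a, b):
    """Levenshtein distance: number of single-character inserts, deletes and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_host(host):
    """Lower-case the host and drop a leading 'www.' so the comparison is on the domain."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_lookalike(host, expected, max_distance=2):
    """Return (verdict, closest expected domain).

    'ok'        - host is exactly one of the expected domains
    'lookalike' - host is within max_distance edits of one (probable typo or squat)
    'unknown'   - host is not close to anything on the list
    """
    name = normalize_host(host)
    best, best_d = None, None
    for domain in expected:
        d = edit_distance(name, normalize_host(domain))
        if best_d is None or d < best_d:
            best, best_d = domain, d
    if best_d == 0:
        return "ok", best
    if best_d is not None and best_d <= max_distance:
        return "lookalike", best
    return "unknown", best


# Constructed list of domains this office expects its users to visit.
EXPECTED_DOMAINS = ["www.dennyslistens.com", "bleepingcomputer.com"]

if __name__ == "__main__":
    for visited in ["www.dennylistens.com", "dennyslistens.com", "example.org"]:
        print(visited, "->", check_lookalike(visited, EXPECTED_DOMAINS))
```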

Jeff Zylstra

Gateway anti-virus and content filtering on a firewall is a good start, and then combine that with OpenDNS to further control sites that are visited.  We use Sophos anti-virus, and it has a "whitelist" for applications.  Only those programs that are allowed to run on a machine can execute on that machine.  So if FAKEANTIVIRUS.EXE gets downloaded from a compromised or malicious website, it will not be allowed to execute.  It also stops users from downloading and installing and/or running games.   

To further answer your original question, some legitimate websites get compromised or redirected to bad sites.  You can either click on a malicious link in an e-mail, or visit a legitimate site which has been compromised using cross site scripting or other means.  Many websites display content from other sites in boxes on their web page.  For instance, many of the advertisements on MSN.Com do not reside on their servers.  Other websites display these ads from servers that are somewhere else.  When one of these many servers gets compromised, you get compromised.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bob

Stay up to date on windows updates and other apps and use common sense.

Without some updates you exploit yourself just visiting a website at times.    Common sense well, Free is not Free, I didn't ask for this attachment, My mom never says Dude so why should I click on link, only my IT department will tell me my computer is slow or infected and stick to your objective..  Don't let pop ups draw your attention or click. 

Intimidation works on those with no common sense.    :o ;)
Jim Jensen

Web searches can get to one quickly too. Performing a legitimate search, perhaps on a client or prospect or other legit reason and land on a bad page - sometimes the URL can tip you off that it's not the page you probably want, but not always. Lord knows that searching for music is a quick way to get one.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis