Can't get rid of Tencent!


This topic is locked
23 replies to this topic

#1 Makaiton


Posted 13 October 2008 - 05:45 AM

I am having problems with cleaning up a large amount of computers on a single network. Many of the computers are running on Windows XP (professional), but some are running on Windows 2000.

My problems include time and date settings constantly being changed and inability to fully clean the computer (time and time again I have scanned many of them, and I'm still finding trojans).

I am currently running Avast Antivirus on several (working on getting them all) computers and have used Adaware and Spybot S&D (as well as A Squared).

Help will be forever appreciated!
All good things should be free. Unfortunately, the opposite statement is what holds true most often.

#2 ruby1


Posted 13 October 2008 - 02:45 PM

How many computers are we talking about?

Are they each covered by an antivirus program, or are they all protected by a central antivirus network program?

Stating the obvious, I presume you have disconnected them from the internet and from the network?

#3 Makaiton


Posted 13 October 2008 - 11:26 PM

Fifteen in all. I can't actually disconnect them from the internet or the network, as the whole thing is always in use. I'm focusing on fixing one computer at a time, if I can.

The majority of these computers are still covered by Kaspersky Antivirus, but I'm slowly converting them all over to Avast, seeing as how the status quo doesn't seem to be doing them much good.

Whether or not this is helpful, it seems the computers running on Windows 2000 are the only ones having trouble with the time and date. The computers running on Windows XP still cannot be cleaned completely.

While I know the obvious route is to cut the computers off to each other, I can't honestly do that. Is there another way?

#4 ruby1


Posted 14 October 2008 - 02:45 AM

So they are on a network, but each has its own individual antivirus protection?


Are ALL the computers infected, or is there any machine that is apparently 'clean'?
Is there a specific reason why even some of the comps cannot be disconnected or even turned off, as I think that is what needs to be done to stop further infection and start to do 'clean up' where possible?

You will, I assume, be aware that, if e-mails are being sent from these computers, they will doubtless be infecting the recipients' machine(s)?

One assumes you have the right to BE cleaning these machines?

What I suggest you need to do is to disconnect the network, focus on getting ONE machine clean and work up from that, else I think the comps will probably be infecting each other while networked.

Sounds as though they have not been, shall one say, appropriately maintained, protected and used prior to this 'incident'?

#5 Makaiton


Posted 14 October 2008 - 03:20 AM

Yes, they each have their own individual antivirus, and the network itself has no protection that I can see.

Yes, I do have permission to be cleaning these computers.

As I have not had time (yet) to investigate each machine individually, I do not know for certain. I do think it likely that there is not a clean computer within this network.

Yes, I've assumed that our e-mails are not safe. Unfortunately, against my warnings, people here are determined to use this network as a hub for their e-mails.

I should be able to easily disconnect one computer from the network at a time, and can possibly even get the entire network shut down for twenty-four hours, but probably no longer than that.

I arrived here three weeks ago, and noticed that the computers were running unreasonably slowly and had quirks to them. Apparently, they have been "maintained" by an inexperienced user who was recently appointed to the position to fix the problems. Since I have been able to fix more problems than she has, I've been given permission to do what I can to make things better. I'm not really sure how reliable any of the methods used have been (many of the programs involved are written completely in Mandarin), so all I have to go off of is what I've already found with A Squared and Avast.

Also, I have scanned all the network files with Avast and removed what I found there.

If disconnecting and cleaning one computer at a time can actually help, what's my next step?

#6 ruby1


Posted 14 October 2008 - 02:37 PM

What type of work place is this?
How are the computers networked?
I guess the owner has not yet restricted computer use TO 'work related use only'?

The original 'damage' has been done by seemingly inadequate computer protection and allowing users unmonitored/unrestricted and probably irresponsible access to the computers, but its repercussions and spread need to be stopped.

In reality you have NO idea of how infected any computer is?

Does the employer (owner of the business) have some spare machines (or can get some spare, properly protected machines) so that the present ones can ALL be taken off the system and properly investigated?

If this were in my work environment the system would be taken off line for however long it takes to clean up the mess which has, I guess, arisen from irresponsible use BY employees.

Now that this HAS been identified, I think the employer would be irresponsible if he did NOT allow the system to come off line and start to check each and every computer, one at a time.

Any work stuff needs to be done from a computer known to be clean; really, if none ARE clean, should the employer really be continuing 'business as usual'?

If you can get 'em off line for as long as it takes, we can help you to clean and protect them, one at a time.

Of interest; I have just located this program that your people may be interested in to 'control' and regulate computer and on-line access:

http://www.toplang.com/internetlock.htm

Edited by ruby1, 14 October 2008 - 06:01 PM.


#7 Makaiton


Posted 15 October 2008 - 11:24 AM

I do have an idea of how affected all these computers are, but I'm almost certain that there simply isn't a computer that doesn't actively share files over the network. I'm marginally certain that they don't have any incredibly huge problems, but I do know that whatever it is that is left isn't going away through any of my methods. That's why I'm looking for help from the people I know can help.

Business methodology and ethics aside, I work in a school that is entirely for teaching English. The people who know the details of the network do not speak fluent English, so discovering the details of this all is pretty hopeless. However, after discussing the possible network shutdown with a few higher-ups, it seems that, depending on the actual dangers involved with whatever infections we have, it is likely that I'll be able to isolate all the computers and be able to perform maintenance on them one by one (on my days off, of course).

Problem being, they have no extra computers for me to use. I have nothing clean to start with. On the other hand, I have access to computers outside of the school which I could use as a contact regarding the whole mess.

On the topic of the link, I'm most certainly going to discuss the potential protections of what you have provided me.

Let me know how to start this cleanup (aside from isolating the computers) and I'll let you know when I'll start.

#8 ruby1


Posted 16 October 2008 - 03:20 PM

Ideally the whole network needs to be taken off line for however long the 'clean-up' takes.

But in practice in this situation for various reasons that seems to be impossible.


Other members may have other ideas/plans to suggest...

but, to start you off, I am going to suggest that a way forward for you is to try to get some basic protection in place first on each computer, as this appears to be seriously lacking?

Can you install and fully update a reputable and 'well-known' antivirus program on each? As until each IS properly av protected you have NO program on board TO flag up problems...

Then run full computer scans to see what the basic damage may be and where you need to go from there? If they will let you take the network off for 24 hours, you COULD get each with an antivirus program on it, then fully update each, switch OFF the network, then run full scans on each computer while they are off line and isolated; then you can get some better idea of the task facing you.

What IS of concern is the school's seeming lack OF concern about the state and health of their computers;

They may need to be prepared to have any one computer's OS reinstalled; of interest, one assumes they do not have a contract with a local computer store FOR supplying them with computers and their repair?

Why also do they say the computers remain ON 24 hours a day? Surely this is not necessary?

And to state the hopefully obvious, you will need to ensure that any existing antivirus program is properly uninstalled prior to installing the... erm... new and good one.

I wonder if you will find a computer with multiple antivirus programs on it

Good luck :thumbsup:

#9 Makaiton


Posted 17 October 2008 - 12:01 AM

Okay, so what I'm going to do is simply go through all the computers in the next couple of days and remove the useless av programs and install Avast on them all. After I've got that, should I run Hijackthis and research the logs myself? If there's enough information on the forum for me to use in properly identifying the problem(s), then I could easily get the problem taken care of.

If I wait until I have everything shut down, wouldn't it be that the scan results will probably be the same? Or perhaps your thought is that whatever it is that is plaguing these computers is just jumping ship each time I run a scan? If it is something that simple, then isolating the computers from the network would easily solve the problem.

However, if the problem persists even afterwards, then I most certainly have something I don't currently know how to deal with, and then the entire shutdown of the system really would have been in vain and I would have to convince them (apparently, I'm now competing with the other "expert" in this school) that I can most certainly fix the problem after a second network shutdown.

Ah, this is a mess. Let me know what you think, and I'll get to protecting all these poor computers.

#10 ruby1


Posted 17 October 2008 - 08:24 AM

As I said, others may have a different idea to suggest for this conundrum... but MY suggestion is you need to start by getting them all with a BASIC, properly working and fully updated av program.

Once you have THAT on and scans run in full deep mode, that should give you some idea of the scale of the problem facing you; you might then wish to perhaps select what appears to be the LEAST infected one and throw some other scans at it to get IT back and working properly.

While you are going round them it would be useful to see if the XP ones have, hopefully, SP2 installed on them; my suspicion is they will not have even SP1 installed and therefore are wide open to infections :thumbsup:

Two scans you will doubtless be needing in the cleaning process are Malwarebytes, instructions are http://www.bleepingcomputer.com/forums/ind...st&p=959453

and SUPERAntiSpyware
http://www.bleepingcomputer.com/forums/ind...st&p=959604

I suggest you get the antivirus cover on and see what your predicament looks like; it is quite possible that some of the computers will be irretrievably infected and the only sensible course of action is a complete reformat and reinstallation of the OS.

#11 ruby1


Posted 18 October 2008 - 05:34 AM

Another tip for you; I strongly suggest you empty the Temporary Internet Files folder on the computers as nasties may be hiding in there.

Another small yet 'packs-a-good-punch' program to try is the 'stand-alone' program called Stinger from http://vil.nai.com/vil/averttools.aspx
The LATEST exe version is the one I have linked you to, so it requires NO updating per se.
Its exe is http://download.nai.com/products/mcafee-avert/stinger.exe
This shot shows what tabs are available for the cleaning process:

[screenshot of the Stinger scan options, not reproduced here]

I suggest on Scan Targets, you scan both.

On Virus Detection you, I think, will wish to select 'delete'; and in the Detection I suggest you select everything as you, in reality, have NO idea of what you may find :thumbsup:

Another point came to mind on this; you are working on 15 different computers (or will be); it is, I think, VITAL that you actually label each and every one of them, from simply even one TO fifteen, and note what you have done on each of 'em; you need to keep close tabs ON the work you do so you know exactly what has been done on each and do not end up duplicating the work and missing a computer out of the loop OF cleaning.

Edited by ruby1, 18 October 2008 - 12:42 PM.


#12 Makaiton


Posted 23 October 2008 - 06:09 AM

As it turns out, it seems I've found the root of the infection: an assortment of nine computers open to public use in the school. They are riddled with Win32 trojans and rootkits. I've been installing firewalls to help prevent the spread of the infection, and found that this has at least slowed the deterioration of the network. I've got the okay to take the network down as many days as I need, and everything is moving along slowly but steadily. There are quite a few computers to fix, and I'm not sure I can completely remove all the infections. However, I will feel satisfied with at least preventing information from leaking out of the computers.

#13 ruby1


Posted 23 October 2008 - 07:49 AM

As it turns out, it seems I've found the root of the infection: an assortment of nine computers open to public use in the school. They are riddled with Win32 trojans and rootkits. I've been installing firewalls to help prevent the spread of the infection, and found that this has at least slowed the deterioration of the network. I've got the okay to take the network down as many days as I need, and everything is moving along slowly but steadily. There are quite a few computers to fix, and I'm not sure I can completely remove all the infections. However, I will feel satisfied with at least preventing information from leaking out of the computers.

Thanks for letting us know :thumbsup: Once you get things 'under control', maybe post back, as I am sure the Team can help you to thoroughly clean up :flowers:

#14 Makaiton


Posted 27 October 2008 - 05:47 AM

This Wednesday is when I shut down the network and clean the school throughout. I'm looking forward to tracking the rest of these rogue trojans and trapping them in a corner.

On a side note, is there a program that can monitor or prohibit the installation of new programs and printer use? I feel like there should be a way to do this with Windows XP, but I haven't taken the time to find out if I can do it that easily.

Interestingly enough, I went to download Stinger from its site, and there was also a .rar to download for some reason (the page didn't specify). So, I downloaded it, and Avast suddenly went off telling me that I was downloading a trojan. Know anything about it?

Edit: I was just now informed we have a ghost program on all of these computers. Literally, as I'm sure you know, all I have to do is completely clean two computers and I can carbon copy the good PC onto all the rest.

...thinking now, that seems like way too easy of a fix, doesn't it?

Edited by Makaiton, 27 October 2008 - 07:49 AM.


#15 Makaiton


Posted 29 October 2008 - 03:26 AM

I'm going for the quick fix and seeing how it goes. If I can save time by only needing to completely clean two computers, my employers (I'm a teacher, not an IT) will be all the more pleased.

I plan on following your directions and then following the procedure outlined for a Hijackthis log.

If the Ghost doesn't work as planned, I'll just go ahead with the original plan and shut the network off and work on the computers all at once. Who knows how that will work, though.



