Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown infection [Moved]


  • Please log in to reply
1 reply to this topic

#1 TLG0102

TLG0102

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:36 PM

Posted 13 August 2009 - 10:42 AM

About August 10th, one of our interns let us know that their development laptop appeared to be infected with a virus. We were running McAfee on the laptop at the time; however it was disabled (and subsiquently removed while we tried to update it) by the virus. Initially it was displaying a popup 'Windows Antivirus Pro Remover' ad. We were unable to run any EXE files on the system at that time. I downloaded PC Tools Spyware Dr and renamed it so it would install, and it cleaned up several trojans - Trojan-Clicker.VB, Trojan.FakeAlert, and RogueAntiSpyware.Sysguard. After running multiple scans, it seemed to be clean, and stopped locking up, but still couldn't reload McAfee (screen is blank), or access Windows Update (screen is blank). IE also seemed damaged, so I installed version 8, which allowed IE to start working again (had been using FireFox initially for most of the above downloads - however it isn't supported by windows update or McAfee).

At this point I loaded Sophos to scan for rootkits, and it found UAC and SKYNET, which it removed. Some research seemed to indicate that it was operating similarly to the Roodkit.d variant. Still had problems though accessing windows update and McAfee. v4.windowsupdate.microsoft.com not blocked (no blank screen), but it appeared to be blocked from attempting to download the signed ActiveX control.

I was then able to download Malwarebytes and run it. It indicated that Rootkit.TDSS was on the system, and removed it. After that Malwarebytes gave the system a clean bill of health, but still can't run Java applications, or access certain sites. I then loaded autopatcher to download any missing updates to the OS. After that I re-ran Mawarebytes, which still says we are clean - however we still seem to be actively blocked from accessing certain sites. Not sure if this an unknown active infection, or remnants of some of the virus' that have gone through the machine. Let me know if you have any suggestions.

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,959 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:36 PM

Posted 13 August 2009 - 02:51 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users