
Windows Police Pro


  • This topic is locked
6 replies to this topic

#1 daltom1965

daltom1965

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 12 October 2009 - 03:39 PM

Well gang, I found a seriously nasty variant of this bad guy. I'm about 100% sure it has rootkit activity. It was on a large school network and came through as a drive-by install. It starts up with the usual "your infected" scare screens and over time morphs into several pop-ups (fake Windows security screens, pop-up balloons warning of impending doom to private info). This signifies there are multiple trojans at work given enough time to spawn. I would love to kill this thing, understanding that it may never be TRULY clean again. I have already replaced the hard drive in the system and would like to "learn" from this infection as I maintain the network mentioned and want to be prepared. I have already eradicated many "fake alerts" like this with major success, but this one seems extremely stealthy and persistent, so before I started the usual techniques I thought I would run it by you folks. My dilemma is this: I cannot, for obvious reasons, just plug this system back in to the network and start uploading logs. Is there a proven method you have developed for sharing logs without moving the infection from the infected system to a known clean workstation? Does this family of trojans jump drives when detecting a file transfer, say to a CD or USB drive? I don't mind plugging in to a broadband connection at home and doing it from there, but I would like to have a "starting" list of utilities you think will be needed. Where should we start? Anyone up to this? I will not be home until after 6pm CDT USA.

daltom1965

Edited by The weatherman, 12 October 2009 - 04:27 PM.
Moved from HJT to a more appropriate forum. Tw




#2 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 12 October 2009 - 04:54 PM

To be more helpful I am preparing a DDS and Root Repeal log to post. I am taking this system home and off the enterprise network. I hope to have the post updated with logs later this evening. Hope someone wants to join the fight!

daltom1985

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:55 PM

Posted 12 October 2009 - 07:20 PM

Hello, when you have that together go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 12 October 2009 - 07:43 PM

I have the logs but am having issues getting them posted. I brought the system home as mentioned but am hesitant to plug into the home network after watching activity offline at work. I have changed my password on my forum account as I intend to plug directly into my cable modem and attempt a connection. If posting requires me to be logged in, this system will keystroke me and compromise my account. More later.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:55 PM

Posted 12 October 2009 - 08:17 PM

Copy it to a disk and then transfer from another PC.

#6 daltom1965

daltom1965
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:55 PM

Posted 12 October 2009 - 08:25 PM

Logs are in the hijack forum. Sorry for the typos! This keyboard needs a lube job!

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:02:55 PM

Posted 12 October 2009 - 10:10 PM

OK, that's good. I merged all your posts into one there.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.