Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection pushed down to users by Group Policy


  • This topic is locked This topic is locked
4 replies to this topic

#1 michaelkimbrough

michaelkimbrough

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 05 December 2009 - 05:47 PM

Long story. I'm a teacher and part-time network administrator at my school. Our domain controllers (2) still run Wondows server 2000. I noticed two weeks ago that one of them had its antivirus program turned off (McAfee Enterprise 8.5) and I could not get it back on. After some reasearch, I deleted two old registry keys related to a previous Mcaffee install, reinstalled the software and it starts up and updates. I thought that was the end of it. Nowthis week, I'm getting calls from students saying their networked computers are either re-directing when doing Google searches or just not connecting to any web site. I scanned one of the student machines and Malwarebytes identified 7 problems: Hijack.Desktop, Hijack.Display, Hijack.DisplayProperties (twice), Hijack.Regedit, Hijack.Run, Hijack.taskmanager. These are the registry keys identified...they all start with the same thing so I'll only write that part once: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
after that is: Explorer\ForceActiveDesktopOn
ActiveDesktop\NoChangingWallPaper
System\NoDisplayBackgroundPage
System\NoDisplayScreenSaverPage
System\DisableRegistryTools
Explorer\NoRun
System\DisableTaskManager

These registry keys correspond to group policies we use for students to limit their ability to change certain parts of the OS. I then went to the two domain controllers and ran DDS. I've atttached both DDS logs below. RootRepeal will not run on either machine. It starts on the first DC, but freezes and it causes a blue screen on the second DC, so I have no logs from it. DDS1 is from the first DC and DDS2 is from the second. DDS2 is the machine that had the antivirus problem described earlier.

I noticed that I could clean the student computer with Malwarebytes and as long as I logged in as a member of any user group other than a student, it stayed clean. When I log in as a student, it is reinfected. I then deleted the group policy I was applying to students and tried again. Sure enough, no infection. I've scanned both DC's with several online scanners and none report anything abnormal (I know I'm not suppposed to take a server online, but I'm desperate). Any help would be appreciated.

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:40 AM

Posted 19 December 2009 - 04:23 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems just let me know in your next reply or simply post a Hijackthis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 michaelkimbrough

michaelkimbrough
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:40 AM

Posted 21 December 2009 - 07:46 AM

Thanks for the response...I know you all are extremely busy. I got some local help and they feel that the problems Malwarebytes identified could be legitimate group policy changes. Since Malwarebytes is a consumer product they think these may be false positives. We have ordered a new server with Windows 2008 server and plan to create a new domain. I'll set it up as a non-production network and test group policy using the new server and a spare computer or two. If malware bytes flags those group policy changes to the registry too, we will know these were false positives. I think you can close this case now. Merry Christmas to you.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:40 AM

Posted 21 December 2009 - 12:11 PM

Thanks for letting us know.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

With Regards,
Extremeboy

Edited by extremeboy, 21 December 2009 - 12:12 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:40 AM

Posted 21 December 2009 - 12:13 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users