some kind of sneaky malware


6 replies to this topic

#1 hopacIT (Members, 5 posts)

Posted 19 January 2010 - 08:20 AM

We are a school with somewhere around 60 computers and hundreds of users. We've had some kind of malware infection for the last couple of weeks that we can't seem to get rid of. We believe it is mostly floating about on flash drives, but it is probably going around via the network as well. Here are a few facts.

We run Sophos on every machine that updates via server proxy daily. (this hasn't been updating properly, but is no older than a week)

We've run Malwarebytes with the most current definitions many times on almost all the computers.

We've also run SuperAntiSpyware many times with updated definitions.

Some evidence of the virus is: flash drives automatically have shortcuts to the following folders: documents, music, pictures, etc., along with a text file with a target on the flash drive to some file that doesn't exist, usually something like J:/siouqi.scr

Mostly, flash drives aren't able to eject properly; they show up weird in My Computer, sometimes as folders instead of drives.

We think it's affecting internet speed somehow, but we aren't savvy enough with network monitors to tell for sure.

I'm not sure how else to describe it, but I'm happy to answer any questions.

Below is a short list of just a very few of the file names that have popped up in scans:

A0027523 - agent-ink
KsDDdj - krap-I
fLUbAk - mal/tdsspk-c
XkQVbk - generic-a
Deioqi
Pbmig
dioco
Ruecuw


Any help would be greatly appreciated!

Thanks



#2 boopme - To Insanity and Beyond (Global Moderator, 73,213 posts, NJ USA)

Posted 19 January 2010 - 11:12 AM

Hello, start by cleaning all the PCs and flash drives so they no longer reinfect every PC they touch.

I am going to ask for some help here, as I see a rootkit and we need to clean that.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 quietman7 - Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 19 January 2010 - 11:32 AM

Since you say this is a school computer, have you contacted and advised the school's IT Department?

In most school environments, the IT Department implements specific policies and procedures for the use of computer equipment and related resources. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use school resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. If you have an issue, then you need to resolve it with the IT staff or school administrators. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system.

Further, the school IT staff generally has procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of your seeking help at an online forum or outside the school. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate measures.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 hopacIT (Topic Starter)

Posted 19 January 2010 - 12:26 PM

Boopme - thanks, I'll give that a try tomorrow; sounds good.

Janitor and other readers - thanks for the reply. Just wanted to clarify that I am the IT dept. We are a small nonprofit school in Africa, so no need to worry about liability. We're just looking for any possible solution, since we have few resources available around here. I definitely appreciate your response though and hope my users would get that same response.

Thanks to both and any future replies as well. You're all bleepin awesome.

#5 quietman7 - Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 19 January 2010 - 12:51 PM

Below I have provided some generic instructions for network cleaning. We do not have the staff or resources to assist with disinfection of numerous machines, but this will get you started in the right direction. Keep in mind, we at BC will assume no responsibility for any assistance provided.

If this is a client machine, to prevent the malware from spreading to other clients on the network keep this system separated (isolated) from all others and disable network file and printer sharing until fully cleaned. Vista users can refer to these instructions.

If you're not sure about the source of infection, start by disconnecting (isolating) all client machines from the network. Check and disinfect each client individually by performing a full system scan with your anti-virus in safe mode to ensure it is clean before reconnecting.

After that print out and follow these Instructions for using Malwarebytes Anti-Malware and perform a Quick Scan in normal mode, then reboot the system normally. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware it finds.

Note: Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware.

Start with the server, then, one at a time, do the same for each client machine until you ensure it is clean and can be reconnected. That is a tedious task, but it ensures each machine gets individual attention and a full system scan of all files and folders. Trying to do things remotely can result in missed detections. If scanning a mapped drive only scans the mapped folders, it may not include all the folders on the remote computer. Further, if a malware file is detected on the mapped drive, the removal may fail if a program on the remote computer uses that file.

How to scan your network with Sophos Anti-Rootkit <- this link has instructions for use on large networks

On a network where the domain controller has been infected with a rootkit, you should clean the domain controller before cleaning the remaining computers on the network. See rootkit removal on a network with an infected domain controller.

If you were infected by malware that spreads to network shares or by a password stealing trojan, change the passwords for all important applications and set strong passwords for shared network resources.

Note: As an alternative to Flash Disinfector, you can download and use Panda USB Vaccine.
alternate download link 1
alternate download link 2
  • Double-click on USBVaccineSetup.exe to install the program to C:\Program Files\Panda USB Vaccine.
  • Read and accept the license agreement, then click Next.
  • When setup completes, make sure "Launch Panda USB Vaccine" is checked and click Finish to open the program.
  • Click the Vaccinate computer button. It should now show a green checkmark and confirm Computer vaccinated.
  • Hold down the Shift key and insert your USB flash drive.
  • When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
  • Exit the program when done.
Note: Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, this cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
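Both the Flash_Disinfector step in post #2 and the Panda USB Vaccine alternative above rely on the same idea: occupy the name autorun.inf at the drive root so the worm cannot drop its own. The script below, added here as an example and not Flash_Disinfector, Panda USB Vaccine or any BleepingComputer tool, audits a drive root for the artifacts described in this thread (an autorun.inf with launch keys, a shortcut sitting beside a folder of the same name, loose executables) and then applies the folder trick. The detection heuristics, the sample autorun.inf and the stand-in file names are the author's assumptions, constructed for illustration.

```python
"""Audit a removable drive root for autorun.inf worm artifacts and vaccinate it.

Added example for this thread: not Flash_Disinfector, Panda USB Vaccine or any
BleepingComputer tool. Heuristics and the sample layout are assumptions."""
import re
import stat
import sys
import tempfile
from pathlib import Path

# [autorun] keys that make Windows launch something when the drive is opened.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Extensions that have no business sitting loose in the root of a data stick.
LOOSE_EXEC = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

# Constructed autorun.inf in the style of the 2010 USB worms: BOM, mixed case,
# a padding line, and the non-existent siouqi.scr target mentioned in post #1.
SAMPLE_AUTORUN = """\ufeff[AutoRun]
; padding line
OPEN=siouqi.scr
shell\\open\\Command=siouqi.scr
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Tolerant INI parse: keys of the [autorun] section, lower-cased.
    Anything that is not 'key=value' inside [autorun] is ignored, so padding
    lines, a BOM and case games do not hide the launch keys."""
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            in_section = m.group(1).strip().lower() == "autorun"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def audit_drive(root):
    """Return a list of (code, detail) findings for a drive root."""
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        keys = parse_autorun(inf.read_text(encoding="utf-8", errors="replace"))
        for k in EXEC_KEYS:
            if k in keys:
                target = keys[k].strip('"').split()
                present = bool(target) and (root / target[0]).exists()
                findings.append(("autorun_exec", f"{k}={keys[k]} (target present: {present})"))
        if not any(k in keys for k in EXEC_KEYS):
            findings.append(("autorun_file", "autorun.inf present without launch keys"))
    elif inf.is_dir():
        findings.append(("vaccinated", "autorun.inf is a directory"))
    # Folder-hiding pattern from post #1: 'documents.lnk' beside a real (usually
    # hidden) 'documents' directory; the shortcut runs the worm, then opens it.
    for lnk in root.glob("*.lnk"):
        if (root / lnk.stem).is_dir():
            findings.append(("shadow_lnk", f"{lnk.name} shadows folder {lnk.stem}/"))
    for p in sorted(root.iterdir()):
        if p.is_file() and p.suffix.lower() in LOOSE_EXEC:
            findings.append(("loose_exec", p.name))
    return findings


def vaccinate(root):
    """Replace any autorun.inf *file* with a directory of that name. A worm can
    then no longer drop its own autorun.inf at the root because the name is
    taken, which is the trick behind Flash_Disinfector's hidden folder. On
    Windows the folder also gets read-only+hidden+system attributes."""
    inf = Path(root) / "autorun.inf"
    if inf.is_file():
        inf.chmod(inf.stat().st_mode | stat.S_IWRITE)  # clear read-only first
        inf.unlink()
    if not inf.exists():
        inf.mkdir()
    if sys.platform == "win32":
        import ctypes  # FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(str(inf), 0x01 | 0x02 | 0x04)
    return inf.is_dir()


def run_demo():
    """Build the constructed infected layout in a temp dir, audit, vaccinate,
    audit again; returns the finding codes before and after."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN, encoding="utf-8")
        (root / "documents").mkdir()
        (root / "documents.lnk").write_bytes(b"L\x00\x00\x00")  # stand-in, not a real .lnk
        (root / "Pbmig.exe").write_bytes(b"MZ")                 # stand-in dropper (name from post #1)
        before = audit_drive(root)
        ok = vaccinate(root)
        after = audit_drive(root)
    return {"before": [c for c, _ in before], "vaccinated": ok,
            "after": [c for c, _ in after]}


if __name__ == "__main__":
    if len(sys.argv) > 1:           # python audit_usb.py E:\
        for code, detail in audit_drive(sys.argv[1]):
            print(code, detail)
    else:
        print(run_demo())
```

Run it against the drive letter of a stick inserted with Shift held down, as the posts advise, so nothing executes before the audit. The folder trick only stops the autorun.inf vector: the shortcut and the dropped .scr/.exe still have to be removed, and a user who double-clicks "documents.lnk" will still run the worm, so the audit's shadow_lnk and loose_exec findings are the ones to act on before handing the stick back.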

#6 hopacIT (Topic Starter)

Posted 20 January 2010 - 07:09 AM

Thanks for the advice so far. Updates are:

Have installed Panda USB Vaccine on about 30 computers so far and seen that the program is a big help.

Have disabled File and Printer sharing

Resetting admin passwords on the computers

Cleaning up any quarantine in Sophos and restarting

Using the Malwarebytes removal tool to get any files remaining after Sophos removal. A few have remaining files unable to be removed, which we are leaving for now; hopefully Malwarebytes will catch them, or the Sophos Anti-Rootkit might.

Updating Malwarebytes, then running quick scans.

Restarting.

Preparing Sophos Anti Rootkit to run on machines that show any kind of infection after above. Haven't tried it yet. Curious to see if it has greater effect than the Sophos program we have now which I believe has rootkit scanner in it.

Some machines seem to be improving and clean. Some seem to be sticky.

I'm beginning to notice some kind of trend in a few of the results from the scans. It appears there may be some version of Conficker on some of them. That doesn't sound fun. I know it's not everyone's favorite worm, but I don't know exactly what I should be doing, if anything different, than I am now.

Any advice from here?

Thanks so far.

#7 quietman7 - Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 20 January 2010 - 01:40 PM

To clean or protect your system from the Conficker/Downadup worm infection, you can start by reading these articles. You are safe from Conficker if you can access Windows Critical Updates or if you can go to security sites such as mcafee.com.

There are a number of free removal tools available to download and use.
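The "can you still reach Windows Update or mcafee.com" test in the reply above can be turned into a repeatable check that also separates a genuinely offline machine from one whose security lookups are being selectively blocked. The script below is an added example, not a BleepingComputer tool; the host lists are assumptions chosen for illustration, and the resolver is injectable so the logic runs offline with a constructed stand-in.

```python
"""Check whether DNS resolution for security-vendor and Windows Update hosts
is selectively blocked, the Conficker/Downadup symptom this thread describes.

Added example, not a BleepingComputer tool; host lists are assumptions."""
import socket

# Assumed lists: hosts an infected machine typically cannot look up, and
# ordinary control hosts that should still resolve if the network is up.
SECURITY_HOSTS = ("update.microsoft.com", "windowsupdate.microsoft.com",
                  "mcafee.com", "www.sophos.com", "www.malwarebytes.org")
CONTROL_HOSTS = ("www.wikipedia.org", "www.example.com")


def check_resolution(hosts, resolve=socket.gethostbyname):
    """Map host -> bool (does it resolve?). The resolver is a parameter so the
    verdict logic can be exercised without network access."""
    result = {}
    for host in hosts:
        try:
            resolve(host)
            result[host] = True
        except OSError:        # socket.gaierror is a subclass of OSError
            result[host] = False
    return result


def classify(security, control):
    """Separate 'no network at all' from 'security sites selectively blocked'.
    Only the latter is the symptom worth escalating."""
    sec_ok = sum(security.values())
    if not any(control.values()):
        return "offline"       # everything fails: fix connectivity first
    if sec_ok == 0:
        return "blocked"       # control resolves, security hosts do not
    if sec_ok < len(security):
        return "partial"       # mixed result: re-run and compare per host
    return "clean"


def conficker_dns_check(resolve=socket.gethostbyname,
                        security_hosts=SECURITY_HOSTS, control_hosts=CONTROL_HOSTS):
    """Run both lists through the resolver and return the verdict string."""
    return classify(check_resolution(security_hosts, resolve),
                    check_resolution(control_hosts, resolve))


def make_resolver(blocked, answer="203.0.113.1"):
    """Constructed stand-in for socket.gethostbyname: fails for hosts in
    'blocked', returns a documentation-range address for everything else."""
    def resolve(host):
        if host in blocked:
            raise OSError(f"lookup of {host} failed")
        return answer
    return resolve


if __name__ == "__main__":
    print("verdict:", conficker_dns_check())
```

Run it on the suspect machine itself: the blocking happens on the infected host, so a successful lookup from a clean workstation proves nothing about the machine you are triaging. A "blocked" verdict is also what a deliberate web filter or a missing proxy setting produces, so confirm against a machine known to be clean on the same network before treating it as an infection indicator.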



