I am infected!


5 replies to this topic

#1 Mikemad

Posted 08 March 2010 - 09:11 PM

Having a bad problem with multiple PC's. All are XP SP3, pretty much fully patched, latest Acrobat, Java, Flash, etc. Not sure how it's getting in. Would sure like to know that. PC's have Computer Assoc. Etrust AV 8.1, latest signatures, etc. I have been submitting files to them as fast as I can to be included in the updated signatures. We use Webroot Spysweeper for anti-spyware, again with the latest signatures.

The problem first started about 3 weeks ago; slow response times were an issue. Started using Malwarebytes' Anti-Malware (MBAM) to perform on-demand scans. This would often catch items neither Etrust nor Webroot would catch, and I would start submitting the files that MBAM caught to CA and Webroot to get updated signatures. The Webroot product has an Internet Communications Shield (ICS) that logs centrally to a console. I was able to catch traffic to various IP addresses (from svchost.exe) and domains, which I started adding as blocked sites in our firewall. I also caught some traffic via Wireshark captures that was suspicious.

After the machines cleaned by MBAM continually got re-infected, I started to look closer and found suspect files in the temp directories and the Temporary Internet Files for the Network Service and Local Service accounts. So I started using GMER (I think that's the name), and some of the PC's have a suspect atapi.sys (or whatever it's called, you know what I mean!).

Not really sure where to go from here. I am not sure if corporate users are allowed to use this site or not. If not, can anyone recommend somebody who can come help us out for $$?


#2 Orange Blossom


Posted 09 March 2010 - 10:48 PM

By corporate users, does this mean these are company computers?

~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Mikemad


Posted 09 March 2010 - 11:03 PM

Yes sir or madam. These criminals are smart people, whoever they are. We have a process which conflicts with our RTM AV scanner, so it is excluded. Found a PC infected with a file with the same filename as the excluded process, just in another directory. I found it with Autoruns, after capturing some suspicious outbound traffic with Wireshark. Once I had the port number, I was just a netstat -nao away from finding the process.

Again, I did not know if corporate computers qualified for assistance here or not; that's why I was up front in asking. Y'all seem to be the most knowledgeable around. I am learning much more about malware than I ever wanted to, that's for sure!

If help is not available here, if there are any consultants, etc. that you know about in the Atlanta area, that would be a big help, or even the correct place to post such a query would be of great help. Spending too much time fighting the war to do much research on consultants.

Thanks again!
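Added example, not code from the original thread or from any of the tools it names: the "capture the traffic with Wireshark, then netstat -nao, then look at the process" sequence from posts #1 and #3 above, together with the "same filename as the excluded process, but in another directory" check, carried through in Python over constructed netstat -nao and wmic process get ExecutablePath,ProcessId /format:csv output. The process name syncagent.exe, its two paths, the host name WS-17, the IP addresses and the exclusion table are hypothetical stand-ins and are not taken from the thread.

```python
"""Map a suspicious outbound connection to its owning process, then check
whether that process is hiding behind an AV path exclusion (same file
name, different directory).

Added example, not from the original thread. Both sample outputs are
constructed to look like Windows XP `netstat -nao` and
`wmic process get ExecutablePath,ProcessId /format:csv`; syncagent.exe,
its paths, host WS-17 and all IP addresses are hypothetical.
"""
import csv
import io
import ntpath

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.25:1046      198.51.100.23:8080     ESTABLISHED     1524
  TCP    192.168.1.25:1052      192.0.2.77:443         ESTABLISHED     1524
  TCP    192.168.1.25:1060      192.0.2.10:80          ESTABLISHED     2288
  UDP    0.0.0.0:445            *:*                                    4
"""

WMIC_SAMPLE = """
Node,ExecutablePath,ProcessId
WS-17,C:\\WINDOWS\\system32\\svchost.exe,892
WS-17,C:\\WINDOWS\\Temp\\syncagent.exe,1524
WS-17,C:\\Program Files\\SyncAgent\\syncagent.exe,2288
"""

# Hypothetical real-time AV exclusion: this binary, in this directory only,
# is not scanned. Keys are lower-case file names.
EXCLUSIONS = {"syncagent.exe": r"C:\Program Files\SyncAgent"}


def parse_netstat(text):
    """Parse `netstat -nao` output. TCP rows carry a State column and UDP
    rows do not, so the PID is the last field and the foreign address the
    third, whatever the row type."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        host, _, port = fields[2].rpartition(":")
        conns.append({
            "proto": fields[0],
            "local": fields[1],
            "remote_host": host,
            "remote_port": port,
            "state": fields[3] if len(fields) == 5 else "",
            "pid": int(fields[-1]),
        })
    return conns


def pids_talking_to(conns, remote_host, remote_port=None):
    """PIDs owning a connection to the foreign host (and optional port)
    seen in the packet capture. This is the `netstat -nao` step."""
    return sorted({
        c["pid"] for c in conns
        if c["remote_host"] == remote_host
        and (remote_port is None or c["remote_port"] == str(remote_port))
    })


def parse_wmic_paths(text):
    """Map PID -> image path from wmic CSV output. Columns are located by
    header name, so their order does not matter."""
    paths = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        if row.get("ExecutablePath"):
            paths[int(row["ProcessId"])] = row["ExecutablePath"]
    return paths


def exclusion_abuse(paths, exclusions):
    """Processes whose image name matches an excluded binary but which run
    from another directory. Case-insensitive, as NTFS paths are."""
    hits = []
    for pid, path in sorted(paths.items()):
        directory, name = ntpath.split(path)
        expected = exclusions.get(name.lower())
        if expected and ntpath.normcase(directory) != ntpath.normcase(expected):
            hits.append((pid, path))
    return hits


def triage(netstat_text, wmic_text, remote_host, remote_port=None):
    """For each PID talking to the suspicious host: (pid, image path,
    whether that image is abusing an exclusion)."""
    conns = parse_netstat(netstat_text)
    paths = parse_wmic_paths(wmic_text)
    abusers = {pid for pid, _ in exclusion_abuse(paths, EXCLUSIONS)}
    return [(pid, paths.get(pid, "<unknown>"), pid in abusers)
            for pid in pids_talking_to(conns, remote_host, remote_port)]


if __name__ == "__main__":
    # 198.51.100.23:8080 stands in for the destination Wireshark showed.
    for pid, path, abuse in triage(NETSTAT_SAMPLE, WMIC_SAMPLE, "198.51.100.23", 8080):
        print(f"PID {pid}: {path}  exclusion-abuse={abuse}")
```

On a real machine the two inputs are the output of netstat -nao and wmic process get ExecutablePath,ProcessId /format:csv run locally, and the host/port passed to triage() is the destination from the capture. A hit whose path sits outside the excluded directory is exactly the case described in the post above, and the file at that path is the one to pull for submission before the box is re-imaged.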

#4 Orange Blossom


Posted 09 March 2010 - 11:40 PM

Since you say this is a work computer, you need to contact and advise your IT Department. In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We cannot take action to help someone circumvent such policies.

Further, the IT staff generally has procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office. The malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate measures.



#5 Mikemad


Posted 10 March 2010 - 12:00 AM

I am on the IT staff, head guru in charge. :thumbsup: Sorry I wasn't clear about that. Our policies have worked well since PC's were invented. This is our first bad experience with malware and my lack of knowledge on getting rid of this stuff is crystal clear to me. Hence my request for assistance.

I've been working on PC's since 1982, the very first PC's with monochrome monitors and cassette decks for storage. Lotus 1-2-3, anyone? I can cure most single PC's of adware/malware without issues, but this is something different than your normal stuff, not sure what. But our machines are pretty much up to date with MS patches, Adobe, Flash, IE, Firefox, RealPlayer, Apple, JScript, etc. patches (we use Shavlik HFNetChk for this), AV (Etrust 8.1 Corporate AV) and spyware (Webroot Spysweeper Enterprise edition) scanners and signatures, as well as web filters and firewalls at the network perimeter, and it's spreading. Nothing (GMER, Spysweeper, Etrust AV, Malwarebytes' Anti-Malware, MS Security Essentials, etc.) seems to find all of it, and then it just comes back. We have images and automated application deployment, along with roaming profiles, and have taken to just replacing/re-imaging PC's as fast as we can/they are discovered. It's just a bit overwhelming at the moment; I am not sure we are thinking clearly and was hoping to get an outside person to help us figure out how to pin down what it is, how it's spreading and how to stop it. Again, any references on somebody we can pay for that assistance (if not available here) are very welcome.

About 3/4 of our machines are at Java 6 update 15 through 17. We haven't been able to successfully automate the deployment of Java 6 update 18, but that is about the only thing that's not fully patched/updated.

We have 220 PC's and an IT staff of 4, since almost everything is automated.

Edited by Mikemad, 10 March 2010 - 12:05 AM.


#6 Orange Blossom


Posted 10 March 2010 - 02:19 PM

Thanks for clarifying all that. :flowers:

A couple of things. 1) It would be best to isolate the computers from each other until the infection is removed. You've a really bad one, and it spreads insidiously. Additionally, it is somewhat different on each machine. Each machine will have to be addressed separately in terms of cleaning. Which leads me to the second thing. 2) The tools needed to remove this infection are restricted to the Malware Removal forum. So, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a link to this topic in the new one. If you post a topic for more than one computer, please be sure to put something like Computer 1, Computer 2, etc. in the titles and label the machines similarly to keep things from getting mixed up.

If you can produce at least some of the logs, then please create the new topic(s). If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:



