Widespread Infection on a Win XP PC


This topic is locked
3 replies to this topic

#1 SuperiorAssassin

  • Members
  • 2 posts

Posted 03 January 2011 - 03:23 PM

I have been working on a PC running Windows XP for a client for over a week now. This computer is hijacked beyond belief. As it turns out, the client claims he has noticed the machine being VERY slow for over a year, so I am taking that to mean that the initial infection occurred over a year ago. Now this PC is loaded up with backdoors, trojans, adware, spyware and many other forms of malware.

Some of the detected Programs include:

IRC.Backdoor
MyWebSearch
Trojan.KoobFace

but there are hundreds of others I have detected, many of which were no problem to remove. I have run dozens of fixers and sweepers with no luck.

I have tried removing the programs in Safe Mode, running virus scans from boot disks, editing and optimizing the registry, deleting startup entries... I have never seen a computer more overrun than this one; it may be some kind of home user record. All of its services and drivers even keep getting disabled again after removal attempts.

Normally I go by the 3 hour rule: if I can't fix it in 3 hours, back it up and start with a fresh OS. But in this case the client has very expensive tax software that cannot be reinstalled and is one-install-per-license software, so I HAVE to repair.


I convinced the client to buy licenses of Kaspersky, as it's the best in preventative security, but in spite of all my best efforts I STILL can't install KIS 2011 (Kaspersky Internet Security), which I am convinced would fix any problem I have. I even ran their AVP Tool and submitted a support ticket, with no help. Can anyone help me out?

I will post GMER Log when its done.
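The post above describes services and drivers being disabled again after each removal attempt, with no record of what changed between attempts. The script below is an added example, not code from the post or from any of the tools it names: it snapshots the persistence surfaces the post mentions (Run/RunOnce and Winlogon registry values, services, kernel drivers) and diffs the current snapshot against the previous one, so a re-disabled service or a re-added autorun shows up as a concrete line. It assumes PowerShell 2.0 is installed (available for XP SP3 through the Windows Management Framework download); the snapshot directory and the list of registry keys are this example's own choices.

```powershell
# Added example (not from the post): snapshot startup entries, services and
# drivers, then diff against the previous snapshot. Run once for a baseline,
# attempt a cleanup, reboot, run again and read the ADDED/CHANGED/REMOVED lines.
# The snapshot directory and the key list below are assumptions for this example.
param(
    [string]$SnapshotDir = "$env:SystemDrive\persist-snapshots"   # assumed location
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # Winlogon Shell/Userinit values are a classic XP-era hijack point
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-PersistenceSnapshot {
    $items = @()

    # One item per registry value under each autorun key
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PSPath, PSChildName, ...
            $items += New-Object PSObject -Property @{
                Kind  = 'Registry'
                Name  = "$key\$($p.Name)"
                Value = [string]$p.Value
            }
        }
    }

    # Services and kernel drivers: binary path, start mode and current state, so
    # "disabled after a removal attempt" becomes a visible start= / state= change
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        foreach ($s in (Get-WmiObject -Class $class)) {
            $items += New-Object PSObject -Property @{
                Kind  = $class
                Name  = $s.Name
                Value = "$($s.PathName) | start=$($s.StartMode) | state=$($s.State)"
            }
        }
    }
    return $items
}

function Compare-PersistenceSnapshot {
    param($Before, $After)
    $beforeMap = @{}
    foreach ($i in $Before) { $beforeMap[$i.Kind + '|' + $i.Name] = $i.Value }
    $afterMap = @{}
    foreach ($i in $After)  { $afterMap[$i.Kind + '|' + $i.Name]  = $i.Value }

    foreach ($k in $afterMap.Keys) {
        if (-not $beforeMap.ContainsKey($k)) {
            "ADDED   $k => $($afterMap[$k])"
        } elseif ($beforeMap[$k] -ne $afterMap[$k]) {
            "CHANGED $k`n    was: $($beforeMap[$k])`n    now: $($afterMap[$k])"
        }
    }
    foreach ($k in $beforeMap.Keys) {
        if (-not $afterMap.ContainsKey($k)) { "REMOVED $k => $($beforeMap[$k])" }
    }
}

# Locate the previous snapshot before writing the new one, then diff the two
New-Item -ItemType Directory -Force -Path $SnapshotDir | Out-Null
$previous = Get-ChildItem -Path $SnapshotDir -Filter *.xml | Sort-Object Name | Select-Object -Last 1
$current  = Get-PersistenceSnapshot
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$current | Export-Clixml -Path (Join-Path $SnapshotDir "$stamp.xml")

if ($previous) {
    Compare-PersistenceSnapshot -Before (Import-Clixml $previous.FullName) -After $current
} else {
    "Baseline saved to $SnapshotDir; run again after the next cleanup attempt."
}

# Caveat: this runs on the live, compromised OS, so a kernel-mode rootkit can
# filter what the registry and WMI report. The diff shows what is fighting the
# cleanup; it does not establish that the machine can be trusted.
```

Run it from an administrator account each time, and keep the snapshot directory off the machine if you want the record to survive the eventual rebuild.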

Attached Files


#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 January 2011 - 05:12 PM

Normally I go by the 3 hour rule: if I can't fix it in 3 hours, back it up and start with a fresh OS. But in this case the client has very expensive tax software that cannot be reinstalled and is one-install-per-license software, so I HAVE to repair.

Normally I don't reply to these sorts of threads, as you're earning for your time and I'm not, but in this case I thought I'd make an exception. Call it continued Christmas spirit.

I convinced the client to buy licenses of Kaspersky being its the best in preventative security

It's far too late for prevention, and no AV is going to deliver a trustworthy PC. The first issue is that of the backdoors that you mention. Given that there is no way of knowing what an individual with remote access may have done with the OS in question (replaced or infected system files, tweaked security settings to make reinfection easier), there is no way I would do anything with my PC in this state except reformat and reinstall, regardless of any installed software problem.

Whether your client is using the PC for their own or another's tax is immaterial - the security of this machine is waaaaaaaay beyond compromised and there's no other sensible alternative than to start afresh.
I'd also tell your client that anything they have had access to on this machine since God was a lad should seriously be considered to be public knowledge. That means any bank accounts that have been accessed, credit/debit cards used, passwords entered, risqué pictures of his/her partner, whatever...
If you want a poster child for identity theft, congratulations, you've got a prime candidate.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The second issue is taken from Attach.txt: "Install Date: 12/19/2006 1:09:00 PM". The installation is over four years old, and that's about as old as I've seen for a long time. If ever an OS was ready for a refresh, it's this one. Installations, uninstallations and Windows updates leave a detritus that will slow down a system, and it ain't going to improve without a nuke and pave.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Feel free to ask for a second opinion, either here or elsewhere, if you don't like the above, but it's good advice - although to be fair, I am biased as I gave it!

So long, and thanks for all the fish.


#3 SuperiorAssassin

  • Topic Starter
  • Members
  • 2 posts

Posted 03 January 2011 - 05:56 PM

Thanks for your reply, and I completely agree with you 100%. I have already had the conversation with my client about security and how not only should the system be refreshed, but he might want to just throw it away. The tax software is pro-level software and is encrypted and does not use files that hackers could read without said expensive software, but that does not do much against a keylogger.

I already recommended the restore route, but that would mean he would have to purchase a $3000+ software that he just renewed for the new tax season, we already called the company and there are no refunds or reinstalls, period.

I know that if I can at least clean the PC to the point of the Kaspersky install, Kaspersky would be able to take care of it from there for the most part, and I already reset all the security settings.

Just for an update, Kaspersky Technical Support recommended Kaspersky 2010 Rescue Disk, which seems to be working and finding things I have not come across yet, so I have high hopes.

As far as me being paid, I should be paid for my time. I'm a professional Web/Media Developer and PC Technician, and my time is valuable and I never have enough of it. I help out on several different communities and rarely need to ask for help. One thing that I always appreciate is the tech community, and I try to put in as much as I give out. I would help on this forum... but responses are regarded by moderators only. Perhaps if you came to me with a web question for one of your clients, I would not be so quick to get offended because you were getting paid.

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 03 January 2011 - 06:20 PM

As far as me being paid, I should be paid for my time. I'm a professional Web/Media Developer and PC Technician, and my time is valuable and I never have enough of it. I help out on several different communities and rarely need to ask for help. One thing that I always appreciate is the tech community, and I try to put in as much as I give out. I would help on this forum... but responses are regarded by moderators only. Perhaps if you came to me with a web question for one of your clients, I would not be so quick to get offended because you were getting paid.

I'm not offended by you earning money for your expertise, and I'm sorry if a statement of fact read as such.

I know that if I can at least clean the PC to the point of the Kaspersky install, Kaspersky would be able to take care of it from there for the most part

You must know as well as I the limitations of anti-virus programs. The chain of events can be considered as: infection creation, infection collection/submission, infection analysis and finally infection solution. If KAV hasn't come across a particular infection, or if they don't consider one to be worth their time to deal with or, as sometimes happens, worth the risk given the potential for OS borking that sometimes occurs, then their software won't deal with it.

So long, and thanks for all the fish.
