Still infected?

Discussion in 'other anti-trojan software' started by Chrishuff1, Jul 2, 2008.

Thread Status:
Not open for further replies.
  1. Chrishuff1

    Chrishuff1 Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    8
    I work for a local ISP and we've been getting Spam Cop reports about one of our users. He'd claimed to have cleaned it up but we got 3 more reports. He brought it in to our office and I cleaned it to the best of my ability.

    Adaware found around 20 items (most were tracking cookies)
    Spybot found a few (less than 10)
    TrojanHunter found a keylogger
    Norton found 17 trojans, all files were deleted and successive scans were clean.

    PC was running MUCH better once the above was done, and I assumed all was well. That evening we received yet another Spam Cop report about that same user.

    Are there any other programs I don't know about that might find something? I DID run HijackThis but all that was there was Norton listings and some Java stuff. I'd hate to have to format this guy's computer....FWIW he does have a router (non-wireless) and he only has it for his XBOX.

    Thanks in advance for any light you can help shed on this subject. And by all means please move this to the appropriate forum if I am posting in the wrong one :thumb:
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    If it was me who was going to clean the PC/hard drive, I would connect the user's hard drive as a slave drive on my PC, scan with AntiVir Premium. (Usually, this is enough.) Then, just to make sure the hard drive is clean, put it back into the user's machine and install SUPERAntiSpyware or Malwarebytes' Anti-Malware (get the registered versions, with real-time monitor).
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Chrishuff1,
    You have to do 2 things:

    1. Clean up your system.
    Download HijackThis at this link and create a HijackThis Log:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

    At the bottom of this link you will find several Malware Forums
    https://www.wilderssecurity.com/showthread.php?t=42148
    Post your HijackThis Log in one of these Malware Forums and qualified helpers
    will assist you to clean your system and tell you which scanners you have to run.

    2. After that ask Wilders for a solution to avoid such a situation in the future, otherwise it will happen over and over again. It's a vicious circle and you have to break through that vicious circle.
     
  4. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I can't imagine Avira managing to clean anything, but the recommendation to use SUPERAntiSpyware and Malwarebytes Antispyware is good.
    The OP should also consider using Dr.Web CureIt.
    Link in my signature.
    Definitely consider posting in a specialist anti-malware forum. Try to find a setup to avoid the user getting infected again; easier said than done though.
     
  5. Beavenburt

    Beavenburt Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    566
    Second that. Cureit and Superantispyware are two great apps. I've also installed Threatfire on some machines and it has detected where others have failed.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It seems to be an office computer, which means you can't afford to have a weak security/recovery solution.
    It will take some time to clean this one and even when you run all these scanners, it doesn't mean everything is gone. They will just remove what they know and the rest remains.
     
  7. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    Outbound firewall comes to mind! At least to stop it from spreading.
     
  8. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I think you should run AntiVir, SUPERAntiSpyware and Malwarebytes AntiMalware. And maybe add DrWeb Cureit or Kaspersky AVP Tool. Or F-Secure/AntiVir Live CD.

    Then maybe you should consider getting a policy sandbox and a behavioural blocker on his computer, to prevent future infections.
     
  9. ASpace

    ASpace Guest


    Very good suggestion for a user who managed to get so much infected and who claimed he/she "cleaned" the machine. The user will pretty much like the "policy sandbox and a behavioural blocker" ... really good "survival" :gack: o_O :blink: :gack: o_O :blink: :gack: :isay: :blink: o_O :blink: :( o_O :cautious: :gack:
     
  10. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Well I thought we were giving advice to someone to give advice to someone. So what's wrong with giving suggestions?
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Nothing is wrong with helping someone; that would be very illogical. :)
     
  12. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Well I thought HiTech Boy's tone was quite sarcastic, though I might be wrong.
     
  13. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Although the horse has already left the barn, may I suggest a clean backup image for future catastrophes? Just a suggestion.

    Good luck,
    SourMilk out
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    With such an infected system, I would re-install my computer completely from scratch and create clean images at the right moment like you suggested. This is the only way to be sure everything is gone.
     
  15. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Did you charge him labor?

    IMO all of those tools are mediocre at best, and the first three have lackluster detection/removal capabilities. Which Norton/Symantec product were you using? If you insist on signature scanners I would highly recommend SAS, MBAM, a-squared, CureIt, AVPTool, combofix, and smitfraudfix.

    IMO it's one of two things.

    1) The tools above failed to detect and remove the current infections
    2) The end user went back to the same websites/p2p/etc. and reinfected himself

    He could have a rootkit and some other nasty trojans lurking. You may want to run Combofix and have someone review the log.

    After the pc is cleaned you should discuss proper prevention techniques such as 1) common sense 2) sandbox 3) behavior blockers 4) modified hosts files 5) standard or limited accounts 6) backups/images 7) etc. ;)

    Reinstalling Windows is only a temp fix if the end user doesn't change their surfing habits.
     
  16. Chrishuff1

    Chrishuff1 Registered Member

    Joined:
    Aug 17, 2007
    Posts:
    8
    I had the user download SUPERAntiSpyware, Malwarebytes' Anti-Malware, and CureIt. After installing and updating / running each program he indicated that it found a ton of additional items. He removed the infections and we have not received any more SpamCop reports.

    And yes, we did charge him labor to clean it up as well as discussed his surfing habits :)

    Thanks again for all your guys' help!
     
  17. Jtaylor83

    Jtaylor83 Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    16
    I think you should get rid of Norton and install avast!
     
  18. JimF

    JimF Registered Member

    Joined:
    Apr 17, 2004
    Posts:
    54
    Location:
    Allentown, PA USA
    Try BoClean. It is free.
     