so once you get em clean.....


10 replies to this topic

#1 wookie geek

    Tired, cynical, old man

  • Full Member
  • 19 posts

Posted 13 April 2006 - 10:41 AM

We just got a repeat customer in today. He was just in the shop in January. The system was totally hosed, so he got a nuke and pave, NIS 2005, and we threw in Spybot. The PC came in with NIS choking and puking, the resident protection of Spybot for IE disabled and unable to be reset, one of the smitfraud group, and trojan.zlob. NIS showed as having the latest definitions; the last weekly scan, as shown in the logs, found only adclicker. Where is all this crap coming from? How is it getting past whatever defenses are set up? The guy's homepage was hijacked to the darn perfectedsecurity site even though, when the PC was sent out, Spybot was installed and updated. If I had any hair I'd be pulling it out. I personally think NIS is your basic overbloated POS, but I am not in charge here, so I have no options on what gets installed as an AV. Even with that said, it would seem that there should have been some protection. The issues with NIS are self-evident (it keeps trying to block its own LiveUpdate), but not really the issue I am wondering about. How is this crap coming in? How is it somehow killing Spybot and hijacking the browser? Finding the guilty files I can do. Cleaning up the registry also, but I would like to be able to say "Look Mr....., this is what got you back into the shop with these problems".

Any insight, links or info at all will be greatly appreciated.

wg
When in danger, or in doubt. Run in circles, scream and shout!!

#2 hornet777

    Forum Deity

  • Full Member
  • 607 posts

Posted 13 April 2006 - 03:43 PM

I smell rootkit.
After all is invested in correctness, then how does it stand with truth?

#3 wookie geek

    Tired, cynical, old man

  • Full Member
  • 19 posts

Posted 13 April 2006 - 05:27 PM

I smell rootkit.


We haven't addressed everything wrong at this point, but since he got the nuke and pave (format and reinstall) in January, I know he didn't have a rootkit when it went out. I haven't seen or heard anything anywhere about how this crap is propagating. But thanks for the reminder to check for a rootkit in his current problems.

wg

#4 teacup61

    RIP

  • Emeritus
  • 4,064 posts

Posted 13 April 2006 - 06:24 PM

No protection in the world will keep out what the user lets in if he has bad surfing habits, or isn't careful what is downloaded.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.


#5 wookie geek

    Tired, cynical, old man

  • Full Member
  • 19 posts

Posted 14 April 2006 - 11:09 AM

No protection in the world will keep out what the user lets in if he has bad surfing habits, or isn't careful what is downloaded.


True that. I am thinking that's how he picked up the smitfraud item.

wg

#6 Bmwboy

    Member

  • Full Member
  • 23 posts

Posted 15 April 2006 - 07:23 PM

Undoubtedly the user has been downloading suspicious items, or looking at some things no person should look at.
Using firefox might help him :p

#7 tsitraveler

    Member

  • Full Member
  • 54 posts

Posted 16 April 2006 - 12:43 AM

Until you come up with a patch for this customer, you might try getting him to buy ProcessGuard, by DiamondCS (http://www.diamondcs.com.au/)

Stops global shell hooks. It'll deny rootkits, among other things.

Of course, he's still free to hose his sys, but at least he'll start to understand how it happens...

#8 aczechgurl

    Forum Deity

  • Retired Staff
  • 5,577 posts

Posted 19 April 2006 - 10:58 PM

Bad surfing habits most likely.

But I have a question when you "nuked and paved" did you do all windows updates including sp2 and did you turn on automatic updates?

Aczechgurl

Please consider Supporting SWI's fight against Malware.

Member of ASAP (Alliance of Security Analysis Professionals)

Fight back Malware Complaints

#9 wookie geek

    Tired, cynical, old man

  • Full Member
  • 19 posts

Posted 28 April 2006 - 07:57 PM

Bad surfing habits most likely.

But I have a question when you "nuked and paved" did you do all windows updates including sp2 and did you turn on automatic updates?


Our company policy is that we do ALL Windows updates and enable the updates for auto d/l AND install. Please know that on none of my PCs is that my policy. I never want M$ to d/l or install anything before I check it. I decide when I see the updates whether I want them or not. While in my personal life I do not adhere to our company philosophy, I can kinda understand why we do it that way for the customers, since the majority of them have been running the 60-day trial version of whatever came on their OEM box and have never done any updates at all. (I'm talking XP SP1, and the 60-day trial expired in '03.) Well, of course the 4/11 patch hosed a bunch of them with the HP Share-to-Web and image director software, and we got one where it fubar'd the Nvidia drivers. I think the company's outlook is update and not get screwed by strangers but maybe get screwed by M$, the old "better the devil you know".

wg

#10 aczechgurl

    Forum Deity

  • Retired Staff
  • 5,577 posts

Posted 28 April 2006 - 10:23 PM

If you really formatted and did all updates bad surfing is all I can think it might be at the moment.

If you did not format there could be a task scheduler entry that is reloading it.

The majority of them have been running the 60 day trial version of whatever came on their OEM box and have never done any updates at all. (I'm talking XP SP1 and the 60 day trial expired in 03)


I know exactly what you mean, I see this everyday as well, so we have a similar policy.

Aczechgurl
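One way to actually run the check aczechgurl describes (a scheduled task or autostart entry that reloads the infection after a cleanup), added here as an example and not code from the thread or from any poster: the script parses a registry export of the Run keys and the IE start page, takes a list of scheduled tasks, and flags autostarts that run out of temp or user-profile directories, that carry the "codec" name Zlob droppers were known to use as a lure, that point the start page somewhere the tech did not set, or that are registered both as a task and as a Run entry. The registry text and task list are constructed samples with made-up paths and names; the key names, the heuristics and the function names are the editor's choices, not something the thread specifies.

```python
import re

# Constructed sample of a `reg export` of the XP-era Run keys and the IE
# start page. Example input only; the entries and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"Video Codec"="C:\\WINDOWS\\TEMP\\codec-installer.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ieupd"="rundll32.exe \"C:\\Documents and Settings\\owner\\Local Settings\\Temp\\ieupd.dll\",Start"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacked.example/"
'''

# Constructed sample of scheduled tasks reduced to name and command line, the
# two fields you would copy out of `schtasks /query /v`. Also made up.
SAMPLE_TASKS = [
    {"name": "Weekly AV scan", "command": r'"C:\Program Files\Example AV\scan.exe" /weekly'},
    {"name": "At1", "command": r"C:\WINDOWS\TEMP\codec-installer.exe /silent"},
]

# Drive-letter paths ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b',
                     re.IGNORECASE)
RUN_KEY_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')


def _unescape(s):
    # .reg files escape backslashes and quotes inside string data.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key, value_name, data) triples for the string values in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def suspicious_reasons(label, command):
    """Heuristics for one autostart: where it runs from and what it calls itself."""
    reasons = []
    for path in PATH_RE.findall(command):
        p = path.lower()
        if '\\temp\\' in p:
            reasons.append(f'runs from a temp directory: {path}')
        elif '\\documents and settings\\' in p:
            reasons.append(f'runs from a user profile: {path}')
    if 'codec' in label.lower() or 'codec' in command.lower():
        reasons.append('"codec" in the name (the fake-codec lure used by Zlob droppers)')
    return reasons


def triage(reg_text, tasks, expected_start_pages=('about:blank',)):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    entries = parse_reg_export(reg_text)
    run_entries = [(k, n, d) for k, n, d in entries if k.lower().endswith(RUN_KEY_SUFFIXES)]
    run_paths = {p.lower() for _, _, d in run_entries for p in PATH_RE.findall(d)}

    for key, name, data in run_entries:
        for why in suspicious_reasons(name, data):
            findings.append({'where': key, 'name': name, 'why': why})

    for key, name, data in entries:
        if key.lower().endswith('\\internet explorer\\main') and name.lower() == 'start page':
            if data.lower() not in {p.lower() for p in expected_start_pages}:
                findings.append({'where': key, 'name': name, 'why': f'start page changed to {data}'})

    for task in tasks:
        reasons = suspicious_reasons(task['name'], task['command'])
        for path in PATH_RE.findall(task['command']):
            if path.lower() in run_paths:
                # This is the reinfection pattern: the task can put the Run entry
                # and binary back after a scanner removes them.
                reasons.append(f'same binary is also in a Run key: {path}')
        for why in reasons:
            findings.append({'where': 'Task Scheduler', 'name': task['name'], 'why': why})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REG, SAMPLE_TASKS):
        print(f"{f['where']} :: {f['name']} :: {f['why']}")
```

Run it against a real `reg export` of the two Run keys and the IE Main key plus the task list copied from `schtasks /query /v`, and hand the customer the output: it names the entry, the location and the reason, which is the "this is what got you back into the shop" evidence the first post asks for. The heuristics are deliberately loose (legitimate software occasionally starts from a profile directory), so treat a hit as something to look at, not as a verdict.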

#11 Big Z

    Member

  • Full Member
  • 8 posts

Posted 31 May 2006 - 11:13 PM

LOL, sounds like you're a CompUSA employee! Let me know, and don't listen; CompUSA is crap for policy decision-making... Trust your instincts, Luke.




Member of UNITE