Yesterday I visited one of my friends, and I soon discovered that his antivirus program AVG had stopped working 9 months earlier. I tried to update it manually, but was told that there was no internet connection. I checked and noticed that there was a connection, but AVG couldn't connect. I then tried several online scanners - same result: we were told there was no connection.
The short version: every ordinary site was allowed to connect, but all AV sites were not (and many security blogs too). Luckily I then remembered that WOT had a Panda offer. We tried that, and finally it worked: Panda was allowed to download and install.
The first scan revealed 1 adware, 1 spyware and 1 virus (trj/zlob.gen). All 3 were removed. But the problems still persisted: AV sites are still blocked. And when Panda tried to update itself, the initial problem returned: no connection.
More background: my friend's PC was full of security holes because of missing updates.
I have closed as many as possible, but that only helps from now on...
How do we clean his PC if we cannot connect?
We have access to another PC that is not infected.
But how do we do it? Any suggestions..?
Might be a malicious hosts file
Wed 28 October 2009 15:44:03 — amishrabbit
Assuming your "friend" is running something relatively modern, e.g. Windows XP or later...
Navigate to c:\windows\system32\drivers\etc and open the file named "hosts" (without a suffix) in Notepad.
If there is any entry other than "127.0.0.1 localhost", delete all those other lines, save the file (again, with no suffix), and it should work immediately.
Alternatively, you might want to read this blog post:
http://blog.webroot.com/2009/10/16/trojan-uses-com...
It looks like that's also a fairly easy fix.
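A worked version of the hosts-file check described in this post, added here as an example and not part of the original thread: it reads a hosts file the way the resolver does (one address per line, any number of names, '#' starts a comment) and flags every mapping other than the loopback/localhost defaults, singling out vendor and update hostnames pinned to loopback or 0.0.0.0 (the "no connection" symptom) or to any other address (a redirect). The sample hosts text and the watched-domain list are constructed for the example; a real triage list would be longer and vendor-specific.

```python
"""Triage a Windows hosts file for mappings that block or redirect
antivirus/update traffic.  Added example; not from the original thread."""
import ipaddress
import sys

# Assumption: a short illustrative list of vendor/update hostnames.
# A real triage list would be longer and vendor-specific.
WATCHED_DOMAINS = (
    "avg.com", "pandasecurity.com", "malwarebytes.org",
    "superantispyware.com", "windowsupdate.com", "update.microsoft.com",
)

# The only names a default XP hosts file maps.
DEFAULT_NAMES = {"localhost"}

# Constructed sample (not a real file): a clean header plus injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.avg.com              # vendor blackholed: "no connection"
0.0.0.0         www.malwarebytes.org
203.0.113.7     downloads.pandasecurity.com # vendor redirected to a foreign host
10.0.0.5        intranet.example            # non-default; needs a human look
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs as the resolver reads them:
    '#' starts a comment, one address per line, any number of names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue                     # blank, comment-only or malformed
        for name in parts[1:]:
            yield parts[0], name.lower()


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return (ip, hostname, reason) for every mapping that is not a
    plain loopback -> localhost default."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in DEFAULT_NAMES and addr.is_loopback:
            continue                     # 127.0.0.1 / ::1 localhost: expected
        if _is_watched(name):
            if addr.is_loopback or addr.is_unspecified:
                findings.append((ip, name, "update/vendor host blackholed"))
            else:
                findings.append((ip, name, "update/vendor host redirected"))
        else:
            findings.append((ip, name, "non-default mapping, review"))
    return findings


def triage_file(path):
    """Run the check on a real file, e.g. C:\\Windows\\system32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    # With a path argument the real file is checked; without one, the sample.
    findings = triage_file(sys.argv[1]) if len(sys.argv) > 1 else suspicious_entries(SAMPLE_HOSTS)
    for ip, name, reason in findings:
        print(f"{ip:<16} {name:<30} {reason}")
```

Run it on the infected machine's hosts file from a clean boot medium or with the file copied over USB; anything it reports beyond the localhost lines is exactly what the post above says to delete, and the "redirected" class is worth saving for a later look at where the traffic was being sent.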
Thanks
Wed 28 October 2009 16:00:08 — phantazm
It's a portable PC, an XP SP2 machine (sorry, I forgot to mention...)
Thanks for your advice; I'll try it and report back how it went...
if you find the malicious entries in the hosts file
Wed 28 October 2009 16:15:20 — amishrabbit
Copy them out of the hosts file and paste them here (later, using an uninfected machine).
Here's the hosts file
Wed 28 October 2009 16:43:41 — phantazm
Here is the hosts file I found in c:\windows\system32\drivers\etc:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is the sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. You should not
# specify more than one entry per line. The IP address should be placed in the first
# column followed by the corresponding host name.
# The IP address and the host name can be separated by at least one space.
#
# Comments (such as these) may be inserted on individual lines or following
# the machine name. Comments must be denoted by a '#' symbol.
#
# Example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Hm, looks as if there aren't any unusual entries here... :-(
Looks clean, Scandinavian -- the IKEA of hosts files
Wed 28 October 2009 17:13:08 — amishrabbit
If you know the servers where your AV updates are hosted, you could try to do an NSLOOKUP on the domains and see if the DNS resolves. Maybe the DNS settings on that box are whacked out.
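The NSLOOKUP check suggested above, as an added example that is not from the thread: answers for the vendor/update hostnames, either from the local resolver on the infected box or pasted in from nslookup run against a known-good server on the clean PC, are classified for the patterns that point to a hijack rather than an outage. The hostnames and the sample answers are constructed for the example; the shared-answer sinkhole heuristic is an assumption of this example, since unrelated vendors do not normally resolve to one identical address.

```python
"""Classify resolver answers for vendor/update hostnames to tell a DNS
hijack from a plain outage.  Added example; not from the original thread."""
import ipaddress
import socket
from collections import defaultdict

# Assumption: illustrative hostnames, not a vendor-published list.
WATCHED = (
    "update.avg.com", "www.malwarebytes.org",
    "www.superantispyware.com", "update.microsoft.com",
)

# RFC 1918 ranges only: a public vendor name answered from one of these
# is being steered somewhere on the local network.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed answers standing in for what the infected box returned
# (real runs use live_lookup below, or nslookup output from the clean PC).
SAMPLE_RESULTS = {
    "update.avg.com": ["127.0.0.1"],           # pinned to loopback
    "www.malwarebytes.org": None,              # NXDOMAIN / timeout
    "www.superantispyware.com": ["203.0.113.9"],
    "update.microsoft.com": ["203.0.113.9"],   # same host as an unrelated vendor
}


def live_lookup(domains):
    """Ask the local resolver (hosts file plus configured DNS, i.e. what the
    AV updater actually gets).  domain -> sorted IPv4 list, or None."""
    results = {}
    for name in domains:
        try:
            results[name] = sorted(socket.gethostbyname_ex(name)[2])
        except socket.gaierror:
            results[name] = None
    return results


def _is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def triage_dns(results):
    """Return (domain, reason) findings for hijack patterns: no answer,
    loopback/0.0.0.0, RFC 1918 address, or one identical answer shared by
    unrelated vendors (sinkhole heuristic; an assumption of this example)."""
    findings = []
    by_answer = defaultdict(list)
    for domain, ips in results.items():
        if not ips:
            findings.append((domain, "no answer: name blocked or resolver broken"))
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or addr.is_unspecified:
                findings.append((domain, f"blackholed to {ip}"))
            elif _is_rfc1918(addr):
                findings.append((domain, f"redirected to private address {ip}"))
        by_answer[tuple(ips)].append(domain)
    for ips, domains in by_answer.items():
        if len(domains) > 1:
            findings.append((", ".join(sorted(domains)),
                             "same answer " + ", ".join(ips) + ": possible sinkhole"))
    return findings


if __name__ == "__main__":
    # Swap SAMPLE_RESULTS for live_lookup(WATCHED) to test a real machine.
    for domain, reason in triage_dns(SAMPLE_RESULTS):
        print(f"{domain}: {reason}")
```

Comparing the infected box's answers with the clean PC's for the same names separates "the resolver is broken" (both fail, or the clean one fails too) from "this box is being lied to" (only the infected box gets loopback, a private address, or one shared answer); a hosts file that looks clean, as in this thread, does not rule out the second case, since the DNS server setting itself can have been changed.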
Read the blog, but...
Wed 28 October 2009 17:34:58 — phantazm
Thanks for mentioning the text in: http://blog.webroot.com/2009/10/16/trojan-uses-com...
However, I searched in vain for "Netfilter.exe".
And I didn't find it in Task Manager's list of active programs/processes either...
Any other ideas I could try..?
(My friend looks very tired when I mention reinstalling Windows...)
If only...
Wed 28 October 2009 18:10:18 — phantazm
If only we could get the updates for Panda through another clean PC and then import them. Panda seems to work, but is almost 2 months behind on updates...
PS: In any case, many thanks for the suggestions so far... :-)
I know your friend doesn't want to do it, but . . .
Wed 28 October 2009 19:03:33 — BobJam
The best thing to do may be to reformat and reinstall. The only reason to go through the tedious removal steps is if 1) your friend doesn't have backups of his data, and/or 2) your friend doesn't have a clean image ready to substitute. I mean, how is he ever going to be 100% sure that these removal devices have cleaned his machine completely? He may not see any symptoms for a few days, and then something may come out of hiding again. And in those few days he may accumulate valuable data that will be corrupted by the infection(s).
The only way he can be sure it is all gone is with a clean install. And once he has that clean install, make an OS image or clone of it so that he'll never have to go through this nonsense again. If things get messed up again, all he'll have to do is restore the image or clone. That's a heck of a lot easier than some malware removal iterations that he/you may end up trying.
By the time any malware removal procedure is completed (and success is always going to be suspect), he/you could've done a clean install and be done with it a lot faster.
If you/he choose to reinstall, follow these instructions here http://www.winsupersite.com/showcase/windowsxp_sg_... exactly. Pay particular attention to Step 6 in the preinstallation checklist, because that stresses the importance of backing up his data files BEFORE you do this.
Scroll a little bit down the page and you'll see the step-by-step instructions for doing this in "Clean installing Windows XP", along with screen shots to guide you.
PRINT THE WHOLE THING OUT BEFORE YOU START because you won't be able to get on line (obviously) while you're formatting/installing!!
Oh, one more thing BEFORE you do this. Write down all his licenses/registrations to any free software he downloaded and installed and wants to get again. These can usually be found in the "Help>About" menu, as I'm sure you know.
And if he already had XP on his machine, you can ignore a lot of the stuff about upgrading from 9X on the web page.
Oh . . . one more thing (I seem to keep remembering stuff here), did he have to download any special drivers for any of his hardware?? If so, then you may want to download those drivers again BEFORE you start and save them to removable media so that you can have something available if you need it.
Woops . . . remembered another tip . . . make sure he has all his ISP and email passwords available for when you can get back on line.
And I'm assuming he has his original Windows CD available for this. Make sure he has the Product Key available . . . you'll need it.
So, here's a checklist of all the stuff he needs to do BEFORE he starts:
1. Get his Windows CD (without this, all bets are off)
2. Get the Windows CD Product Key (again, without this, all bets are off)
3. Back up all his valuable data to removable media.
4. Go to that web page I linked to above and print out the instructions.
5. Download and save any special drivers to removable media.
6. Write down his registrations/licenses to any software that he got off the Net.
7. Write down his ISP and email User ID's and Passwords.
That's it . . . good luck.
Thanks for suggestions
Fri 30 October 2009 23:39:39 — phantazm
Thanks for all your detailed advice. Maybe we'll eventually have to reinstall, and in that case I'll return to this thread. In the meantime, many thanks for your time... :-)
try malwarebytes &
Wed 28 October 2009 21:59:18 — demonluo
Try Malwarebytes & SUPERAntiSpyware first; if all fail, then reformat/reinstall...
Download from a clean PC, then burn to CD and give it to your friend...
malwarebytes
Wed 28 October 2009 22:04:06 — mark123
Grab a copy of Malwarebytes: www.malwarebytes.org
Thanks
Thu 29 October 2009 16:09:37 — phantazm
We'll try that and see if it helps...
Hey phantazm!
Thu 29 October 2009 21:56:03 — Athlonite
If you are able to install and update the definitions of Malwarebytes', then run a Quick Scan. After it is finished, if it finds anything, run the Full Scan. When done, go to the LOGS tab and post the results in here (copy and paste). I'll see if it warrants using other specialized tools to help rid infections.
Also, try the MRT (Microsoft Removal Tool) in the OS (XP, Vista). Just Start, and in the Run box type "mrt"; the security program should come up, or at least you could click on the .exe to have it come up. Run a Quick Scan.
One more thing, is the OS up to date? Is he able to receive the monthly updates from Microsoft (Windows Update)??
Athlonite.
Your help is always needed.
The problem has finally been solved...
Fri 30 October 2009 23:35:05 — phantazm
I think the problem has been solved now, so thanks to you all for helpful suggestions..!
Here is how it ended: I managed to download Malwarebytes and SUPERAntiSpyware on another clean PC, then transfer the files via USB to the infected PC. Then I ran into the next problem: when I clicked the files to start setup, nothing happened. By then it was quite late, and I didn't know what else to try, so I went to bed. The next day there were only a few hours before returning to Copenhagen. I then tried something new, a simple trick that I hoped would help. It looked as if any AV site was blocked (except Panda from WOT), and probably any AV program was recognized and blocked as well. What if I renamed the file? That seemed to work: Malwarebytes now started, but unfortunately never completed the setup. Well, at least that was promising, so I tried renaming SUPERAntiSpyware, and this time setup was completed. And now the poor PC could at last be properly scanned. Result of scan:
96 cookies were detected + 407 different kinds of malware..!
Afterwards we uninstalled Panda (since it would only last 1 month), installed AVG, and then I had to leave; a train was waiting...
So, eventually it was fixed. But I must admit that was the worst PC I've ever seen...
If there is a moral, I think it's this: an AV program with obsolete definitions is bad enough, but it's far worse that most people's definition of a virus is also obsolete. Much too many still think a virus tries to erase the hard disk and kill the PC. But modern viruses deliberately leave the surface undisturbed; the abuse is invisible to the average user.
A related problem is software that hasn't been updated. "If it still works, why fix it?" most people think, and then worry about other things, more obvious and visible.
Re: The problem has finally been solved...
Fri 30 October 2009 23:42:21 — Sami
407 different kinds of malware..!
Whoa! I would say reinstalling the operating system is still the only way to be sure the computer is safe. I don't think I could trust a system that was this badly infected, there's always a chance the antivirus software didn't catch something.
8 months is a long time...
Sat 31 October 2009 02:36:08 — phantazm
Yes, I know it's a lot. But the poor PC had been increasingly vulnerable since February, when AVG (for some unknown reason) stopped being updated. However, all these infections were hiding below the surface, and his main programs (image/video/music) still worked. If he had ever tried to visit a security-related site, he would probably have 'smelled a rat' - but why should an artist do that? OK, I would do that, but I'm also a strange hybrid, 50% graphical and 50% digital, so I love numbers as much as colours...
Here's how SAS looked when finished:
"Totalt antal trusler" is Danish for "Total number of threats"...
Echo
Sat 31 October 2009 19:49:55 — BobJam
And if this person stores valuable data, it might be corrupted eventually, or otherwise infected. Data is at high risk no matter what, unless he/she does a clean install.
Yes
Sun 1 November 2009 13:32:55 — phantazm
I have advised him to back up his data, but I'd better remind him too...
so after removing 407
Sat 31 October 2009 01:03:20 — demonluo
So after removing 407 different kinds of malware, will you be able to install Malwarebytes & run the scan (just in case SUPERAntiSpyware missed something)?
BTW, Avira & Avast are much, much better than AVG (according to www.av-comparatives.org)...
August 2009
Total detection rates:
2. AVIRA 99.4%
5. Avast 98.0%
12. AVG 94.0%
Well, it's almost finished...
Sat 31 October 2009 02:47:12 — phantazm
Well, it's almost finished because we're still going to scan the PC with other AV programs in the near future. But it was only a 2-day visit, so it was a race against time to get a clean machine and reanimate his 'dead' version of AVG.
Yes, I know AVG isn't the best, but it ain't bad either. And it's the program he already knows. A new, unfamiliar program wouldn't be better, at least imo...
Hey phantazm!!
Sat 31 October 2009 09:32:16 — Athlonite
Next time you visit, could you post the LOG from SaS? There might be underlying infections that were not completely deleted (rootkits, for example). These are not completely detected by either MBAM or by SaS. You would need more sophisticated removal tools for this job, and I don't mean just a rootkit remover like Blackice or Sophos' antirootkit.
A rootkit, if left untouched, will steal your info. along with downloading more malware. TDSServ. is another dangerous malware that is not easily detected. Another possibility would be the Conficker virus, which IS detected by the "mrt" already installed on your PC via Windows updates. Lots of hidden threats are still on this PC, and the only way for us to detect them is to have the logs from SaS and, if possible, MBAM.
Athlonite.
Your help is always needed.
Cause for clean install
Sat 31 October 2009 19:58:01 — BobJam
This highlights my main reason for recommending a clean install. By the time you get done with these malware removal iterations (and STILL not be sure it was all successful), you could have done . . . say 4 or 5! . . . clean installs. Just do a clean install (along with a low level format to extinguish the rootkit possibilities) and be done with it!
I should have agreed ...
Sun 1 November 2009 03:14:12 — Athlonite
...the first time. Looking back on this thread and reviewing the answers, I should have also agreed that a reformat and re-install was the way to go. All this time without any protection from either antivirus or antispyware could and would have compromised this PC beyond repair. But by looking over the logs (which is always interesting, to see what an unprotected PC has picked up), this would ensure that our advice on re-installing was in order.
When you go back to your friend's house to finish your work, run a HijackThis and upload to VirusTotal : http://www.virustotal.com/ to see if any of the antivirus still pick up any hidden infections. This would probably ensure that a Flatten and Pave approach is the right way to go.
I know it's a long process if you haven't done this before but, BobJam has outlined all the steps to take so, you should be good to go if you so desire.
Athlonite.
Your help is always needed.
MBAM
Wed 28 October 2009 22:08:52 — g7w
Download MBAM and its recent definition file.
If MBAM cannot or will not install on the infected machine...
Since it's portable, tie the 2 PCs together, i.e. network them, and scan the infected PC remotely from the clean PC.
Otherwise, low-level reformat the notebook's HD: use Disk Manager and write 0's, then rebuild the MBR, reformat, and reinstall Windows XP, get *all* the updates, and move to Avira or Avast for free AV.
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W