1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Infected Machine

Discussion in 'Computer Security' started by tripwire45, Jan 9, 2004.

  1. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    This probably belongs in a different forum but it also is a troubleshooting issue so I put it in here. [EDIT: moved it for you, Trip.]
    I'm doing some small jobs for Zial and we've got a home user that appears to have an infected machine. The user is not techically savvy so she had a hard time explaining it to me.

    She started to have "symptoms" a few weeks ago but didn't really do anything about it until it became a big deal. She's getting all kinds of unwanted pop ups, browser's home page resets itself to a different site, the works. Her college age kids came home over the holidays and downloaded spybot to try and clean it out. NG. The stuff just came back. I figure it's in a file that periodically reachs out to the internet and pulls the junk back in.

    She couldn't even boot yesterday but can now. Outlook periodically refuses to open. Sometimes she'll get screen flicker.

    She has cable access and since it's "always on" I asked her to unhook it until I could have a look at the machine. It's a Sony Vaio (yuk) running XP home. It's an older machine that had it's OS upgraded a year or two ago. They have or had Norton on it but probably didn't pay the annual fee to have the automatic virus definition update service (woe is them).

    I'm set to go out tomorrow at 9 a.m. my time (about a little over 11 hours from now). Since you all should be waking up in a little bit, I figured it would give you most of your day to ponder the problem. I'm taking my laptop out in case I need to get to the internet and download a tool to clean this thing out and get it back up to speed. Any wisdom you want to provide before I tackle this one is of course, greatly appreciated. Thanks folks.
     
    Certifications: A+ and Network+
  2. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,412
    3
    82
    You could try downloading the free version of adaware to remove/clean the system, you would have to burn the install file to CD.

    Sounds like a browser highjack, is it 1-2-3- found.com, if so I got this once and even though I ran adaware AND pest patrol, both of which said that they had removed it, everytime I rebooted the machine it reinstalled itself, I had to search the registry to remove it fully and browes the Program files folder for it aswell.

    HTH
     
    Certifications: A+, 70-210, 70-290, 70-291
    WIP: 70-294
  3. AJ

    AJ Administrator Administrator

    6,771
    102
    221
    Deff spyware of some sort or other Trip :( , like Gator or something like that. Have a look in the installed software or search through the registry to see if Gator is there.

    HTH

    AJ
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Looking at doing ..................
  4. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    I spent quite awhile there and finally had to leave. Used Spyhunter which seemed to do a pretty good job and scanning for the little buggers. Most of them were erraticated but not all. Forgive my ignorance, but if Spyhunter scans the registry and personal profiles which it seems it does, and I then remove the malware, then where are they residing?

    Gator did show up but does not reoccur. What is reoccuring is ClientMan, MySearch, PeopleOn, and MyWay in the Registry and Adbureau and DoubleClick in Profiles.

    They had three virus infected files as well.

    I'm a little leery about manually checking the Registry since I'm not that savvy at Registry hacks. I was also thinking about downloading a freeware firewall such as Zone Alarm to alert users not only when something is trying to invade from the outside but when something already on the computer is trying to get out to the internet (so it can be blocked).

    I've only dealt with this problem once years ago. It took me a week to get all the stuff off finally and I don't recall all the steps I took. :(
     
    Certifications: A+ and Network+
  5. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Have you run Stinger on the machine, Trip - just to check for viruses, etc ?

    I'm sure you'll know the link (from Network Associates - its on the site here somewhere - I'll try and hunt it out). Just to rule out any nasties on the box.

    EDIT: For quickness, here is the link for Stinger, Trip
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  6. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    Keep the cards, letters, suggestions, and miracles coming in, folks. I have to try and tackle this one again Monday.
     
    Certifications: A+ and Network+
  7. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,412
    3
    82
    Download the free version of adaware, install it on there machine and update it by clicking the 'check for updates' button when the prog starts.

    I would'nt be too fritened about using regedit, I used to be the same as you until one day I had loads of stuff that kept installing itself, so I searched the reg and found them lurking in there and thought bugger it just delete them, and everything was fine.

    Backup the users files onto CD then run regedit, do a search for the names you listed above and if it find any just hit delete then F3 to continue the search, that way if it does go belly up (I'm sure it wont) you can reinstall all the users data.

    EDIT: there is an option to carry out a thourgh/deep search make sure this option is ticked
     
    Certifications: A+, 70-210, 70-290, 70-291
    WIP: 70-294
  8. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    For Adaware, look at LavasoftUSA

    The guys are right - it is ridden with spyware. Doubleclick is a well-known piece of spyware, as I assume the rest are too.

    With all the above info, you'll crack it and clean it no probs, Trip :thumbleft
     
    Certifications: MCP, A+, Network+
    WIP: Clarity

Share This Page

Loading...