Solved

Cannot Find Source of Virus Spreading on the Network

Posted on 2011-03-25
Last Modified: 2013-11-22
Our network is currently infected with a virus of some form that we have been unable to identify. Even when we have imaged machines, the virus reappears on the machine soon after users go back to using the machine.

Most AV software does not even see a problem on the machines. We believe it to be a rootkit.

ComboFix seems to remove the infection, but does not tell us exactly what is happening.

What can we do on our network to find or track this activity?  Would packet captures help?
Question by:AutomatedIT
8 Comments
 
LVL 4

Assisted Solution

by:MaximumIQ
MaximumIQ earned 1000 total points
ID: 35219514
Here are a few things to try

1. Stick with one infected machine. Keep trying different anti-virus programs until you find one that can remove it and tell you where all the infected files are, then post the results.

2. Identify shared network resources that can be replicating the infection. This can be a program that's executed directly from a shared path, shared documents, spreadsheets, etc.

3. Use Wireshark to capture network activity and analyze that for anything suspicious.

In most cases, viruses like this replicate through roaming profiles (more so if your users switch computers often) or from running an infected network resource. The trick is to find an anti-virus that's aware of the virus and would notify you as soon as it tries executing.
 
LVL 11

Expert Comment

by:Patmac951
ID: 35219523
Have you checked the registry on the infected computers to see what runs during startup?

Run the regedit command and navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Make sure there are no strange entries that appear to be random characters that are set to run during startup. Secondly, check the Task Manager for random process names. If you see anything strange or odd, Google it and you should be able to find out exactly what this virus is and how it spreads.
 
LVL 11

Expert Comment

by:Patmac951
ID: 35219540
Also check the registry in this area, in case the process is specific to the current user and not the system:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
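A way to make the Run-key check above systematic across many machines: export both keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run-hklm.reg` (and the HKCU equivalent) and run the exports through a script that flags the entries worth looking at first. The following is an added example, not code from this thread. The `.reg` content is constructed, and the heuristics (a pronounceability test for "random characters" names, a list of user-writable directories, and system binary names that do not belong outside the Windows directory) are assumptions about what malware autoruns tend to look like, not rules the thread states.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export` writes for the two Run keys
# (minus the UTF-16 encoding). Every entry below is made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"xkqzwvrt"="C:\\Users\\Public\\xkqzwvrt.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"3f9a1c7b"="C:\\Users\\alice\\AppData\\Local\\Temp\\3f9a1c7b.exe"
"Windows Update"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''

# Assumed heuristics: places a non-admin user can write to, and binary names
# that only belong under the Windows directory.
USER_WRITABLE = re.compile(
    r'(\\users\\|\\temp\\|\\appdata\\|\\programdata\\|%temp%|%appdata%|\\recycler\\)', re.I)
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.I)
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "smss.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key path: {value name: string data}}.

    Only REG_SZ values ("name"="data") are kept; hex:/dword: data and the
    @ default value are ignored, since Run entries are always strings.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = re.sub(r'\\(.)', r'\1', data[1:-1])
    return keys


def looks_random(name: str) -> bool:
    """Crude pronounceability test: real product names have vowels and few digits."""
    if len(name) < 6:
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters) if letters else 0.0
    return vowel_ratio < 0.2 or digits >= 3


def flag_suspicious(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (key, name, data, reasons) for every entry that trips a heuristic,
    most reasons first, so the top of the list is what to look at."""
    findings = []
    for key, entries in keys.items():
        for name, data in entries.items():
            reasons = []
            if looks_random(name):
                reasons.append("random-looking value name")
            if USER_WRITABLE.search(data):
                reasons.append("executable lives in a user-writable directory")
            exe = EXE_RE.search(data)
            if exe and exe.group(1).lower() in SYSTEM_BINARIES and "\\windows\\" not in data.lower():
                reasons.append("system binary name outside the Windows directory")
            if reasons:
                findings.append((key, name, data, reasons))
    findings.sort(key=lambda f: len(f[3]), reverse=True)
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in flag_suspicious(parse_reg_export(SAMPLE_REG)):
        print(f"[{len(reasons)}] {key}")
        print(f"    {name} = {data}")
        print("    " + "; ".join(reasons))
```

On a real export, read the file with `open(path, encoding="utf-16")`, since recent Windows versions write `.reg` files as UTF-16. The point of the third heuristic is that a name like "Windows Update" passes the "random characters" test; the path is what gives it away, so check both columns before dismissing an entry. Entries with a single reason (a legitimate per-user install such as OneDrive under AppData) are normal; two or more deserve a look.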
 
LVL 38

Expert Comment

by:younghv
ID: 35219843
We've had a couple of similar questions lately that ended up being an infected router.
Review this information:
http://tidystorm.com/423/the-redirect-virus-was-in-my-router/

Give that a try and then use the information in these Articles to attack the malware in your workstations:

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
 
LVL 1

Accepted Solution

by:vagedis23
vagedis23 earned 1000 total points
ID: 35219983
What kind of problems are your users experiencing because of this virus?

- Change the passwords of all accounts with administrator rights.
- Do not use default or easy-to-guess passwords on any device, e.g. WiFi routers, switches, printers, etc.
- Do not allow anyone to connect USB sticks, iPods, smartphones, etc. to any of the computers on your network.
- Make sure users do not log on with administrative rights to their PC. 90 percent of all malware cannot infect a PC if the user has no administrative rights.

To find the root cause:
- Reinstall a computer that is not connected to any network, and install a free firewall such as ZoneAlarm. Make sure it is set to block all traffic.
- Make sure the passwords on this computer are not used on any other machine in your network.
- Use an original CD to perform the installation of the OS.
- Download ZoneAlarm on a clean and trusted PC and save it on a new USB stick that has never been used before.
- Update the reinstalled PC with all security fixes available on a trusted network. Update ZoneAlarm too.
- Connect the fully updated PC to the network with the virus problem.
- Log on with a user that has no administrator rights.
- Wait for ZoneAlarm to show you popups about IP addresses that try to connect to the reinstalled PC.

When you recognize a computer or ip address that is trying to connect to your new clean pc, for no apparent reason, disconnect that computer from the network.
   
Download a bootable anti-virus CD, and boot the computer that tried to access the reinstalled PC from that CD. Perform a full scan of the hard disk and see if any malware is found.

Sardu is a free tool that can download and create a bootable CD/DVD of several different AV companies. I usually use the Bitdefender or Kaspersky boot CD. You can find Sardu here ..
 
http://www.sarducd.it/

Zone alarm you can find here ..

http://www.zonealarm.com/security/en-us/anti-virus-spyware-free-download.htm

Good luck !
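The monitoring step of this answer and MaximumIQ's Wireshark suggestion above both come down to the same question: which internal host is initiating connections it has no business making? A clean sensor PC that nobody should be talking to makes every inbound SYN interesting, and a worm that walks the subnet on one port stands out even without a sensor. The following is an added example, not code from this thread. It scores SYN-only connection attempts exported from a capture with `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`; the sample rows are constructed, and the sensor address 10.0.0.200 and the scan thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Syn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int


def _constructed_sample() -> str:
    """Constructed CSV rows in the tshark field order above: epoch,src,dst,dstport."""
    lines = []
    t = 1301000000.0
    # 10.0.0.23 walks the /24 on tcp/445, sensor included: worm-like SMB spreading
    for i in range(1, 13):
        lines.append(f"{t + i * 0.2:.6f},10.0.0.23,10.0.0.{i},445")
    lines.append(f"{t + 3:.6f},10.0.0.23,10.0.0.200,445")
    # 10.0.0.77 probes a dozen ports, but only on the sensor
    for p in (135, 139, 445, 1025, 3389, 5900, 21, 22, 23, 80, 443, 8080):
        t += 0.5
        lines.append(f"{t:.6f},10.0.0.77,10.0.0.200,{p}")
    # 10.0.0.50 is a user browsing an intranet server: normal
    lines.append(f"{t + 10:.6f},10.0.0.50,10.0.0.10,80")
    lines.append(f"{t + 11:.6f},10.0.0.50,10.0.0.10,443")
    # a non-TCP frame that slipped through, exported with an empty tcp.dstport
    lines.append(f"{t + 12:.6f},10.0.0.50,10.0.0.1,")
    return "\n".join(lines) + "\n"


SAMPLE_CSV = _constructed_sample()


def parse_syn_csv(text: str) -> List[Syn]:
    """Parse tshark field output; rows without a TCP destination port are skipped."""
    syns = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 4 or not fields[3]:
            continue
        syns.append(Syn(float(fields[0]), fields[1], fields[2], int(fields[3])))
    return syns


def analyze(syns: List[Syn], sensor_ip: str,
            host_threshold: int = 5, port_threshold: int = 8) -> Dict[str, List[str]]:
    """Return {source IP: [reasons]} for sources that scan horizontally (many hosts,
    one port), vertically (many ports, one host) or touch the sensor at all."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {dport}
    sensor_ports = defaultdict(set)                          # src -> {dport}
    for s in syns:
        hosts_per_port[s.src][s.dport].add(s.dst)
        ports_per_host[s.src][s.dst].add(s.dport)
        if s.dst == sensor_ip:
            sensor_ports[s.src].add(s.dport)

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, by_port in hosts_per_port.items():
        for dport, hosts in by_port.items():
            if len(hosts) >= host_threshold:
                findings[src].append(f"horizontal scan: {len(hosts)} hosts on tcp/{dport}")
    for src, by_host in ports_per_host.items():
        for dst, ports in by_host.items():
            if len(ports) >= port_threshold:
                findings[src].append(f"vertical scan: {len(ports)} ports on {dst}")
    for src, ports in sensor_ports.items():
        findings[src].append(f"unsolicited SYN to sensor {sensor_ip} on tcp/{sorted(ports)}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyze(parse_syn_csv(SAMPLE_CSV), "10.0.0.200").items():
        print(src)
        for r in reasons:
            print("   ", r)
```

Filtering on SYN without ACK keeps only connection attempts, so the infected host's own traffic is what gets counted rather than replies to it; with a capture taken on the sensor PC alone only the third rule fires, while a capture from a SPAN or mirror port also exposes the horizontal sweep, which is the signature to look for when the suspicion is a rootkit spreading by itself.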
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 35220878
Since ComboFix did remove the virus, the log should also show what files were deleted and the quarantine should also show what registry keys/values were deleted.

Could we look at the ComboFix log?

You could also get the files from the quarantine folder and upload it to jotti.org to have it scanned and find out the name of the virus.

As also suggested by younghv, could also be an infected router only IF you're using a default password.
 
LVL 1

Author Comment

by:AutomatedIT
ID: 35323646
Used Wireshark rather than ZoneAlarm, but the result was pretty much the same.

Thanks!