Status: Solved

What have we missed? Network user gets malware in spite of best efforts

The point here is to double-check our work and get advice from the community.  A high-level employee frequently gets malware of the "Buy this Antivirus now" variety which - while annoying - is typically easy to clean.  A few days ago the malware was much worse and has prompted this question - what are we missing?

The machine is not locked down - the user is an Administrator on the local workstation but not on the server it is attached to.  The only other thing we noticed was that Java was slightly out of date.  Other than that, things look okay.  The machine runs Symantec A/V (corporate) and Microsoft Security Essentials simultaneously.  Internet Explorer has been removed and replaced with Firefox so that pop-ups can be disabled, and the Adblock Plus add-on is installed and running.  Finally, the websites the user visits test okay on other machines (and server logs document the access).  Is the tech staff here missing something or are we simply dealing with (forgive me) one very clueless user?    

If the answer is the user, what more can we do to stop future infections based on the information provided here?  Thanks.
0
Asked by: james_axton
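As an added check, written for this question and not part of the question or of any answer: a read-only PowerShell audit of the four conditions the question describes (the user holding local Administrator rights, two real-time scanners installed side by side, patches not yet applied, and an out-of-date Java runtime). It assumes PowerShell 5.1 or later on a Windows workstation SKU (the `root/SecurityCenter2` namespace does not exist on server editions), an elevated prompt so the update query succeeds, and a decoding of `productState` that follows the commonly used convention rather than a documented contract; the registry path for the Java runtime version is likewise an assumption about how Oracle's installer records it.

```powershell
# Added example (not from the question or answers): read-only audit of the
# conditions the question lists. Requires PowerShell 5.1+ on a Windows
# workstation SKU; run elevated so the Windows Update query succeeds.

function Get-AvState {
    # Decode SecurityCenter2 productState with the commonly used convention
    # (assumption): hex digits 3-4 == '10' => real-time protection on,
    # hex digits 5-6 == '00' => definitions up to date.
    param([int]$State)
    $hex = '{0:X6}' -f $State
    [pscustomobject]@{
        RealTimeOn   = ($hex.Substring(2, 2) -eq '10')
        DefsUpToDate = ($hex.Substring(4, 2) -eq '00')
    }
}

$report = [ordered]@{}

# 1. Direct membership of the logged-on user in the local Administrators group
#    (nested domain-group membership is not resolved here)
$user   = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
$report['UserIsLocalAdmin'] = $admins -contains $user

# 2. Registered antivirus products; two with real-time protection on is the
#    on-access conflict younghv warns about
$av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct)
$report['AntiVirusProducts'] = ($av | ForEach-Object {
    $s = Get-AvState $_.productState
    '{0} (realtime={1}, defsCurrent={2})' -f $_.displayName, $s.RealTimeOn, $s.DefsUpToDate
}) -join '; '
$report['RealTimeScannersEnabled'] = @($av | Where-Object { (Get-AvState $_.productState).RealTimeOn }).Count

# 3. Updates not yet installed, via the Windows Update Agent COM API
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$report['PendingUpdateCount'] = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count

# 4. Installed Java runtime version (assumed registry location), to compare
#    against the current release by hand
$jre = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
$report['JavaRuntimeVersion'] = if (Test-Path $jre) { (Get-ItemProperty $jre).CurrentVersion } else { 'not installed' }

[pscustomobject]$report | Format-List
```

A `RealTimeScannersEnabled` value of 2 reproduces the Symantec-plus-MSE overlap described in the question; `UserIsLocalAdmin` being true is the single finding most worth changing, since every drive-by installer then runs with full rights on the workstation.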
3 Solutions
 
itguy565 commented:
James,

I would suggest running Malwarebytes on this workstation, as well as TDSSKiller and ComboFix.

The problem you are describing makes me believe there is a rootkit on this machine that is masking the real problem from your antivirus scanner.

0
 
james_axton (Author) commented:
itguy565 - I should quickly note that the machine is already fixed and clean, as it was before the incident.  I'm not asking what to do to fix it, but rather looking for advice going forward :)
0
 
itguy565 commented:
Malwarebytes can be downloaded from: http://www.malwarebytes.org
TDSSKiller can be downloaded from: http://support.kaspersky.com/faq/?qid=208283363
ComboFix can be downloaded from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Another tool you could look at would be GMER : http://www.gmer.net/
0
 
itguy565 commented:
Even though the machine appears to be fixed, there is still an issue that is allowing viruses to enter this machine. Assuming the machine is fully patched using Windows Update, I would still recommend scanning the machine using the tools above.

There could be a Rootkit dropper on the machine in which case this would explain the constant infections that you have come under on this workstation.
0
 
itguy565 commented:
If there is a rootkit on this machine you will have to remove that first. This could very easily prevent your virus detection software from detecting and removing the real threat.
0
 
Fred Marshall commented:
This is a common, while not-so-typical situation.  I work on infected computers and my observations over many years of doing it go like this:
- the computer needs to have protection.  Here I'll assume that the computer *does* have protection.  I don't care a whole lot *which* protection really.  They all come out more or less the same.
- are there any "kids" using the computer?  This includes inquisitive or adventurous adults.  If so then there are likely very few things to do except:
1) educate the users
2) apply "parental controls" whether the user's an adult or not.  You don't have to say you did it.
(For example, some security programs will warn of bad web sites but leave that bad page a click away.  Parental controls will ask for a password to get through this step.  So, you turn on parental controls and don't give out the password.  I've done this in a particularly "parasite prone" computer when the number of calls I received became excessive for the customer.  I've not had ONE complaint and the computer has remained "clean".)

Notorious web sites with likelihood of parasites:

- Adult sites
- Warez sites
- Crack sites
- Computer driver search results....

Google "How did my machine get infected?"

In my experience, the problems occur when the users of protected computers are adventurous.  That's the bottom line.  So, you limit that adventurism as much as is possible within the constraints of your situation.
0
 
younghv commented:
"The machine runs Symantec A/V (corporate) and Microsoft Security Essentials simultaneously."

Although MSE is also an anti-spyware application, it is primarily for AV and I would never run them at the same time - they are both "on-access" applications and they could conflict with each other.

In your corporate environment, you are probably required to stay with Symantec - but my experience has always been that it just isn't a very effective product.

What are your other protections (firewall, HOSTS file modification, etc.)?

I've never seen a benefit to switching browsers, and the detriment is that now the IT techs have to learn the intricacies of an additional application. Managed properly, there is no reason to move away from IE.

Have a read of this EE Article - noting that it is written for the home user - but everything in it applies to an enterprise situation.
MALWARE - "An Ounce of Prevention..."

This Article deals with the initial steps I take when disinfecting and you can compare your actions to mine:
Stop-the-Bleeding-First-Aid-for-Malware
0
 
james_axton (Author) commented:
itguy565, checking for updates is a good suggestion, and there were a small number that needed to be applied.

fmarshall, no kids at all, just the user.  But the introduction of parental controls is another good idea, even for executive employees :)  You also backed up the theory that we're just dealing with a single bad user, rather than it being something that someone missed.

younghv, you are right - running the two of those apps against each other is silly.  One will be removed.  You're also right on both counts with Symantec - it's required, and it is sub-par.
0
 
younghv commented:
Thank you for responding.

I am convinced that Malwarebytes (Pro) is the best augmentation program you can run in establishing your 'Defense in Depth'. Regardless of the AV product/suite you are running, you will be providing a much broader breadth of protection.

The "Enterprise" (Server based) product has not been released yet, but you can buy multiple licenses (Server and Workstation) at a substantial discount.

If you don't mind, please list the steps you took while cleaning. I've really had my eyes opened here on EE - and other forums - about how out of date some of my own methods were.

Another EE Article I think worth reading for anyone dealing with malware:
Malware Fighting – Best Practices
0
 
Fred Marshall commented:
Yes, even with protection, there are "rules".
And even with "rules" there are "bad actors" ... but I would not label them "bad" really, just inquisitive, adventurous.
I'd not go so far as to say "naive" but naivete does factor into this type of problem.
For example, if you get a flashing popup that says FIX IT NOW !!!!  FLASH FLASH FLASH  CLICK HERE NOW!!!
Some folks will hasten to click at the first opportunity.  Others will be more cautious.  Others will run like hell and do nothing or exit out as best possible.  So a lot depends on temperament and some on training.

Try to download Free AVG or Malwarebytes and see how many opportunities you're presented with to, by default, select the Trial version instead of the Free version.  That's a good example of where temperament comes into play.  The more adventurous a person is, the more likely they are to encounter such things.  I really believe there is *no* protection good enough under those circumstances.  That's what I see in practice; fortunately not very often.  (I live in a small community where customer loyalty and repeat business is high - so I get a good chance to see the repeat cases).
0
 
itguy565 commented:
James,

I left several applications at the top, did you get a chance to run them?
0
 
james_axton (Author) commented:
Thanks all!  More replies tomorrow and we'll close this out as well.
0
 
james_axton (Author) commented:
younghv, we agree with you about MalwareBytes.  Very quickly here are the usual cleaning steps (they match very closely with what itguy565 said): 1) Task Manager to stop the offending process; 2) HijackThis to remove rogue entries; 3) Reboot to Safe Mode; 4) Malwarebytes update and scan; then if necessary 5) Combofix / TDSSkiller.  That's it.  Anything still present gets a Google search afterward, but that's rare.  

itguy565, as I stated earlier the issue has since been cleaned, I promise :) - this was more of a check on what more could be done.  But thank you for the suggestion on checking those updates!

I'll close this out and split the points.
0
 
james_axton (Author) commented:
Thanks so much everyone!
0
 
younghv commented:
As noted in the Best Practices Article, Safe Mode scans are problematic for several reasons.

Note these comments from MS MVP 'rpggamergirl':
"SAFE MODE SCANS

If your computer will boot to “Normal Mode”, then in all cases that is how you should attempt to make the repair.
(The following comments in italics are courtesy of rpggamergirl):

During a Safe Mode boot, most malware processes are not running and Malwarebytes' heuristic detection can't detect them.

Malware processes must be active while doing the scan so scanning in Safe Mode is not going to be as effective.

Malwarebytes’ Direct Disk Access (DDA) is not running so the detection of rootkits and other stealth hidden nasties in this mode is not optimized.

While malware processes are not active in Safe Mode, most rootkits are - so MBAM is disadvantaged and will miss detecting them.

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced."

Naturally, if the system will only boot to "Safe Mode", then you will have to run your scans that way. You should warn people of the inherent problems when doing so and let them know that they need to run a full scan in "Normal Mode" ASAP.

About HijackThis - originally one of the most efficient tools in the malware fight, it has not been maintained/developed to recognize or repair current malware. The original developer (Merijn) sold his product to Trend and now works on the Malwarebytes team.
0
 
james_axton (Author) commented:
younghv, that's good advice on Safe Mode, so thank you!  HijackThis is admittedly a habit-application, but it still offers a way to view the registry and services quickly in the initial stage of getting eyes on the workstation.  
0
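An added triage script, not the page's or any poster's own code, covering the quick look at autorun registry entries and services that the comment above uses HijackThis for: it lists the Run/RunOnce values for the machine and the current user, then the running services whose binaries are not signed by Microsoft, which is where the rogue entries from a "buy this antivirus" infection usually show up. It is read-only and assumes PowerShell 5.1 or later and an elevated prompt so `Get-AuthenticodeSignature` can read binaries under system paths; the path-extraction regex is a simplification and falls back to reporting the raw service command line when it cannot isolate the executable.

```powershell
# Added example (not from the page): read-only first-look at autoruns and
# services. Assumes PowerShell 5.1+; run elevated so signature checks on
# system binaries succeed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host '== Registry autoruns =='
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}
$autoruns | Format-Table -AutoSize

Write-Host '== Running services whose binary is not Microsoft-signed =='
$suspect = Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Isolate the executable: drop surrounding quotes, then anything after .exe
        # (simplified; an unparseable command line is reported as-is)
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(.+?\.exe).*$', '$1'
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unreadable' }
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{
                Service = $_.Name
                Path    = $exe
                Signer  = $signer
                Status  = if ($sig) { $sig.Status } else { 'n/a' }
            }
        }
    }
$suspect | Format-Table -AutoSize
```

Legitimate third-party software (the Symantec client, drivers, backup agents) will appear in the second list, so the value is in diffing it against a known-good workstation rather than treating every entry as malicious; an entry with a random name running from a user profile or temp directory, or a Run value pointing at a binary the signature check cannot read, is what merits a closer look.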
 
younghv commented:
Thank you.

I agree that HJT does give you a look at the applications and registry and it does serve a purpose.

You might also want to take a look at "OldTimer's List" (OTL).
Much more comprehensive - but 'script driven'. The initial run is ONLY a report of what is going on, then you decide what changes you want to make.
http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

Gotta love anything written by an 'Old Timer'.
0
 
Fred Marshall commented:
I understand the caveats about safe mode.  It's hard to disagree with the logic.
But, I've found a number of cases where:

While the computer *will* boot normally, there are things that just don't work or don't work right and cleanup is stalled as a result.  In this case Safe Mode is one way to reduce the troubles before getting back into normal mode.

I have found that cleanups can move slowly at first and then accelerate as cleanup steps are taken.   It can be discouraging at first because of the slow progress.  In the end, if there's a rootkit and the tools don't deal with it, then more drastic measures are necessary.  I don't use ComboFix unless I feel that I have to.   Perhaps that's overly cautious.
0
 
james_axton (Author) commented:
Thanks for the heads-up on OTL as well!  We got a lot out of this, so thanks to everyone again for the back and forth!
0