james_axton

asked on

What have we missed? Network user gets malware in spite of best efforts

The point here is to double-check our work and get advice from the community.  A high-level employee frequently gets malware of the "Buy this Antivirus now" variety which - while annoying - is typically easy to clean.  A few days ago the malware was much worse and has prompted this question - what are we missing?

The machine is not locked down - the user is an Administrator on the local workstation but not on the server it is attached to.  The only other thing we noticed was that Java was slightly out of date.  Other than that, things look okay.  The machine runs Symantec A/V (corporate) and Microsoft Security Essentials simultaneously.  Internet Explorer has been removed and replaced with Firefox so that pop-ups can be disabled, and the Adblock Plus add-on is installed and running.  Finally, the websites the user visits test okay on other machines (and server logs document the access).  Is the tech staff here missing something or are we simply dealing with (forgive me) one very clueless user?    

If the answer is the user, what more can we do to stop future infections based on the information provided here.  Thanks.
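One way to audit the specific items this question raises (local Administrator rights, an out-of-date Java runtime, two real-time AV engines running together, and missing updates) on a single workstation. This is an added example, not something posted in the thread; it assumes Windows 10 or later with PowerShell 5.1, run from an elevated prompt, and the function name Get-WorkstationPostureReport is my own.

```powershell
# Added example (not from the thread): check a workstation for the gaps the
# question describes. Assumes PowerShell 5.1+ on a client Windows build, run
# elevated. Get-WorkstationPostureReport is a hypothetical name.
function Get-WorkstationPostureReport {
    $findings = @()

    # 1. Is the logged-on user a member of the local Administrators group?
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name
    if ($admins -contains $me) {
        $findings += "$me is a local Administrator: a drive-by install runs with full rights."
    }

    # 2. Which Java runtimes are installed, and at what version? (uninstall registry keys)
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $java = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Java*' }
    foreach ($j in $java) {
        $findings += "Java installed: $($j.DisplayName) $($j.DisplayVersion); verify it is current or remove it."
    }

    # 3. How many antivirus engines are registered with Security Center?
    $av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
            -ErrorAction SilentlyContinue)
    if ($av.Count -gt 1) {
        $findings += "Multiple AV engines registered ($($av.displayName -join ', ')); keep one real-time scanner."
    }

    # 4. Are there updates waiting to be installed? (Windows Update Agent COM API)
    try {
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
        if ($pending.Count -gt 0) {
            $findings += "$($pending.Count) update(s) pending installation."
        }
    } catch {
        $findings += "Could not query Windows Update: $($_.Exception.Message)"
    }

    if ($findings.Count -eq 0) { $findings += 'No findings for the four checks above.' }
    return $findings
}

Get-WorkstationPostureReport
```

Each line returned is one item to fix or explicitly accept; a host that reports nothing still needs the user-behaviour discussion below, since none of these checks can stop someone from clicking a fake "scan now" prompt.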
ITguy565

James,

I would suggest running Malwarebytes on this workstation, as well as TDSSKiller and ComboFix.

The problem you are describing makes me believe there is a rootkit on this machine that is masking the real problem from your antivirus scanner.

james_axton (ASKER)

itguy565 - I should quickly note that the machine is already fixed and clean, as it was before the incident.  I'm not asking what to do to fix it, but rather looking for advice going forward :)
Malwarebytes can be downloaded from: http://www.malwarebytes.org
TDSSKiller can be downloaded from: http://support.kaspersky.com/faq/?qid=208283363
ComboFix can be downloaded from: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Another tool you could look at would be GMER: http://www.gmer.net/
ITguy565
If there is a rootkit on this machine you will have to remove that first. This could very easily prevent your virus detection software from detecting and removing the real threat.
itguy565, checking for updates is a good suggestion, and there was a small number that needed to be applied.

fmarshall, no kids at all, just the user.  But the introduction of parental controls is another good idea, even for executive employees :)  You also backed up the theory that we're just dealing with a single bad user, rather than it being something that someone missed.

younghv, you are right - running the two of those apps against each other is silly.  One will be removed.  You're also right on both counts with Symantec - it's required, and it is sub-par.
Thank you for responding.

I am convinced that Malwarebytes (Pro) is the best augmentation program you can run in establishing your 'Defense in Depth'. Regardless of the AV product/suite you are running, you will be providing a much broader breadth of protection.

The "Enterprise" (Server based) product has not been released yet, but you can buy multiple licenses (Server and Workstation) at a substantial discount.

If you don't mind, please list the steps you took while cleaning. I've really had my eyes opened here on EE - and other forums - about how out of date some of my own methods were.

Another EE Article I think worth reading for anyone dealing with malware:
Malware Fighting – Best Practices
Yes, even with protection, there are "rules".
And even with "rules" there are "bad actors" ... but I would not label them "bad" really, just inquisitive, adventurous.
I'd not go so far as to say "naive" but naivete does factor into this type of problem.
For example, if you get a flashing popup that says FIX IT NOW !!!!  FLASH FLASH FLASH  CLICK HERE NOW!!!
Some folks will hasten to click at the first opportunity.  Others will be more cautious.  Others will run like hell and do nothing or exit out as best possible.  So a lot depends on temperament and some on training.

Try to download Free AVG or Malwarebytes and see how many opportunities you're presented with to, by default, select the Trial version instead of the Free version.  That's a good example of where temperament comes into play.  The more adventurous a person is, the more likely they are to encounter such things.  I really believe there is *no* protection good enough under those circumstances.  That's what I see in practice; fortunately not very often.  (I live in a small community where customer loyalty and repeat business is high - so I get a good chance to see the repeat cases).
James,

I left several applications at the top; did you get a chance to run them?
Thanks all!  More replies tomorrow and we'll close this out as well.
younghv, we agree with you about MalwareBytes.  Very quickly here are the usual cleaning steps (they match very closely with what itguy565 said): 1) Task Manager to stop the offending process; 2) HijackThis to remove rogue entries; 3) Reboot to Safe Mode; 4) Malwarebytes update and scan; then if necessary 5) Combofix / TDSSkiller.  That's it.  Anything still present gets a Google search afterward, but that's rare.  

itguy565, as I stated earlier the issue has since been cleaned, I promise :) - this was more of a check on what more could be done.  But thank you for the suggestion on checking those updates!

I'll close this out and split the points.
Thanks so much everyone!
As noted in the Best Practices Article, Safe Mode scans are problematic for several reasons.

Note these comments from MS MVP 'rpggamergirl':
"SAFE MODE SCANS

If your computer will boot to “Normal Mode”, then in all cases that is how you should attempt to make the repair.
(The following comments in italics are courtesy of rpggamergirl):

During a Safe Mode boot, most malware processes are not running and Malwarebytes' heuristic detection can't detect them.

Malware processes must be active while doing the scan so scanning in Safe Mode is not going to be as effective.

Malwarebytes’ Direct Disk Access (DDA) is not running so the detection of rootkits and other stealth hidden nasties in this mode is not optimized.

While malware processes are not active in Safe Mode, most rootkits are - so MBAM is disadvantaged and will miss detecting them.

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced."

Naturally, if the system will only boot to "Safe Mode", then you will have to run your scans that way. You should warn people of the inherent problems when doing so and let them know that they need to run a full scan in "Normal Mode" ASAP.

About HijackThis: originally one of the most efficient tools in the malware fight, it has not been maintained or developed to recognize or repair current malware. The original developer (Merijn) sold his product to Trend and now works on the Malwarebytes team.
younghv, that's good advice on Safe Mode, so thank you!  HijackThis is admittedly a habit-application, but it still offers a way to view the registry and services quickly in the initial stage of getting eyes on the workstation.  
Thank you.

I agree that HJT does give you a look at the applications and registry and it does serve a purpose.

You might also want to take a look at "OldTimer's List" (OTL).
Much more comprehensive, but 'script driven'. The initial run is ONLY a report of what is going on; then you decide what changes you want to make.
http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/

Gotta love anything written by an 'Old Timer'.
I understand the caveats about safe mode.  It's hard to disagree with the logic.
But, I've found a number of cases where:

While the computer *will* boot normally, there are things that just don't work or don't work right and cleanup is stalled as a result.  In this case Safe Mode is one way to reduce the troubles before getting back into normal mode.

I have found that cleanups can move slowly at first and then accelerate as cleanup steps are taken.  It can be discouraging at first because of the slow progress.  In the end, if there's a rootkit and the tools don't deal with it, then more drastic measures are necessary.  I don't use ComboFix unless I feel that I have to.  Perhaps that's overly cautious.
Thanks for the heads-up on OTL as well!  We got a lot out of this, so thanks to everyone again for the back and forth!