
Solved

bad case of malware/trojan

Posted on 2012-03-21
947 Views
Last Modified: 2013-11-29
I have a computer that is infected with some form of malware/trojan. It came from an email and the user clicked on it. I believe this is some form of malware/spyware. What the malware/trojan did was transfer funds out of the bank account. I spoke to the antivirus company and they now have a definition file to protect against it, but it was undetected. Since then I have taken the computer offline. Has anyone run into this, and what have they done?


thanks
Question by: officertango
16 Comments
 
LVL 10

Accepted Solution

by: pclinuxguru (earned 375 total points)
ID: 37747709
http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/

The machine was reformatted and the user had to change all their passwords for their financial sites.

Obviously I recommended the user report the fraud.
 
LVL 9

Assisted Solution

by: Ashok Dewan (earned 375 total points)
ID: 37747730
If you have that email address or malware file then you can upload it for analysis.

http://www.comodo.com/home/internet-security/submit.php
http://valkyrie.comodo.com/
http://camas.comodo.com/
http://anubis.iseclab.org/index.php
http://www.xandora.net/upload/
http://apac.pandasecurity.com/autovin/?page_id=27246/
http://www.threatexpert.com/submit.aspx
https://vms.drweb.com/sendvirus/
http://www.sunbeltsecurity.com/sandbox/
http://www.norman.com/security_center/security_tools/
https://www.vicheck.ca/

Or http://contagiodump.blogspot.in/  you can drop your file here for analysis at the bottom.

They can give you a whole description of the malware piece that is undetectable.

And try different antiviruses to get rid of it. Another antivirus could have a different signature to detect it.
 
LVL 38

Assisted Solution

by: younghv (earned 375 total points)
ID: 37747853
I suggest that you use tools that are designed to disinfect/repair malware damage - and that does NOT include any anti-virus programs. Their function is 'prevention', not repair.

There are basic steps to take as a starting point in treating an infection. Please review the information in these EE Articles:

Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware

For "RogueKiller", you may substitute TheKiller
Download TheKiller to your Desktop
http://maliprog.geekstogo.com/explorer.exe

Note that TheKiller is renamed as explorer.exe
Run it by double-clicking it
Press the OK button after the program finishes
Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix

 
LVL 10

Expert Comment

by: pclinuxguru
ID: 37748021
The problem with viruses and malware is that they are always morphing. It is beyond just damage; it actually costs someone money. You could spend hours trying to "fix" the machine and you may or may not totally clean it.

The hours spent trying to remove it, with it possibly never being completely gone, could be better spent backing up the user's data, reformatting the machine (unwanted software definitely gone), updating the OS with all updates and restoring the data if you believe the data is clean.

That is the only way to get it 100% clean.
 
LVL 38

Expert Comment

by: younghv
ID: 37748053
"That is the only way to get it 100% clean."

That is a demonstrably incorrect statement. There are known variants of malware that will survive a hard drive format reinstall and continue infecting the new OS.

The "nuclear" option is always a method of last resort and available if needed.

With that said, why not spend 30-45 minutes using known successful methods in an attempt to get the system clean and functional again?
 
LVL 10

Expert Comment

by: pclinuxguru
ID: 37748079
Please inform me of one that can withstand a format. I'll install it and see if you're correct.
 
LVL 10

Expert Comment

by: pclinuxguru
ID: 37748185
I am sorry, I should have been more specific.

Before formatting the HD:
* Boot your system into MS-DOS with a bootable disk or floppy.
* Type fdisk /mbr and press ENTER
* Restart

This normally happens anyway when you're doing a clean format.
 
LVL 38

Expert Comment

by: younghv
ID: 37748272
officertango,
I'm going to bow out of this question and avoid further useless discussion.

The infection you are dealing with is well over a year old and is primarily caused by users who don't keep their OS and applications fully patched and updated.

There are any number of specialized tools that will clean this for you. In addition to what I've mentioned above, you can also try MSRT from Microsoft (http://www.microsoft.com/security/pc-security/malware-removal.aspx)

You probably already know this, but you might want to check the profiles of those offering you advice (just click on the Expert name at each comment).  

EE doesn't really censor comments/suggestions that are posted, so it is up to you to determine the knowledge/experience levels of those offering advice.

/unsubscribed
 
LVL 6

Expert Comment

by: xeroxzerox
ID: 37748445
Never underestimate the human brain....
A virus can persist after formatting the hard drive and recreating the MBR

http://www.globalnet-iti.com/innovations/blog/1st-virus-that-infects-a-computer-s-bios-is-discovered/

Storing the malicious code inside the BIOS ROM could actually become more than just a problem for security software, giv[en] the fact that even if antivirus detect(s) and clean(s) the MBR infection,
 
LVL 9

Expert Comment

by: Ashok Dewan
ID: 37748484
Thanks xeroxzerox for this updated info on the new virus; good for my knowledge.
 
LVL 10

Expert Comment

by: pclinuxguru
ID: 37748497
Frankly I already apologized if what I said came off wrong.

Both younghv and myself are correct.

You can clean it utilizing many tools that do it, if it is a simple malware infection that more than likely will not reappear and doesn't take a week of tracing and posting logs.

If it is something that keeps coming back, then formatting the hard drive and MBR is the next step.

For the rare occasion your BIOS is infected, reflashing the BIOS may work, but you would want to contact your manufacturer or purchase a new MB.
 

Author Comment

by: officertango
ID: 37750343
Wow, I thought a simple format of the hard drive and reinstall of the OS did the trick. I guess not???
 
LVL 5

Assisted Solution

by: 9660kel (earned 375 total points)
ID: 37753390
I worked with Russell on an infection of the ZeroAccess rootkit, which had an MBR component.

In a business setting, I would probably opt for Darik's Boot and Nuke, which essentially scrubs the hard drive, but that particular pest is a very nasty piece of work. (Most hard drive makers also have a utility to overwrite the entire disk, so there is no need for a floppy drive.)

I like to find out which pest is involved before I wipe a system. Part of the reasoning is that a true virus can spread to other machines, while trojans and friends do not. Also, some pests are really easy and fast to remove, which avoids the lengthy and painful re-configuring for the user.

For a BIOS-resident infection, which I thankfully haven't seen in the wild yet, I would call the board maker and order a new BIOS chip; they usually run $2-3, and if the board is fairly new, they may not charge at all. Another note: most modern boards have a BIOS setting to prevent writing to the BIOS, which was necessary to stop the Chernobyl (CIH) virus, which would overwrite the BIOS, making the board too stupid to POST. (Most people don't set this option, but all stand-alone boards have it, and most Dell, HP, etc.)

My protocol is pretty simple, keep the OS and software up to date. Document the systems regarding installed software. Have a recovery plan in place before bad things happen. If a system appears to be infected, isolate the system immediately and ascertain the nature of infection, if any. Search for the identified pest, and how to remove it. If all else fails, dust off and nuke the site from orbit, it's the only way to be sure.
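Whether the MBR survived the reformat that pclinuxguru's fdisk /mbr step and 9660kel's ZeroAccess note both concern can be checked rather than assumed. The following Python is an added example, not code from this thread or from any tool it mentions: it parses a 512-byte MBR sector, hashes the boot-code region and compares it with a known-good baseline hash; the sample sector, the disk signature and the baseline are all constructed here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440            # boot code precedes the 4-byte disk signature at offset 440
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"    # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA start, length


def parse_mbr(sector: bytes) -> dict:
    """Parse one MBR sector into a boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, lba_len = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:          # type 0 means the slot is unused
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": lba_len})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": entries,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region no longer matches the known-good baseline hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR with one bootable NTFS-type (0x07) partition; not from a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)                  # constructed disk signature
    struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed data: a "clean" sector whose hash becomes the baseline, and a tampered copy
# whose boot code differs while the partition table and signature are left intact.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("tampered changed:", boot_code_changed(TAMPERED_MBR, BASELINE))
```

On a real machine the 512 bytes would come from the first sector of the physical disk read from a clean boot medium, and the baseline would be the hash recorded right after the fresh install.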
 

Author Closing Comment

by: officertango
ID: 37822353
na
