Spyware/Trojan/Virus?

goldenpirate
I have just been handed a computer, by a client, that displays the following symptoms:

1. extremely slow - has had this problem a week ago - did a reg clean and compact and HDD defrag, thought it was fixed;

2. has recurring security/virus/trojan warning pop-up dialog boxes (3). No matter what I do these pop-ups keep recurring. Behaviour: all have the usual "go", "cancel" and right-hand top corner "x" (shut down) buttons, however irrespective of which one is clicked Internet Explorer opens at a specific site, i.e.

pcsecuresystem dot com and
virusprotectionproonline dot com.

Closing down IE does not help as the pop-ups return several minutes later.

3. cannot do restore even in safe-mode. Restore points are there but unable to use them;

4. has 3 icons on the desktop that client does not know how they got there, they are iNet shortcuts to

safewebnavigate dot com;

5. there is also a continuous popup from what appears to be from the Windows Security Centre that the computer is under threat of an imminent internet attack - even tho the computer is not connected to the internet nor to a phone line;

6. also found the file csrss.exe active on the computer - did a search for the file using windows search but came up empty handed, the same result for a registry search;

Remedies tried so far:

installed the following - Norton Security Suite, Ad-Aware, and Javasoft antivirus (?). Have run all three in normal mode and safe mode and removed everything that they found. Pop-ups still continue.

After discussing the problems with a friend (who also knows the client) found out that the client has a habit of installing programs and then uninstalling them after he has had a look.

Questions:

1. are the three sites above genuine sites or are they rogue sites? If they are genuine do they have a habit of installing their software/malware by stealth (at the moment I am not prepared to open the sites on my computer for obvious reasons)?

2. how do I resolve the issues in (2) above short of deleting everything on the HDD and re-installing Windows XP? Have already suggested this to my client but he seems to be hesitant because of some of the programs that he wants to keep (obviously he has not saved the installation files).

I would welcome any suggestions/help etc as at the moment I feel like handing the computer back to the client with the comment: "Sorry, mate, nothing I can do but you WERE TOLD what NOT to do ........ etc, etc".

    Churdoo

    ... is a pain in the a$$

    No those sites are not genuine; that is a result of a nasty malware that is, as you've found, difficult to get rid of.

    We generally use both Spybot and Super antispyware to cleanse infested machines. For this one, since badly infected, you may also have to do some manual cleansing by going into safe mode and manually removing items from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

    Also manually inspect and remove items from IE. If IE7: Tools / Manage Add-ons / Enable or Disable add-ons; pre-IE7, use Windows Explorer to go to c:\windows\downloaded program files and remove suspicious items from there.

    You may have to repeat these steps and several reboots, but you'll eventually get it.
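A read-only triage script for the manual step Churdoo describes, added here as an example and not written by anyone in the thread. It assumes PowerShell on the affected machine, goes a little beyond the post by covering the RunOnce keys and HKCU as well as HKLM, flags autorun entries whose executable is missing or unsigned, and also checks the csrss.exe process goldenpirate mentioned against its expected System32 path.

```powershell
# Added triage script (not from the thread): enumerates the autorun entries
# under the Run keys, resolves each to an executable path, and flags entries
# that point at a missing file or one without a valid Authenticode signature.
# Read-only: it removes nothing, so review the output before deleting anything.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$command) {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   foo.exe -x
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        $exe = Get-ExePath $p.Value
        $status = 'MISSING FILE'
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $status = if ($sig.Status -eq 'Valid') { "signed: $($sig.SignerCertificate.Subject)" }
                      else { "UNSIGNED/INVALID ($($sig.Status))" }
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Exe = $exe; Status = $status }
    }
}

# The genuine csrss.exe runs from System32; a process with that name running
# from anywhere else (or not found by file search, as in the thread) is suspect.
# Reading the path of a system process needs an elevated prompt; $null means denied.
$expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
Get-Process -Name csrss -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -ne $expected)) {
        Write-Warning "csrss.exe (PID $($_.Id)) running from unexpected path: $($_.Path)"
    }
}
```

An unsigned entry is not proof of malware (plenty of legitimate older software is unsigned), so treat the list as a starting point for the manual inspection, not as a verdict.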

    goldenpirate

    Just spent the afternoon cleaning the machine of all the crap programs the client had loaded and ran a reg cleaning tool - found over 700 errors in the registry. Also found lots of screensavers installed.

    Also ran Microsoft's Malicious Software Removal Tool - didn't pick anything up - actually gave the computer a clean bill of health.

    These sites have hijacked the IE home page and won't let a reset to "about:blank" or anything else.

    Looks like Norton's Security Suite has reaffirmed my opinion of Norton products - a load of crap (needless to say it was removed).

    And why didn't I think about Spybot and Superantispyware? Thanks, will try both of them.

    Guess I'll now have to tell my client to stop downloading every program he comes across or next time he brings the computer back my charges will suddenly double.

    The other side of the coin is that his worst nightmare might come home to roost - a complete wipe of the hard drive and reinstallation of Windows heh, heh :-))

    goldenpirate

    Just spent 12 solid hours trying your way. Spybot and Superantispyware were absolutely hopeless in this situation - because they had not been installed prior to the infestation - as were a lot of others.

    However, the situation has been resolved by wiping HDD etc.

    Cheers & thanks

    douglasemc

    The best thing you can do is to copy all of his files to an external hard drive (don't use the network) and wipe the computer clean.
    Reinstall the OS and applications and start from scratch. If you are in a corporate network, remove his admin privileges so he won't install any more programs.
    I recommend a good tool called Spybot seek and destroy along with AVG antivirus (both freeware).


    sincerely

    -D

    goldenpirate

    Checked the home page for Spybot seek & destroy but unfortunately it seems to have gone commercial; you now have to pay for it. That's not surprising considering how good it is.

    But I think that I will be wiping the hard drive and starting from scratch again. This seems to be the general opinion wherever I've looked on the net. Considering the low fee I'm charging this person I've already spent too many hours on this problem.

    It's 5:07 in the morning here and I've been at this all night.

    thanks

    mjd420nova

    I just recently cleaned a laptop of these nasty programs. First I ran a disk cleanup, Adware, Spybot and then McAfee virus scan. This cleaned it out after the internet options were checked and the homepage set properly. Some infections also flash the BIOS and can't be cleaned until the BIOS is set to default to get rid of them. I wish that someone would come down hard on these sites and close them down.

    goldenpirate

    Not only should the people responsible be prosecuted but their IPs as well.

    But I also think that a bit of responsibility must lie with the computer owners, particularly those people who run Outlook Express with the view pane open, or who open every email that they get even though they don't know the sender.

    Every system I set up I make sure that the view pane is closed and I stress in no uncertain terms that if they get email from an unknown sender to bin it immediately.

    I also stress that they don't ever download "free" screensavers because a lot of them, particularly those with the .exe extension, usually have malware/viruses/trojans hidden in them.

    But what can you do when some computer owners won't even take the most basic of precautions before going on the net?

    Maybe I shouldn't complain after all, tho not my bread-and-butter, it does get me a little bit of cash to upgrade my own equipment now and again.

    Cheers

    goldenpirate

    Thanks everyone for your input - problem now resolved - HDD wiped clean and Windows reinstalled. The moral of the episode being: when all else fails do the obvious (that should have been done in the first place).

    Also now without those files secretly dropped on our computers recently by Microsoft - but that will probably be another story.

    cheers and thanks
