mcarterbrown.com
Plugged In (Online Gaming, and Technology)
#1  Drachen  06-22-2008, 03:07 PM
Question About Computer Viruses

Alright, well just this past Thursday, it seems that my work computer got infected with spyware, among other things. Mind you, four other people use this same computer (I work in a warehouse), so we were stumped as to who was on it at the time that it all started up. I was off the day it started, and only two of the others were working.
Though after I was going through the computer to try and sweep the viruses and such, I noticed the time and date that a few new programs were installed. It seems like these programs are more than likely the spyware/viruses.
I went through the properties of the actual shortcuts on the desktop, and realized that it was at a time when only one person works.

My question is: does the time shown in the program properties mean that's when whoever was on the computer was doing inappropriate things at work? Is that a good judge for a "whodunit" kind of thing?
It just so happens that I believe that our manager was the one that made it happen. And now he's threatening to possibly fire "whoever is responsible". I know it's not right, but am I right to think it was him who did it? And if so, would that be a (however lame it may be) form of job security?
#2  CrazyBoy78  06-22-2008, 03:18 PM
It depends on what it is. Some viruses, etc... pop up later but many of the more recent ones are more immediate. If it's one like you're describing, it's usually pretty immediate.

So whoever was using it at that time would've been the one who clicked on a bad link and unwittingly installed the bad stuff. It's not something that necessarily means you were surfing porn or anything.

Lemme guess, there's 3 new programs that were installed, right? Uninstalling them won't do much to help. You can try downloading Spybot - Search & Destroy and Ad-Aware 2008.

Try to install them and update them, then restart the computer and keep hitting F8 until you get the option to go to "Safe Mode". Run them both in there, and if it's not the rootkit version of what I'm thinking (very bad juju) then it might just do the trick.
#3  LoopyDood  06-22-2008, 03:32 PM
Oh jeez, you'd better hope it's not a rootkit. If it was one of the better designed ones you probably wouldn't have known it was there.

Also, install Gipo@MoveOnBoot. It's a very useful program that's gotten me out of tight spots multiple times. If there are any files left over after the scanners have dealt with the spyware, you can delete them even if they're 'System Protected' or 'In Use'. (Gibin Software House)

Like CrazyBoy said, the times would usually be a good judge, but it's not 100%.
#4  arpie  06-22-2008, 09:04 PM
Look at it this way: Get him fired and get his job. Higher pay means more for paintball!

Seriously, follow the above two posters. If it happens to be a rootkit get back to us because as said before rootkits are 'bad jujus (seems like some of us didn't get past childhood hhmmm?)'.

Arpie
#5  Wycke  06-23-2008, 08:30 AM
And, once it's cleaned up (if that's possible), for the love of all that is good and holy, create a "limited" account on the computer for everyday use so that this doesn't happen again.

That being said, the "created on" timestamp on the shortcut isn't infallible. In fact, it's an extremely unreliable bit of metadata and so easily spoofed or modified that it's generally disregarded in most forensic data analyses. I've seen many spyware-esque programs that don't install right away, but rather wait for the system to be restarted. So, if this is a computer that stays on 24/7 (or most of the time, anyway) it's just as likely that the bad stuff got downloaded days or even weeks prior but didn't get installed until the boss had to reboot it after, say, an MS update was installed.

Also, the above posts have most of the info you need to clean this up (most likely). However, I've had many cases where the automated tools either wouldn't run or failed to locate the culprits.

In that case, you need to boot into safe mode, go into the \Windows\system32 folder and set the "Folder Options" (under the tools menu) to show hidden and system files. Click the View menu and select "Details", then sort by the "type" and look at everything that's an "application". I first look for any strange names (like a string of random characters - LOTS of the nasty buggers out there randomly generate the executable name when they install) and make note of them. Then, check the properties for those files. If the "Vendor" field is blank, rename or delete it (or just move it somewhere other than the system32 folder). You can also try to Google the filename. If you get zero (or very few) hits, then it's probably one of those above-mentioned "nasty buggers".

Finally, after you've cleaned up the system32 folder, while you're still in Safe Mode, go into the "Temp" and "Temporary Internet Files" folders under the "Local Settings" folder of all the user profiles on the machine and clear them out ENTIRELY. A great many lazy malware authors just let their stuff run from the temp folder because they know that nobody ever clears that out (and Windows & IE do a HORRIBLE job of clearing them, even when you specifically set them to).

And, of course, worst-case scenario, you can back up any important files and do a nuke & pave. Make sure to install & update your AV software before you start copying the backed-up files back to the machine.
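Wycke's manual sweep (sort System32 by type, look for random-looking names and blank vendor fields, then empty every profile's Temp folders) and his caveat about the "created on" timestamp can both be scripted. The PowerShell below is an added example for this page, not code posted by anyone in the thread. It assumes PowerShell 5.1 or later on Windows, run from an elevated prompt; the AppData paths are the post-XP equivalents of the "Local Settings" folders he names, and the thresholds in the random-name heuristic are my own guesses. It only reports and moves nothing, because a signed Microsoft binary with an odd name (mblctr.exe, for instance) will trip the name heuristic, and the Signature column is what clears it.

```powershell
# Added example for this thread, not code posted by any of its members.
# Read-only triage that scripts Wycke's manual sweep, then shows why the
# "created on" time alone cannot settle who was at the keyboard.
# Assumes PowerShell 5.1+ on Windows, run from an elevated prompt.

function Test-RandomLookingName {
    # Heuristic for "a string of random characters": no vowels at all,
    # digit-heavy, or a run of five or more consonants. Thresholds are
    # assumptions, not anything the thread specifies.
    param([Parameter(Mandatory)][string]$BaseName)
    $n = $BaseName.ToLower()
    if ($n.Length -lt 6) { return $false }
    $vowels = ($n -replace '[^aeiouy]', '').Length
    $digits = ($n -replace '[^0-9]', '').Length
    $longConsonantRun = $n -match '[bcdfghjklmnpqrstvwxz]{5,}'
    return ($vowels -eq 0) -or (($digits / $n.Length) -ge 0.4) -or $longConsonantRun
}

function Get-SuspiciousSystem32Binaries {
    # Wycke's System32 pass: every "application", newest first, with its
    # vendor (CompanyName from the version resource), Authenticode status
    # and the name heuristic. Reports only; nothing is renamed or moved.
    param(
        [string]$Dir = (Join-Path $env:SystemRoot 'System32'),
        [string[]]$Extensions = @('.exe')   # add '.dll','.sys' for a slower, wider sweep
    )
    Get-ChildItem -LiteralPath $Dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $Extensions } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name          = $_.Name
                Created       = $_.CreationTime
                LastWritten   = $_.LastWriteTime
                Company       = $_.VersionInfo.CompanyName
                Signature     = $sig.Status
                RandomLooking = Test-RandomLookingName -BaseName $_.BaseName
            }
        } |
        Where-Object {
            [string]::IsNullOrWhiteSpace($_.Company) -or
            $_.Signature -ne 'Valid' -or
            $_.RandomLooking
        } |
        Sort-Object Created -Descending
}

function Get-ExecutablesInUserTemp {
    # Wycke's second stop: executables parked in each profile's Temp and
    # browser-cache folders. Profiles come from the registry ProfileList
    # (no WMI needed, so this also works in Safe Mode).
    $legacy = @('Local Settings\Temp', 'Local Settings\Temporary Internet Files')
    $modern = @('AppData\Local\Temp', 'AppData\Local\Microsoft\Windows\INetCache')
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -LiteralPath $profileList) {
        $root = (Get-ItemProperty -LiteralPath $key.PSPath).ProfileImagePath
        if (-not $root) { continue }
        $root = [Environment]::ExpandEnvironmentVariables($root)
        # Vista and later profiles have AppData\Local; older ones use Local Settings.
        $relPaths = if (Test-Path -LiteralPath (Join-Path $root 'AppData\Local')) { $modern } else { $legacy }
        foreach ($rel in $relPaths) {
            $dir = Join-Path $root $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com' } |
                Select-Object FullName, CreationTime, LastWriteTime
        }
    }
}

function Show-CreationTimeIsWritable {
    # Wycke's caveat in one statement: anyone who can write a file can set
    # its "created" time. Uses a constructed scratch file and removes it.
    $scratch = Join-Path $env:TEMP ('ts_demo_{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -LiteralPath $scratch -Value 'constructed demo file'
        $before = (Get-Item -LiteralPath $scratch).CreationTime
        (Get-Item -LiteralPath $scratch).CreationTime = [datetime]'2008-06-19T14:00:00'
        $after = (Get-Item -LiteralPath $scratch).CreationTime
        [pscustomobject]@{ Before = $before; After = $after }
    }
    finally {
        Remove-Item -LiteralPath $scratch -Force -ErrorAction SilentlyContinue
    }
}

Get-SuspiciousSystem32Binaries | Format-Table -AutoSize
Get-ExecutablesInUserTemp      | Format-Table -AutoSize
Show-CreationTimeIsWritable    | Format-List
```

The Created column comes from the same $STANDARD_INFORMATION attribute that the last function rewrites at will, which is why it cannot by itself say who was logged on. NTFS also keeps a second set of timestamps in the file's $FILE_NAME attribute that the ordinary SetFileTime path does not touch; an examiner compares the two to spot a backdated file, but reading them needs an MFT parser, which this script does not attempt. Browser cache entries and the login/logoff events in the Security log are the cheaper corroboration Lrrpie-CT and Drachen's IT contact were pointing at.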
#6  Lrrpie-CT  06-23-2008, 11:45 AM
Depending upon the level of infection, the best solution is to back up and then nuke and pave. These little buggers now hide all over the place and modify registry settings in sneaky ways so they are nearly impossible to eradicate. It's an inelegant approach yet very effective and less stressful. The damning thing is that by the time you resign yourself to nuke and pave, you've put so much time into the surgical approach that you hate to admit defeat.

15 minutes for most data backup
45 minutes for XP reinstall
another hour for updates and applications
back in business

Many scans take forever and never fully clean the machine, or damage some system/registry settings. The date and time stamp of the earliest malware in \system32 isn't a guarantee of the infection time, but it is highly likely to be correct. You can probably correlate with data in the browser cache if it still exists.

So, like the rest of the resident know-it-alls here, I'll vote for a decent attempt at cleaning using a good antivirus/malware tool in safe mode. Avast does a VERY good boot time cleaning (before the Windows GUI kernel). I've had great success with it in a non-managed network environment as an emergency cleaner. No sense wasting too much time. If that doesn't do it, nuke and pave.

Good luck!
#7  Wycke  06-23-2008, 01:30 PM
Quote:
Originally Posted by Lrrpie-CT
The damning thing is that by the time you resign yourself to nuke and pave, you've put so much time into the surgical approach that you hate to admit defeat.
On the flip side, if you're a professional and getting paid by the hour....

But seriously, as aggravating as this kind of situation is, it's the one thing I miss after getting out of the desktop-support side of things at work. I used to liken it to a good game of checkers (I'd say chess, but I suck at and therefore hate chess); sort of a battle of wits, trying to outsmart the bastards who write this crap. Sure, the nuke & pave is the most expedient and effective solution in most cases, but when you're dealing with users who are resistant to change (and let's face it, it's a royal PITA to get their computer back to the way it was after a reinstall), it's not necessarily the only or best way to go.
#8  CrazyBoy78  06-23-2008, 01:32 PM
Quote:
Originally Posted by Wycke
But seriously, as aggravating as this kind of situation is, it's the one thing I miss after getting out of the desktop-support side of things at work. I used to liken it to a good game of checkers (I'd say chess, but I suck at and therefore hate chess); sort of a battle of wits, trying to outsmart the bastards who write this crap. Sure, the nuke & pave is the most expedient and effective solution in most cases, but when you're dealing with users who are resistant to change (and let's face it, it's a royal PITA to get their computer back to the way it was after a reinstall), it's not necessarily the only or best way to go.
Plus, some users can't afford to just wipe everything out and rebuild. It's one thing I kinda miss about working the help desk at the college... always a few students coming in with a nasty... something to break the monotony of the usual crap.
#9  Shrub  06-24-2008, 06:56 AM
Go to download.com

I had the same crap happen. I downloaded Spybot Search & Destroy but it wouldn't remove everything... so I downloaded AVG 7.5 and the AVG Anti-Rootkit and cleared it all right up. It takes a while to scan, but still, it works great. Since then I always lock my computer, but you probably don't have that option.
#10  Drachen  06-25-2008, 09:48 PM
Well, I guess they called the IT guy to come out and fix it. I wasn't here, so I'm not sure what happened. Though now I've got the authorization to change things, or well, fix things when the stuff hits the fan again. Fortunately, the manager (the one I figured did the no-no) got in trouble. lol I guess someone monitors what's going on on the computer from elsewhere. Tsk tsk. Though everything turned out OK.

Thanks for all the input guys. I really appreciate it.
All times are GMT -4.