Overclock.net › Forums › Software, Programming and Coding › Networking & Security › So I found a pretty nasty trojan today..

So I found a pretty nasty trojan today..

post #1 of 9
Thread Starter 
Trojan Horse (or hijacker). Not the other kind.

A long time client of ours came in today describing a bunch of popups appearing on her computer this morning. She ignored them, stood up, and left for 2hr. When she came back, her desktop icons were gone, start menu empty, and documents gone!

We have her on regular ShadowProtect backups (1x a week and incrementals 4x a day), so we had her bring in her external as well. Upon inspecting the computer, I found a few infections that were preventing explorer.exe from working properly. Cleaned that up with a bit of Malwarebytes, and the first desktop icons reappeared (My Computer and Recycle Bin). I then took a look around for all of her stuff. All her programs appeared to be intact, but her entire User folder was gone... or was it? A quick "View hidden files and folders" and BAM! The entire user folder reappeared including her Desktop and Start Menu.

With that all cleaned up, I was still missing a few Start Menu items, so I concluded it would still be a good idea to restore her machine to yesterday. Interestingly enough, her external hard drive had been wiped clean of all but one backup job from this morning (this drive had previously had 6 months of backups), and that backup job was also hidden.


The hero story aside, this job bothers me A LOT! Full anti-virus suites, proactive monitoring, and extensive backup solutions, and still one trojan (or hijacker most likely in this case) can sneak into the system and destroy both the present and the past!

I'm still not convinced this morning's backup is uninfected, so we'll be performing a data recovery on the external to see if we can recover some of those previous data backups.
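The infection in post #1 did not delete the user folder or the backup job; it set the Hidden attribute on them so Explorer stopped showing them. The check below is an added example written for this thread, not a script posted by the thread starter or shipped with ShadowProtect or Malwarebytes: it lists the top-level items of a user profile and of an external backup drive that carry the Hidden attribute but are not among the folders Windows hides by default, and only clears Hidden/System when run with -Fix. Both paths are assumed placeholders.

```powershell
# Added example, not from the thread. Reports (and with -Fix, clears) the Hidden attribute on the
# top-level contents of a user profile and of an external backup drive, which is how the infection
# above made the user folder, Desktop, Start Menu and the backup job "disappear".
param(
    [string]$ProfileRoot = 'C:\Users\ExampleUser',   # assumed profile path, replace with the real one
    [string]$BackupRoot  = 'E:\',                     # assumed external backup drive letter
    [switch]$Fix                                      # report only unless -Fix is given
)

# Items Windows itself keeps hidden in a profile root or on a volume; these are expected and not flagged.
$expectedHidden = @(
    'AppData', 'NTUSER.DAT', 'ntuser.dat.LOG1', 'ntuser.dat.LOG2', 'ntuser.ini',
    'Application Data', 'Cookies', 'Local Settings', 'My Documents', 'NetHood',
    'PrintHood', 'Recent', 'SendTo', 'Start Menu', 'Templates',
    'System Volume Information', '$RECYCLE.BIN'
)

function Test-UnexpectedHidden {
    param([System.IO.FileSystemInfo]$Item)
    $hidden   = ([int]$Item.Attributes -band [int][System.IO.FileAttributes]::Hidden) -ne 0
    $junction = ([int]$Item.Attributes -band [int][System.IO.FileAttributes]::ReparsePoint) -ne 0
    # Junctions such as the legacy "Start Menu" link are hidden by design and are skipped.
    return ($hidden -and -not $junction -and ($expectedHidden -notcontains $Item.Name))
}

function Get-UnexpectedHidden {
    param([string]$Root)
    # Check the root itself first: in the incident above the whole user folder had been hidden.
    $rootItem = Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue
    if ($null -eq $rootItem) { Write-Warning "Cannot open $Root"; return }
    $candidates = @($rootItem) + @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue)
    foreach ($item in $candidates) {
        if (Test-UnexpectedHidden $item) {
            [pscustomobject]@{
                Path       = $item.FullName
                Attributes = $item.Attributes.ToString()
                LastWrite  = $item.LastWriteTime
            }
        }
    }
}

$findings = @(Get-UnexpectedHidden $ProfileRoot) + @(Get-UnexpectedHidden $BackupRoot)
if ($findings.Count -eq 0) { 'No unexpected hidden items found.'; return }
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Clear only Hidden and System; every other attribute (Archive, ReadOnly, ...) stays as found.
        $item = Get-Item -LiteralPath $f.Path -Force
        $mask = -bnot ([int][System.IO.FileAttributes]::Hidden -bor [int][System.IO.FileAttributes]::System)
        $item.Attributes = [System.IO.FileAttributes]([int]$item.Attributes -band $mask)
        "Cleared Hidden/System on $($f.Path)"
    }
}
```

Run it without -Fix first and keep the report: the LastWrite column on the hidden items gives a rough timestamp for when the attributes were changed, which is worth having before anything is restored or unhidden.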
post #2 of 9
What antivirus are you guys using there? You should be getting the info of the viruses from Malwarebytes and send it into your antivirus vendor to let them know of it so they can update and prevent it from happening in the future.

Reminds me of when I worked for a consulting company.
post #3 of 9
ShadowProtect is good backup software. We use it on our Servers at work. Being able to run any backup as a VM is great.
post #4 of 9
Click on my sig. Follow the guide. You can send the sample in the quarantine folder to me. I can run it inside dta.
post #5 of 9
Quote:
Originally Posted by Spooony;13872902 
Click on my sig. Follow the guide. You can send the sample in the quarantine folder to me. I can run it inside dta.

this

His guide is very thorough and very good.
post #6 of 9
What it filters down to, stupid users thinking they are doing the "right thing" by installing all of this fake antivirus crap
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
E6300 @ 2.3 GHz Foxconn Intel x3100 4.5 Rendition 
Hard DriveOptical DriveOSMonitor
160+500 DVDRW Server 08 x64 Princeton 17'' square 
KeyboardPowerCaseMouse
Unicomp Germanic Model M 250W Dell Vostro 200 Gateway Ball Mouse 
  hide details  
Reply
post #7 of 9
Thread Starter 
All of our clients use Kaspersky Internet Security and ShadowProtect.

Spooony: That's a very in-depth guide. Cheers! We have our own suite of cleaning and sanitizing utilities, but I'll take a read through the guide and see if there's anything we can add.

I still have a backup of the system right after a first run-through of Malwarebytes, so once we have her up and running, I can take a closer look at this bugger. If I find anything of note I'll be sure to post about it!
post #8 of 9
Quote:
Originally Posted by IBuyJunk;13873187 
What it filters down to, stupid users thinking they are doing the "right thing" by installing all of this fake antivirus crap

It's not their fault. Not many people know that you must uninstall the older versions of Java when you're updating. Now malware can still render the old Java with the exploits. So basically you click on an infected link, you're infected. It normally looks legit and you can't see behind it. You would be surprised some people pay for the program thinking it's a full AV. A Russian company made over 5 million a year with fake AVs.
post #9 of 9
Quote:
Originally Posted by Xyxyll;13873332 
All of our clients use Kaspersky Internet Security and ShadowProtect.

Spooony: That's a very in-depth guide. Cheers! We have our own suite of cleaning and sanitizing utilities, but I'll take a read through the guide and see if there's anything we can add.

I still have a backup of the system right after a first run-through of Malwarebytes, so once we have her up and running, I can take a closer look at this bugger. If I find anything of note I'll be sure to post about it!

run this program
http://screen317.spywareinfoforum.org/SecurityCheck.exe

Remember you're going to back up the malware as well. First fix the exploit. AVs can't help you with a hole somewhere. Java and Adobe are your main culprits, and get Sandboxie to run the browsers in, in the future.

If you got any problems just let me know.
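Posts #8 and #9 both point at stale Java and Adobe installs as the entry point that antivirus cannot cover. The script below is an added example for this thread, not Spooony's guide or the SecurityCheck tool linked above: it reads the Windows uninstall registry keys (the standard 64-bit and WOW6432Node locations) for Java and Adobe Reader/Acrobat/Flash Player entries and warns when more than one Java version is still installed, which is exactly the "old Java left behind after updating" case described in post #8. The product-name patterns are assumptions about how those installers label themselves.

```powershell
# Added example, not from the thread. Lists Java and Adobe Reader/Acrobat/Flash Player installs
# recorded in the uninstall registry keys and flags machines that still carry more than one Java.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit apps on 64-bit Windows
)

function Get-RiskyPluginInstalls {
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object {
            # Assumed display-name patterns, e.g. "Java 7 Update 45", "Adobe Reader X", "Adobe Flash Player 11".
            $_.DisplayName -match '^(Java|Adobe (Reader|Acrobat|Flash Player))' -and
            $_.DisplayName -notmatch 'Auto Updater'     # the updater service is not a runtime
        } |
        ForEach-Object {
            [pscustomobject]@{
                Family      = if ($_.DisplayName -match '^Java') { 'Java' } else { 'Adobe' }
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate    # stored as yyyyMMdd text, left as recorded
            }
        } | Sort-Object Family, Name
}

$installs = @(Get-RiskyPluginInstalls)
if ($installs.Count -eq 0) { 'No Java or Adobe installs recorded in the uninstall keys.'; return }
$installs | Format-Table -AutoSize

# More than one Java entry means an older, still-exploitable runtime was never removed.
$javaCount = @($installs | Where-Object Family -eq 'Java').Count
if ($javaCount -gt 1) {
    Write-Warning "$javaCount Java installs present; the older ones stay exploitable until uninstalled."
}
```

Run it on the restored machine before it goes back to the client: if the list still shows the old Java or Adobe version the backup was taken with, the restore has brought the hole back along with the data.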