Undeletable browser hijack


Painkiller667

Thanks Zimmer, I can access the link now without a problem, because as I have said and as Sparda does not believe, I COMPLETELY got rid of the malware.

This is not a matter of belief or up for debate. It is an established fact.


Yes indeed, established fact that I did get rid of it entirely. Why argue, I told you already that every symptom of the problem that was observed is gone now, and the file that caused it was deleted by HijackThis upon reboot, when it wasn't being used by the system yet.

If you wish to believe that an infected system can be trusted again this is your personal risk. Reinstalling Windows mitigates said risk. You have had fair warning.

Any computing professional will tell you the only way you can possibly trust a known infected computer again is to reinstall.

Your only evidence to counteract this established fact of modern computing is "Google works again". What about the back door it left in your system? What about the patches your computer now silently blocks? What about a million other things that Windows could now be doing that isn't at the user experience level? I guess I'll leave that for you to decide since you obviously know better than me.


Now that you know what it was, determine how it got there and PLUG THAT BITCH UP! What is to stop it from coming back? It's good to find out what causes things. I for one don't like to be defeated by malware, although I have never gotten infected with anything myself, I just fix a lot of other people's machines all the time.


> If you wish to believe that an infected system can be trusted again this is your personal risk. Reinstalling Windows mitigates said risk. You have had fair warning.
>
> Any computing professional will tell you the only way you can possibly trust a known infected computer again is to reinstall.
>
> Your only evidence to counteract this established fact of modern computing is "Google works again". What about the back door it left in your system? What about the patches your computer now silently blocks? What about a million other things that Windows could now be doing that isn't at the user experience level? I guess I'll leave that for you to decide since you obviously know better than me.

Of course it's safer to do a reinstall but when a known malware was found, which is known to cause only a certain kind of problem, and is deleted, it's safe to use the OS again. No backdoors were created as I have a firewall and it never gave me any alerts about that kind of stuff.

Not sure what caused it, must have been some website I visited.


What is your method of determining if a computer is still infected?

I agree that it is impossible to determine, with 100% certainty, that a machine is no longer compromised once it has been compromised. But, using the same logic, how can I be 100% sure that my OS did not come pre-packaged with a rootkit, if the CD was produced outside the US or Europe? How can I be sure that my mechanic really fixed my car just because it drives better? How can I be sure my wife isn't cheating just because she says she loves me? Honestly, there are no absolutes in life.

On a mission critical server, or on any machine where absolute confidentiality was demanded, I might have to reformat, but for most everyday situations, it's overkill. And now to answer your question specifically.

If a machine was, let's say, compromised by some variant of Virtumonde, then I would look for BHO objects, DLL injection, search with an ADS scanner, yada, yada, yada. Eventually, once I had searched through the Virtumonde DLLs and located all its resources, I would finish up by performing probably three or four full scans, all with live CDs while the HD is not running. I would perform some packet captures and watch traffic carefully, scan with a port scanner or maybe just run netstat -a -b to determine if any processes have any strange ports open. Make sure no DNS poisoning of any kind has taken place. Look in RunOnce entries, user32.dll injection, yada, yada. And after that, I'd call it a day.

Why? Because the likelihood that I'm still infected is pretty low. Most malware is going to show at least some sign of infection, even if it's a spam bot trying to push as much spam as it can every second of every hour (trying not to be noticed); that is enough for me to get suspicious and start looking deeper.

But who can realistically take the time to reformat every time they get infected with every little piece of malware? On mission critical stuff, and on machines that demand absolute confidentiality, then yes, I would reformat. I would also take my backed up files and scan them with as many AVs as I could before putting them on the new machine. I might replace all my backed up files on a FAT32 file system first, just to make sure that no ADSs might still be lingering in some of those files, but I'm not going to do that every time some mid-level manager downloads Virtumonde from smilingpuppyscreensavers.com.

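The netstat -a -b check from the post above, as an added example that is not from the thread: a Python script that parses the Windows netstat -a -n -o -b layout and reports sockets that a known-good baseline never saw. The sample output and the baseline are constructed for this example, and winlgon.exe is a made-up lookalike process name.

```python
import re

# Constructed sample of `netstat -a -n -o -b` output in the Windows layout; the
# component and [exe] lines that -b prints follow each connection line. Not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1740
 [winlgon.exe]
  TCP    192.168.1.10:49211     203.0.113.7:8080       ESTABLISHED     1740
 [winlgon.exe]
  UDP    0.0.0.0:123            *:*                                    1016
 [svchost.exe]
"""

# Baseline of (process, local port) pairs recorded from a known-good machine.
# Constructed for this example; capture your own before an incident, not after.
BASELINE = {("svchost.exe", 135), ("system", 445), ("svchost.exe", 123)}
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Turn netstat -b output into records; an [exe] line names the socket printed just before it."""
    records, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, port, foreign, state, pid = m.groups()
            pending = {"proto": proto, "local": local, "port": int(port), "foreign": foreign,
                       "state": state or "", "pid": int(pid), "process": "unknown"}
            records.append(pending)
        elif pending and OWNER_RE.match(line):
            pending["process"] = OWNER_RE.match(line).group(1).lower()
        elif pending and line.strip().startswith("Can not obtain") and pending["pid"] == 4:
            pending["process"] = "system"  # PID 4 is the Windows System process (no image name)
    return records

def triage(records, baseline):
    """Flag listeners absent from the baseline and outbound sessions owned by processes it never saw."""
    known_procs = {proc for proc, _ in baseline}
    findings = []
    for r in records:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"  # UDP sockets have no state column
        if listening and (r["process"], r["port"]) not in baseline:
            findings.append(f"unexpected listener: {r['process']} pid {r['pid']} on {r['proto']}/{r['port']}")
        elif r["state"] == "ESTABLISHED" and r["process"] not in known_procs:
            findings.append(f"unexpected outbound: {r['process']} pid {r['pid']} -> {r['foreign']}")
    return findings
```

Build the baseline from a machine you trust, not from the one under suspicion: anything the baseline already contains is, by construction, never flagged.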

> If a machine was, let's say, compromised by some variant of Virtumonde, then I would look for BHO objects, DLL injection, search with an ADS scanner, yada, yada, yada. Eventually, once I had searched through the Virtumonde DLLs and located all its resources, I would finish up by performing probably three or four full scans, all with live CDs while the HD is not running. I would perform some packet captures and watch traffic carefully, scan with a port scanner or maybe just run netstat -a -b to determine if any processes have any strange ports open. Make sure no DNS poisoning of any kind has taken place. Look in RunOnce entries, user32.dll injection, yada, yada. And after that, I'd call it a day.

Quite literally I suspect.

> But who can realistically take the time to reformat every time they get infected with every little piece of malware? On mission critical stuff, and on machines that demand absolute confidentiality, then yes, I would reformat. I would also take my backed up files and scan them with as many AVs as I could before putting them on the new machine. I might replace all my backed up files on a FAT32 file system first, just to make sure that no ADSs might still be lingering in some of those files, but I'm not going to do that every time some mid-level manager downloads Virtumonde from smilingpuppyscreensavers.com.

It will take maybe two hours if you're slow with getting your computer up and running again using the Windows installer. If you have an image you can put on the computer (like I do where I work) it will take two hours to have Windows up and running again with all the same applications as before and back on the domain. The applications having been installed separately from the image due to licensing, that is.


> Quite literally I suspect.

> It will take maybe two hours if you're slow with getting your computer up and running again using the Windows installer. If you have an image you can put on the computer (like I do where I work) it will take two hours to have Windows up and running again with all the same applications as before and back on the domain. The applications having been installed separately from the image due to licensing, that is.

To each his own, of course. And I have pushed repeatedly for more imaging of users' computers, but no, we do not have every user's drive imaged. But you bring up an interesting contradiction. If you are simply ghosting all your computers, how do you know, without doing a thorough analysis of the data on the computer, that your images aren't infected? As I'm sure you know, you could have a logic bomb hidden on your computer that only starts truly infecting after some specified counter runs out. How do YOU know that your images aren't corrupt? Perhaps as you keep reinstalling the same images, you keep installing the same malware each time you load the image, then later you notice the virus pop up again, and then you reformat, and then you load another infected image. And now you are in an infinite loop of discovery, reformat, and reload/reinfect.

My point being, there is a time to analyze the system deeply, and a time to simply reformat. But if you are relying solely on images, how can you be sure that the image is clean? Just because you were never aware of any viruses on the system at the time you Ghosted it?

The argument can go both ways.


> To each his own, of course. And I have pushed repeatedly for more imaging of users' computers, but no, we do not have every user's drive imaged. But you bring up an interesting contradiction. If you are simply ghosting all your computers, how do you know, without doing a thorough analysis of the data on the computer, that your images aren't infected? As I'm sure you know, you could have a logic bomb hidden on your computer that only starts truly infecting after some specified counter runs out. How do YOU know that your images aren't corrupt? Perhaps as you keep reinstalling the same images, you keep installing the same malware each time you load the image, then later you notice the virus pop up again, and then you reformat, and then you load another infected image. And now you are in an infinite loop of discovery, reformat, and reload/reinfect.
>
> My point being, there is a time to analyze the system deeply, and a time to simply reformat. But if you are relying solely on images, how can you be sure that the image is clean? Just because you were never aware of any viruses on the system at the time you Ghosted it?
>
> The argument can go both ways.

You are correct. This actually happened once. A WoW password stealer got onto the image at some point. The only way to make an image is to use trusted sources for everything and to avoid the Internet altogether.


I will never understand why people are so attached to their OS installs. It's not like you can't re-deploy it in 3 hrs or so, from scratch.

Well, the other part of the argument is, if you simply just re-install every time you have a problem, you'll never learn what it is that's making you vulnerable in the first place. If you don't bother to learn about the malware infecting you, then how can you better protect your assets?

If you keep reinstalling the same image, with the same vulnerabilities, you keep getting infected. A little time spent actually identifying vulnerabilities can pay off huge in the future, even if you decide to do a fresh install afterwards, which sometimes you must. Therefore, you may not need to spend 3hrs x so many re-installs per month (3hrs x 10 per month? = 30hrs a month x 12 months? == 360hrs?). That's 9 days of work lost. In a large organization, it may be much more than that. That's productive time lost. Why do that when you can simply clean and inspect the user's system while they are at lunch, and have no downtime?

As an example, an AT&T dial-up RAS server was recently infected with Conficker. Each time our users would connect, our enterprise AV would warn that it found Conficker. We had to alert AT&T to their infected system. This lasted for a few days until it finally stopped. Now how is it that this giant corporation would allow themselves to be infected (no patching obviously), for three days with Conficker, which was talked about damn near every day on every tech blog in the world? They obviously weren't bothering with trying to find out why they were vulnerable, not just specific vulnerabilities, but the environment that allowed it.

A lot can be learned from analyzing an infection. Reinstalling is not the only solution, and it's not always the right one. But sometimes it is. Just my opinion, of course :)


> Well, the other part of the argument is, if you simply just re-install every time you have a problem, you'll never learn what it is that's making you vulnerable in the first place. If you don't bother to learn about the malware infecting you, then how can you better protect your assets?
>
> If you keep reinstalling the same image, with the same vulnerabilities, you keep getting infected. A little time spent actually identifying vulnerabilities can pay off huge in the future, even if you decide to do a fresh install afterwards, which sometimes you must. Therefore, you may not need to spend 3hrs x so many re-installs per month (3hrs x 10 per month? = 30hrs a month x 12 months? == 360hrs?). That's 9 days of work lost. In a large organization, it may be much more than that. That's productive time lost. Why do that when you can simply clean and inspect the user's system while they are at lunch, and have no downtime?
>
> As an example, an AT&T dial-up RAS server was recently infected with Conficker. Each time our users would connect, our enterprise AV would warn that it found Conficker. We had to alert AT&T to their infected system. This lasted for a few days until it finally stopped. Now how is it that this giant corporation would allow themselves to be infected (no patching obviously), for three days with Conficker, which was talked about damn near every day on every tech blog in the world? They obviously weren't bothering with trying to find out why they were vulnerable, not just specific vulnerabilities, but the environment that allowed it.
>
> A lot can be learned from analyzing an infection. Reinstalling is not the only solution, and it's not always the right one. But sometimes it is. Just my opinion, of course :)

That's my opinion too, and I agree with you. And now I'm proud that someone "from the industry" has confirmed that you don't need to reformat at every POS spyware that you get. If you're using your XP disk like a whore and use your computer only for surfing then ok. But my pc has a lot of shit on it from many years which I wouldn't want to transfer back and forth.


I used to spend time picking crap out of Windows installs but in the end I decided I had better shit to do. If you keep your machine updated, are careful about the sites you visit, secure your browser and use AV software you will be fine. Unfortunately a large part of the problem is user behaviour. I deal with lots of laptop rebuilds for staff at the company I work at, and compared to the hour it takes me to re-image, lock down and port the profile over, spending an afternoon clearing up the aftermath of a lonely salesman in a hotel with unfiltered internet access is boring compared to building ESXi clusters and learning about iSCSI or switched fibre channel stuff. Plus, if you have one problem on a machine there will probably be more. The staff I support sell software so we have a lot of power users who think they know what they are doing and usually wind up doing more damage than good in their attempts to fix stuff.

Don't get me wrong, I do see the value of using tools that remove the shit, but if it's stubborn I really can't be arsed. In short, been there, done that, got the t-shirt and shrunk it in the wash.

(BTW, it takes me 3hrs to build a fresh image, deploying it takes 20mins at most)


> I used to spend time picking crap out of Windows installs but in the end I decided I had better shit to do. If you keep your machine updated, are careful about the sites you visit, secure your browser and use AV software you will be fine. Unfortunately a large part of the problem is user behaviour. I deal with lots of laptop rebuilds for staff at the company I work at, and compared to the hour it takes me to re-image, lock down and port the profile over, spending an afternoon clearing up the aftermath of a lonely salesman in a hotel with unfiltered internet access is boring compared to building ESXi clusters and learning about iSCSI or switched fibre channel stuff. Plus, if you have one problem on a machine there will probably be more. The staff I support sell software so we have a lot of power users who think they know what they are doing and usually wind up doing more damage than good in their attempts to fix stuff.
>
> Don't get me wrong, I do see the value of using tools that remove the shit, but if it's stubborn I really can't be arsed. In short, been there, done that, got the t-shirt and shrunk it in the wash.
>
> (BTW, it takes me 3hrs to build a fresh image, deploying it takes 20mins at most)

You sound to be very cool, and the ESXi and iSCSI, whatever that is, also sound really cool... especially with the X and the "i's" that aren't capitalized. Those things all sound very cool. Contrary to what you say, I did watch the sites I visited, do keep a firewall and updated AVG running, and somehow still got that problem.


Shit happens my friend. If you have time to work out what the problem is then it can be academically interesting to locate the weak spots and address the issues. But if you already know what caused it (i.e. a paranoid ex-KGB software dev who disabled updates and AV for god only knows what reason) and need your time for other things (i.e. the cute girl in finance who needs lots of deskside support...) then it's quicker to blast it and start again.

Take a look at virtual machines and sandbox apps like Sandboxie for an additional layer of protection.


Here's a solution: look at why re-installs are better:

1) Fresh start. Any malware that you didn't know about is now gone.

2) You learn from your mistakes. Look for the same ways the last thing got in and close off those holes. God only knows how many patches for patches Microshaft has released.

3) No more shit that you don't use on your box.

Unfortunately, most of my re-installs were made because I had no other choice, but it needed to be done. I usually reformat every year, just to keep anything that I don't want in out for good.

@VaKo mostly because nobody backs up their data. Then when they re-install they have nothing (like me and Win7).
