Keep getting re-infected over the LAN?

techoep (Honorable), Oct 19, 2012
Hi everyone,

Sort of hit a wall.

A computer keeps getting re-infected after a clean install. It is the only PC that was used to browse the web. My only guess is that some other computer(s) on the network, which were initially infected by this PC via the network, are re-infecting each other. AVG seems to be finding jpg and png files that are supposedly infected in the Temp Internet Files folder, but does not point to any registry or exe files, etc.

I've attached a screenshot here http://imageshack.com/a/img834/849/x7d6.jpg

Now at a later point, the symptom of being unable to browse the PCs on the LAN appears. The Internet connection does work though. Any suggestions? Not sure I can run ComboFix on each PC. If I can pinpoint a registry entry to delete and go from there, that would be of great help. I've looked through the regular paths (ControlSet, CurrentVersion\Run, etc.), and HiJackThis doesn't show anything out of the norm either.

Thanks so much!
 
Solution
Okay hold it. We need to establish a baseline, at this moment what you keep tossing out is conjecture and honestly "looking for a problem by finding a reason", because you seem to be 'noob' to any of this and really do not understand what a virus is, malware is, and the different forms they can be in and what those forms do. Your "one of the doc or excel files that could be infected beyond detection" proves what I am saying because that is a ridiculous statement. Those have NOTHING to do with someone using your computer to surf a improper website that has infected materials on it. Further you don't use WORD NOR EXCEL TO OPEN PNG OR BMP files, image files are viewed by a image program, like Paint, or better yet IRFANVIEW, XnView, etc...

techoep
Tried Malwarebytes, but to be sure will re-scan again with updated definitions. Running a SpyBot scan now. We replaced the hard drive. Completely fresh install. Scanned all Excel and Word docs before transferring them, and only took the bare minimum of those.
 

techoep
Any recommendations on what scan program needs to be run? It's a live environment; we can turn off the network for all at once, but each PC has to be scanned one by one. Currently running all scans on one PC to try and isolate which app could be the most useful one.

This particular PC, has up to date firewall, antivirus and other apps. Why is it being re-infected?

ETA: will run TDSSKiller.exe and report back. Thanks again!

ETA#2: All clean according to Kaspersky's TDSS Killer app
 
Okay, first off, you're looking at a false positive. The 'infected' files noted are ones it found in the IE cache from 'going' to sites with infected files on them. It does not mean the computer itself was infected with that. So AVG was doing its job, and you / whomever needs to stop visiting those websites. This can also occur in the background if you have a bunch of toolbars installed as well. I would (on IE) click the Gear icon top right, Options, then Advanced, and run Reset with the check mark to remove all personal settings, to clear out the browser.

Now second to that (boosted1g was wrong on how he said it but right on the inference): NO antivirus will detect malware; simply put, it was never designed to do it. Running Malwarebytes regularly will help remove the malware (like the toolbars) that the AV won't catch.

Now you're talking a LAN of computers. How many are we talking? Because until the 'infected' (there is more than one) computers are also fixed, EVERYONE gets reinfected with some of the versions out there, or worse, the same 'person' keeps using multiple computers and does it by visiting those websites the person shouldn't be.

If we are talking a business or school, this would be a management issue to address and potentially terminate / kick out someone who isn't following the rules. You would also need to install a proper set of safeguards, policies and business-level security to combat this, or just 'deal' with the issue if everyone (management) isn't going to take it seriously until something big (WHAT do you mean our $1M contract is gone? How can it be gone!) occurs to prove to them they need to address it properly.
 

techoep
Malwarebytes is and was run. No browsing that I know of was done from the point I emptied out the cache (via CCleaner) the first time this "bug" was detected by the AV, and each consecutive instance reported thereafter. I thought I'd run CCleaner and not hear of this again, but it keeps coming back. So I was surprised that the IE cache then had a little bit more in it. Something is fishy. Browsing history indicated no browsing. Someone might be trying to cover tracks, but the management was told that with every additional case of us re-cleaning (or putting in fresh software/hardware) they would be charged. I doubt they'd be so testing the third time around.

The computer seems to be infected apart from it detecting those files. The failure to browse PCs on the network is a typical symptom. It only appears after browsing? I don't want to point fingers at the management there yet. Just need to gather more info. I also initially thought it was a false positive.
 
You're indicating "the computer seems to be infected", but you keep saying all scans, other than a 'cache' file from browsing, show no other infection or malware. So how are you concluding the computer is in fact infected? Is the problem of just being unable to browse other PCs on the network your only symptom? Because that is NOT a typical symptom of an infection. That is typical for other reasons (DNS not working properly, misconfiguration of WINS, no DOMAIN structure in place, conflicting FW (including the built-in Microsoft FW) settings, etc.). To me you're actually disproving yourself and contradicting yourself.

So let's address the current problem logically: is there an infection or not?
IF your only evidence is cached browser data, then yes, someone is trying to cover their tracks. BTW, CCleaner works ONLY on the 'logged in user' profile, not on 'all profiles', since each profile individually has its own separate IE cache. So running CCleaner wouldn't really clear ALL IE caches. Further, if they used a pen/thumb drive with portable apps, then yes, a cache would be left behind, but the actual application wouldn't be detected because it was actually on the user's pen/thumb drive only.

What you should have in place is a domain structure, securing down all assets by requiring IDs and passwords. This limits the capabilities of people messing (covering tracks) with the assets, and allows a detailed log of who was on, when, and what assets they accessed. Further, this protects sensitive materials (i.e. ask the managers if they like people knowing what their pay rate is, or the credit card numbers and other data used on the recent business expense?). This would be the first research data to know who was using (logged on) that infected PC during the time the file was created.

Next would be to set up a proxy server forcing ALL Internet access through it. This can tie into the domain account, so that you can limit, say, people from using torrents or prevent access to Sluts.Com websites. Which is something you can EASILY provide for management: simply provide ANY recent case on 'Sexual Harassment in the Workplace' lawsuits about porn images being seen on company assets. Just provide the 'compensation' cost (not even the legal fees) and see how quickly they will demand that the proxy server be installed pronto. This will provide proof positive of who accessed what website, and allow (for a fee) constantly updated lists to be 'blacklisted', preventing such access and the cost for all the repairs being done.

Lastly, the only firewalls needed are for your LAN, built into the router connected to your ISP. It also should be using an IDS (Intrusion Detection System) with the proxy to provide specialized rule handling and 24x7 monitoring of the communications for any issues. This would also improve the ability to 'browse PCs on the network', as the domain (Active Directory) is managing all the communications and thus knows all the assets that are 'browsable'.
 

techoep
Thanks again for your time. The proxy server is an interesting idea. Currently any browsing being done is on one personal laptop, isolated from the other PCs. The PC in question was the one doing the browsing before.

The network problem is intermittent. Not a typical "infection" symptom in general but more to this specific location. No portable apps either.

I'm trying to find the pattern and how it's related to those bmp/png files. Open Excel, then the browser. Or browser, then Excel. There is only one user account/profile. What's weird is that these bmp files have very odd random names, just like what a virus/trojan would create in the Windows system folders. I cleared the temp folder. Opened IE, which goes to google.com, and closed the browser. Some time later the AV would be displaying a message that two weird-named BMP files are infected. Browsing via Windows Explorer, those files were indeed there, and Paintbrush would not open them. "Hide extensions for known file types" is unchecked. I'll do some more digging.

ETA: There's a similar problem reported here http://forums.majorgeeks.com/showthread.php?t=211553 (the difference is I get no suspicious behavior in the system32 folder). After the fresh install, we bought and scanned a fresh thumb drive and copied a few important documents to it. Then re-scanned it. So it's either one of the doc or Excel files that could be infected beyond detection, or the other PCs on the network are re-infecting this PC. Post fresh install, that was the first and last time an external device was used. Will run ATF Cleaner. But still very curious as to which entry or file is the culprit. Will try ComboFix as a last resort.
 
Okay, hold it. We need to establish a baseline. At this moment what you keep tossing out is conjecture and honestly "looking for a problem by finding a reason", because you seem to be a 'noob' to any of this and really do not understand what a virus is, what malware is, and the different forms they can be in and what those forms do. Your "one of the doc or excel files that could be infected beyond detection" proves what I am saying, because that is a ridiculous statement. Those have NOTHING to do with someone using your computer to surf an improper website that has infected materials on it. Further, you don't use WORD NOR EXCEL TO OPEN PNG OR BMP files; image files are viewed by an image program, like Paint, or better yet IrfanView, XnView, etc. Lastly, you don't try to VIEW the files in Temp Internet; these are temporary files, which means they may not be fully downloaded, are erased when the page is changed, etc., and aren't there like a folder to view files in. These are there 'TEMPORARILY', as in the length of time you're on the webpage, nothing more.

Now the link you're using to suggest is relevant IS NOT, because that is about a rootkit, which a 'fresh install' would wipe out as you wipe the HDD to install the OS. But the only "infection" you keep 'finding' is just that SINGLE Internet temp file; you do not show / state / find anything else. Basically it looks like you're 'looking' for an infection that doesn't exist at all, just because the AV detected, stopped, and reported that one Internet file it came across as someone surfed a website was an infected file.

Sort of like, we all know using DIRTY syringes is a high risk for AIDS or any other number of diseases. You find a syringe on the ground near your home, you use a plastic glove and pick it up, putting it in the trash. Now you keep going to the doctor/emergency room demanding new tests because you're surely infected, you must have caught something, when in fact you didn't. If you experience anything (a cough from dust in the air), you're running back to the Dr/ER again getting more testing because it MUST be that needle infecting you that caused the cough.

Again, you're looking for a problem that doesn't exist. Your machine is NOT doing anything, nor do scans find anything infected; YOUR antivirus did its job, and you need to stop overthinking this issue.

As for the 'browsing other PCs' issue, that is a separate discussion, and I would make a separate thread with NOTHING mentioned about the ONE stopped infected file that was removed. I would focus more on the network topology, the specific PCs involved, what versions of hardware / OS they each have, and most of all the equipment connecting them together. Could be as simple and dumb an issue as the cable to that one PC being wrapped under the desk leg, and every time he/she bumps it, the wire is damaged a bit more.
 