
Hello all,

I have a very weird case to submit.
I went to remove some adware popping up on a PC for a cousin. It is a Toshiba notebook (I don't have the model on hand right now), but it is running Vista 32-bit Home, connected by Wi-Fi. On his network there are 2 other computers, 1 on Ethernet, another on Wi-Fi, and 2 phones, and none of them seemed infected (no threat found by any of the software I used below) and no ads.


To remove the ads, I used all these different tools:

-Malwarebytes, full scan (including rootkit), hundreds of infections

-AdwCleaner, many infections too

-Junkware Removal Tool, like 20 infections

-ESET NOD online scanner, 12 infections

-TDSSKiller (using rkill before all of them)

All found some different elements, including some usual stuff like Optimizer Pro and other regular infections (TDSSKiller found none).
I cleaned all of them and rebooted the computer every time.

-After this I used CCleaner to perform a clean of the system and registry.

-Then I reset the web browsers.

-I rebooted many times and the computer was working just fine after that.


But it only lasted 2 weeks.
During this time nothing was installed on the computer. Then he called me back to say the ads were back.

This time, to clean his computer, we used TeamViewer, which I installed on a standard live USB of GNU/Linux Mint 17.1 Cinnamon 32-bit.

I spent almost the whole night running all the utilities I used two weeks ago, but it kept coming back after every reboot, whether it was Firefox, Google Chrome or Internet Explorer. At the end I used RogueKiller.

RogueKiller showed me in the antispyware tab that there were 2 orange IRP Hooks. It also opens a page explaining how the agents work. The software does not have the function to remove it.

The only information I got typing "IRP hook" into Google was almost only fake blogs, fake articles, fake websites, many of them leading to a software called SPYHUNTER. All these pages look almost normal apart from all the ads for fake anti-malware and spyware tools.


I told my cousin I will format his computer later to be sure. But BIG PROBLEM here. I shut down the computer with the live USB I used for TeamViewer (which I have to install every boot). Also, because I am a bit paranoid and because my personal computer was also on the same network the whole night, I decided to reboot my internet box and acquire a new IP, using the web interface.

==>This point may be important for further interpretation of the malware/virus, whatever it is. I am not 100% sure that it renewed my IP. But I disconnected from my ISP and reconnected via the web interface.

Now is the big point.

The day after this TeamViewer session, I started the PC I use for testing live USBs of Linux distros and also for TeamViewer (the one I used the night before).
I should point out that this computer has 1 hard drive with dual boot Windows XP/Ubuntu Studio and that it is never connected to the internet apart from when running a live USB (I only plug in the Ethernet cable for this purpose).


I started it on the same USB I used the night before (GNU/Linux Mint 17.1 Cinnamon 32-bit), and because I am curious I thought I could maybe give a go at other scanning on his PC. So I typed "www.google.fr" into Firefox on the live USB to get to TeamViewer, but it does not open Google!! What pops up are tabs of the same type of ads that were installed on my cousin's computer!!!!

I could not believe my eyes. I got ads popping up when I typed www.google.fr. And the whole night I spent on TeamViewer for my cousin's computer, it was on this live USB, on which I was surfing all the time to try to find information about this type of virus/malware that was found in the scan results with the software installed on HIS COMPUTER. 0 ads popped up during that time in Firefox from my USB stick.


It is only the day after everything had been shut down: the computer (which means removing the USB stick for shutdown and replugging it after shutdown) and, theoretically, the IP reset through the web interface of the router.

So how did I get contaminated through TeamViewer, because I checked the MD5 of the USB key, which seems "perfectly" fine?
Why did only the computer I used for TeamViewer receive ads, and not even the other computers of my home network nor the ones on my cousin's network?


Is it using the MAC address? Or the router cache for each computer to trace back? Or is it able to hide on hidden parts of an UNMOUNTED hard drive?

I do not mount the drives on my live USB Linux, at least that is my understanding, but it can be wrong: it does not automount them unless you try to open them in the file explorer of Mint Cinnamon (maybe I'm wrong on this point). I'm not a tech expert at all.

But it would mean the software, through TeamViewer, can cross from Windows to Linux and change some DNS stuff, or else install itself on any hard drive? I have no clue how this happened. What I can say is that after that I turned off my router (removed the electric plug), plugged it back in, then turned on my computer, and the ad did not appear this time when I typed www.google.fr on my live Mint. But will it appear again later? Will it trace back? I really cannot be sure about it.


Other details:

-When the ads popped up on my USB stick the day after the TeamViewer session, they were only displayed once, the first time I opened Firefox and typed google.fr. I am not even sure if I pressed Enter before the ads popped up. After I closed the two ads it was "working alright" when I was typing google. But I turned off the computer straight after the few tries, as well as the router. It scared me a lot.

-Neither my motherboard (Asus P5K) nor his motherboard has an EFI BIOS.


My observations of the adware/malware/virus:

-It displays ads often when typing an address. Often it is advertising for PC fix software (unfortunately it was late and I don't remember the name of the software and the different ad domains, apart from I think www.first.com or something like that).
-When opening a trusted webpage like Bleeping Computer, it will put ads everywhere, for instance a fake video that cannot load due "to a plugin missing, click here to install", that sort of trap.

-Other windows or tabs will open with advertising. For instance if the word "download" appears in a sentence without a link, it will put a hyperlink on this word to other crapware or advertising, like on any word that could logically lead to a hyperlink, which is very tricky.

-Toggles many download buttons which look safe.
-Doing research on Google displays lots of false results, and normal results can only be found in the middle of all these fakes.
-Typing the domain name of one of these ads + virus or + threat + malware or + adware etc. into Google only led me to fake virus information webpages/blogs/articles, or nothing related from recognized antivirus/Malwarebytes or other official, well-known software. Many of them recommend SpyHunter or give manual steps which seem suspicious (like removing UAC...).

-I only found one topic on an Italian forum relating to this problem, but with no solution.

-The only good tools I know did not get completely rid of it (only for two weeks).

-My cousin's computer has all the .txt files from some of the scans I performed on this computer.

-It crossed through TeamViewer onto my computer while I was on a USB stick of Mint Cinnamon 17.1.

-It looks very powerful, and very well hidden.

-I never heard anywhere of this threat, but maybe it is already known.


I am willing to find an answer, and also a solution to this very powerful virus/adware/malware:

-Therefore I prefer to mention that I will also post this message to the Kaspersky and Nod32 forums to see if they can help as well.

-My cousin's computer is now shut down. If you are interested in finding out more, it has not been formatted yet (not even sure this will get rid of it if it is related to the network card), and if one of you guys wants to check through TeamViewer, my cousin completely agrees to provide access to his computer if you want to check out this new threat, of which I have never heard, but which seems to me extremely powerful.
-I also performed an FRST.exe scan and the reports are on his computer as well.

Honestly I am too scared and I don't want to connect to his computer anymore. I don't have the competence nor the knowledge on these matters.

Thank you for reading this, and thank you in advance for any advice, but also for your free software which in so many cases solves problems for uncountable beings on this planet.
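The poster above wonders whether the adware "changes some DNS stuff" and whether the router is involved. From a defender's point of view, two places on a live Linux session where a DNS-level redirect would be visible are the resolver list the router hands out over DHCP (/etc/resolv.conf) and the local hosts file. The script below is an added example, not code from the original post or from any of the tools named in it; the sample file contents, the list of trusted resolver ranges and the watched domain names are all constructed for the demonstration. A practitioner would replace the samples with the real files and extend the trusted list with the ISP's own resolvers.

```python
import ipaddress

# Constructed sample: a /etc/resolv.conf as a live session might receive it
# from the router over DHCP. The second resolver is deliberately outside the
# home network to show what a flagged entry looks like (documentation range).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Constructed sample: a hosts file with a fabricated override of a search
# engine name (203.0.113.9 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
203.0.113.9 www.google.fr google.fr
"""

# Ranges a home router's resolver is expected to fall in. Extend this with
# the ISP's published resolver addresses; anything else gets reported.
PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "fc00::/7", "fe80::/10"]

# Names whose presence in the hosts file is worth reporting.
WATCHED_DOMAINS = {"www.google.fr", "google.fr"}


def _strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_text.splitlines():
        parts = _strip_comment(line).split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_nameservers(resolv_text, trusted_ranges):
    """Return nameservers that are not inside any trusted range.

    Unparseable addresses are reported as well, since a resolver line that is
    not a valid IP is itself worth a look.
    """
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]
    flagged = []
    for server in parse_nameservers(resolv_text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)
            continue
        if not any(addr in net for net in nets):
            flagged.append(server)
    return flagged


def hosts_overrides(hosts_text, watched):
    """Map each watched hostname found in hosts-file text to the IP it is pinned to."""
    overrides = {}
    for line in hosts_text.splitlines():
        parts = _strip_comment(line).split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in watched:
                overrides[name.lower()] = ip
    return overrides


def report(resolv_text, hosts_text):
    """Combine both checks into one dictionary suitable for printing or logging."""
    return {
        "nameservers": parse_nameservers(resolv_text),
        "unexpected_nameservers": unexpected_nameservers(resolv_text, PRIVATE_RANGES),
        "hosts_overrides": hosts_overrides(hosts_text, WATCHED_DOMAINS),
    }


if __name__ == "__main__":
    # On a real live session: report(open("/etc/resolv.conf").read(),
    #                                open("/etc/hosts").read())
    for key, value in report(SAMPLE_RESOLV_CONF, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

An empty `unexpected_nameservers` list and an empty `hosts_overrides` dictionary on the live USB, together with a router whose DNS settings still point at the ISP, would argue against the network-level explanation; a resolver outside the trusted ranges that disappears after a router power cycle is the kind of observation worth including in a forum report like the one above.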


Sorry in advance that I'm really not sure which category to put this case in.

I now remember one of the so numerous ads, which was in French: Iphone pour 1 euros (iPhone for 1 euro).

Also on my USB stick, one of the two windows with ads that opened, the one I remember, was a well set up trap: the page looked like some magazine article about discovering how most of the French only buy their iPhone by spending 1€. I did not click on any of them and closed it straight away. I just tried a few more Google searches, I guess because I was so shocked to be contaminated.


1 month later...

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you.

Thank you and sorry we missed your topic.
