Classic British Flight Sim

Last week I noticed that odd things were happening with my work laptop, emails/web pages/directories closing and opening without intervention from me - then characters and parts of sentences appearing in the middle of my typing that were nothing to do with me either. The characters became more random as I yanked the server connection out of the back of the laptop, but it still was showing un-nerving indications of me not being in control of what was happening.

The company symantec anti-virus found nothing but Malwarebyte said that I had a Rootkit.Agent infection and also another nasty that I managed to destroy quite quickly. The rootkit beast took two days to finally pin down and delete as it kept re-appearing after a re-boot. The system we have refused to let me restart in safe mode, every time I put in my password the damn thing promptly returned to normal mode and re-infested itself.

While Malwarebyte at least spotted the infestation, the following were useless at best and made the matter worse in two instances.

Blacklight and Threatfire spotted nothing, neither did PC Tools Spyware Doctor, but the evil bar stewards proved to be Noadware - which loaded a Trojan of it's own but at least spotted one of the other problems, and Spy Emergency 2008 - may their authors rot in Hades. The latter piece of toxic waste tried to load half a dozen nasties but spybot spotted them and allowed me to abort the loading.

It now seems I have got rid of the problem, but tomorrow I will have the acid test of reconnecting to the server and outside world. I am also likely to have an exchange of words with our IT guy who insists that the only way the beast got in was through me opening a spam email and following a link to the source of the infestation. This is the same guy who will do nothing about the volume of spam we are receiving in case it eliminates an email from a client by mistake. This means that I am getting 30-40 nasties a day and some staff are getting over 100.

Now while I can't guarantee to have always avoided opening a spam email, I have never been so dumb as to then follow a link in one.

Anyone know if there is any other way of getting this sort of problem, and it won't help if the answer is looking at flightsim or aviation related sites in my lunchhour!

Hi Allan,

If you can... I'd really recommend rebuilding the box. Or at worst, schedule a time in the near future to rebuild it.

XR219 wrote:Hi Allan,

If you can... I'd really recommend rebuilding the box. Or at worst, schedule a time in the near future to rebuild it.

I concur.

I say we take off and nuke the site from orbit. It's the only way to be sure.

Hi Allan,

If you have access to another PC - I guess you have, then I can thoroughly recommend this site http://www.techguy.org/. You will need to register on the forum and then post in the security and malware forums with your symptoms. Someone will take your 'case' on board and try and give you a remedy. You will be requested to download various tools to diagnose the problems and then you will report back on the forum with results. It may take a day or two as the one person sticks with your case. I've used them a couple of times when my pc got infected with a persistant virus and they got me clean within a short time. The instructions they gave were very clear and step by step.These guys are current or retired IT experts who run this site as a free/optional donation service.

Regards

John

Hi Folks

Allan -
Rootkit.Agent is from ~ mid 2006.
Detetectable and repairable by pre 08/07/2006 products.

Recommend installing a quality alternative AV/Spyware toolset.

Surprised Symantec didn't pick it up, -
- is it a current version ?
- are all services running ?

Unless its some new rootkit variant,
which is being incorrectly detected as Rootkit.Agent.

Meantime -
McAfee/NAI have free tools to remove rootkits.
Please see - http://vil.nai.com/vil/averttools.aspx

HTH
ATB
Paul

on the sides of the email, if its works email its most prob that you yourself will be responisble to deny spam in a rule on your email software... Surposidly its easy to set up on outlook. If the spam is company wide then the IT guy may have to look further onto blocking the emails...

Thanks for the suggestions, on Friday it was agreed to replace the hard drive with a larger unit and reload Office, 40gig of work files, etc.

I've been away for the weekend, but managed to grab the McAfee tool at my daughters and then gave it a run earlier today on the way home. It came up with some hidden registry keys but not too much else. The symantec is on a corporate licence and is regularly updated whenever I'm connected to the server, as for the emails well the bulk of them go straight to the junk folder and the ones that do make it to the Inbox folder are usually so blatant that they just get deleted instantly. One of the ones that does get into the Inbox even though it is marked as spam is the variations on the CNN10 beast - but again I'd never open them anyway. Basically if I don't recognise the source it goes straight in the bin.

The replacement hard drive had the wrong connectors, so reformatted the original drive, reloaded XP and the relevant hardware drivers from the manufacturer's site. As soon as I accessed the web to get some other software from a known source the "ghost" typing started up again.

Now I'm just going to upload my data files onto a completely new machine.

Access to the web is via a server which only has the windows firewall (as do our laptops) - could the system integrity be being breached through the server - not that anyone else in the office is owning up to having any problems?

It sounds like you have some infection elsewhere on your network. Are the machines part of a domain? I'm going to be away for a weeks, so I may not be here for the answer. If they are, build the machine up completely without joining it to the domain and see if you get the same problem. Something has definately been compromised somewhere.