Anti-virus event logs

Hi all,
I have a client whose computer is full of pornography and we are arguing that this may be due to a virus. He had Avast software installed but had not been updating it (I know, I have told him he's an idiot) and I notice that in the Event Viewer (Windows XP) there are references like the following suggesting that your software has been picking it up. I also include a screen shot of the Avast setup.

E.g. Sign of JS-ADOB-V (Expl) has been found in http://picshunter.info http%3A//teen-nymphos.net/” file

Sign of JS:Feebs family has been found in http://bestOlove.com/index php

Similar things are found in reference to the temporary internet files and point to specific images in the cache?

Can you help me?

Whatever it is has been making the machine act in a crazy way and he cannot understand where all the favourites and images have come from as well as the fact there is no longer a control panel.

Thanks

J

That is a Web Shield detection, as it is detecting it on a site, not his HDD, so in those instances Avast stopped his system from becoming infected at those sites.

The ones in the Temporary Internet Files can get there depending on the browser in use: Avast tries to drop the connection for the item, but some browsers complete the download before dropping it. Then Avast would detect it in his system and he would have to choose what action to take.

I would say there is a high chance his system is highly compromised, trojan backdoor or downloader perhaps, so I'm not that surprised he is no longer in control of his system. Given the obvious lack of keeping his anti-virus up to date, I would say there are other areas he hasn't kept up to date, and a firewall that is capable of blocking unauthorised outbound Internet connections. What is your firewall?

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

If you/he haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
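The Web Shield versus cache distinction David draws above, as an added triage script that is not part of the original thread: it parses Avast-style "Sign of … has been found in …" lines (the sample lines, hosts and paths are constructed for illustration) and separates hits blocked at the URL from files that actually reached the Temporary Internet Files cache or elsewhere on disk, which are the ones that need follow-up.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlparse

# Avast event-log line shape quoted in the thread:
#   Sign of <signature> has been found in <location> file
SIGN_RE = re.compile(r"Sign of (?P<sig>.+?) has been found in (?P<loc>.+?)(?:\s+file)?\s*$")

# Constructed sample lines: hosts and paths are made up, not taken from a real log.
SAMPLE_LOG = r"""
Sign of JS-ADOB-V (Expl) has been found in http://referer-a.example http%3A//landing-b.example/ file
Sign of JS:Feebs family has been found in http://site-c.example/index.php
Sign of HTML:Iframe-inf has been found in C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\page[1].htm file
Sign of Win32:Trojan-gen has been found in C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\EFGH5678\img[1].jpg file
Sign of Win32:Trojan-gen has been found in C:\temp\setup[1].exe file
"""

def parse_line(line):
    """Return a dict for one detection line, or None if the line has another shape."""
    m = SIGN_RE.search(line)
    if not m:
        return None
    sig = m.group("sig").strip()
    loc = unquote(m.group("loc").strip().strip('"\u201c\u201d'))  # decode http%3A// and drop stray quotes
    if loc.startswith("http://") or loc.startswith("https://"):
        kind = "web_shield"     # caught on the site: connection dropped, nothing written to disk
    elif "Temporary Internet Files" in loc:
        kind = "browser_cache"  # download finished before the drop; the file reached the IE cache
    else:
        kind = "on_disk"        # ordinary file on the system: treat as a possible active infection
    hosts = [urlparse(tok).hostname for tok in loc.split() if tok.startswith("http")]
    return {"signature": sig, "location": loc, "kind": kind, "hosts": [h for h in hosts if h]}

def triage(log_text):
    """Summarise detections by where they were caught, so cache hits are not mistaken for blocked ones."""
    hits = [h for h in (parse_line(l) for l in log_text.strip().splitlines()) if h]
    return {
        "by_kind": dict(Counter(h["kind"] for h in hits)),
        "signatures": dict(Counter(h["signature"] for h in hits)),
        "hosts": sorted({host for h in hits for host in h["hosts"]}),
        "needs_review": [h["location"] for h in hits if h["kind"] != "web_shield"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```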

Thanks David,
Can you suggest a specific threat that I could look for that has disabled basic things like Control Panel in all accounts? He had no firewall and hadn't updated his AV ever!! He knows he's an idiot, but the porn is all over his Temporary Internet Files (IE 6) as well as a load of favourites that were created when he was not at the PC. I'm sure some of this is malware, but it is tough to prove unless I get some specific names and then look for them, or services or artifacts that relate to this activity. You may have guessed I am a forensic investigator :wink: but I do not specialise in malware.

Not a specific threat, as there are a number of malware variants that try to disable system functions to make it harder for the user to remove the malware.

Without an active firewall, any malware that manages to get past your defences (an absolute doddle with an out-of-date AV) will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

His OS is almost certainly just as out of date, which is why I gave the Secunia inspector link: to ensure everything is up to date, as this closes the vulnerabilities addressed by either security updates or program updates, all of which contribute to system security.

First thing is to clear the Temporary Internet Files; second, install a firewall to protect against unauthorised outbound connections, or, as fast as you can clean things, more of the same could be being downloaded.

David,
Thanks again for your reply. Perhaps I should have been more clear in my initial post and I apologise for this. The situation is that I am not trying to fix it; I am running it as an image in VMware. It is more important in this case to understand what caused the downloading of the images. I notice from the IE history visits to trustedvirus.com, advancedcleaner.com and then to things like s2fnew.com, which I have looked up using archive.org and it looks like a random, very short-lived search page. All the images are in the IE cache and appear very quickly.
Hope this is more clear
Thanks

J

It is a little clearer; unfortunately I don't use VMware so have no experience in that regard.

Running the malware tools even in a virtual environment should still work and produce logs that may yield some clues as to what is responsible. The problem being there are many possibilities as to what type of malware might download p-o-r-n images.

This system, at a guess, is so compromised that there will be so much on it that you may never pin down exactly what does what, and it may be better to consider the nuclear option: a back-up of whatever data he doesn't want to lose, format and reinstall, as it sounds like this could possibly be quicker.

Then ensure that he has the security tools (firewall with outbound protection, AV, the two other applications suggested earlier and the Firefox or Opera browsers) to help prevent a recurrence of this. Add to this a flea in the ear to keep them and his system up to date and do periodic scans, or be prepared to pay the price of your service on a regular basis ;D

These trustedvirus.com and advancedcleaner.com domains make me think of rogue applications that pump out fake security alerts, etc., and Google searches on these domains return many such suspect hits. There are many temporary sites set up to serve malware, and these would have a short lifespan as they are likely to become blocked or shut down.