Need opinions on virus/trojan attack last night

Discussion in 'Networking and Security' started by DeltaSpread, Jan 19, 2011.

  1. Live and learn. I have a small network comprised of a wireless modem/router combo device. Plugged in are a Mac, a laptop, and a Sony for my trading. Only the Mac was turned on during this attack.

    Last night my girlfriend plugged in her PC laptop for some legit research. She had a Facebook page open and a Google page where she was doing keyword searches and clicking random links. Her PC laptop is running Windows XP Pro with the latest updates and also AVG free software with the latest patches.

    When clicking on a Google search link, the internet browser froze. Then after 30 seconds or so, the web page had gone totally white while frozen and a pop-up window appeared saying that Windows had recognized a virus and that I should abort the page; something like this. I feared clicking OK or Cancel because I figured that pop-up window itself was the culprit faking me out. I could not CTRL ALT DELETE out of it either.

    So I clicked on the "X" in the right-hand corner of the box. The pop-up went away and then a screenshot of what appeared to be as if I had clicked on My Computer showed up embedded in the web page.

    Then a Windows pop-up box came again showing me 5 separate trojan/virus files that had been discovered, including a Bloodhound exploit.

    But the number 5 decreased as if counting down to 0. And then the web page turned into how it would appear if you had no internet connection.

    I immediately unplugged the modem/router. Ran an AVG scan of the whole hard drive. No viruses were found.

    I will most likely securely wipe the laptop hard drive and reformat everything with a fresh install because I am quite paranoid.

    What should I do with my Mac?? I have it running in stealth mode with a separate firewall. But when I checked my log, it did show 4 connection attempts and UDP denials at the same time as the attack. Should I wipe the Mac too or am I just being too OCD? Would you do anything with the PC trading machine as well, or because it was turned off is there nothing to worry about?

    Any thoughts or input greatly appreciated. Thanks
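The poster's one concrete piece of evidence is the Mac firewall log showing denials at the time of the incident. The following added example (not code from the original thread) shows how to pull the denials from a few minutes either side of a known incident time and count them per source, so a single remote host hammering several ports stands out from ordinary background noise. The log lines are constructed in the shape of the `ipfw: ... Deny` entries the Mac OS X firewall wrote to system.log in that era; the addresses are RFC 5737 documentation addresses, not the poster's, and the incident time is assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines, shaped like the "ipfw: ... Deny" entries the
# Mac OS X firewall logged to system.log in 2011. Not the poster's real log;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 19 21:02:11 macbook kernel[0]: ipfw: 35000 Deny UDP 203.0.113.5:53 192.168.1.10:51234 in via en1
Jan 19 21:40:03 macbook kernel[0]: ipfw: 35000 Deny TCP 198.51.100.23:4432 192.168.1.10:445 in via en1
Jan 19 21:40:05 macbook kernel[0]: ipfw: 35000 Deny TCP 198.51.100.23:4433 192.168.1.10:139 in via en1
Jan 19 21:40:09 macbook kernel[0]: ipfw: 35000 Deny UDP 198.51.100.23:1900 192.168.1.10:1900 in via en1
Jan 19 21:41:30 macbook kernel[0]: ipfw: 35000 Deny UDP 192.168.1.12:137 192.168.1.10:137 in via en1
Jan 19 23:15:44 macbook kernel[0]: ipfw: 35000 Deny UDP 203.0.113.9:5353 192.168.1.10:5353 in via en1
"""

# Only TCP/UDP verdicts with ports are handled; anything else parses as None.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ kernel\[\d+\]: "
    r"ipfw: \d+ (?P<action>Deny|Accept) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line, year):
    """Parse one ipfw log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year, so the caller supplies it
    rec["ts"] = datetime.strptime(
        f"{year} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S"
    )
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def denials_near(log_text, incident_iso, window_minutes):
    """Return Deny records within +/- window_minutes of the incident time.

    incident_iso is an ISO timestamp such as "2011-01-19 21:40"; its year is
    used to complete the year-less syslog timestamps.
    """
    incident = datetime.fromisoformat(incident_iso)
    lo = incident - timedelta(minutes=window_minutes)
    hi = incident + timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, incident.year)
        if rec and rec["action"] == "Deny" and lo <= rec["ts"] <= hi:
            hits.append(rec)
    return hits


def summarize(records):
    """Count denials per (source IP, protocol, destination port) so a repeat source stands out."""
    return Counter((r["src"], r["proto"], r["dport"]) for r in records)


if __name__ == "__main__":
    hits = denials_near(SAMPLE_LOG, "2011-01-19 21:40", window_minutes=5)
    print(f"{len(hits)} denied connections within 5 minutes of the incident")
    for (src, proto, dport), n in summarize(hits).most_common():
        print(f"  {src:<16} {proto} -> port {dport:<5} x{n}")
```

On a real Mac of that era the input would be `grep ipfw /var/log/system.log`; the point of narrowing to a window and grouping by source is to separate the four denials that coincide with the incident from the unrelated DNS and mDNS noise hours away.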
     
  2. tlow

    It sounds like you have a bit better security hooked up to your Mac also...Macs are more secure in general than Windows machines.

    I wouldn't worry about your Mac, I'm sure it's fine, especially if you see the blocked attack attempts. Also, you are talking about a virus jumping across different OSes...that would be extremely complex and I'm sure it would be affecting a ton of people if that were the case.

    Lastly, AVG is not the best virus checker IMO. I've seen plenty of bad things slip through AVG scanners on customers'/friends'/peers' computers. I would try something else, or maybe do a free internet scan from one of the other guys if you don't feel like wiping the drive.

    To be safe, I would do the same thing as you said..make sure everything is backed up and then wipe the drive and reinstall Windows. It sounds like you know what you are doing so I'm sure you'll be fine.

    EDIT: Sorry, wasn't very specific...I was referring to your GF's computer...the one that got attacked. Any computer turned off...don't worry about, just don't turn them on in the same network until either a.) you isolate that computer or b.) wipe the drive.
     
  3. Thanks tlow for taking time to post in this thread and for your input.

    I have never seen anything like this. I will definitely not reconnect the attacked laptop until it's totally wiped & reformatted.

    Do you think I should be worried about changing my ISP address in a case like this?

    Also I am still on the fence as to whether or not that was the Windows OS jumping in and detecting the 5 trojan/virus files for me. It happened so fast it was tough to tell for sure.

    I am glad though that we have each machine segregated for integrity purposes, i.e. one computer is just for trading, one computer is just for paying bills, online transactions, etc., one computer is for media, music, video, etc. It makes situations like this a lot easier to deal with.
     
  4. promagma

    It was not Windows, it was a spoof trying to infect you. You did the right thing to close it, but this spoof uses multiple avenues of attack, so it is still possible that you were infected. I was - one method it uses is taking advantage of outdated Java, so make sure your Java is updated (http://www.java.com/en/download/index.jsp) or disable Java.
     
  5. Bob111

    your setup should be fine.. but! i would cascade routers. this way you will have 2 separate networks, reducing the probability of spreading viruses across the networks even more. routers are dirt cheap now.
    basically, if the router address is different, all you have to do is just plug one into another. what i would do: the first router, the one connected to the internet, should be wireless (for your own convenience) and all "common" PCs in the house will be connected to this router. then you plug another cable into a LAN port of this router and connect the other end to the WAN port of another (wired) router, and all your trading PCs will be connected to this router. you can also try the free Comodo antivirus and firewall. their approach is a bit different than AVG's. the firewall will allow you to investigate all connections. the antivirus is a bit paranoid, so be careful if it catches something. the sandbox feature is a really good one, once you get used to it. investigate before you delete the entry. could be a false alert.

    good luck!
     
  6. Thanks so much for the info. I bet that is it. I believe the Java is definitely outdated on that laptop.
     
  7. I appreciate your input. Thanks!

    I actually have a spare wired router sitting around right now. I will definitely do this later today.
     
  8. tlow

    Ya, I agree with Bob if you want to add another layer of security...one note, I would never plug my computer directly into the modem/router that your ISP provides...those things are always total crap and are pretty easy to hack...and you are directly connected to the internet.

    Somewhat similar to what Bob mentioned, just run a line from your ISP modem into a router..almost all routers nowadays have firewalls (also I would recommend turning UPnP off). Then on your router, set your DHCP or static IPs to send out something different than 192.168.0.1 or 192.168.1.1...anything...something like 123.45.6.7...it may not do anything but it adds a simple layer in case the viruses are hunting for easy ways to get into your router/network.

    If you really want to do a proper scan of your hard drives...pull them out of your box, put them in an external enclosure...I would then hook it up to your Mac and run the scanner through the Mac since it probably won't jump across OS. However, there is always the added risk of plugging a possibly infected hard drive into a good machine.

    If it were me, I would just wipe the computer that got attacked, and then any computer that was on but where I didn't see an attack, I would just monitor closely and make sure everything (especially Java and Flash) is updated.

    Don't worry about changing your ISP address. I'm sure you were one of a million different addresses. Just take the proper security measures...again, don't hook directly into your ISP modem.
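Bob111 and tlow both describe a cascaded two-router layout: the inner router's WAN port hangs off a LAN port of the outer router, so the trading PCs sit behind a second NAT. The added example below (not code from the thread, and with constructed addresses rather than the poster's) checks an addressing plan for that layout for the mistakes that make it fail or leak: both LANs must be in RFC 1918 private space, the two LANs must not overlap (a router cannot route between its WAN and LAN if they share a subnet), and the inner router's WAN address must be a free host address in the outer LAN. It then models which zones can open connections to which, under the assumption that neither router has port forwards or UPnP enabled (tlow's recommendation), to show why the outer "common" LAN cannot reach the trading PCs while the trading PCs can still reach out.

```python
import ipaddress

# RFC 1918 space: the only ranges a home LAN behind NAT should use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical addressing plan for the cascaded layout (constructed values):
#   outer router (wireless, ISP side): LAN 192.168.1.0/24, gateway .1
#   inner router (wired, trading PCs): WAN plugged into the outer LAN as .2,
#                                      LAN 192.168.50.0/24, gateway .1
PLAN = {
    "outer_lan": "192.168.1.0/24",
    "outer_gw": "192.168.1.1",
    "inner_wan": "192.168.1.2",
    "inner_lan": "192.168.50.0/24",
    "inner_gw": "192.168.50.1",
}

# How many NAT boundaries separate a zone from the Internet.
ZONE_DEPTH = {"internet": 0, "outer": 1, "inner": 2}


def is_rfc1918(net):
    return any(net.subnet_of(private) for private in RFC1918)


def validate_plan(plan):
    """Return a list of problems with a cascaded-router plan; an empty list means it is consistent."""
    problems = []
    outer = ipaddress.ip_network(plan["outer_lan"], strict=True)
    inner = ipaddress.ip_network(plan["inner_lan"], strict=True)
    outer_gw = ipaddress.ip_address(plan["outer_gw"])
    inner_wan = ipaddress.ip_address(plan["inner_wan"])
    inner_gw = ipaddress.ip_address(plan["inner_gw"])

    for name, net in (("outer_lan", outer), ("inner_lan", inner)):
        if not is_rfc1918(net):
            problems.append(f"{name} {net} is not RFC 1918 private space")
    # The inner router routes between its WAN (on the outer LAN) and its own LAN,
    # which only works if those two subnets are distinct.
    if outer.overlaps(inner):
        problems.append(f"inner_lan {inner} overlaps outer_lan {outer}")
    # Gateways must be usable host addresses inside their own subnets.
    for name, gw, net in (("outer_gw", outer_gw, outer), ("inner_gw", inner_gw, inner)):
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {gw} is not a host address in {net}")
    # The inner router's WAN side is just another host on the outer LAN.
    if inner_wan not in outer or inner_wan in (outer.network_address, outer.broadcast_address):
        problems.append(f"inner_wan {inner_wan} is not a host address in {outer}")
    elif inner_wan == outer_gw:
        problems.append(f"inner_wan {inner_wan} collides with outer_gw")
    return problems


def zone_of(ip, plan):
    """Classify an address as 'inner', 'outer' or 'internet' relative to the plan."""
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(plan["inner_lan"]):
        return "inner"
    if addr in ipaddress.ip_network(plan["outer_lan"]):
        return "outer"
    return "internet"


def can_initiate(src_ip, dst_ip, plan):
    """True if src can open a new connection to dst with no port forwards and UPnP off.

    A NAT router passes sessions started on its LAN side and drops unsolicited
    inbound ones, so a destination is reachable only from a zone at least as
    deep as its own.
    """
    return ZONE_DEPTH[zone_of(dst_ip, plan)] <= ZONE_DEPTH[zone_of(src_ip, plan)]


if __name__ == "__main__":
    print("plan problems:", validate_plan(PLAN) or "none")
    for src, dst in (("192.168.1.20", "192.168.50.10"), ("192.168.50.10", "192.168.1.20"),
                     ("203.0.113.7", "192.168.1.20")):
        print(f"{src} ({zone_of(src, PLAN)}) -> {dst} ({zone_of(dst, PLAN)}): "
              f"{'allowed' if can_initiate(src, dst, PLAN) else 'dropped'}")
```

The reachability model is deliberately the simplest one that holds for two unmodified consumer routers; any port forward, DMZ host setting or UPnP mapping on the inner router punches a hole in it, which is why turning UPnP off belongs with the rest of the setup.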
     
  9. CET

    My neighbor was having trouble with his PC randomly shutting down and eventually the internet connection would not work. After some searching and some input from others I finally followed the suggestions in this link on the bleepingcomputer site.

    http://www.bleepingcomputer.com/forums/topic308364.html

    They created Rkill, which kills malicious processes currently running on a PC. It does not have an update feature so you need to download it again if you want to run it later if much time has passed since the last download. They update it often.

    They then suggest running MalwareBytes, SuperAntispyware and Dr. Web CureIt, which are all free. Some infections prevent you from downloading or updating some malware/spyware/virus software, but Rkill should prevent that problem. FWIW, the Dr. Web CureIt is Russian, so you may need to change the language selection in the upper right corner if it comes up in Russian.

    Running these solved the problem on my neighbor's PC, as we found several trojans. I would do this as a check before I would reinstall the OS. Also, these scans take quite a while depending on the speed of the computer, but I highly recommend them. Good luck.
     
  10. Unless you downloaded something specific, you got into a spoof loop. They are websites designed to make you think you are infected, then you download something that actually infects you. A few things you can do right now to clean up. But based on what you said, you do not have a virus.

    Delete all temp internet files and history from all browsers.
    Run Malwarebytes (free).
    Switch to Avast (free) over AVG.
    Run CCleaner (free) to remove even more unnecessary files.
    Use the free deep root scanner at kaspersky.com.

    I do like SuperAntiSpyware, but it puts itself into the startup, which is unnecessary.

    All of this is making the assumption that you are not using IE6.
     
    #10     Jan 19, 2011