Malware

For all those techno questions

Malware

Postby TheOstrich » 31 Jul 2016, 19:06

I have been infected with a rather nasty piece of malware called "goac". Typically, this launches spurious ads when opening new tabs on Chrome, and AVG has also detected and blocked attempts to download a different virus, XDL or XDT from memory. Neither AVG, Malwarebytes or SpyHunter are detecting goac in itself.

My computer guru is having very little success at eradicating it. And the problem is - it's on both the laptop and the PC Tower. So, where's the common source of infection?

The laptop is pretty new and little used. There is no transfer of information (i.e USB drive) between them. The only websites/services accessed from both machines AFAIK are AVG, Chrome, Daily Mail and Vocal Voices .... could VV be an issue?

Opening VV has never triggered the malware. Opening the soccer forum I'm on does frequently trigger the launch of goac - but I've not accessed that forum from the laptop (again AFAIK).

Alternatively, the machines use the same router. Can viruses infect routers?

I've just paid for the laptop to be cleaned by a different computer guru - but that's not eradicated goac. On return, goac almost immediately launched itself alongside the Daily Mail ....

Just trying to understand what's going on here ....... any thoughts gratefully received.
User avatar
TheOstrich
 
Posts: 7581
Joined: 29 Nov 2012, 20:18
Location: North Dorset

Re: Malware

Postby Workingman » 31 Jul 2016, 20:45

From what you have put, Ossie, there two points of commonality: your router and Chrome.

Your router can indeed be infected by malware and without getting all deep and meaningful a quick way to sort things out is to reset it to factory defaults. Most people do not go in to their router settings, they just plug in, turn on, and accept their ISPs configuration. If you are one of them the solution is simple. With the router turned on find the reset button, you might need a paperclip in order to reach it through its small aperture. When pressing the pin in you will see all the lights changing, keep the pin pressed in for about 20 seconds before releasing it. the router should now be reset. A reboot, turning it off and then on again, should sort things out - for now.

Chrome is a different kettle. You will probably need to remove all of chrome - everything - so before you do so make sure that you have a list of all your password/login pairs and any bookmarks and favorites. C&P them to a simple text file. Then use an uninstaller such as Geek or Revo to remove traces form C:\ and the registry. Revo or Geek I prefer Geek.

Now got to Windows Explorer>>>Tools>>>Folder Options>>>View and tick mark Show hidden files, folders and drives. Aply the change and OK your way out. Now got to C:\Program Files (x86)\Google and using a shredder get rid of the Chrome folder. Your AVG might have a shredder or you can download one. Now go to C:\Users\Whatever your personal folder is\AppData\Local\Google and if there are any Chrome files or folders erase them. Do the same in Local Low and Roaming folders for and Chrome files or folders. Go back to Tools>>>Folder Options>>>View, and tick mark Don't show hidden files, folders and drives then OK your way out. Chrome is now gone. Go online and download and install the latest version of Chrome. Once you are sure it is OK you can put back the things in the text file you created earleir.

It all sounds like a job but it does not take that long.
User avatar
Workingman
 
Posts: 21740
Joined: 26 Nov 2012, 15:20

Re: Malware

Postby TheOstrich » 31 Jul 2016, 22:11

Thanks for that information, Frank, and I'll give it a go tomorrow, starting with the router reset.
User avatar
TheOstrich
 
Posts: 7581
Joined: 29 Nov 2012, 20:18
Location: North Dorset

Re: Malware

Postby Workingman » 31 Jul 2016, 22:24

Once you have the router reset there are other things to do with it, I will post tomorrow.

I will also have a look at rootkits and hidden BHO's for Chrome. I'll explain later.
User avatar
Workingman
 
Posts: 21740
Joined: 26 Nov 2012, 15:20

Re: Malware

Postby Suff » 01 Aug 2016, 00:53

A quick look tells me that goac infect usb media too. Useful to scan any of those if you need to.

I'd try the Kaspersky offline rescue disk. Download, burn to CD/DVD and boot from it.

Goac seems to be agile and the best way to get rid of an agile virus is to kill it from outside Windows. I had a Trojan I needed to kill on my SIL's PC. it was one that shrank the hard drive partition and wrote to the empty space, invisible to almost all anti Virus software and also blocked almost all removal programs from running.

I'd try the Kaspersky disk first. The last time I had to use it I burned an entire day trying to sort the Trojan and it was the Kaspersky disk that did it in the end.
There are 10 types of people in the world:
Those who understand Binary and those who do not.
User avatar
Suff
 
Posts: 10785
Joined: 26 Nov 2012, 08:35

Re: Malware

Postby Workingman » 01 Aug 2016, 08:49

I hope that I am here early enough. :lol:

Regarding the router, have a look at this. Try some or all of the things from the 'Start with this' section and the details that follow. It explains quicker than I can.

When it comes to Chrome you might want to run this and this before you start just to make sure that Chrome does not get hooked up again once it is replaced.
User avatar
Workingman
 
Posts: 21740
Joined: 26 Nov 2012, 15:20

Re: Malware

Postby Suff » 01 Aug 2016, 09:45

I was late.... :lol: :lol:
There are 10 types of people in the world:
Those who understand Binary and those who do not.
User avatar
Suff
 
Posts: 10785
Joined: 26 Nov 2012, 08:35

Re: Malware

Postby admin » 12 Aug 2016, 20:19

I’ve had a look around the site and the database and can see no issue

I’ve accessed each thread using a Bt laptop VM running mcafee desktop. Routing via a proxy running Bluecoat web filter and Kaspersky gateway scanning so strength in depth. Then I have policy on the proxy to block the download of executables based on their apparent data type, so even if an executable pretends to be something else it gets detected

I also ran PF12 developer to check on what was being downloaded the bulk of the links are Hosted on the site itself with a few jpg and gifs from external sites. The site itself is locked down so only I have access to the underlying code, so the normal attack vector on phpbb, ftp access, is locked out. Gifs can contain malware but the signature of goac is quite well known so would be picked up by at least one of the av’s

By the nature of phpbb it is difficult to embed malicious javascript into a post the only tags permitted are implemented by BBCode in addition of <script /> or <iframe/> tags are not permitted and the phpbb parser will not recognise them and will display as text in the post. it is unlikely to have been attempted as the board is closed

Normally drive by malware is deployed from an iframe with a link to one or more staging servers which then links eventually to an exploit server, I see no evidence of any such behaviour in the access logs

I have seen no alerts from the AV of any indication of a blocked url on the proxy either by malware category or detected virus

So the site looks clean
admin
Site Admin
 
Posts: 7
Joined: 25 Nov 2012, 09:02

Re: Malware

Postby Suff » 15 Aug 2016, 00:49

Thanks for the update Mick.

I didn't expect that VV was infected, but it is always worth checking.

I take it inline SQL attacks are also blocked by the refusal to recognise anything other than BBCode??

I never get a threat warning off VV so assume it's fine. Although I must admit that my latest tablet is currently only protected by Mickeysoft protection. Something I have to sort out as a matter of urgency...
There are 10 types of people in the world:
Those who understand Binary and those who do not.
User avatar
Suff
 
Posts: 10785
Joined: 26 Nov 2012, 08:35


Return to Computers etc

Who is online

Users browsing this forum: No registered users and 89 guests