
Malware removed.. but should i reformat?


  • This topic is locked
57 replies to this topic

#1 mindful

mindful

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 30 July 2010 - 03:19 AM

How best to proceed from here?

Description of the PC that was infected, the network and infection symptoms and ComboFix log as follows:
  • PC is on business network XP Pro OS, SBS 2003, wired w/remote access, SonicWALL tz180+McAfee Enforced AV
  • Server & all other client PCs worked normally.
  • Infected PC use is primarily Accounting w/remote deposit/check scanning & Banking, accessed remotely via LogMeIn or SSL VPN via GETMyLAN-BarracudaWebDrive

    Initial symptoms were networking issues:
    • PC getting disconnected from internet and/or server randomly
    • PC reboot would reset connections to begin with; as it progressed, reboot did not fix it.
  • Investigation discovered services stopping while PC running (and not restarting with reboot as problem progressed) (PCs remain online 24/7 for remote access).
  • As time passed more and more automatic services were affected.
  • Upon investigation & troubleshooting (web search) I saw aggressive browser redirects and knew that was malware.
  • McAfee had not identified and quarantined the threat(s).
Long story short: ran ComboFix 7/12/2010 and this resolved all issues for the affected PC (network/internet connections & browser redirects).

However, I feel VERY uneasy not knowing what it was, and since it was the primary accounting/banking PC that was infected.

After ComboFix I finally got GMER to run and it reported no problems; repeated scans since w/MBAM, ESET are clean.
ComboFix log:
2010-07-12 00:12:22 . 2010-07-12 00:12:22 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-MVS.reg.dat
2010-07-12 00:12:06 . 2010-07-12 00:12:06 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2010-07-12 00:11:58 . 2010-07-12 00:11:58 194 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sknbvyyy.reg.dat
2010-07-12 00:11:57 . 2010-07-12 00:11:57 189 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-McAfee Managed Services Tray.reg.dat
2010-07-12 00:03:43 . 2010-07-12 00:03:43 5,735 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-11 23:43:38 . 2010-07-11 23:54:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-09 15:37:09 . 2010-07-09 15:37:10 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0052.DLL.vir
2010-07-02 09:12:10 . 2010-07-02 09:12:10 37,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0051.DLL.vir
2010-07-02 09:12:09 . 2010-07-09 15:37:08 44,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wexe.exe.vir
2010-06-27 22:46:00 . 2010-07-11 17:07:07 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wupd.dat.vir
2008-01-21 21:14:07 . 2008-01-21 21:14:07 391 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2008-01-21 00:06:54 . 2010-07-11 23:55:29 57,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir
  • Scans on all other desktops and remotes are clean.
  • McAfee is reporting ComboFix quarantine files now; it did not in the few days following ComboFix when I checked it.
  • I ran temp file removal, registry backup & MBAM on all LAN & remotes; all report no issues (7/12/2010).
  • Ran GMER on one other LAN PC 7/12/2010, no issues found, and since it was very difficult to run successfully I opted not to run it on the server and all other PCs.
I will be VERY grateful for any advice regarding the best way to clean up and move forward.
I have not been able to find via web search any definitive information regarding the files quarantined, so I do not understand the nature of the threat.

I have been using (owning/maintaining/supporting) computers in business since 1980. This is my first infection.
I have been pressed into service supporting & learning on the fly SBS, Exchange Server, SonicWALL and network maintenance & security on a network I did set up, and I want to do my best to ensure that the owner & his business are properly protected.
  • For now I have asked them to move to another PC for accounting & change banking passwords using another PC.
  • Do I need to reformat or use F11 recovery to restore OS on the PC that was infected?
  • Do I need to run GMER on all PCs, local & remote?
  • I think I got all Java, Adobe updated as I scanned other PCs (I update as I log on; not sure if other users can, due to limited privileges; most programs are set to auto-update).
  • I am thinking of moving all PCs to Firefox & uninstalling IE 8. Firefox is already installed on 2 PCs and I updated them & added NoScript & McAfee SiteAdvisor per your recommendations.
Thank you for your help!



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 07 August 2010 - 08:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 07 August 2010 - 10:12 PM

Hi m0le,

I am here/subscribed.

The only updates to the PC since my posting are Windows & McAfee auto updates.

I understand your constraints and GREATLY appreciate your help.

I await your instructions... thank you.. mindful

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 08 August 2010 - 05:05 AM

QUOTE
1. Do I need to reformat or use F11 recovery to restore OS on the PC that was infected?
2. Do I need to run GMER on all PCs, local & remote?
3. I am thinking of moving all PCs to Firefox & uninstalling IE 8. Firefox is already installed on 2 PCs and I updated them & added NoScript & McAfee SiteAdvisor per your recommendations.


First, the main infection was TDL3, a variant of the TDSS rootkit. There are also traces of trojan/backdoor in some of the files.

1. For business computers I would recommend that you should reformat as the TDSS rootkit and backdoors can be a major problem. See this article

This is the warning I post when something like that is found on the PC.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2. You can run Gmer but the logs need to be read to find the infection.
3. Firefox is a more secure browser. Mainly because IE is the most popular and therefore the most attractive to malware writers. Whether it is really as safe as IE is debatable but FF is a better option at present.
m0le is a proud member of UNITE

#5 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 08 August 2010 - 10:54 AM

thank you m0le

I have removed the PC from the LAN and brought it home to reformat it.

A big worry is the server and other LAN PCs and remotes that have been connected to the LAN.

What is the best way to go about checking the others?

On the 11/12 of July I ran scans using installed AV (McAfee or Avast depending upon PC), ensured all updated as well as Windows, Java, etc.
and I installed and ran Malwarebytes on all.
I found nothing but cookies and/or items deemed low risk by McAfee then and since.

The owner has or is changing all banking passwords, and I asked him to review steps in the links you sent re: banking.
I checked user accounts on SBS, made sure that only current users have enabled accounts, and I changed all passwords for all users and plan to do the same for hosted Exchange and LogMeIn accounts.

The PC I put in place of the infected PC that I removed: I tried to test it by running gmer
logged on as administrator
downloaded and renamed to test.exe
disconnected PC from LAN/internet & turned off AV and every other process running that I knew was not necessary
but it seemed to lock up (maybe screen protector kicking in is a problem?). The hard drive appeared to be running but only the desktop background showed when I jogged to view the screen from the screen saver.

When I ran gmer successfully before I always had a view of gmer and the files as it processed... so I find this troubling.
When I scanned another PC on 7/12 the scan ended with a notification that there was no problem found, but it took a couple of attempts to get it to run.
I can upload that log if it would be helpful.

Again, thank you VERY much and please advise me how to proceed w/LAN PCs.
I will reformat the PC that had the known infection.


#6 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 08 August 2010 - 12:03 PM

Afterthought

The infected PC is a client on the SBS LAN w/My Docs redirected to the server and all shared data on server shared folders.
So the only data on the client is the users' desktop, favorites & settings. Is it safe to save & transfer any of this data?

Thank you!

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 08 August 2010 - 04:49 PM

QUOTE
When I ran gmer successfully before I always had a view of gmer and the files as it processed... so I find this troubling.


TDL3 does lock up Gmer so it is concerning.

Try running Gmer with only the SECTIONS option checked. You are looking for the end of the log showing atapi.sys suspicious modification and possibly another system file with the same warning, which would confirm TDL3. If this also fails, try running Gmer in safe mode.

With regard to your last point, shared folders are safe from rootkit activity as the rootkit must dwell within the root of the PC. However, trojans can find their way through this security. I would scan the My Documents folder with MBAM before allowing saving or transferral of data.
m0le is a proud member of UNITE

#8 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 08 August 2010 - 05:46 PM

Thank you for your reply-

I will try as you suggested on the PC on which I already tried to run gmer, and for any transfer of user data files from the infected PC for restoring their work.

The gmer log from 7/12 from another PC on the LAN has no mention of any suspicious modification or similar phrasing regarding any file.
However... would it be best if I run gmer on all PCs, clients & server?

and/or anything else?

Again thank you very much!!!

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 08 August 2010 - 06:05 PM

If you can get a Gmer log on all the PCs it would be a start. Just to add to your problems Gmer sometimes doesn't flag TDL3 but see what the logs come up with first.
m0le is a proud member of UNITE

#10 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 08 August 2010 - 06:16 PM

OK.. I will go for Gmer on all!
Is there an additional rootkit program that I might want to run on them while I am there?
I am arranging to have all workers except the owner off the network so I can spend Monday rootkit scanning.

ty!

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 08 August 2010 - 06:26 PM

The other way to do this would be to run a first scan with Combofix. This would take out the infected system file and would show on the log.

If you have any problems with Gmer then I would switch to Combofix. If you plan to download the program then do that as late as possible as the program is updated very regularly, daily.

I can help you with reading the logs but you are looking for something similar to this to ID the malware:
CODE
Infected copy of c:\windows\system32\drivers\SYSTEM FILE NAME.sys was found and disinfected

Restored copy from - Kitty had a snack :p

Edited by m0le, 08 August 2010 - 06:26 PM.

m0le is a proud member of UNITE
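ComboFix's log lists what it quarantined and, in the case m0le shows above, which system driver it disinfected. As an added example that is not from the thread and not ComboFix's own code, this Python script parses the quarantine listing from mindful's first post together with a constructed "Infected copy of" line (EXAMPLE.sys is a placeholder), applies a few crude triage heuristics, and reports the oldest creation time among the files dropped into system32, which gives a rough lower bound on how long the infection was present. The heuristics, and the assumption that ComboFix prints the creation time first and the last-modified time second, are mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Two ComboFix line shapes: a quarantine listing entry (two timestamps, size,
# attribute flags, path) and the "Infected copy of ..." line m0le quotes.
ENTRY_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+(\S+)\s+(.+)$")
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected", re.I)

# Sample input: the twelve quarantine lines from the first post, plus one
# constructed "Infected copy" line whose driver name is a placeholder.
SAMPLE_LOG = r"""
2010-07-12 00:12:22 . 2010-07-12 00:12:22 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-MVS.reg.dat
2010-07-12 00:12:06 . 2010-07-12 00:12:06 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2010-07-12 00:11:58 . 2010-07-12 00:11:58 194 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sknbvyyy.reg.dat
2010-07-12 00:11:57 . 2010-07-12 00:11:57 189 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-McAfee Managed Services Tray.reg.dat
2010-07-12 00:03:43 . 2010-07-12 00:03:43 5,735 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-11 23:43:38 . 2010-07-11 23:54:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-09 15:37:09 . 2010-07-09 15:37:10 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0052.DLL.vir
2010-07-02 09:12:10 . 2010-07-02 09:12:10 37,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0051.DLL.vir
2010-07-02 09:12:09 . 2010-07-09 15:37:08 44,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wexe.exe.vir
2010-06-27 22:46:00 . 2010-07-11 17:07:07 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wupd.dat.vir
2008-01-21 21:14:07 . 2008-01-21 21:14:07 391 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2008-01-21 00:06:54 . 2010-07-11 23:55:29 57,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir
Infected copy of c:\windows\system32\drivers\EXAMPLE.sys was found and disinfected
""".strip()


@dataclass
class QuarantineEntry:
    created: datetime   # assumption: ComboFix prints creation time first,
    modified: datetime  # last-modified time second
    size: int
    attrs: str
    path: str

    @property
    def original_name(self) -> str:
        """File name with ComboFix's ".vir" quarantine suffix removed."""
        name = self.path.rsplit("\\", 1)[-1]
        return name[:-4] if name.lower().endswith(".vir") else name


def parse_log(text: str) -> Tuple[List[QuarantineEntry], List[str]]:
    """Return (quarantine entries, paths of disinfected system files)."""
    entries, disinfected = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := ENTRY_RE.match(line):
            created, modified = (datetime.strptime(t, "%Y-%m-%d %H:%M:%S")
                                 for t in m.group(1, 2))
            entries.append(QuarantineEntry(created, modified,
                                           int(m.group(3).replace(",", "")),
                                           m.group(4), m.group(5)))
        elif m := DISINFECTED_RE.match(line):
            disinfected.append(m.group(1))
    return entries, disinfected


def classify(entry: QuarantineEntry) -> List[str]:
    """Crude triage heuristics (mine, not ComboFix's); review every hit by hand."""
    reasons = []
    low = entry.path.lower()
    stem, _, ext = entry.original_name.lower().rpartition(".")
    if "\\quarantine\\c\\" in low:                 # a file pulled off the C: drive
        if ext == "sys":
            reasons.append("system driver quarantined (patched system file)")
        elif "\\system32\\" in low and ext in ("exe", "dll", "dat"):
            reasons.append("file removed from system32")
            if stem.isdigit():
                reasons.append("numeric file name")
    elif "\\registry_backups\\hklm-run-" in low:  # an autostart value ComboFix removed
        value = re.sub(r"\.reg\.dat$", "", entry.original_name[len("HKLM-Run-"):], flags=re.I)
        if not any(c in "aeiou" for c in value.lower()):
            reasons.append(f"Run value {value!r} has no vowels (looks machine-generated)")
    return reasons


def flag_entries(entries: List[QuarantineEntry]) -> List[Tuple[str, List[str]]]:
    return [(e.original_name, r) for e in entries if (r := classify(e))]


def earliest_dropped_file(entries: List[QuarantineEntry]) -> Optional[QuarantineEntry]:
    """Oldest creation time among files dropped into system32. Patched drivers are
    excluded: an in-place patch keeps the file's original creation timestamp, which
    dates the Windows install, not the infection."""
    dropped = [e for e in entries if "file removed from system32" in classify(e)]
    return min(dropped, key=lambda e: e.created) if dropped else None


if __name__ == "__main__":
    entries, disinfected = parse_log(SAMPLE_LOG)
    for name, reasons in flag_entries(entries):
        print(f"{name}: {'; '.join(reasons)}")
    first = earliest_dropped_file(entries)
    print("earliest dropped file:", first.original_name, first.created)
    print("disinfected system files:", disinfected)
```

On this sample the script flags the two numeric DLLs, wexe.exe, wupd.dat, the quarantined redbook.sys driver and the sknbvyyy Run value, and dates the oldest dropped file to 27 June 2010; that is the kind of evidence to weigh against the first symptoms rather than a definitive infection date.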

#12 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 08 August 2010 - 06:38 PM

Excellent!!
I will do it.. ty!!

#13 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 09 August 2010 - 06:58 PM

Hi m0le-

Attached please find gmer scans for the server and wkstn 07.
I am still running gmer on 3 other LAN workstations, but it is running on all.
I will upload the others when they are complete.

ty!

Attached Files



#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 09 August 2010 - 07:19 PM

The scan on the server shows the MBR rootkit and not the suspected TDL3. Reformatting/reinstalling won't work for this rootkit but we have MBRCheck which can overwrite the bad MBR.

On the server you will need to run MBRCheck, the following is a home PC instruction but you should be able to adapt it for the server.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR. If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?" type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right-click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRcheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

The Workstation 7 scan is clean.
m0le is a proud member of UNITE
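m0le's MBRCheck steps above overwrite the boot code with the standard code for the installed OS and leave the partition table alone. As an added illustration, not MBRCheck's code and not from the thread, this Python script lays out the parts of a 512-byte MBR, hashes the 440-byte boot code region against a baseline of known-good hashes, and performs a restore that keeps the disk signature and partition table intact. Every byte string, the partition layout and the baseline are constructed for the example; in practice the baseline hash is recorded from a known clean installation, and on Windows the sector to inspect is the first 512 bytes of \\.\PhysicalDrive0, read with administrator rights.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot loader code
DISK_SIG_OFF = 440      # 4-byte Windows disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA end marker


class Partition(NamedTuple):
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_mbr(boot_code: bytes, disk_sig: int, parts: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here to construct test data)."""
    if len(boot_code) > BOOT_CODE_LEN or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, p in enumerate(parts):
        off = PART_TABLE_OFF + 16 * i
        buf[off] = 0x80 if p.bootable else 0x00   # status byte
        buf[off + 4] = p.type_id                  # partition type (0x07 = NTFS)
        struct.pack_into("<II", buf, off + 8, p.lba_start, p.sectors)
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(buf)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Read the four partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if type_id:
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only; partition data is excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: Dict[str, str]) -> dict:
    """Compare the boot code against a baseline of known-good hashes."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    return {
        "valid_signature": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code": known_good.get(boot_code_hash(mbr), "UNKNOWN"),
        "partitions": parse_partitions(mbr),
    }


def restore_boot_code(mbr: bytes, trusted_boot_code: bytes) -> bytes:
    """Overwrite only the boot code, keeping disk signature and partition table."""
    if len(trusted_boot_code) > BOOT_CODE_LEN:
        raise ValueError("trusted boot code too long")
    fixed = bytearray(mbr)
    fixed[:BOOT_CODE_LEN] = trusted_boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    return bytes(fixed)


# Constructed data (not real Windows boot code, not a real disk):
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * 40
MODIFIED_BOOT_CODE = bytes.fromhex("deadbeef") + CLEAN_BOOT_CODE[4:]
PARTS = [Partition(True, 0x07, 63, 20_000_000)]
DISK_SIG = 0x1234ABCD
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, DISK_SIG, PARTS)
MODIFIED_MBR = build_mbr(MODIFIED_BOOT_CODE, DISK_SIG, PARTS)
# In practice the baseline is a hash recorded from a known clean installation.
KNOWN_GOOD = {boot_code_hash(CLEAN_MBR): "constructed clean baseline"}

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        print(label, check_mbr(mbr, KNOWN_GOOD))
    repaired = restore_boot_code(MODIFIED_MBR, CLEAN_BOOT_CODE)
    print("after restore:", check_mbr(repaired, KNOWN_GOOD)["boot_code"])
```

The check only answers "does this boot code match something I trust"; a bootable disk whose code hashes to UNKNOWN is not proof of a rootkit, but it is exactly the case where a tool like MBRCheck, with a recovery disk at hand, earns its keep.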

#15 mindful

mindful
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:11:53 AM

Posted 09 August 2010 - 09:07 PM

Hi m0le-

Thank you for your help. I will do as you advise.

Before I wipe out this MBR rootkit, is there any way I can tell from files on the server how long this has been installed on the server?

Can you advise me of the best source for me to find out more info re: how these specific rootkits install themselves, how to better prevent, and a better solution than McAfee if there is one for future prevention?

ty!



