Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Had something comes back


  • This topic is locked This topic is locked
17 replies to this topic

#1 danvanf

danvanf

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 03 March 2011 - 11:26 PM

Hi I had something on this machine, after doing numerous scans with Malwarebytes AM, Trend, and some other tools, I think there's still a problem. Here's my DDS.txt file. I'm attempting to get a gmer log file, but it dropped off the network a half hour ago, and I'm RDP into it.

The proxy server set to localhost:808 is from me to stop IE from going to sites.
The machine has a Kofax card and Canon scanner. Combofix has been run, most of the time, it's clean looking, sometimes, seems like after I run MBAM and get a clean report, ComboFix says it has detected the presence of rootkit activity, with a list of names, ntos.exe, oembios.exe, twext.exe, twex.exe (12 total) stored in the User's applicationData (no space) folder.

Thanks for the assistance! Dan
Attached File  DDS.txt   7.64KB   3 downloads attached

I just wanted to add, the reason the machine quit responding was it threw a Stop 0x0000007A. I also ran a OTL scan on it, results attached. When it was fully infected the machine has a process 74GqP0H3.exe throwing error events. At address 0x0000985e. Both yesterdays DDS and todays OTL scans were done on fairly clean independent boots.

Thanks,
Dan

Merged posts. ~ OB

Attached Files

  • Attached File  OTL.Txt   89.73KB   0 downloads

Edited by Orange Blossom, 04 March 2011 - 12:18 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 11 March 2011 - 07:39 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 11 March 2011 - 07:42 PM

[*]Please reply to this post so I know you are there.[/b][/i]


I am, Thanks for the assistance.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 11 March 2011 - 07:47 PM

Please run TDSSKiller and MBRCheck

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
Posted Image
m0le is a proud member of UNITE

#5 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 11 March 2011 - 08:04 PM

Thanks for the instructions, Log files are attached. (I hope)

Thanks,
Dan

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 11 March 2011 - 08:08 PM

Please run Combofix and let's see if we can emulate the malware report.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Run the program you have, updating it if it requests you to.
Posted Image
m0le is a proud member of UNITE

#7 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 11 March 2011 - 08:22 PM

It did, and currently is rebooting the machine

#8 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 11 March 2011 - 08:24 PM

Sorry Didn't add enough information
It found the list of rootkit activity the same as i mentioned initially, ntos.exe, oembios.exe, twext.ext and so on.

Sorry for the quick submit,
Thanks,
Dan

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 11 March 2011 - 08:27 PM

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.
Posted Image
m0le is a proud member of UNITE

#10 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 11 March 2011 - 09:19 PM

Thanks the log is attached. That folder would not have existed prior to this combofix run. I had deleted it, as well as turning off system restore, to lose some files in that folder. I knew when I did that Combofix used the folder. Just giving full disclosure, so you know. The machine is on a Win 2008 SBS domain, with folder redirection turned on. The files are said to be stored ServerName\RedirectedFolders\%username%\ApplicationData folder. At one point, I copied the %username% folder. Deleted the folder, and copied only sub folders into the a new %username% folder.

Thanks,
Dan

Attached Files



#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 12 March 2011 - 04:34 PM

Please run MBAM and see what it says now

  • Open MBAM
  • You will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Edited by m0le, 12 March 2011 - 04:35 PM.

Posted Image
m0le is a proud member of UNITE

#12 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 12 March 2011 - 05:51 PM

Hi m0le,
MBAM says the scan completed successfully, no malicious items were detected.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6038

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/12/2011 5:45:59 PM
mbam-log-2011-03-12 (17-45-59).txt

Scan type: Full scan (C:\|O:\|R:\|)
Objects scanned: 794414
Time elapsed: 1 hour(s), 9 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 12 March 2011 - 07:54 PM

Can you run ESET's online scanner next

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Posted Image
m0le is a proud member of UNITE

#14 danvanf

danvanf
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 12 March 2011 - 10:20 PM

Howdy,
That scan found 1 item in a user folder that hasn't logged in, for a year or more.
The log file contains:

C:\Documents and Settings\PyleM\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\bof.jar-3dc99a47-1cb50751.zip multiple threats deleted - quarantined

Thanks m0le,
Dan

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:23 AM

Posted 13 March 2011 - 05:50 AM

Just a copy of some malware in the Java cache. Nothing to report, danvanf, have you had any problems during the time we've been looking into this?
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users