Need to Sanitize my computer / Confirm it is clean


7 replies to this topic

#1 theothersimon
  • Members
  • 5 posts

Posted 25 June 2011 - 07:31 AM

Hi,

I'm hoping someone might be kind enough to walk me through the process of checking whether my machine is compromised and, if so, to help sanitize it.

Background to problem
I admin several websites which have just been subject to the hack outlined here: http://frazierit.com/blog/?p=103
The attackers seem to have acquired the FTP usernames and passwords for the hosting, which suggests that my machine may possibly be compromised. There are of course other ways they could have acquired them, but I need to start by checking that my own house is in order.

If anyone would be able to help me run some tests to ascertain whether the problem lies with my machine, and help me fix it, I would be very, very grateful.

System: XP V2002 SP3

I have run Malwarebytes, SUPERAntiSpyware and Spybot Search & Destroy; no problems found.

I am running a full scan with Avira (my resident antivirus) as I write this post.
I also have Comodo Firewall running.

Thanks in advance

Simon

Avira came back clean but with 9 'hidden objects'. I can post the details if requested.

Edited by theothersimon, 25 June 2011 - 07:41 AM.



#2 Clairvoyant
  • Malware Response Team
  • 1,564 posts

Posted 25 June 2011 - 08:21 AM

Hi theothersimon.

You can scan your PC with an online scanner, such as ESET Online Scanner, following these steps:

  • Disable your antivirus and other security software
  • Hold down Control and click on the above link to open ESET Online Scanner in a new window
  • Click the [image] button
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on [image] to download the ESET Smart Installer and save it to your desktop
    • Double click on the [image] icon on your desktop
  • Check [image]
  • Click [image]
  • Accept any security warnings from your browser
  • Under scan settings, check [image] and uncheck Remove found threats
  • Click Advanced settings and select:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will download updates and install itself, then begin the scan. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Click [image], and save the file to your desktop using a unique name, such as ESETScan
  • Click [image]
  • Click [image]

Then clean temp files with Temp File Cleaner:

  • Double click on TFC.exe to run the program
  • Click on the Start button to begin the cleaning process
  • TFC will close all running programs; if it asks you to restart the computer, allow it

Next, download Security Check, save it to your desktop and:

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside the black box
  • A Notepad document called checkup.txt should open automatically; save it to your desktop

Finally, remember to re-enable the protections that you have disabled.

Include the contents of the reports in your reply, and also the information on the hidden objects detected by AntiVir.



#3 theothersimon
  • Topic Starter
  • Members
  • 5 posts

Posted 26 June 2011 - 08:36 AM

Hi Clairvoyant,

Thanks for your help.

The results of the scans are as follows:

Avira scan

HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\nacflpeinniogoaeemjfhhlcdggo
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\mamfnkpcddoddgfelkkccpffjd
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\dbgeejdnigkhciglkmfdjjghllmbknfankdakbbp
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\cbgeejdnigkhciglkmfdjjghlljklaofjojkah
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\cbgeejdnigkhciglkmfdjjghllcbehljakegdk
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\InProcServer32\ebifabmpfagbaefdjaoadmoiimjmegglffnhgejdoi
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\InProcServer32\dbifabmpfagbaefdjaoadmoiimjmjgbofpoobbia
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\InProcServer32\dbifabmpfagbaefdjaoadmoiimjmcgibokelkoaa
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.

ESET Scan Results:

C:\Program Files\Winamp\Plugins\ml_ipod\Process.exe Win32/PrcView application
C:\System Volume Information\_restore{7E65CD23-951D-4241-9741-1B5C1174B020}\RP486\A0070274.exe a variant of Win32/1AntiVirus application


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Java™ 6 Update 22
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.3.181.26
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
Mozilla Thunderbird (3.1.11) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
``````````End of Log````````````


Not sure about the flagging of Firefox and Thunderbird: FF is v5 and Thunderbird is also the latest release (AFAIK).
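The Avira "hidden object" entries in the post above are the one finding in this thread that deserves more than a glance: eight hidden items all hang off the same CLSID, once under the user's Shell Extensions\Approved key and again under that CLSID's InProcServer32 key in HKLM, and every one of the names consists solely of the letters a through p. The following Python script is an added example, not code from the thread, from Avira or from BleepingComputer; it parses a constructed log excerpt modelled on the posted lines (with one benign ThreadingModel line added for contrast) and applies the two checks a responder would otherwise do by eye. The "a..p only" rule is a heuristic drawn from these particular entries, not a documented signature, and is labelled as an assumption in the code.

```python
"""Triage of Avira 'hidden object' registry findings (added example).

Works on log text only; nothing here reads or writes a live registry.

1. Location.  ...\Shell Extensions\Approved normally holds only values named
   {CLSID}, and a CLSID's InProcServer32 key normally holds only its default
   value and ThreadingModel.  Anything else in those places is unusual.
2. Name shape.  The posted names use only the letters a..p, a 16-symbol
   alphabet, which is what hex nibbles look like when mapped onto letters.
   ASSUMPTION: this is an observation about these entries, not a documented
   indicator, so it only raises a score.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the entries posted in the thread.
SAMPLE_LOG = r"""
HKEY_USERS\S-1-5-21-2025429265-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\nacflpeinniogoaeemjfhhlcdggo
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\InProcServer32\ebifabmpfagbaefdjaoadmoiimjmegglffnhgejdoi
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E08DEB76-79B0-1CCF-D330-DFB84CA89D22}\InProcServer32\ThreadingModel
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
"""

GUID = r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
GUID_EXACT_RE = re.compile("^" + GUID + "$", re.I)
GUID_IN_PATH_RE = re.compile(GUID, re.I)
NIBBLE_ALPHABET_RE = re.compile(r"^[a-p]{16,}$")      # heuristic (assumption)
EXPECTED_INPROC_VALUES = {"", "(default)", "threadingmodel"}


def parse_hidden_entries(log_text):
    """Return (key_path, item_name) for every path followed by an 'invisible' note."""
    entries = []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    for path, note in zip(lines, lines[1:]):
        if not (path.upper().startswith("HKEY_")
                and note.startswith("[NOTE]") and "invisible" in note):
            continue
        key, _, item = path.rpartition("\\")
        entries.append((key, item))
    return entries


def assess(key, item):
    """List the reasons one hidden item looks suspicious (empty list = none)."""
    reasons = []
    k = key.lower()
    if "\\shell extensions\\approved" in k:
        # Only {CLSID} values directly under Approved are expected there.
        if not (k.endswith("\\approved") and GUID_EXACT_RE.match(item)):
            reasons.append("non-CLSID item under Shell Extensions\\Approved")
    if k.endswith("\\inprocserver32") and item.lower() not in EXPECTED_INPROC_VALUES:
        reasons.append("unexpected value under a CLSID's InProcServer32")
    if NIBBLE_ALPHABET_RE.match(item):
        reasons.append("name uses only letters a-p (looks like encoded hex)")
    return reasons


def triage(log_text):
    """Score every hidden item and group them by the CLSID in their path."""
    findings = []
    by_clsid = defaultdict(list)
    for key, item in parse_hidden_entries(log_text):
        reasons = assess(key, item)
        findings.append({"key": key, "item": item,
                         "score": len(reasons), "reasons": reasons})
        m = GUID_IN_PATH_RE.search(key)
        if m:
            by_clsid[m.group(0).upper()].append(key + "\\" + item)
    return findings, dict(by_clsid)


if __name__ == "__main__":
    findings, by_clsid = triage(SAMPLE_LOG)
    for f in sorted(findings, key=lambda f: -f["score"]):
        print(f["score"], f["item"], "; ".join(f["reasons"]) or "no finding")
    for clsid, paths in by_clsid.items():
        print(clsid, "->", len(paths), "hidden items share this CLSID")
```

The CLSID grouping is the part worth keeping: a shell extension that is both registered under HKLM\Software\Classes\CLSID and listed as Approved in the user hive is exactly the shape of a loaded-into-Explorer persistence mechanism, so a cluster of hidden items on one CLSID is a stronger signal than any single entry, and the lone NtmsSvc drivelist item scores zero because it matches neither location rule nor the name heuristic.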

#4 Clairvoyant
  • Malware Response Team
  • 1,564 posts

Posted 28 June 2011 - 04:34 PM

Hi Simon,

sorry for the delay.

About the ESET scan: the entry C:\Program Files\Winamp\Plugins\ml_ipod\Process.exe is OK if you have installed the Winamp plugin; otherwise please check it with VirusTotal or a similar service.
The second entry instead is a piece of malware, but for now leave it there.

Now you should reinstall the JRE (as a precaution):

  • Go here
  • Read the License Agreement, and then check the box that says: "Accept License Agreement"
  • From the list, select your OS and platform
  • Download for an Offline Installation and save the file to your desktop
  • Close any programs you may have running
  • Uninstall the JRE from Start => Control Panel => Programs and Features => click Java 22 => click on Uninstall
  • Repeat the step above for Java 26
  • Double click on the downloaded file and install it

and Flash Player:

  • Download the updated version from here and save the file to your desktop
  • Uninstall the outdated version from Start => Control Panel => Programs and Features => click Adobe Flash Player => click on Uninstall
  • Double click on the downloaded file and install it

Next, let's go for the hidden files.

Do you have Daemon Tools or other similar software installed?
If yes, disable it, and also disable your security software, then scan your computer with GMER following point 8 of this guide.
Finally, remember to re-enable the protections that you have disabled and then include the contents of the report in your reply.

About Firefox and Thunderbird: if you have installed the latest versions of them, maybe Security Check doesn't recognize them yet, IMHO.



Regards

Edited by Clairvoyant, 28 June 2011 - 04:35 PM.


#5 theothersimon
  • Topic Starter
  • Members
  • 5 posts

Posted 30 June 2011 - 09:00 AM

Hi Clairvoyant,

Thanks for coming back.

Regarding C:\Program Files\Winamp\Plugins\ml_ipod\Process.exe => I did install it, but I will remove it as I hardly ever use it and I can find another solution easily enough.

VirusTotal scan results come back ambiguous => http://bit.ly/j2V5RR

I have uninstalled the JRE and Flash and will run the new installers in due course.

Problem: the forum won't allow me to post the full GMER log as it is too long, and it also won't allow me to attach the .txt file, so I have placed it here temporarily.

Thanks for the ongoing help, it's appreciated.

#6 Clairvoyant
  • Malware Response Team
  • 1,564 posts

Posted 30 June 2011 - 04:13 PM

Hi Simon,

about C:\Program Files\Winamp\Plugins\ml_ipod\Process.exe, I think it should be OK.

Regarding the GMER log, did you follow the guide?
It's very big, but anyway it seems good, and if in the GMER main screen (reference to Figure 14 in the guide) you haven't seen red entries, your computer should be clean.


Regards.


#7 theothersimon
  • Topic Starter
  • Members
  • 5 posts

Posted 01 July 2011 - 04:09 AM

Clairvoyant, thanks. It's good to know.

Re the GMER log: yes, I did follow the guide, and no, nothing came back highlighted in red.

After doing my homework on the site hacks, it seems that the received wisdom is that the hack is most likely a man-in-the-middle attack, so the next step is setting up SecureFTP and cleaning up the files on the servers.

Once more, thanks for the help.
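The conclusion in the post above rests on one property of plain FTP that is worth seeing concretely: RFC 959 sends the USER and PASS commands in clear text on the control connection, so anyone positioned on the path (a compromised router, a shared network segment, a man-in-the-middle) reads the hosting password directly, with no malware on the admin's machine needed. The script below is an added example, not part of the original thread; it models a passive observer over two constructed control-channel transcripts (the host name and credentials are made up): a plain FTP login, and the same login over explicit FTPS, where everything after the server's 234 reply to AUTH TLS is inside TLS and invisible. "SecureFTP" in the post could mean either FTPS or SFTP (file transfer over SSH); both keep the password off the wire, and only FTPS is modelled here because it shares FTP's command syntax.

```python
"""Passive credential capture from an FTP control channel (added example).

Constructed transcripts, not captures.  Client lines are prefixed 'C> ',
server replies 'S> '.  Host name and credentials are invented.
"""
import re

PLAIN_FTP = """\
S> 220 ftp.example-host.invalid FTP server ready
C> USER webadmin
S> 331 Password required for webadmin
C> PASS hunter2
S> 230 User webadmin logged in
C> CWD /public_html
S> 250 CWD command successful
"""

# Explicit FTPS (RFC 4217): AUTH TLS before login; after the 234 reply the
# observer sees only TLS records, represented symbolically on one line.
EXPLICIT_FTPS = """\
S> 220 ftp.example-host.invalid FTP server ready
C> AUTH TLS
S> 234 Proceed with negotiation
<TLS handshake and encrypted records; USER/PASS not visible to an observer>
"""

CLIENT_CMD_RE = re.compile(r"^C> ([A-Za-z]{3,4})(?:\s+(.*))?$")
SERVER_REPLY_RE = re.compile(r"^S> (\d{3})\b")


def sniff_credentials(transcript):
    """What a passive observer learns from one control-channel transcript.

    Returns a dict with the captured user name and password (None if not
    seen), whether the login was confirmed by a 230 reply, and whether the
    channel switched to TLS before any credential was sent.
    """
    result = {"user": None, "password": None,
              "login_confirmed": False, "encrypted_after_auth": False}
    for line in transcript.splitlines():
        reply = SERVER_REPLY_RE.match(line)
        if reply:
            code = reply.group(1)
            if code == "234":            # AUTH accepted: channel goes opaque
                result["encrypted_after_auth"] = True
                break
            if code == "230":            # login succeeded in the clear
                result["login_confirmed"] = True
            continue
        cmd = CLIENT_CMD_RE.match(line)
        if not cmd:
            continue
        verb, arg = cmd.group(1).upper(), (cmd.group(2) or "").strip()
        if verb == "USER":
            result["user"] = arg
        elif verb == "PASS":
            result["password"] = arg
    return result


if __name__ == "__main__":
    for name, transcript in (("plain FTP", PLAIN_FTP), ("explicit FTPS", EXPLICIT_FTPS)):
        print(name, "->", sniff_credentials(transcript))
```

Nothing in the script is clever, and that is the point: the observer needs no exploit, only a copy of the bytes, which is why rotating the FTP passwords without also changing the protocol would leave the sites exposed to the same capture again.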

#8 Clairvoyant
  • Malware Response Team
  • 1,564 posts

Posted 01 July 2011 - 12:59 PM

You're welcome.

Regards.



