
Network Wide Infection conficker/dwnadup.B


  • Please log in to reply
12 replies to this topic

#1 moneydukes
  • Members
  • 7 posts

Posted 22 July 2011 - 01:12 PM

Greetings, I am having some trouble removing an infection that is spreading throughout my small business network.
Symantec Corporate Edition 10.5 is in use and continues to catch threats but is unable to remove the core of the virus. I have thrown several programs and utilized several cleaning methods but to no avail. The virus remains undetectable by any of the means I normally use to remove malware. Any help would be appreciated. Due to the nature of our business, I would prefer to keep our internal setup as private as possible during this process, however I understand certain details are important.

Operating Systems in use:
WinXp 15 workstations
SBS 2003 R2 Sp2 Domain Controller
Server 2003 Enterprise Edition SP2

Other servers are Linux/Citrix based and do not seem to be affected.

The following symptoms are regularly present:
Automatic creation of tasks running a random named dll, if left unchecked this will add 20 to 30 tasks
Symantec will regularly report file infection cleaned by deletion:
C:\windows\system32\ofhjc.e ; c:\windows\tasks\at1.job ; Browser Cache


#2 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 22 July 2011 - 01:25 PM

Full scans with MBAM and the ESET online scanner have been done with no luck.
I have run RootRepeal, SysInternals RootKit Revealer and GMER with no luck, but could use help interpreting the results.
I have run the Conficker removal tool by Enigma as well as Norton's removal tool for Conficker; neither was successful.
Rootkit scanners detect SBSexe.exe but I believe this file is hidden by Microsoft - confirmation of this would be helpful.

#3 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2011 - 01:49 PM

Hello, I am moving this to the Am I Infected forum from Windows NT/2000/2003/2008.

Let's try 2 tools.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.5.9.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.





I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 22 July 2011 - 05:11 PM

Server scan:
TDSSKiller.exe (the download was 2.5.11) - No threats found
Eset Online scan
E:\Users Shared Folders\xxxxxx\My Documents\Downloads\fdminst.exe Win32/OpenCandy application deleted - quarantined
E:\Users Shared Folders\yyyyyy\My Documents\Downloads\fp2006-final-3.00-setup.zip JS/BadJoke.KillFiles.A application deleted - quarantined

One Xp Workstation
TDSSkiller.exe - No threats found
Eset Online scan - No threats found
(however Norton still reports malware tasks mentioned above have been deleted again)

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2011 - 07:03 PM

I'm sorry I never asked for the GMER log...

#6 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 22 July 2011 - 08:17 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-22 21:15:01
Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\00000066 DELL____ rev.1.00
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\uwtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT FF1ADD00 ZwAlertResumeThread
SSDT FF362A80 ZwAlertThread
SSDT FE582230 ZwAllocateVirtualMemory
SSDT FF175810 ZwCreateMutant
SSDT FF684CA0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF4A36350]
SSDT FE582168 ZwFreeVirtualMemory
SSDT FF1ADC08 ZwImpersonateAnonymousToken
SSDT FF1ADC40 ZwImpersonateThread
SSDT FE70B250 ZwMapViewOfSection
SSDT FF3599E0 ZwOpenEvent
SSDT FED20058 ZwOpenProcessToken
SSDT FF772750 ZwOpenThreadToken
SSDT FF359910 ZwQueryValueKey
SSDT FF1AD650 ZwResumeThread
SSDT FE74C3B8 ZwSetContextThread
SSDT FF7197D0 ZwSetInformationProcess
SSDT FF1A22D8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF4A36580]
SSDT FF359850 ZwSuspendProcess
SSDT FF362B88 ZwSuspendThread
SSDT FF367480 ZwTerminateProcess
SSDT FF14D4B0 ZwTerminateThread
SSDT FF700758 ZwUnmapViewOfSection
SSDT FE5821A0 ZwWriteVirtualMemory

INT 0x51 ? FE583674
INT 0x73 ? FE60A674
INT 0x83 ? FE620674
INT 0xA2 ? FE70DE54
INT 0xA3 ? FED10E54

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Exchange\bin\store.exe[5616] kernel32.dll!TerminateProcess 77E42014 5 Bytes JMP 005F3C9A C:\Exchange\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text C:\Exchange\bin\store.exe[5616] kernel32.dll!ExitProcess 77E668F9 5 Bytes JMP 005F3C6B C:\Exchange\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Exchange\bin\exmgmt.exe[4216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Exchange\bin\exmgmt.exe[4216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Exchange\bin\mad.exe[4508] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Exchange\bin\mad.exe[4508] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[5144] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[5144] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Exchange\bin\store.exe[5616] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Exchange\bin\store.exe[5616] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] C:\Exchange\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ghmon.sys (Ghost Enterprise client - volume mount filter/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device F18C11C2

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice ghmon.sys (Ghost Enterprise client - volume mount filter/Symantec Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Type 16
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.15 ----

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 July 2011 - 08:23 PM

Yep, we have a rootkit and need special instructions to remove it.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the GMER log you posted earlier.
Let me know if that went well.

#8 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 22 July 2011 - 08:48 PM

DDS will not run, it says

This operating system is not supported
DDS only runs on:
*Windows 2000
*Windows XP(32 bit)
*Windows Vista(32/64 bit)
*Windows 7 (32/64 bit)

The OS is SBS 2003 R2 SP2

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 July 2011 - 07:27 PM

Hello, I had asked for some info on this situation.
I am wondering how many machines are on the network.
SBCore is normal on servers, and not a rootkit.
We can run a tool here to get a log.

This can be a problem in a public forum.

Any help would be appreciated. Due to the nature of our business, I would prefer to keep our internal setup as private as possible during this process,



A colleague of mine would post this in this situation.

Is this a business/institution computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist)?
I ask this for several reasons:
• There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.

• Any infection could jump terminals in a computer network.

• There may also be legal issues regarding any loss of business data that I do not wish to deal with.

• Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.

• There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.

• Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.

• The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.

• In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.
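As an added illustration (not code from the thread, from GMER, or from BleepingComputer): a small Python triage script for a GMER log in the format posted in #6. It separates SSDT hooks that GMER attributed to a named module from those reported only as a bare address, and cross-checks every service GMER marks as hidden against the registry ImagePath entries in the same log; following #9, SBCore is treated as an expected hidden service on SBS 2003 rather than an automatic rootkit verdict. The log excerpt, the %SystemRoot% expansion and the allow-list are constructed assumptions.

```python
import re

# Constructed excerpt in the format of the GMER 1.0.15 log posted in this thread.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT FF1ADD00 ZwAlertResumeThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF4A36350]
SSDT FE5821A0 ZwWriteVirtualMemory
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
"""

# Hidden services expected on this platform: post #9 in the thread states SBCore
# is normal on SBS 2003 servers. Assumed allow-list; extend per environment.
KNOWN_HIDDEN_OK = {"SBCore"}

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
IMAGEPATH_RE = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)@ImagePath\s+(.+)$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def normalize_path(p):
    # Expand %SystemRoot% (assumed to be C:\WINDOWS here) and fold case so the
    # registry ImagePath and the path GMER prints for the service can be compared.
    return p.replace("%SystemRoot%", "C:\\WINDOWS").lower()


def analyze(log):
    """Triage a GMER log: unattributed SSDT hooks and hidden services."""
    section, image_paths = None, {}
    ssdt_unattributed, ssdt_attributed, hidden = [], [], []
    for line in log.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif section == "System" and SSDT_RE.match(line):
            handler, func = SSDT_RE.match(line).groups()
            if BARE_ADDR_RE.match(handler):
                ssdt_unattributed.append(func)  # hook not mapped to any module by GMER
            else:  # "path (description/vendor)" -> keep only the module file name
                ssdt_attributed.append((func, handler.split("(")[0].strip().split("\\")[-1]))
        elif section == "Services" and HIDDEN_SVC_RE.match(line):
            path, start, name = HIDDEN_SVC_RE.match(line).groups()
            hidden.append({"name": name, "path": path, "start": start})
        elif section == "Registry" and IMAGEPATH_RE.match(line):
            name, path = IMAGEPATH_RE.match(line).groups()
            image_paths[name] = path
    for svc in hidden:  # a hidden service whose ImagePath disagrees with the registry deserves a closer look
        reg = image_paths.get(svc["name"])
        svc["registry_matches"] = reg is not None and normalize_path(reg) == normalize_path(svc["path"])
        svc["verdict"] = "known-legitimate" if svc["name"] in KNOWN_HIDDEN_OK else "investigate"
    return {"ssdt_unattributed": ssdt_unattributed, "ssdt_attributed": ssdt_attributed,
            "hidden_services": hidden}


if __name__ == "__main__":
    for key, value in analyze(GMER_LOG).items():
        print(key, value)
```

Bare-address SSDT hooks are not proof of anything on their own (security products hook the same functions), but they are the entries to reconcile against the installed drivers first.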

#10 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 24 July 2011 - 03:50 PM

I'd be concerned if you did not ask these questions :)

I am the domain admin. It is a small business network. I would be willing to add additional information through a private medium if you are willing. I fully understand the risks involved; however, we have a very small budget and I would prefer not to hire outside help. My intentions in coming to this forum are to be sure I have not overlooked something simple. I have a strong background in computer repair including virus removal, as well as a degree and various industry certifications; however, I do not consider myself all-knowing by any means, which is why I am reaching out for new ideas on how to tackle this infection. In regards to liability, I am sure the forum's terms of service cover this.

I can and will if necessary forcefully wipe this system with an OS reload, however I would prefer to identify and remove the infection. I am especially concerned with the removal process as this infection seems to be targeting network shares including the current backup drives, as well as any removable media that is connected to the network. If we can identify the core file/files responsible I intend to take the network down over the next weekend to prevent reinfection during the removal process. I have actually run a gauntlet of tests and scans but I have come up short on this particular infection. I feel this shows signs of rootkit activity, however none of the programs I would traditionally use to battle rootkits have detected anything (or I simply have overlooked something in the log).

The network consists of about 15 Workstations running XP sp3 as well as a few servers providing various services, some Windows based, some not.

Edited by moneydukes, 25 July 2011 - 10:31 AM.


#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 July 2011 - 07:58 PM

I really don't think this is going to work. With infected network shares/backup drives/removable media, you really should isolate each computer, re-image them, and in the end clean the server if you cannot reinstall that. Since you also can only take the network down over the next weekend, I really don't see how we can accommodate you, for one because by next weekend this topic will not be picked up in the first place (servers are not popular among the team) and just our regular DDS log list is over 7 days in waiting.

It makes no sense to work with logs (OTL) on the server, because whatever we fix there will be reinfected as soon as a network share/removable device is accessed.

#12 moneydukes
  • Topic Starter
  • Members
  • 7 posts

Posted 25 July 2011 - 08:00 PM

Understood, thank you for your time.

#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 July 2011 - 08:09 PM

You're welcome.