Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Infection According to ThreatExpert


  • Please log in to reply
1 reply to this topic

#1 BrainFreeze88

BrainFreeze88

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:58 PM

Posted 07 October 2011 - 08:48 AM

Hey Guys,

After noticing a wealth of "odd" entries and files appearing (and seemingly disappearing) on my C drive and doing what I thought was a wipe and clean install I just got the report below after running ThreatExpert's Memory Scanner. I'll avoid too many details to start as I'll invariably wander off topic, but the basics are ::

Win7 Box w/SP1
AMD Phenom Proc
8GB Ram
Connection from Clear WiMax Dongle

PC still runs fine for the most part just very odd file behavior and intermittent issues with connectivity...

Please take a look at the below and let me know your thoughts...

Cheers

John
-

Full Scan Summary:

Scan details:
Scan started: Friday, September 11, 2009 01:26:55
Scan time: 52 seconds
Number of memory objects scanned: 4075
processes: 27
modules: 1475
heap pages: 2573
Number of suspicious memory objects detected: 1
Number of malicious memory objects detected: 1
Overall Risk Level: High
Summary of the detected threat characteristics:
Severity Level What's been found

Capability to block access to several security-related Web sites by modifying the hosts file.

View detected locations
Process "svchost.exe", heap page: [0x00c60000 - 0x00ca0000]

A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.

View detected locations
Process "svchost.exe", heap page: [0x00e00000 - 0x00e40000]

MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).

View detected locations
Process "svchost.exe", heap page: [0x00e00000 - 0x00e40000]

Capability to delete the network shares C$, ADMIN$, IPC$, etc. A network-aware worm may secure shares in order to protect itself.

View detected locations
Process "svchost.exe", heap page: [0x00e00000 - 0x00e40000]

Summary of the detected memory objects:
Severity Level Memory Object

Process "svchost.exe", heap page: [0x00c60000 - 0x00ca0000]

View detected characteristics
Capability to block access to several security-related Web sites by modifying the hosts file.

Process "svchost.exe", heap page: [0x00e00000 - 0x00e40000]

View detected characteristics
A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
Capability to delete the network shares C$, ADMIN$, IPC$, etc. A network-aware worm may secure shares in order to protect itself.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:58 AM

Posted 07 October 2011 - 04:05 PM

Hello, it appears to have found and removed a network worm. Let's see if there is more.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users