
Zbot/Root kit


  • This topic is locked
2 replies to this topic

#1 activateit

activateit

  • Members
  • 4 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:29 PM

Posted 17 March 2012 - 02:26 AM

I have a client that got hit with the zbot, on some machines on the network. They have been cleaned and fixed. I have now started to work on the server.

The owner of this business wants me to clean the server of any infections (I have said to them that the best option with the server is to reformat and reload from scratch, but he doesn't want to go down that path.) As most of the tools won't run on SBS Server 2003, I'm having limited luck. I have run and included Malwarebytes, HijackThis, and GMER. I have run and cleaned using Spybot, but don't have a log from it. I have also looked at installing the Dr.Web server version, but it keeps on crashing.

Can one of the gurus here point me in the right direction please.



Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.16.02

Windows Server 2003 Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.13
Administrator :: SERVER [administrator]

16/03/2012 10:17:29 PM
mbam-log-2012-03-16 (22-17-29).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274487
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihciepovzo (Trojan.LVBP) -> Data: "C:\Documents and Settings\Administrator\Application Data\Ciemd\fiosp.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\Administrator\Application Data\Ciemd\fiosp.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Apule\ahtis.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Buosli\dagy.exe (Trojan.LVBP) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\533H1ZUO\logo2[1].exe (Trojan.LVBP) -> Quarantined and deleted successfully.

(end)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:01 PM, on 17/03/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.17108)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Loyalty Magic\LMPOS_SERVER\LMPOSManager.exe
C:\Program Files\MMQ\mmq.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\Program Files\WinGate\WinGate.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TeamViewer\Version7\TeamViewer.exe
C:\Program Files\ScreenConnect Guest Client\Elsinore.ScreenConnect.GuestClient.exe
C:\Program Files\TeamViewer\Version7\tv_w32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Optemizer\OptScheduler.exe
C:\Activateit\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 8.5] "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: OptScheduler.exe.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SHOP.local
O17 - HKLM\Software\..\Telephony: DomainName = SHOP.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{02F82B88-A360-4CBC-93CB-78FFF78137DA}: NameServer = 10.0.0.1,10.0.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{801C60F4-D6EE-4197-AEDA-61D5B5C6EE81}: NameServer = 10.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SHOP.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{02F82B88-A360-4CBC-93CB-78FFF78137DA}: NameServer = 10.0.0.1,10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SHOP.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{02F82B88-A360-4CBC-93CB-78FFF78137DA}: NameServer = 10.0.0.1,10.0.0.2
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LMPOSManager - Loyalty Magic - C:\Program Files\Loyalty Magic\LMPOS_SERVER\LMPOSManager.exe
O23 - Service: MailBee Message Queue - AfterLogic Corporation - C:\Program Files\MMQ\mmq.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
O23 - Service: Qbik WinGate Engine (WinGateEngine) - Qbik Software NZ Ltd - C:\Program Files\WinGate\WinGate.exe

--
End of file - 6596 bytes



Gmer log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-17 17:57:01
Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\MegaSR1Port2Path2Target0Lun0 Intel rev.1.0
Running: 0f45nvll.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uftdypob.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? F7AF8674
INT 0x52 ? F7AF9674
INT 0x53 ? F7B10674
INT 0x93 ? F7C44674
INT 0xB3 ? F7AFA674

---- Kernel code sections - GMER 1.0.15 ----

? labs.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Type 16
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.15 ----
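Added example (not from the thread): a small Python triage script that runs over lines constructed to mirror the Malwarebytes, HijackThis and GMER output above and flags autorun entries whose target lives inside a user profile, the persistence pattern Malwarebytes removed here, while separating GMER's hidden-service finding from SBCore, the SBS 2003 licensing service that is ACL-hidden by design. The profile-path check also covers the Vista+ Users\...\AppData layout, which goes beyond the 2003 server in this thread.

```python
import re

# Constructed sample lines modelled on the Malwarebytes, HijackThis and GMER
# logs posted above (the O4 line for Ihciepovzo is how the Run value looked
# before Malwarebytes removed it; it is not in the posted HijackThis log).
SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ihciepovzo (Trojan.LVBP) -> Data: "C:\Documents and Settings\Administrator\Application Data\Ciemd\fiosp.exe" -> Quarantined and deleted successfully.
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ihciepovzo] C:\Documents and Settings\Administrator\Application Data\Ciemd\fiosp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!
"""

# HijackThis O4 line: hive\..\Run: [value name] path (optionally quoted,
# optionally followed by (User '...') for HKUS entries).
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] '
                   r'"?(?P<path>[^"]+?)"?(?: \(User [^)]*\))?\s*$')
# Malwarebytes registry-value detection line.
MBAM_RE = re.compile(r'^(?P<hive>HK\w+)\\(?P<key>\S+)\|(?P<name>\S+) \([^)]+\) -> Data: "(?P<path>[^"]+)"')
# GMER hidden-service line.
GMER_SVC_RE = re.compile(r'^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)')
# Autorun targets living under a user profile instead of Program Files or
# System32 are the Zbot pattern above. Covers XP/2003 and Vista+ layouts.
PROFILE_RE = re.compile(r'\\(?:Documents and Settings|Users)\\[^\\]+\\'
                        r'(?:Application Data|Local Settings|AppData)\\', re.I)
# SBCore (sbscrexe.exe) is the SBS 2003 licensing service; it is ACL-hidden by
# design and GMER routinely reports it, so it is marked known rather than flagged.
KNOWN_HIDDEN_SERVICES = {"SBCore"}


def triage(log_text):
    """Return autorun entries pointing into a user profile, plus hidden services
    as (name, path, known_benign) tuples."""
    suspicious, hidden = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or MBAM_RE.match(line)
        if m and PROFILE_RE.search(m.group("path")):
            suspicious.append((m.group("hive"), m.group("name"), m.group("path")))
            continue
        g = GMER_SVC_RE.match(line)
        if g:
            hidden.append((g.group("name"), g.group("path"),
                           g.group("name") in KNOWN_HIDDEN_SERVICES))
    return {"suspicious_autoruns": suspicious, "hidden_services": hidden}


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(kind, *entries, sep="\n  ")
```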


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 AM

Posted 17 March 2012 - 04:42 PM

Good evening. :)

I have said to them that the best option with the server is to reformat and reload from scratch

I'm afraid that you are unlikely to get any better advice than you have already given to your client.

As I'm sure you are aware, with a backdoor there is the possibility that files have been replaced and/or patched or changes made to the system to make reinfection easier in the future. While a home user may offer what they think is a convincing argument that they do no home banking or shopping that could leave them open to financial losses, the possibility that the machine will be used for such in the future, either by the current or a future owner, coupled with the risk of spamming or DDoS involvement makes trying to clean the machine a questionable course of action, and with a business machine the potential for harm is that much greater.

I think this is one occasion where "the customer is always right" isn't true.

So long, and thanks for all the fish.


#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:08:29 AM

Posted 21 March 2012 - 03:53 PM

As this issue appears to have been resolved, this thread is now closed.

So long, and thanks for all the fish.
