
Qakbot Infection


4 replies to this topic

#1 thebouncer

thebouncer

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 18 October 2012 - 03:38 PM

I have several computers that have become infected with Qakbot.C! (also being identified as Qakbot.KY); apparently this is a brand new version of this virus.

Microsoft Security Essentials kills the file it spawns in C:\Windows\Temp, but the computer still has more infected files.

I have scanned with multiple tools and found a constant executable and two dll files located under c:\documents and settings\%username%\App Data\Microsoft\ in a random-name folder matching the name of the executable. When I run GMER it is showing that there are two infected library files and a .text file running JMP commands in C:\Windows\system32\svchost.exe and C:\Program Files\Internet Explorer\iexplore.exe.

Please Help - Thank You.

Here is the log from GMER:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-18 16:37:05
Windows 5.1.2600 Service Pack 3 
Running: ikdww2fi.exe; Driver: C:\DOCUME~1\boces\LOCALS~1\Temp\awlcyfog.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\DRIVERS\kmxagent.sys (Agent Driver/CA)                                                          ZwSetInformationProcess [0xF6EFCF5F]

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtQuerySystemInformation                                             7C90D92E 5 Bytes  JMP 009A3FA1 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtResumeThread                                                       7C90DB3E 5 Bytes  JMP 009A3F49 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetProcAddress                                                    7C80AE40 5 Bytes  JMP 009A209B C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegEnumValueW                                                     77DD7EED 5 Bytes  JMP 009A40B2 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegEnumValueA                                                     77DF9BBF 5 Bytes  JMP 009A42A1 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!TranslateMessage                                                    7E418BF6 5 Bytes  JMP 009A1E95 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!GetClipboardData                                                    7E430DBA 5 Bytes  JMP 009A1000 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!CharToOemBuffA                                                      7E431626 5 Bytes  JMP 009A3AA9 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!connect                                                             71AB4A07 5 Bytes  JMP 009A4A9C C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!send                                                                71AB4C27 5 Bytes  JMP 009A4BEF C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!WSASend                                                             71AB68FA 5 Bytes  JMP 009A4B3F C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!WSAConnect                                                          71AC0C81 5 Bytes  JMP 009A49ED C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] iphlpapi.dll!GetTcpTable                                                       76D6AC1D 5 Bytes  JMP 009A3B19 C:\WINDOWS\lyfgqilb.dll
.text           C:\WINDOWS\system32\svchost.exe[1292] iphlpapi.dll!AllocateAndGetTcpExTableFromStack                                 76D6F010 5 Bytes  JMP 009A3BFB C:\WINDOWS\lyfgqilb.dll
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxParamW                                     7E4247AB 5 Bytes  JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!CreateWindowExW                                     7E42D0A3 5 Bytes  JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxIndirectParamW                             7E432072 5 Bytes  JMP 3E3E7217 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxIndirectA                                 7E43A082 5 Bytes  JMP 3E3E7149 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxParamA                                     7E43B144 5 Bytes  JMP 3E3E71B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxExW                                       7E450838 5 Bytes  JMP 3E3E701A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxExA                                       7E45085C 5 Bytes  JMP 3E3E707C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!DialogBoxIndirectParamA                             7E456D7D 5 Bytes  JMP 3E3E727A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[4780] USER32.dll!MessageBoxIndirectW                                 7E4664D5 5 Bytes  JMP 3E3E70DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!DialogBoxParamW                                     7E4247AB 5 Bytes  JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!SetWindowsHookExW                                   7E42820F 5 Bytes  JMP 3E2E9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!CallNextHookEx                                      7E42B3C6 5 Bytes  JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!CreateWindowExW                                     7E42D0A3 5 Bytes  JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!UnhookWindowsHookEx                                 7E42D5F3 5 Bytes  JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!DialogBoxIndirectParamW                             7E432072 5 Bytes  JMP 3E3E7217 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!MessageBoxIndirectA                                 7E43A082 5 Bytes  JMP 3E3E7149 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!DialogBoxParamA                                     7E43B144 5 Bytes  JMP 3E3E71B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!MessageBoxExW                                       7E450838 5 Bytes  JMP 3E3E701A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!MessageBoxExA                                       7E45085C 5 Bytes  JMP 3E3E707C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!DialogBoxIndirectParamA                             7E456D7D 5 Bytes  JMP 3E3E727A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!MessageBoxIndirectW                                 7E4664D5 5 Bytes  JMP 3E3E70DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] ole32.dll!CoCreateInstance                                     774FF1BC 5 Bytes  JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\iexplore.exe[7268] ole32.dll!OleLoadFromStream                                    7752983B 5 Bytes  JMP 3E3E757F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Program Files\Internet Explorer\iexplore.exe[7268] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]  [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device          \FileSystem\Cdfs \Cdfs                                                                                               DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library         c:\windows\system32\z (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [776]                                     0x6A300000                                                                                                                      
Library         C:\WINDOWS\lyfgqilb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1292]                                   0x009A0000                                                                                                                      

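The GMER output above is the kind of log a responder is handed: inline hooks in svchost.exe whose JMP targets sit inside a DLL that the Processes section also reports as hidden, next to benign-looking hooks that Internet Explorer installs from IEFRAME.dll. As an added example that is not part of the original post or of GMER itself, here is a Python triage script that parses the ".text" hook lines and the "Library ... (*** hidden ***)" lines of such a log, joins them, and ranks the hooks worst-first. The embedded sample log is a condensed copy of lines from this thread; the regular expressions and the severity scheme are my own assumptions about the log format, not something GMER documents.

```python
"""Triage helper for GMER text logs.

Added example, not part of the original post or of GMER. It parses the
inline-hook (".text") lines and the hidden-module ("Library") lines, then
ranks hooks: a hook whose JMP target lives in a DLL that GMER also reports
as hidden is rated "high", a hook into a module with no version-info vendor
string is rated "medium", everything else is "info".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a condensed copy of lines from the log posted above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!GetClipboardData  7E430DBA 5 Bytes  JMP 009A1000 C:\WINDOWS\lyfgqilb.dll
.text  C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!send  71AB4C27 5 Bytes  JMP 009A4BEF C:\WINDOWS\lyfgqilb.dll
.text  C:\WINDOWS\system32\svchost.exe[1292] iphlpapi.dll!GetTcpTable  76D6AC1D 5 Bytes  JMP 009A3B19 C:\WINDOWS\lyfgqilb.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[7268] USER32.dll!DialogBoxParamW  7E4247AB 5 Bytes  JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[7268] ole32.dll!CoCreateInstance  774FF1BC 5 Bytes  JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library  c:\windows\system32\z (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [776]  0x6A300000
Library  C:\WINDOWS\lyfgqilb.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1292]  0x009A0000
"""

# Assumed layout of a ".text" hook line (process[pid], api, addr, size, JMP target, module, optional "(vendor)").
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<api>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<module>.+?)(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# Assumed layout of a hidden-module line in the "Processes" block.
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\(\*\*\* hidden \*\*\* ?\)\s+@\s+"
    r"(?P<proc>.+?\s*\[\d+\])\s+(?P<base>0x[0-9A-Fa-f]+)"
)


@dataclass
class Hook:
    process: str            # e.g. C:\WINDOWS\system32\svchost.exe[1292]
    api: str                # e.g. WS2_32.dll!send
    module: str             # DLL that owns the JMP target
    vendor: Optional[str]   # vendor from version info; None if GMER printed none
    hidden: bool = False    # module is also reported as hidden
    severity: str = "info"


def parse_gmer(text: str) -> Dict[str, list]:
    """Split a GMER log into its hook lines and hidden-module lines."""
    hooks: List[Hook] = []
    hidden: List[dict] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["proc"], m["api"], m["module"], m["vendor"]))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append({"module": m["module"], "process": m["proc"], "base": m["base"]})
    return {"hooks": hooks, "hidden": hidden}


def triage(text: str) -> List[Hook]:
    """Rate every hook and return them sorted worst-first."""
    parsed = parse_gmer(text)
    hidden_modules = {h["module"].lower() for h in parsed["hidden"]}
    for hook in parsed["hooks"]:
        hook.hidden = hook.module.lower() in hidden_modules
        if hook.hidden:
            hook.severity = "high"      # hidden DLL redirecting API calls
        elif hook.vendor is None:
            hook.severity = "medium"    # hooking DLL carries no version info
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(parsed["hooks"], key=lambda h: (order[h.severity], h.module, h.api))


def summarize(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Map each hooking module to the sorted list of APIs it redirects."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h.module, []).append(h.api)
    return {m: sorted(a) for m, a in out.items()}


def hidden_without_hooks(text: str) -> List[str]:
    """Hidden modules that hook nothing in the parsed lines; still worth a look."""
    parsed = parse_gmer(text)
    hooked = {h.module.lower() for h in parsed["hooks"]}
    return [h["module"] for h in parsed["hidden"] if h["module"].lower() not in hooked]


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"{h.severity:6} {h.process:45} {h.api:32} -> {h.module}")
    print("hidden modules without hooks:", hidden_without_hooks(SAMPLE_LOG))
```

Run as a script it prints the ranked hooks; the three svchost.exe hooks into the hidden lyfgqilb.dll (clipboard, socket send and TCP-table lookups) come out "high", the IEFRAME.dll hooks come out "info", and `c:\windows\system32\z` is listed as a hidden module that hooks nothing in the parsed lines. Absence of a vendor string only means the file carries no version information, which is why that case is rated "medium" rather than "high".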



#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:04:23 AM

Posted 18 October 2012 - 08:30 PM

Download

TDSSkiller

Launch it. Click on Change parameters - select TDLFS file system.

Click on "Scan". Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here. If you get crashes in normal mode, run it in safe mode with networking.

Download

ESET online scanner

Install it

Click on START; it should download the virus definitions.
When the scan gets completed, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

#3 thebouncer

thebouncer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 18 October 2012 - 08:53 PM

Thank you narenxp for your quick reply. I don't have the log file, but I did run TDSS Killer prior to posting this with the option to have the TDLFS checked, and it found absolutely nothing. I have dealt with TDSS previously, so it was one of the first things I tried; sorry that I forgot to mention that.

I also ran the following tools (although I know that normally an expert is supposed to guide you, I have used these tools previously):
Rkill - found no malicious processes to kill
Combofix - did not find these malicious files at all and found no rootkit
Superantispyware - found nothing but a single registry entry unrelated to this.
I ran Gparted and saw no malicious partition.
I ran MBR check which came back clean.

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:04:23 AM

Posted 18 October 2012 - 09:05 PM

This infection has nothing to do with a malicious partition.

Read the guide here:

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here with the logs:

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#5 thebouncer

thebouncer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 21 October 2012 - 04:23 PM

Thank you Narenxp for your help.

Sophos updated their definitions and is now catching this threat.
