

Botnets have been detected by my firewall on my LAN


11 replies to this topic

#1 shanwilder

  • Members
  • 6 posts

Posted 06 June 2013 - 04:53 PM

I have received botnet detection warnings from my firewall. I get about one warning every 3 days. They are always found on one of my 5 Citrix servers or on a Windows XP machine used by my tech employee. Additionally, my public IP address used for sending email has been blacklisted twice by Spamhaus. I managed to band-aid this issue by blocking all outbound port 25 traffic from my LAN except from my email spam filter appliance, which is where all email is routed from my Exchange server for delivery.

 

What I have done so far:

 

I have run Malwarebytes, Spybot, and TrendMicro ServerProtect. Malwarebytes found an infection in one of the roaming profile directories of one of my users and deleted it. However, I am still getting a botnet detection every 3 days or so. My TrendMicro antivirus is not finding anything and the above mentioned scan tools have not been able to fully remove the bot.

 

Below is the output that I received from Malwarebytes when it found the infection in a roaming user profile:

 

C:\Program Files\Trend\SProtect\x64\Virus\58cb65c7-20955042 (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Program Files\Trend\SProtect\x64\Virus\d5LSAoeSjME_79c.VIR (Trojan.Agent.ZB) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\uejxchpr.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\wwtgxebf.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\nbarcl\AppData\Local\xhxkvtfo.exe (Trojan.Zbot.ED) -> Quarantined and deleted successfully.

 

Additionally, MalwareBytes seems to find the below item on about every machine I have scanned on my network:

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

 

 

Thank you for your help,

Steve
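The outbound port-25 block described in the post stops the spam from leaving, but it does not say which LAN host is generating it. The following is an added example, not code from the original post or from any tool mentioned in the thread, of the triage a practitioner would run over the firewall's connection log: any internal host other than the spam filter appliance that opens TCP/25 to an external address is a candidate bot, and once the egress rule is in place the DENY entries point straight at it. The log line format, the 192.168.10.0/24 range and the appliance address 192.168.10.25 are constructed assumptions; the regex needs adapting to the real firewall's export format.

```python
"""Find LAN hosts sending SMTP directly, bypassing the spam filter appliance.

Added example; the log format, address range and appliance IP are constructed
assumptions, not details from the original post.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in a generic firewall-export shape:
#   <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
# Both ALLOW and DENY lines are kept: before the egress rule the bot's
# connections are allowed, afterwards they show up as denies.
SAMPLE_LOG = """\
2013-06-06T14:01:02 ALLOW TCP 192.168.10.25:49211 -> 198.51.100.7:25
2013-06-06T14:01:05 ALLOW TCP 192.168.10.12:51833 -> 203.0.113.40:25
2013-06-06T14:01:06 ALLOW TCP 192.168.10.12:51834 -> 203.0.113.41:25
2013-06-06T14:01:09 ALLOW TCP 192.168.10.50:3389 -> 192.168.10.12:3389
2013-06-06T14:02:10 ALLOW TCP 192.168.10.77:1027 -> 203.0.113.99:25
2013-06-06T14:02:11 ALLOW TCP 192.168.10.12:51835 -> 203.0.113.42:25
2013-06-06T14:03:00 ALLOW TCP 192.168.10.30:52000 -> 93.184.216.34:443
2013-06-06T14:04:00 DENY  TCP 192.168.10.77:1028 -> 203.0.113.100:25
"""

LAN = ip_network("192.168.10.0/24")          # assumed internal range
SPAM_FILTER = ip_address("192.168.10.25")   # assumed: the only legitimate SMTP sender
ALLOWED_SENDERS = frozenset({SPAM_FILTER})

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "proto": m["proto"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_unauthorised_smtp(rec, lan=LAN, allowed=ALLOWED_SENDERS):
    """True when an internal host other than the relay talks TCP/25 to the outside."""
    return (
        rec["proto"] == "TCP"
        and rec["dport"] == 25
        and rec["src"] in lan
        and rec["dst"] not in lan
        and rec["src"] not in allowed
    )


def suspects(log_text, lan=LAN, allowed=ALLOWED_SENDERS):
    """Count unauthorised outbound SMTP connections per internal source IP.

    The host with the most hits is the first one to isolate and examine;
    in the post's situation that is one of the Citrix servers or the
    tech's XP machine.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthorised_smtp(rec, lan, allowed):
            hits[str(rec["src"])] += 1
    return hits


if __name__ == "__main__":
    for src, n in suspects(SAMPLE_LOG).most_common():
        print(f"{src}: {n} outbound SMTP connection(s) bypassing the spam filter")
```

Run against a day's export rather than this sample and the ranking is the list of machines to pull off the network first; a Citrix server that shows up here is talking to mail servers it has no business contacting.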

 





#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 07 June 2013 - 12:19 AM

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

 

 

This is harmless, as it just disables the user's ability to change their wallpaper.

 

But the other findings mean you have the Zeus trojan in your network.

We should fix each computer on its own to avoid a logfile mayhem here in this topic.

 

So, do the following on the first computer (your Citrix server or the tech's machine):

 

 

 

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs
DDS.txt
Attach.txt
Save both reports to your desktop.

 

 

 

 

Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please attach the gmer.txt to your reply:
  • Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and
  • Click Upload.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)
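Marius sorts the Malwarebytes findings quoted in the first post into two kinds: the PUM registry entry, which is harmless, and the rest, which mean Zeus. The following is an added example, not code from the thread or from Malwarebytes, that does that sorting mechanically over lines of the same shape collected from several machines, and adds the one question that explains reinfection: which user's profile the droppers live in, and on how many hosts that profile has turned up. Three assumptions are built in and marked in the code: the [HOST] prefix on each line (added when gathering logs, not Malwarebytes output), the heuristic that paths under \SProtect\...\Virus\ belong to Trend ServerProtect's quarantine store and are therefore already-contained files rather than live infections, and the heuristic that an executable named with eight random lowercase letters inside a user profile is a dropper. The sample lines are constructed.

```python
"""Sort Malwarebytes detection lines from several machines into what they mean.

Added example; the [HOST] prefix, the sample lines and the quarantine-folder
heuristic are assumptions, not output or advice from the original thread.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the 'item (Threat) -> action' shape of the output quoted
# in the post, prefixed with an assumed [HOST] tag added when collecting logs.
SAMPLE = r"""
[CTX01] C:\Program Files\Trend\SProtect\x64\Virus\58cb65c7-20955042 (Trojan.Ransom) -> Quarantined and deleted successfully.
[CTX01] C:\Users\nbarcl\AppData\Local\xhxkvtfo.exe (Trojan.Zbot.ED) -> Quarantined and deleted successfully.
[CTX01] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
[CTX02] C:\Users\nbarcl\AppData\Local\uejxchpr.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
[CTX02] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop|NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
[TECH-XP] C:\Documents and Settings\tech\Local Settings\Application Data\wwtgxebf.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\]\s+(?P<item>.+?) \((?P<threat>[A-Za-z0-9._-]+)\) -> (?P<action>.+)$"
)
# User profile roots for Vista/7 and for XP; captures the profile owner.
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\(?P<user>[^\\]+)\\", re.IGNORECASE
)
# Heuristic: the droppers quoted in the post are all eight random lowercase letters + .exe.
RANDOM_EXE_RE = re.compile(r"\\[a-z]{8}\.exe$")
# Assumption: files under ...\SProtect\...\Virus\ sit in ServerProtect's quarantine store.
AV_QUARANTINE_RE = re.compile(r"\\SProtect\\.*\\Virus\\", re.IGNORECASE)


def parse_line(line):
    """Split one '[HOST] item (Threat) -> action' line into its fields, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Bucket one finding; 'user_profile_dropper' is the one that explains reinfection."""
    threat, item = rec["threat"], rec["item"]
    if threat.startswith("PUM."):
        return "policy_tweak"          # e.g. NoChangingWallPaper: a setting, not malware
    if AV_QUARANTINE_RE.search(item):
        return "av_quarantine"         # already contained by another product (assumed)
    if PROFILE_RE.match(item) and RANDOM_EXE_RE.search(item):
        return "user_profile_dropper"  # travels with a roaming profile
    return "other"


def triage(text):
    """Return per-category counts and, for profile-resident droppers, the
    hosts each user's profile has been seen carrying one onto."""
    categories = Counter()
    by_user = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        categories[cat] += 1
        if cat == "user_profile_dropper":
            by_user[PROFILE_RE.match(rec["item"])["user"]].add(rec["host"])
    return {
        "categories": dict(categories),
        "by_user": {u: sorted(h) for u, h in by_user.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["categories"])
    for user, hosts in result["by_user"].items():
        print(f"profile {user!r} carried a dropper onto: {', '.join(hosts)}")
```

A user who appears with several hosts is the signal to look at the copy of that profile on the profile server, not just the machine that raised the last alert: cleaning the local copy and letting the roaming profile sync back is one way the same dropper keeps returning every few days.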

#3 shanwilder
  • Topic Starter

  • Members
  • 6 posts

Posted 07 June 2013 - 01:12 PM

Hello Marius, 

 

Thank you for your time in helping me with this Bot. 

 

I have followed your instructions and have run DDS as well as GMER. The GMER scan didn't initially find any rootkits, so I just ran the typical scan.

 

This scan was run on my tech's Win XP machine which has shown Bot activity in the past.

 

I have attached the gmer.txt file.

Thanks, 

Steve  

Attached Files

  • gmer.txt (22.79KB)


#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 08 June 2013 - 06:11 PM

Well, post up the DDS logs, too.



#5 shanwilder
  • Topic Starter

  • Members
  • 6 posts

Posted 09 June 2013 - 12:38 AM

I have attached the two DDS output logs. 

Thanks, 

Steve

Attached Files



#6 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 09 June 2013 - 05:55 AM

I see you ran combofix. Please post up the content of C:\combofix.txt.



#7 shanwilder
  • Topic Starter

  • Members
  • 6 posts

Posted 10 June 2013 - 10:21 AM

Yes, my tech ran ComboFix late last week. Results have been attached.

Thanks

 

Steve

Attached Files



#8 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 June 2013 - 10:33 AM

That looks good so far...
Let´s cross check...


Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


#9 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 12 June 2013 - 03:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 12 June 2013 - 08:34 AM

This topic has been re-opened at the request of the person who originally posted.

#11 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 12 June 2013 - 08:34 AM

Please post up the ESET log! :)



#12 shanwilder
  • Topic Starter

  • Members
  • 6 posts

Posted 12 June 2013 - 09:09 AM

I went ahead and scanned the XP machine we were working on as well as a number of Citrix servers and a server that holds roaming profiles. The log with the findings is attached.

 

Thanks!
Steve

Attached Files





