9-11-13 Googleupdate.exe malware on critical server03 server



#1 si1870


Posted 12 September 2013 - 06:06 PM

Path reported as failed backup on server1 of server2:

c:\program files\google\desktop\install\{48db0a27-aaf1-c270-e81531809264}\  \  \.dessecca eb ton dluoc ro ,dnuuof ton saw U:\{46290813518e-072c-fb2c-1faa-72a0bd84}\ ....

 

Actual path found on server2:

c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264}\L\  [now deleted]

c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264}\U\  [now deleted]

c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264}\@  [CANNOT DELETE]

c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264}\googleupdate.exe [now deleted]

 

In the registry I found the following 3 keys when searching the word google:

 

<sq.symbol>etadpug\Parameters\ [CANNOT VIEW OR DELETE THIS KEY]
  Default        REG_SZ     (value not set)
  Description    REG_SZ     Keeps your Google software up to date
  DisplayName    REG_SZ     Google Update Service (gpupdate)
  ErrorControl   REG_DWORD  0x00000000 (0)
  ImagePath      REG_SZ     "c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264 [was able to delete this key]
  ObjectName     REG_SZ
  Start          REG_DWORD  0x00000002 (2)
  Type           REG_DWORD  0x00000000 (16)

 

<sq.symbol>badentry\Parameters [I was able to delete this key and everything under it]

 

<sq.symbol>etadpug\Parameters\ [CANNOT VIEW OR DELETE THIS KEY]
  Default        REG_SZ     (value not set)
  Description    REG_SZ     Keeps your Google software up to date
  DisplayName    REG_SZ     Google Update Service (gpupdate)
  ErrorControl   REG_DWORD  0x00000000 (0)
  ImagePath      REG_SZ     "c:\program files\google\desktop\install\\{48db0a27-aaf1-c270-e81531809264}\  \  \<symbols>\\{48db0a27-aaf1-c270-e81531809264 [was able to delete this key]
  ObjectName     REG_SZ
  Start          REG_DWORD  0x00000002 (2)
  Type           REG_DWORD  0x00000000 (16)

 

*** this is on a critical server that is not protected and runs our entire company food terminals - 23 or more and it's going to be a busy weekend ***

I've contacted the vendor to see what antivirus software they approve before running one but I really wanted to delete this malware manually. Have you heard of it? The server is currently running fine but for how long? What is this malware stealing from our company? I am the administrator with the highest privileges on our network. I've taken full ownership of these files (the ones that I can) and I've renamed the undeletable file "@" to "bad" but still cannot delete it. What else can I provide for you for help?


Edited by si1870, 12 September 2013 - 06:12 PM.
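As an added example (not from the post, and not a BleepingComputer tool), a Python check that audits service entries of the shape quoted above for the tell-tale signs: control or bidi characters in the key name or ImagePath, a key name that is the display name spelled backwards, whitespace-only directories, and a "Google Update" service whose binary is not under Google\Update. The sample entries are constructed; treating the post's "<symbols>" placeholder as a Unicode right-to-left override (U+202E) is an assumption, since that is what would make a stored name "etadpug" render as "gupdate".

```python
import re

# Constructed sample modelled on the service entries quoted in the post.
# RLO (U+202E) is an assumption about what the post's "<symbols>" placeholder
# stood for: a right-to-left override makes the stored name "etadpug"
# render as "gupdate" in the registry editor.
RLO = "\u202e"
GUID = "{48db0a27-aaf1-c270-e81531809264}"
BAD_PATH = ('"c:\\program files\\google\\desktop\\install\\' + GUID
            + '\\ \\ \\' + RLO + '\\' + GUID + '\\googleupdate.exe"')
SAMPLE_SERVICES = [
    {"key": RLO + "etadpug",
     "DisplayName": "Google Update Service (gupdate)",
     "ImagePath": BAD_PATH},
    {"key": "gupdate",  # the genuine Google Update service, for contrast
     "DisplayName": "Google Update Service (gupdate)",
     "ImagePath": '"C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" /svc'},
]

# Bidi overrides/isolates, bidi marks and C0 control characters: none of
# these belong in a service key name or an ImagePath.
CONTROL_CHARS = re.compile(r"[\u200e\u200f\u202a-\u202e\u2066-\u2069\x00-\x1f]")

def display_name_token(display_name):
    """Return the short name in parentheses, e.g. 'gupdate', or None."""
    m = re.search(r"\(([^)]+)\)", display_name)
    return m.group(1) if m else None

def audit_service(svc):
    """Return reasons this service entry looks suspicious (empty if none)."""
    reasons = []
    key, path = svc["key"], svc.get("ImagePath", "")
    display = svc.get("DisplayName", "")
    if CONTROL_CHARS.search(key):
        reasons.append("key name contains bidi/control characters")
    if CONTROL_CHARS.search(path):
        reasons.append("ImagePath contains bidi/control characters")
    token = display_name_token(display)
    clean_key = CONTROL_CHARS.sub("", key)
    if token and clean_key != token and clean_key[::-1] == token:
        reasons.append("key name is the DisplayName short name reversed")
    if re.search(r"\\\s+\\", path):  # a directory named only with spaces
        reasons.append("ImagePath contains a whitespace-only directory")
    if "google" in display.lower() and "\\google\\update\\" not in path.lower():
        reasons.append("claims to be Google Update but is not under Google\\Update")
    return reasons

def audit_all(services):
    """Map each service key name to its list of findings."""
    return {s["key"]: audit_service(s) for s in services}
```

On a live box the same checks can be run over the subkeys of HKLM\SYSTEM\CurrentControlSet\Services exported with reg export, which avoids having to view the key in the editor the rootkit is hiding from.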



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,906 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:18 PM

Posted 12 September 2013 - 08:44 PM

Hello. Looks like the new form of 0access rootkit.

We need you to repost the above with a DDS log from here. We need to get a deeper look. Please follow this Preparation Guide. Do steps 6, 7 and 8 and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 si1870

si1870
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 13 September 2013 - 10:22 AM

I just tried to run dds.com on our 2003 server. It's not compatible. Do you have another option?

Edited by si1870, 13 September 2013 - 11:10 AM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,906 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:18 PM

Posted 13 September 2013 - 11:41 AM

Yes, correct.

#5 si1870

si1870
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:18 PM

Posted 13 September 2013 - 12:48 PM

Hi again. I got approval from our IT Manager to run Malwarebytes. I apologize, but this server is critical and I freaked out slightly. This server was set up by a previous IT Manager who thought it was "OK" to leave it totally unprotected. The software company we use to run it set it up and said they would not support running AV software on it.

I did find Rootkit.0Access.ED on a quick scan and removed it. I am now running a full scan. I'll keep you posted so if anyone else gets this you will know what I went through. So far the server is still in production. Hopefully, I can remove all remnants and keep it going at least for our busy weekend.

I appreciate this site and when this is over I'll see what I can do to be a better supporter.

For now,
Sue

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,906 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:18 PM

Posted 13 September 2013 - 01:14 PM

Hi Sue, you will probably also need to run MBAR.

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
