
Interesting malware...

3 replies to this topic

#1 T3chN0manc3r

  • Members
  • 4 posts

Posted 21 October 2013 - 10:22 PM

I work for a security company and was working on one of our customers' computers when I stumbled upon this interesting malware. I was remotely connected to a Windows 7 64-bit machine with 4GB of RAM. While I was running the removal process, I found and removed all known variants of ZeroAccess and the associated run keys. After I was done, I ran Hitman Pro to see if there was anything left. I got quite an interesting list. The ZeroAccess has been removed and is no longer present in the computer, and the recycle bin has ceased to be corrupted. Not really looking for a removal guide, just input from other technicians. From what I can tell about the machine there are no longer any malicious processes running, and the computer is now running normally. However, the antivirus software that we provide was freaking out and quarantining tons of other stuff as well. It quarantined and removed their printer drivers, and started quarantining some updates for programs such as Bing Desktop and the Google updater. Not really looking for a removal guide, just input from other techs.

Our software also ended up quarantining the legitimate dllhost.exe out of the %systemroot% directory. Luckily it restored with no issues... That could have been messy.

I did run the repairs associated with ZeroAccess (i.e. permissions, WMI, reset winsock) and they all went through successfully. Everything is looking like the machine should be clean but it is still showing those files as infected, and the AV on the computer is still spazzing about stuff it shouldn't worry about.

I'm not used to the forums here so if I am posting in the wrong area please forgive me and send me to the right place, I am just looking for some outside input.

Also I do not have access to the machine, and these were pulled from my notes.

These are the files that were detected as malicious by Hitman Pro and how it rated them.

C:\program files (x86)\microsoft\bingdesktop\bingdesktopupdater.exe - virus
C:\program files\hewlett-packard\hp auto\hpauto.exe - malware
C:\windows\ehome\ehsched.exe - virus
C:\windows\system32\msiexec.exe - virus
C:\program files (x86)\symantec\Norton Online Backup\nobuagent.exe - malware
C:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe - virus
C:\program files (x86)\intel\intel® management engine components\uns\uns.exe - virus
C:\windows\system32\vssvc.exe - virus
C:\windows\servicing\trustedinstaller.exe - virus
C:\windows\system32\vds.exe - virus
C:\windows\syswow64\dllhost.exe - virus
C:\windows\syswow64\svchost.exe - virus
C:\windows\syswow64\msiexec.exe - virus
C:\windows\syswow64\searchindexer.exe - virus
C:\program files\common files\microsoft shared\windows live\WLIDSVC.exe - malware

Edited by T3chN0manc3r, 21 October 2013 - 10:42 PM.


#2 boopme

  • Global Moderator
  • 72,912 posts

Posted 22 October 2013 - 11:30 AM

Hi, this is a stubborn malware and we need to get a deeper look. Please follow this Preparation Guide, do steps 6, 7 and 8, and post in a new topic.
Let me know if all went well.

#3 T3chN0manc3r

  • Topic Starter

  • Members
  • 4 posts

Posted 22 October 2013 - 02:33 PM

I can't really get you a deeper look on this issue, as I was remotely connected to the machine and this customer is not available again until tomorrow. As I had mentioned I was just looking for outside input, however I think I figured out what it was, and got rid of it. It appears as though this is the Sality infection. Specifically it appeared to have been running from trojan.hello.A1 which was residing in the %appdata% folder of the current user profile. Upon removing this, the modified files were still being displayed as infected, and the antivirus software was still trying to remove everything that had already been altered. After removing the infection, I simply ran ComboFix from you guys, and it replaced the primary system files that were being shown as infected. Some of the altered executables in program files were still showing, but a simple uninstall/reinstall of said programs resolved the issue. I am now waiting until they are available tomorrow to see if the fixes took, but it appears this infection has been dealt with. In the future, if I am just looking for input on something, and not a removal guide, I am guessing I'm in the wrong section of the forums for that? Is there a place on these forums where techs just share ideas on some of the infections or is it just the free removal that you guys offer?
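The posts above describe a file infector (Sality) that altered legitimate Windows and vendor executables, which is why Hitman Pro kept listing them after the dropper was gone and why replacing the system files and reinstalling the affected programs cleared the detections. The following PowerShell script is an added example, not something posted in this thread or shipped by any of the tools named in it. It re-checks the paths from the first post by validating each file's Authenticode signature: a signed binary that an infector has modified reports HashMismatch rather than Valid, which separates genuinely altered files from false positives. It assumes PowerShell 3.0 or later (for [pscustomobject]) and assumes the path list is edited to match the machine being checked.

```powershell
# Added example (not from the thread): re-verify executables that a scanner flagged
# after a file-infector cleanup by checking their Authenticode signatures.
# Status meanings (from Get-AuthenticodeSignature):
#   Valid        - bytes unchanged since signing; the detection is likely a false positive
#   HashMismatch - file content no longer matches its signature; it has been modified
#   NotSigned    - no embedded signature; compare against a known-good copy instead
# Caveat: many Windows system files are catalog-signed rather than embedded-signed.
# Get-AuthenticodeSignature checks catalogs on Windows 8 and later only; on Windows 7
# those files come back NotSigned, so fall back to `sfc /verifyonly` for %SystemRoot%.

# Paths taken from the first post in the thread (constructed list; adjust as needed).
$flagged = @(
    "${env:ProgramFiles(x86)}\microsoft\bingdesktop\bingdesktopupdater.exe",
    "$env:ProgramFiles\hewlett-packard\hp auto\hpauto.exe",
    "$env:SystemRoot\ehome\ehsched.exe",
    "$env:SystemRoot\system32\msiexec.exe",
    "${env:ProgramFiles(x86)}\symantec\Norton Online Backup\nobuagent.exe",
    "$env:SystemRoot\system32\vssvc.exe",
    "$env:SystemRoot\servicing\trustedinstaller.exe",
    "$env:SystemRoot\system32\vds.exe",
    "$env:SystemRoot\syswow64\dllhost.exe",
    "$env:SystemRoot\syswow64\svchost.exe",
    "$env:SystemRoot\syswow64\msiexec.exe",
    "$env:SystemRoot\syswow64\searchindexer.exe"
)

$results = foreach ($path in $flagged) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Already quarantined or deleted by the AV; note it so it can be restored cleanly.
        [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = ''; Action = 'Restore from a clean source' }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $isWindowsFile = $path -like "$env:SystemRoot\*"

    $action = switch ($sig.Status) {
        'Valid'        { 'Unchanged; treat detection as a false positive' }
        'HashMismatch' { if ($isWindowsFile) { 'Modified; repair with sfc /scannow or replace from install media' }
                         else { 'Modified; uninstall and reinstall the vendor software' } }
        'NotSigned'    { if ($isWindowsFile) { 'Possibly catalog-signed; check with sfc /verifyonly' }
                         else { 'Unsigned; compare hash with a known-good copy' } }
        default        { "Status $($sig.Status); investigate manually" }
    }

    [pscustomobject]@{
        Path   = $path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
        Action = $action
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the cleaned machine and read the Action column: a Windows file reporting HashMismatch still carries the infector's modification regardless of whether any malicious process is running, which matches the behaviour described in the thread where the AV kept re-flagging files until they were replaced.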



#4 quietman7

  • Global Moderator
  • 51,117 posts

Posted 22 October 2013 - 03:25 PM

Is there a place on these forums where techs just share ideas on some of the infections or is it just the free removal that you guys offer?

Regular members can start new topics for discussions in any of these sub-forums.
General Security
Anti-Virus and Anti-Malware Software
Firewall Software and Hardware

There are private forums where trained experts also discuss various security issues, infections, and specialized tools, but they are only for those who have graduated from one of the various online Unite Schools.