
PC infected by Win32.Brontok.NB (B)


This topic is locked
12 replies to this topic

#1 Avijit2015

  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 04 November 2015 - 01:33 AM

Respected Moderators and members,

I have been struggling with a nasty piece of malware since last week. I have posted the issue here - http://www.bleepingcomputer.com/forums/t/595105/trojan-creates-files-in-public-folder-randomly/#entry3855473

The Moderators suggested posting the issue here. Here is the scenario: the malware activates and creates .exe files in the C:\Users\Public folder and all of its sub-folders. It hangs the mouse or leaves the mouse pointer stuck. I am using Windows 7 Ultimate 32 bit with ZoneAlarm Antivirus + Firewall. I have tested with Avira, MBAM and other tools - they detect it and delete it, but it comes back again within 24 hours!

Please check the attachment.



 

 

Attached Files




#2 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 07 November 2015 - 02:18 AM

Hello members and Moderators. Any help?



#3 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 November 2015 - 10:56 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please run the fix, and after a restart of the system fix this:

ATTENTION: System Restore is disabled
How to: Turn System Restore ON - Windows
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

EmptyTemp:
CloseProcesses:

SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-1394207271-1882865165-2684296705-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1394207271-1882865165-2684296705-1000 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-1394207271-1882865165-2684296705-1000 -> {CC0529EC-EB9D-4C65-8528-87A3448BF10B} URL =
BHO: No Name -> {0877c1fc-19c6-4fe2-8e3d-699d8edb2964} -> No File
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_25\bin\new_plugin\npjp2.dll [No File]
S3 avchv; system32\DRIVERS\avchv.sys [X]
S3 netr28u; system32\DRIVERS\netr28u.sys
C:\Users\Public\Public.exe

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

What issues persist?

#4 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 07 November 2015 - 03:37 PM

Thanks. Unfortunately I forgot to turn on System Restore. Can I run the tool again after turning on System Restore? Please suggest. Here is the log file attached.

Also - after running the process - the virus is still in its place:

1. C:\Users\Public\Videos\Videos.exe
2. C:\Users\Public\Recorded TV\Recorded TV.exe
3. C:\Users\Public\Recorded TV\TempRec\TempRec.exe
4. C:\Users\Public\Recorded TV\Sample Media\Sample Media.exe
5. C:\Users\Public\Pictures\Pictures.exe
6. C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe
6.1 C:\Users\Public\Pictures\Pictures.exe
7. C:\Users\Public\Music\Music.exe
8. C:\Users\Public\Music\Sample Music\Sample Music.exe
9. C:\Users\Public\Downloads\Downloads.exe
10. C:\Users\Public\Documents\Documents.exe
12. C:\Users\Public\Libraries\Libraries.exe
13. C:\Users\Public\Public.exe

And sorry again, I missed one step.

Attached Files


Edited by Avijit2015, 07 November 2015 - 03:47 PM.
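The list in the post above shows a consistent naming pattern: every dropped file is an .exe named after the folder it sits in (Videos\Videos.exe, Recorded TV\Recorded TV.exe, Public\Public.exe). As an added example (not from the original thread, and not part of FRST, RogueKiller or any other tool mentioned in it), the Python script below flags that "folder-mimic" pattern under a Users\Public profile. The sample paths are constructed from the post, the benign entries are made up to exercise the filter, and the function names are my own.

```python
import os
from pathlib import PureWindowsPath

# Constructed sample paths, modelled on the list in post #4 (not read from a live machine).
# The last two entries are deliberately benign so the filter has something to reject.
SAMPLE_PATHS = [
    r"C:\Users\Public\Videos\Videos.exe",
    r"C:\Users\Public\Recorded TV\Recorded TV.exe",
    r"C:\Users\Public\Recorded TV\TempRec\TempRec.exe",
    r"C:\Users\Public\Pictures\Sample Pictures\Sample Pictures.exe",
    r"C:\Users\Public\Music\Music.exe",
    r"C:\Users\Public\Public.exe",
    r"C:\Users\Public\Documents\notes.txt",                 # not an executable
    r"C:\Program Files\Foxit Software\Foxit Software.exe",  # same pattern, outside Public
]


def is_under_public(path: str) -> bool:
    """True when the path lies inside a \\Users\\Public profile (case-insensitive)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for i in range(len(parts) - 1):
        if parts[i] == "users" and parts[i + 1] == "public":
            return True
    return False


def mimics_parent_folder(path: str) -> bool:
    """True for '<dir>\\<dir>.exe': an executable named exactly after its containing folder."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".exe" and p.stem.lower() == p.parent.name.lower()


def find_folder_mimic_exes(paths, require_public: bool = True):
    """Filter an iterable of path strings down to the suspicious ones, sorted.

    With require_public=True (the case from the thread) only hits under Users\\Public
    are reported; set it to False to apply the naming check to any location.
    """
    return sorted(
        p for p in paths
        if mimics_parent_folder(p) and (is_under_public(p) or not require_public)
    )


def scan_directory(root: str, require_public: bool = True):
    """Walk a real directory tree (e.g. C:\\Users\\Public) and apply the same filter."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.append(os.path.join(dirpath, name))
    return find_folder_mimic_exes(found, require_public)


if __name__ == "__main__":
    for hit in find_folder_mimic_exes(SAMPLE_PATHS):
        print("suspicious:", hit)
```

Run it as-is to see the filter applied to the constructed list, or call scan_directory(r"C:\Users\Public") on a Windows box to check a real profile. A hit is a reason to look closer (hash the file, submit it to VirusTotal as done later in this thread), not proof of infection on its own; a legitimate program installed under Public could share the naming pattern.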


#5 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 November 2015 - 09:21 AM

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save it to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
process;
installer-list;
installedprogs;
startupall;
firefoxlook;
chromelook;
srinfo;
Now...
Close any open browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply. It's very big.

In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.

#6 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 08 November 2015 - 11:40 AM

Thanks. Here are the log files.

Attached Files



#7 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 November 2015 - 12:45 PM

Run the RogueKiller tool and fix this.
It will be replaced if needed.

¤¤¤ Registry : 1 ¤¤¤
[PUM.SearchPage] HKEY_USERS\S-1-5-21-1394207271-1882865165-2684296705-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Found

==

This program, FormatFactory 3.5.0.0, is not getting a good review from Symantec. Potentially Unwanted App; your call if you want to keep it.
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072910-1148-99&tabid=2

It can be removed using the Control Panel > Programs and Features applet.

==============

The file in bold is suspicious:

C:\Windows\system32\lsass.exe

Please go to VirusTotal and submit the file for a review.
https://www.virustotal.com/

Post the log for my review.

#8 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 08 November 2015 - 11:58 PM

Thanks.

- Format Factory uninstalled and registry fixed using this tool. Still the virus is in place :(

- C:\Windows\system32\lsass.exe was scanned using VirusTotal. It is clean. Here are the details:

==

SHA256:     29b0a8889857cebfa6cbd795d5eecddffa04e794bd3c73fc488725b2a160f326
File name:     lsass.exe
Detection ratio:     0 / 54
Analysis date:     2015-11-04 19:29:52 UTC ( 4 days, 8 hours ago )

Trusted source! This file belongs to the Microsoft Corporation software catalogue.

=====

- I have scanned a virus using VirusTotal. Please check the attachment for the details.

 

Attached Files



#9 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 November 2015 - 09:20 AM

If you did not install this \Public folder with all the other sub-folders underneath it, please delete it.

C:\Users\Public <- delete the folder.

How is the computer running now?

#10 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 11 November 2015 - 12:02 AM

Thanks for the help. The system is working fine. Perhaps I figured it out :) I just changed the permissions of the entire Public folder and voila! Since yesterday no viruses are coming!

Now I remember what happened - my elder brother mis-configured the system and kept the Public folder open, and the virus was coming from different computers. I have changed the permissions from Network > Network & Sharing Center > Change Advanced Sharing Settings, and changed both Home or Work and Public.

Here are the screenshots -

 

 

Attached Files



#11 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 November 2015 - 08:49 AM

Good catch.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#12 Avijit2015

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:India, Calcutta

Posted 11 November 2015 - 10:21 AM

Thanks, but I didn't find any permission-related post out there. Before this attack I thought this kind of attack (the permission issue) could only take place on Linux. Please update the post with it :)



#13 nasdaq

  • Malware Response Team
  • 38,592 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2015 - 09:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



