
Zeus zbot WSNpoem infection server 2012 r2


5 replies to this topic

#1 monkeyhouserodge

monkeyhouserodge

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 08 December 2015 - 03:56 PM

I have a server that I believe is infected with Zeus. I have not been able to detect it, but I can see the IP addresses that the server is connecting to, and I'm pretty certain this server is the culprit. We keep getting blacklisted because after I scan every computer on the network, I find nothing and I apply for blacklist removal. Here are my logs.

Attached file: Addition.txt (41.16KB)

Attached file: FRST.txt (28.44KB)





#2 Black_Bird

Black_Bird

  • Malware Response Team
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:40 PM

Posted 10 December 2015 - 02:28 PM

Hi monkeyhouserodge,

Welcome to the BleepingComputer support forums! I'm sorry for the response delay.

An important WARNING to all individuals reading this topic:
All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!
Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.


General rules:
  • From now on, don't use this computer anymore to access your bank account or any other serious business where you have to log in, until I've told you your computer is clean from malware.
  • Be patient waiting for my answer. I'm doing the best I can to answer to logs as soon as possible, but I'm handling multiple topics at the same time. Please feel free to remind me of your topic by sending a link to it by private message, when I didn't get back to you after 24 hours.
  • Don't change anything on your computer in the period I'm helping you, except when I tell you to do so. So don't add/remove any software (programs, drivers, etc.) and don't change any hardware. If you really need to change something that can't wait, please inform me directly, by posting it in this topic or - if private - send me a private message containing an explanation of the changes made by you. This gives me the possibility to give you good advice.
Rules about advice from me:
  • The Helpers active on this board first got a full training in removing malware and providing support to people who got infected. Also they were trained to resolve any problems caused by malware infections. Please use the programs I provide to you only when under supervision of a trained Helper. This is because using these programs without supervision can cause damage to your computer.
  • It's possible that your virus scanner, anti-spyware program or any other malware protection program or policy tries to block one or more of the programs provided by us. If that is the case, please always allow those programs to run and/or allow the provided changes to be made. If needed to run our tools properly, temporarily disable your anti-malware programs.
  • Always Save tools provided by me to your Desktop, unless I give you other instructions. Don't ever run tools directly from the internet, because this can stop them from working properly. Also never save tools to any other locations than your Desktop.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.
Things I want you to do before performing the steps below:
  • Please enable your system to show hidden files: How to see hidden files in Windows.
  • Make sure you're subscribed to this topic. Click on the Follow This Topic button at the top right of this page, make sure that the Receive Notification box is checked and that it is set to Instantly.
  • Even though we do the best we can to help you, removing malware includes risks. Therefore I advise you to back up all of your important files to a CD/DVD, external drive or flash drive. For instructions/help, take a look here.
-------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks in advance for keeping the above rules in mind. :)
Maybe they look like unnecessary rules, but practice teaches us they are needed to help.

Now, let's continue with the steps you need to do:
-------------------------------------------------------------------------------------------------------------------------------------------------------

First I have got some questions for you. :)

1. Do you recognize this .bat-file that executes while booting?:

C:\Users\administrator.LANDISOFFICE\Downloads\BGInfo\bginfo.bat


2. Can you please post the following logfiles, that I noticed within the FRST logfiles?:

C:\TDSSKiller.3.1.0.7_08.12.2015_15.11.54_log.txt
C:\TDSSKiller.3.1.0.6_08.12.2015_15.11.11_log.txt


########## Now let's continue resolving your issues.

1. Please download the attached fixlist.txt (1.57KB) to your Desktop.
  • Please make sure to put fixlist.txt in the same location as where FRST.exe/FRST64.exe is located!
2. Download RKill and save it to your Desktop.
  • Right-click RKill.exe and select Run as Administrator....
  • If a Windows Security prompt shows up, please allow the program to start.
  • The program will start immediately with its tasks. When the program has finished, a logfile will appear.
    Please copy the contents of this logfile in your next reply.
3. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply.
4. Please remove fixlist.txt from your PC.

5. Please reboot your PC.

6. Start Farbar Recovery Scan Tool
  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will create a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
7. Please give me an update on your PC problems. Also please include the results from the following tools in your next reply:
  • RKill
  • Farbar Recovery Scan Tool - using fixlist.txt
  • Farbar Recovery Scan Tool - regular scan
Also please post the requested TDSSKiller logfiles in your next reply, together with the answer on question #1.

Good luck! Don't hesitate to ask any questions! :)

~ Black_Bird
Kind regards,
Black_Bird
 

What to do when your computer is infected? Read here!

The Bleeping Computer Board Rules - The Moderating Team


If I am directly helping you on a topic and I've not replied within 24 hours please send me a Private Message with a link to your topic.


#3 monkeyhouserodge

monkeyhouserodge
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 10 December 2015 - 02:42 PM

Yes, bginfo is a tool included with Sysinternals. It displays helpful information on the desktop of the server. If you have more than a few servers to manage and you manage them remotely, it can get confusing just remembering which server you are currently working on, so I use it for that purpose. The batch file simply starts the service on boot. TDSSKiller is "supposed" to identify Zeus, but it did not on any of the 30 or so machines I used it on. Unfortunately, I couldn't wait any longer. I found that this server was connecting to IP addresses that were too close in range to the sinkholes that blacklisted us. So, even though I couldn't find one product that would detect there was something there, I went ahead and set up another Hyper-V host, live-migrated the virtual servers that were hosted there to the temporary server, and then replaced the operating system on the infected server. Of course I couldn't do that during normal hours, so I ended up working 34 hours straight. It's too soon to tell yet, but so far, no blacklist.
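The approach described in this post, singling out the infected host because its outbound connections land in the same ranges as the sinkholes behind the blacklisting, as an added example that is not part of the original thread: it parses `netstat -ano` output from a Windows host (a constructed sample is embedded below) and reports the PID of every connection whose remote address falls inside a watchlist of CIDR ranges. The watchlist and internal ranges are placeholders (RFC 5737 documentation prefixes and 10.0.0.0/8), to be replaced with the ranges from the actual blacklist notices.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output from a Windows host; the
# addresses and PIDs are made up for this example, not taken from the thread.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49211         203.0.113.45:80        ESTABLISHED     1532
  TCP    10.0.0.5:49212         198.51.100.20:443      ESTABLISHED     1532
  TCP    10.0.0.5:49213         192.0.2.77:443         ESTABLISHED     2048
  TCP    10.0.0.5:3389          10.0.0.9:51022         ESTABLISHED     612
  UDP    10.0.0.5:53            *:*                                    1000
"""

# Placeholder watchlist: the ranges around the sinkholes named in the blacklist
# notices would go here. These are RFC 5737 documentation prefixes, not real C2.
WATCHLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.0/24")]
# Constructed LAN range to ignore (e.g. the RDP session from another admin host).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Columns: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state, pid) for each parseable row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or malformed row
        proto, _local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6
        except ValueError:
            continue  # "*:*" wildcard or an unresolved name
        yield proto, ip, port, state or "", int(pid)


def suspicious_connections(text, watchlist=WATCHLIST, internal=INTERNAL_NETS):
    """Return rows whose remote address is inside a watchlist range, with the PID
    so the owning process can be checked via: tasklist /FI "PID eq <pid>"."""
    hits = []
    for proto, ip, port, state, pid in parse_netstat(text):
        if any(ip in net for net in internal):
            continue  # LAN traffic is not what the blacklist is about
        for net in watchlist:
            if ip in net:
                hits.append({"pid": pid, "proto": proto, "state": state,
                             "remote": f"{ip}:{port}", "range": str(net)})
    return hits
```

On the real host, feed it the saved output of `netstat -ano` and compare the reported PIDs against `tasklist` to see which process (or service host) owns the connections.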



#4 Black_Bird

Black_Bird

  • Malware Response Team
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:40 PM

Posted 10 December 2015 - 02:45 PM

Hi,

All right. No problem at all. Do you still want this topic to be kept open? Or don't you need our help any longer? Please let me know. :)
Kind regards,
Black_Bird
 



#5 monkeyhouserodge

monkeyhouserodge
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 11 December 2015 - 09:59 AM

I'm gonna cross my fingers and say everything is better. Two days now and no blacklist. Unless you can tell me how all my servers' clocks were 3 hours off this morning? lol. No idea, but everything is good now. Thanks!



#6 Black_Bird

Black_Bird

  • Malware Response Team
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:05:40 PM

Posted 12 December 2015 - 06:01 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Kind regards,
Black_Bird
 





