HI! I need help. My network at work and at home continues to get hit by the same viruses over and over again. I have reinstalled Windows over and over again over the last several months and it's just not working out. I need help patching my network or system to prevent these attacks. I have all firewall ports blocked on the Windows host but the bare minimum like DNS, HTTP, HTTPS, DHCP.
Running Windows 10.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe (Security.Hijack) -> Quarantined and deleted successfully.
Will making a Cisco ASA Access Control List HTTP Protocol Inspection for these file names block these attacks from transferring across my network? Will making an ACL protocol inspection with "char code" or "var shellcode", which is used in a lot of shellcode payloads, block most attacks, or do a lot of normal programs use that line of code?
Avira Command Line Scanner from Hiren's 15.2: scan.log
I run an IT repair shop and almost 98% of the computers coming into the shop, doesn't matter what AV they use or which Windows OS they are running, are coming up with TR/Crypt.Xpack versions. Is this a massive worm? Because we scan a wiped and reloaded system with this tool and find nothing, but if you connect a computer with a fresh OS install to a network that has this trojan on it, it spreads to the computer. Systems come in with issues with this virus on them, and after reinstalling Windows, the issue is gone.
Common issue on this computer while infected: websites will simply not load.
FRST logs attached:
Hitman pro logs attached:
RKill log attached; usually it's way worse and says something about ajrouter, I think?
I tried to Netcat into the virus but couldn't find the port, I guess?
Edited by knubble, 30 March 2017 - 11:08 PM.
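The four quarantined entries in the scan log above all live under Image File Execution Options (IFEO). A `Debugger` value under `IFEO\<program>.exe` tells Windows to start that "debugger" whenever the named program is launched, which is why malware attaches one to MsMpEng.exe (Defender), MRT.exe (Malicious Software Removal Tool), svchost.exe and chrome.exe: the defender never really runs, or the attacker's code runs first. Reimaging removes the keys but does nothing about whichever machine on the LAN keeps reinfecting the others, so the useful check is to audit IFEO on every host, clean or not, and see which ones still carry a redirect. The script below is an added example written for this thread; it is not from the poster's logs or from any tool mentioned. It only reads and reports, it does not delete anything, and the value names it checks beyond `Debugger` are ones I chose to include, not ones the post mentions. Run it in an elevated PowerShell on each Windows 10 host.

```powershell
# Added example (not from the original post or its attachments): read-only audit of
# Image File Execution Options for values that redirect or alter process start.
# Reports one row per hit; deletion is left to the operator after review.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # 32-bit view on 64-bit Windows; malware sometimes plants keys here instead.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# 'Debugger' is the classic hijack value (the one behind the Security.Hijack log lines).
# The other two are assumptions on my part: rarely legitimate, cheap to report.
$suspectValues = @('Debugger', 'MonitorProcess', 'VerifierDlls')

# Resolve the first token of a Debugger string to a file and check its Authenticode
# signature, so a hit pointing at a signed Microsoft/vendor binary can be triaged quickly.
function Get-TargetSignature([string]$data) {
    $exe = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split '\s+')[0] }
    if (Test-Path -LiteralPath $exe) {
        return (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
    }
    return 'FileNotFound'
}

$findings = foreach ($root in $ifeoPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        foreach ($name in $suspectValues) {
            $value = $props.$name
            if ($null -ne $value -and "$value".Trim() -ne '') {
                [pscustomobject]@{
                    Host       = $env:COMPUTERNAME
                    Executable = $key.PSChildName
                    Value      = $name
                    Data       = "$value"
                    Signature  = if ($name -eq 'Debugger') { Get-TargetSignature "$value" } else { 'n/a' }
                    Key        = $key.Name
                }
            }
        }
    }
}

if (-not $findings) {
    Write-Host "No IFEO redirect values found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table Executable, Value, Data, Signature -AutoSize
    # Keep a record per host so the results from all machines on the LAN can be compared.
    $findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\ifeo-audit-$env:COMPUTERNAME.csv"
}
```

A `Debugger` value on any security product's process, on svchost.exe, or on a browser is a finding regardless of what it points to; the `Signature` column mainly helps separate deliberate entries (a vendor's own signed binary, or a developer's debugger) from a dropped executable in a temp or user profile directory. Comparing the CSV from every machine is what answers the "which box is reinfecting the others" question: the host that still shows these keys after the rest have been cleaned is the one to isolate from the network first.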