Everything posted by sully213

  1. No, I think we're OK at this point and you can lock things up. Thank you for the help.
  2. Well, I thought we had the files (plural) but it turns out we just have the ini file that the wow.dll file uses for its connection settings. Sorry, not sure where the dll file got to. Here it is anyway for what it's worth. wow.zip
  3. I believe we may have found the culprit here. After much digging to find the source of the connections (via Sysinternals TCPView), we found a file called wow.dll (residing in the users' Temp directories) hooked into explorer.exe. This led us to a Microsoft Malware Protection Center article that identified the infection as Trojan:Win32/Alureon.GQ (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%253aWin32%252fAlureon.GQ&ThreatID=-2147285902&navV3Index=5#tab=2). We found some removal instructions, and our logs/alerts have been quiet since yesterday afternoon when we removed the infection. It also appears you've encountered this one before (http://forums.malwarebytes.org/index.php?showtopic=128418). We were able to isolate and make a copy of the malware files. Is there any way we can send a copy to you to help get a detection signature into MBAM?
  4. RogueKiller log:

     RogueKiller V8.6.11 [Sep 11 2013] by Tigzy
     mail : tigzyRK<at>gmail<dot>com
     Feedback : http://www.adlice.com/forum/
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://tigzyrk.blogspot.com/

     Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
     Started in : Normal mode
     User : sullivas [Admin rights]
     Mode : Scan -- Date : 09/17/2013 11:51:39
     | ARK || FAK || MBR |

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 2 ¤¤¤
     [HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
     [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     ¤¤¤ Scheduled tasks : 0 ¤¤¤

     ¤¤¤ Startup Entries : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ Particular Files / Folders: ¤¤¤

     ¤¤¤ Driver : [LOADED] ¤¤¤
     [Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (Unknown @ 0x89CD1B74)
     [Address] SSDT[43] : NtCreateMutant @ 0x80617822 -> HOOKED (Unknown @ 0x8AF923D4)
     [Address] SSDT[47] : NtCreateProcess @ 0x805D1280 -> HOOKED (Unknown @ 0x8A3AEC0C)
     [Address] SSDT[48] : NtCreateProcessEx @ 0x805D11CA -> HOOKED (Unknown @ 0x8A561864)
     [Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805C3A2E -> HOOKED (Unknown @ 0x8A3E3464)
     [Address] SSDT[53] : NtCreateThread @ 0x805D1068 -> HOOKED (Unknown @ 0x8A2CF0FC)
     [Address] SSDT[57] : NtDebugActiveProcess @ 0x80643CB2 -> HOOKED (Unknown @ 0x8AF7F1BC)
     [Address] SSDT[63] : NtDeleteKey @ 0x80624706 -> HOOKED (Unknown @ 0x8A5688D4)
     [Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (Unknown @ 0x8A56B754)
     [Address] SSDT[68] : NtDuplicateObject @ 0x805BE03C -> HOOKED (Unknown @ 0x8A3E3424)
     [Address] SSDT[97] : NtLoadDriver @ 0x80584172 -> HOOKED (Unknown @ 0x8A2CF0BC)
     [Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (Unknown @ 0x8A3C0844)
     [Address] SSDT[125] : NtOpenSection @ 0x805AA420 -> HOOKED (Unknown @ 0x8A38DFA4)
     [Address] SSDT[128] : NtOpenThread @ 0x805CB712 -> HOOKED (Unknown @ 0x8A3CD84C)
     [Address] SSDT[192] : NtRenameKey @ 0x80623C8C -> HOOKED (Unknown @ 0x8A568894)
     [Address] SSDT[204] : NtRestoreKey @ 0x80625C4A -> HOOKED (Unknown @ 0x8A56B794)
     [Address] SSDT[240] : NtSetSystemInformation @ 0x8060FE98 -> HOOKED (Unknown @ 0x8AF92394)
     [Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (Unknown @ 0x89CD1B34)
     [Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (Unknown @ 0x8A3E49EC)
     [Address] SSDT[258] : NtTerminateThread @ 0x805D2502 -> HOOKED (Unknown @ 0x8A56A9DC)
     [Address] SSDT[277] : NtWriteVirtualMemory @ 0x805B4400 -> HOOKED (Unknown @ 0x8A38DF64)
     [Address] Shadow SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8A5910A4)
     [Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x89A2F0EC)

     ¤¤¤ External Hives: ¤¤¤

     ¤¤¤ Infection : ¤¤¤

     ¤¤¤ HOSTS File: ¤¤¤
     --> %SystemRoot%\System32\drivers\etc\hosts

     127.0.0.1 localhost
     127.0.0.1 lpdpatrol25 # LMS GENERATED LINE

     ¤¤¤ MBR Check: ¤¤¤

     +++++ PhysicalDrive0: WDC WD1600AAJS-75M0A0 +++++
     --- User ---
     [MBR] 8e16af64dad476dcef72b79d55a111e4
     [BSP] 33011a5e6af84273cc2c64e92fc9f6b2 : Windows Vista MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 86 Mo
     1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 176715 | Size: 152499 Mo
     User = LL1 ... OK!
     User = LL2 ... OK!

     Finished : << RKreport[0]_S_09172013_115139.txt >>
  5. Here are the first logs as requested, gathering the other info now:
  6. I forgot to mention that if you look at the Fiddler logs, the entries that end at ads.featurelink.com appear to contain some obfuscated JavaScript code. Who knows what that's trying to accomplish....
  7. Last month (2013-Aug-06) we first encountered an alert from our Trend Worry-Free Business Security server of a URL that was being blocked by the Web Reputation rules (95.211.194.79). Trend is blocking this IP, so there must be some knowledge of what lies on the other side, but I have been unable to find any documentation on what is causing these connections at the rate of several per minute (leading the Web Reputation limit to trigger the alert at >200 per hour). This morning (2013-Sep-06) the URL Filtering alarm went off again. Checking the logs showed me the same computer that was infected (and thought to have been cleaned) from the August alarm, as well as an additional infection coming from someone else. Googling this IP has led me to several other forums that describe the same kind of infection to this IP, which traces back to an IP owned by LeaseWeb in Amsterdam, Netherlands, but no one seems to have found a root source of these connections. Here's what I've found so far.... When the initial infection occurred I did full offline system scans with multiple anti-malware programs, including Trend, MBAM, Kaspersky, ClamWin, and Windows Defender. All found and removed different things, and after returning the system to live running Windows status the alarms did not return until this morning. Now that they've returned and I've searched elsewhere, I think I can assume that this is not a well-known piece of malware at this point. Which leads me to wonder: if Trend (and apparently MBAM Pro) are blocking access to this particular IP, are there others that this malware is attempting to use that are NOT being blocked, allowing malicious payloads to be deposited (and re-deposited) on these systems? I should also note that the second computer showing up in the URL blocking this morning showed activity a few days ago and I again ran all of the above scans, but this time came back with nothing found.
     The two attachments to this post are a combined log from the URL filtering events and some data I captured from Fiddler2 about those URLs. As you can see from the Trend logs, the IP address is always the same (95.211.194.79) and is then followed by a /d/{8 random alphanumeric}/{32 random alphanumeric}/AA/{single digit 0-9}. Analyzing the 452 samples I have in the log, there are only 3 unique 8-length alphanumeric strings, but 126 unique 32-length alphanumeric strings. Combined, there are 382 unique URLs out of the 452 samples. Moving on to the Fiddler2 logs, I obviously wasn't going to test all 382 unique URLs, so you will only see the first 10 out of the Trend logs. However, you can still start to see a pattern emerge with just those 10 samples. The initial (blocked) URL redirects you to 46.229.165.122, which in turn redirects you to 46.229.165.121, which in turn redirects you to another page. Nine out of the 10 URLs in the Fiddler log finish at ads.featurelink.com, with the 10th (3rd one in the log) having one more redirect to c.tdsgo.com, which then dumps you at acuerdos.info. So.....what can I do to find this, clean it, and prevent it from getting back into our systems so I can sleep a bit easier and not worry about (this threat) potentially stealing our data/passwords or some other nefarious activity it may be doing? 1_Full (Fiddler log).txt DesktopServerWRS.csv.txt
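The URL shape and the per-hour alert counting that the post above describes, turned into detection logic over a handful of constructed proxy-log lines. This is an added example, not code from the original thread or from any Trend Micro or Malwarebytes tool: the `timestamp,host,url` line layout, the hostnames and the path tokens are constructed for illustration, while the IP address, the `/d/{8 alnum}/{32 alnum}/AA/{digit}` shape and the 200-per-hour figure come from the post (counting it per client host per hour is an assumption).

```python
"""Detect and summarise beacon URLs of the shape reported in the post.

Added example. The log layout below ("<timestamp>,<client host>,<url>") is
constructed and is NOT the real DesktopServerWRS.csv layout; only the IP,
the URL shape and the >200/hour alert figure come from the post.
"""
import re
from collections import Counter
from datetime import datetime

# URL shape from the post: http://95.211.194.79/d/{8 alnum}/{32 alnum}/AA/{digit}
BEACON_RE = re.compile(
    r"^https?://95\.211\.194\.79/d/([A-Za-z0-9]{8})/([A-Za-z0-9]{32})/AA/([0-9])$"
)

# Constructed sample lines. Line 5 is ordinary traffic; line 7 only resembles
# the pattern (token lengths are wrong) and must not be counted.
SAMPLE_LOG = """\
2013-09-06 08:01:10,PC-ACCT-07,http://95.211.194.79/d/aB3dE6fG/0123456789abcdef0123456789abcdef/AA/3
2013-09-06 08:01:25,PC-ACCT-07,http://95.211.194.79/d/aB3dE6fG/fedcba9876543210fedcba9876543210/AA/7
2013-09-06 08:02:05,PC-ACCT-07,http://95.211.194.79/d/Zz9Yy8Xx/0123456789abcdef0123456789abcdef/AA/3
2013-09-06 08:02:40,PC-RECS-12,http://95.211.194.79/d/aB3dE6fG/00000000000000000000000000000000/AA/0
2013-09-06 08:03:00,PC-RECS-12,http://www.bing.com/search?q=printer+driver
2013-09-06 08:03:30,PC-ACCT-07,http://95.211.194.79/d/aB3dE6fG/0123456789abcdef0123456789abcdef/AA/3
2013-09-06 09:10:00,PC-RECS-12,http://95.211.194.79/d/short/notlongenough/AA/1
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client host, url)."""
    ts, host, url = line.strip().split(",", 2)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, url


def match_beacon(url: str):
    """Return (token8, token32, digit) if the URL has the beacon shape, else None."""
    m = BEACON_RE.match(url.strip())
    return m.groups() if m else None


def analyze(log_text: str, threshold: int = 200) -> dict:
    """Reproduce the poster's analysis: hit count, unique URLs and tokens per
    position, hits per host, and hosts that exceed `threshold` beacons within a
    single clock hour (the assumed meaning of the >200/hour alert)."""
    hits = 0
    urls, tok8, tok32 = set(), set(), set()
    per_host = Counter()
    per_host_hour = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, url = parse_line(line)
        groups = match_beacon(url)
        if groups is None:
            continue  # ordinary traffic or a near-miss; not a beacon
        hits += 1
        urls.add(url)
        tok8.add(groups[0])
        tok32.add(groups[1])
        per_host[host] += 1
        per_host_hour[(host, ts.strftime("%Y-%m-%d %H"))] += 1
    noisy = sorted({host for (host, _), n in per_host_hour.items() if n > threshold})
    return {
        "hits": hits,
        "unique_urls": len(urls),
        "unique_token8": len(tok8),
        "unique_token32": len(tok32),
        "per_host": dict(per_host),
        "hosts_over_threshold": noisy,
    }


if __name__ == "__main__":
    # Low threshold so the constructed sample actually flags a host.
    summary = analyze(SAMPLE_LOG, threshold=3)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Running the poster's 452-line Trend export through `analyze` after adapting `parse_line` to its real columns would give the same three figures quoted in the post (unique 8-char tokens, unique 32-char tokens, unique URLs) plus the list of hosts that need to be pulled off the network.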