Jump to content

Fatdcuk

Staff
  • Content Count

    20,723
  • Joined

Posts posted by Fatdcuk

  1. Right,

    I cant locate suspect1.zip lol can you upload it again to the upload topic you have.

    With reguards autorun.exe was trying to see if the file exists on disk(using IceSword file function) as oppososed to the registry entry listed.

    The fullscan suggestion was that we have heuristic flags for some Autorun worms and the possibity of it being hit.

    Thanks in advance.

  2. Ok Mike thanks for the patience and persistance i love a challenge!

    There's a couple of suspicious entries showing in CF output log that warrant further investigation.

    If possible can you upload me the the following 2 files.They can be retrieved if they are still present on disk using IceSword file explorer as you did earliar in the topic.

    2009-03-05 c:\windows\Tasks\ngyaixhv.job

    - c:\windows\system32\pmnlkljJ.dll[]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab7b5447-2053-11dd-a8f8-806d6172696f}]

    \Shell\AutoRun\command - D:\Autorun.exe root.ini

    Thanks in advance B)

    Also have you been running MBAM in quick scan mode or full scan of all drives ?

  3. Ok well HJT is showing clear so will throw a couple more tricks at the PC to see if there is a culprit behind the redirects.

    1.If you have Internet Explorer available can you check to see if the same symptons persist whilst using IE ?

    2. Please download GooredFix and save it to your Desktop.

    http://jpshortstuff.247fixes.com/GooredFix.exe

    Select "2. Fix Goored" by typing 2 and pressing Enter.

    Make sure all instances of Firefox are closed at this point.

    Type y at the prompt and press Enter again.

    A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

    3. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Double click the ComboFix icon to run it.

    If ComboFix askes you to install the Recovery Console, please do so..

    The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

    Once the Recovery Console is installed, continue with the malware scan.

    Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

    Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

  4. Hi ya again,

    There is another element at play that is reloading the whole infection.Based on previous encounters with this infection then there is going to be another driver(.sys) file doing the restoration job.Unfortunetly HJT is very limited so if possible can you use the following daignostic tool to assist me in catching the culprit.

    Download and install Autoruns.

    http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

    When you first run it it will generate an extensive listing and the word "Ready" will appear in the bottom left of the sofware GUI.

    At this point goto options and place check(tick) against verify coded signatures and hide Microsoft & windows entries.Next press F5 button to refresh.

    Once Ready status by software is gained then goto File option.Select "Export as" and save output file as Autoruns.txt

    Can you please then copy and paste the contents of that text file into your next reply for analysis.

    Thanks in advance

  5. Hi, this is indeed a driver from the AVZ tool (got the uploaded file). AVZ is an antivirus recently bought by Kaspersky.

    AVZ antivirus uses this driver with random name (file and service keys). Bagle's coder added this driver to the infection, in order to kill antivirus processes.

    srosa.sys was the first driver, and then came srosa2.sys (first avz variant), in november, with driver sK9Ou0s. Alone, the file is not harmful, but it has been part of bagle.

    Thanks for the info.

    The driver was targeted because it was installed with Bagle(srosa2.sys).

    Mindyou not the first time i seen similar to this before with Partizan driver(UnHackMe)being used by ITW malware:(

  6. Ok as suspected you have a new variant of known Rootkit.Sentinel on your machine.

    Path: C:\Documents and Settings\Mikee\Local Settings\Temp\yodjbrfy.dat

    Status: Locked to the Windows API!

    I would very much like to have a copy of it for further analysis so we will need to do some fancy footwork to bag this this sample as it is extremely well entrenched and will resist being attacked by conventional methods.

    Please download IceSword and use only as directed.

    http://majorgeeks.com/Icesword_d5199.html

    Extract it from ZIP and run icesword.exe.

    In the bottom left corner of the main software GUI is a file option/button.Please select this.

    Navigate using the file explorer tree to C:\Documents and Settings\Mikee\Local Settings\Temp folder.next look to file list in the middle of the screen and locate the line with yodjbrfy.dat listed.

    highlight the line with your mouse and rightclick and select *copy file* only

    You will need to rename it to *suspect.old* and save it to my documents.

    Close Icesword at this point.

    Next locate *suspect.old* and then zip(compress it) it up,

    Please upload in a fresh topic at the following part of these forums.

    http://www.malwarebytes.org/forums/index.php?showforum=51

    As soon as i have the copy i can then get defs written up and updated MBAM will nuke this Sentinel variant.

    Thanks in advance.

  7. Hello and welcome to te MBAM forums.

    I suspect you might have a new rootkit variant at play behind these re-occuring detections so if possible could you run a diagnostic routine for me on your computer.This should help me access what is going on,possibly collect new suspect RK files and then help assist you in removal of RK if there is one present.

    Please download the following software and install it.

    http://rootrepeal.googlepages.com/

    Select report button in the bottom right of software GUI then goto and select scan.

    Place a check(tick) in all box's except SSDT option.

    Next select OK.

    Please copy and paste the output log then generated by Rootrepeal to your reply.

    Thanks in advance.

  8. Hi ya,

    I believe we added targeting defs for AntiVirus1 yesterday>>>

    http://www.malwarebytes.org/malwarenet.php...ogue.AntiVirus1

    and 2010 was quite sometime ago

    http://www.malwarebytes.org/malwarenet.php...e.Antivirus2010

    I will revisit av2010 to see if the infection pattern has altered.

    If you update the software and run quick scan are producing any kind of detections versus either now? If you can upload a sample scan log it would be very much appreciated.

    Thanks in advance.

  9. Thanks. I'm operating under the assumption that I'm infected with SOMETHING but it just can't be nailed down at the moment. I look forward to what the developer comes up with. Thanks again!

    No they are definetly bad detections by MBAM on your pc probaly being caused by some kind of software conflict.Hence why adding them to the ignore list is a tempory fix until we can track down the conflict causing them to occur.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.