Posts posted by Fatdcuk
-
Ok Mike, thanks for the patience and persistence, I love a challenge!
There are a couple of suspicious entries showing in the CF output log that warrant further investigation.
If possible, can you upload the following 2 files to me. They can be retrieved, if they are still present on disk, using the IceSword file explorer as you did earlier in the topic.
2009-03-05 c:\windows\Tasks\ngyaixhv.job
- c:\windows\system32\pmnlkljJ.dll[]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab7b5447-2053-11dd-a8f8-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe root.ini
Thanks in advance B)
Also, have you been running MBAM in quick scan mode or a full scan of all drives?
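The MountPoints2 entry quoted above is a per-volume AutoRun command that Explorer keeps under HKCU. Checking whether the executable it names is still on disk is exactly what the post is after. The script below is an added example, not code from the original post or from any Malwarebytes tool: it lists every Shell\AutoRun\command value under MountPoints2, splits the command into executable and arguments (the thread's entry is D:\Autorun.exe root.ini), and reports whether the executable is visible on disk. The key path and the (default) value name are standard; the quoted/unquoted command parsing is my own assumption about how such values are written.

```powershell
# Added example (not from the original post): enumerate the per-volume
# MountPoints2 keys under HKCU, pull out any Shell\AutoRun\command value and
# report whether the executable it points to is still present on disk.
# The entry in the thread was "D:\Autorun.exe root.ini" under a {GUID} subkey.

function Get-MountPointAutoRuns {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path -LiteralPath $root)) { return }

    foreach ($vol in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # The command lives in <volume>\Shell\AutoRun\command as the (default) value.
        $cmdKey = Join-Path $vol.PSPath 'Shell\AutoRun\command'
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }

        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        # First token is the executable, the rest (e.g. root.ini) are arguments.
        # Assumption: values are either "quoted path" args or unquoted path args.
        if ($cmd -match '^\s*"([^"]+)"(.*)$') {
            $exe    = $Matches[1]
            $argStr = $Matches[2].Trim()
        } else {
            $parts  = $cmd.Trim() -split '\s+', 2
            $exe    = $parts[0]
            $argStr = if ($parts.Count -gt 1) { $parts[1] } else { '' }
        }

        [pscustomobject]@{
            Volume     = $vol.PSChildName      # {GUID} or another volume key name
            Command    = $cmd
            Executable = $exe
            Arguments  = $argStr
            # Test-Path is a Windows API view: a file a rootkit hides from the API
            # can report False here yet still exist, which is why IceSword was used.
            OnDisk     = (Test-Path -LiteralPath $exe -PathType Leaf)
        }
    }
}

Get-MountPointAutoRuns | Format-Table -AutoSize
```

Run it in the profile of the user who saw the detection, since MountPoints2 is per-user. A bare executable name with no drive letter is resolved by Explorer relative to the volume, so OnDisk is only meaningful for fully qualified paths; a removable drive that is not plugged in will also report False even if the file is there.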
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Ok, well HJT is showing clear, so I will throw a couple more tricks at the PC to see if there is a culprit behind the redirects.
1. If you have Internet Explorer available, can you check to see if the same symptoms persist whilst using IE?
2. Please download GooredFix and save it to your Desktop.
http://jpshortstuff.247fixes.com/GooredFix.exe
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.
3. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.
Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.
Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Ok, well, good that the Rootkit has finally been exorcised.
Can you please post a fresh HJT log for review.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Confirmed as F/P.
Please add to your ignore list and/or restore from quarantine.
This should be fixed shortly in a defs update.
-
Hi ya,
The new detection is a GUID hit for Trojan.BHO.
As for the takedown I sent off to HQ, having checked inside today's DB locally it has not been added yet.
I will chase this up so hopefully it will be there shortly.
-
Thank you very much for uploading.
I am sending new takedown defs for this driver off to HQ, so hopefully total cleanup will be achieved on the next Database update cycle (1816).
-
Hi ya,
I think we have a suspect...
kqgximat Microsoft IP Test Driver (Not verified) Microsoft Corporation c:\windows\system32\drivers\kqgximat.sys
I would be very interested in seeing a copy of this file. Could you please upload it to the topic where you originally uploaded the other file.
Thanks in advance.
-
Hi ya again,
There is another element at play that is reloading the whole infection. Based on previous encounters with this infection, there is going to be another driver (.sys) file doing the restoration job. Unfortunately HJT is very limited, so if possible can you use the following diagnostic tool to assist me in catching the culprit.
Download and install Autoruns.
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
When you first run it, it will generate an extensive listing and the word "Ready" will appear in the bottom left of the software GUI.
At this point go to Options and place a check (tick) against Verify Code Signatures and Hide Microsoft & Windows Entries. Next press the F5 key to refresh.
Once the software shows Ready status, go to the File option. Select "Export As" and save the output file as Autoruns.txt.
Can you please then copy and paste the contents of that text file into your next reply for analysis.
Thanks in advance
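What the Autoruns steps above produce is a list of drivers whose Authenticode signature does not verify, with verified Microsoft entries hidden; the suspect earlier in this thread (kqgximat.sys, "Microsoft IP Test Driver (Not verified)") is exactly that shape. The script below is an added example, not code from the original post and not Autoruns itself: it walks the driver services in HKLM\SYSTEM\CurrentControlSet\Services, normalises each ImagePath, checks the binary with Get-AuthenticodeSignature, drops entries that verify as Microsoft-signed, and flags the two patterns seen in this thread: a file whose version info claims Microsoft but whose signature is not valid, and a service with a random-looking eight-letter name. The eight-lowercase-letter regex is my own assumption drawn from the names in this thread (kqgximat, yodjbrfy, ngyaixhv), not a Malwarebytes detection rule.

```powershell
# Added example (not from the original post, and not Autoruns itself): enumerate
# kernel/file-system driver services, resolve their ImagePath, verify the
# Authenticode signature and report what Autoruns would show with
# "Verify Code Signatures" on and Microsoft entries hidden.

function Resolve-ImagePath {
    param([string]$ImagePath)
    # ImagePath appears in several spellings; normalise to a plain Win32 path.
    $p = $ImagePath.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\foo.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\system32\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {            # system32\drivers\foo.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-UnverifiedDrivers {
    param(
        # Assumed heuristic: the suspects in this thread were eight random lowercase letters.
        [string]$RandomNamePattern = '^[a-z]{8}$'
    )
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $props = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; skip user-mode services.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if (-not $props.ImagePath) { continue }

        $path    = Resolve-ImagePath $props.ImagePath
        $name    = $svc.PSChildName
        $reasons = @()
        $status  = 'n/a'
        $company = ''

        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Not visible through the Windows API: stale entry, or hidden (cf. IceSword).
            $reasons += 'image not visible on disk'
        } else {
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $status  = $sig.Status
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            # A verified Microsoft driver is what Autoruns hides; skip it.
            if ($status -eq 'Valid' -and $company -match 'Microsoft') { continue }
            if ($status -ne 'Valid' -and $company -match 'Microsoft') {
                $reasons += 'claims Microsoft but signature not verified'
            }
        }
        if ($name -cmatch $RandomNamePattern) { $reasons += 'random-looking service name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $name
                Path      = $path
                SigStatus = $status
                Company   = $company
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

Get-UnverifiedDrivers | Sort-Object Service | Format-Table -AutoSize
```

Run it from an elevated prompt so every service key is readable. Many Microsoft inbox drivers are signed through a catalog rather than an embedded signature, and older PowerShell versions do not consult the catalog, so on such systems expect extra NotSigned rows for genuine drivers; compare against the Autoruns export rather than treating any single row as proof. An "image not visible on disk" row for an active service is the case where a tool that bypasses the Windows API (IceSword, RootRepeal) is needed to see whether the file is really absent.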
-
Hi, this is indeed a driver from the AVZ tool (got the uploaded file). AVZ is an antivirus recently bought by Kaspersky.
AVZ antivirus uses this driver with a random name (file and service keys). Bagle's coder added this driver to the infection in order to kill antivirus processes.
srosa.sys was the first driver, and then came srosa2.sys (first AVZ variant), in November, with driver sK9Ou0s. Alone, the file is not harmful, but it has been part of Bagle.
Thanks for the info.
The driver was targeted because it was installed with Bagle (srosa2.sys).
Mind you, not the first time I have seen something similar to this, with the Partizan driver (UnHackMe) being used by ITW malware :(
-
Ok can you please upload the file for inspection.
http://www.malwarebytes.org/forums/index.php?showforum=55
A quick google search of the MD5 appears to point towards it being a valid hash hit.
-
This is definitely a F/P detection, please add to ignore for now, but it will be addressed shortly.
-
Hi ya,
Please can you add these to your ignore list, as it is a known issue we are currently investigating.
http://www.malwarebytes.org/forums/index.php?showtopic=11492
-
Ok, as suspected you have a new variant of the known Rootkit.Sentinel on your machine.
Path: C:\Documents and Settings\Mikee\Local Settings\Temp\yodjbrfy.dat
Status: Locked to the Windows API!
I would very much like to have a copy of it for further analysis, so we will need to do some fancy footwork to bag this sample, as it is extremely well entrenched and will resist being attacked by conventional methods.
Please download IceSword and use only as directed.
http://majorgeeks.com/Icesword_d5199.html
Extract it from ZIP and run icesword.exe.
In the bottom left corner of the main software GUI is a file option/button. Please select this.
Navigate using the file explorer tree to the C:\Documents and Settings\Mikee\Local Settings\Temp folder. Next look at the file list in the middle of the screen and locate the line with yodjbrfy.dat listed.
Highlight the line with your mouse, right-click and select *copy file* only.
You will need to rename it to *suspect.old* and save it to My Documents.
Close IceSword at this point.
Next locate *suspect.old* and then zip (compress) it up.
Please upload in a fresh topic at the following part of these forums.
http://www.malwarebytes.org/forums/index.php?showforum=51
As soon as I have the copy I can then get defs written up, and updated MBAM will nuke this Sentinel variant.
Thanks in advance.
-
Happy Birthday Sho-Dan, hope you have a good'un
-
Hello and welcome to the MBAM forums.
I suspect you might have a new rootkit variant at play behind these recurring detections, so if possible could you run a diagnostic routine for me on your computer. This should help me assess what is going on, possibly collect new suspect RK files, and then help assist you in removal of the RK if there is one present.
Please download the following software and install it.
http://rootrepeal.googlepages.com/
Select the Report button in the bottom right of the software GUI, then go to and select Scan.
Place a check (tick) in all boxes except the SSDT option.
Next select OK.
Please copy and paste the output log then generated by RootRepeal into your reply.
Thanks in advance.
-
Hi ya,
I believe we added targeting defs for AntiVirus1 yesterday >>>
http://www.malwarebytes.org/malwarenet.php...ogue.AntiVirus1
and 2010 was quite some time ago
http://www.malwarebytes.org/malwarenet.php...e.Antivirus2010
I will revisit AV2010 to see if the infection pattern has altered.
If you update the software and run a quick scan, is it producing any kind of detections versus either now? If you can upload a sample scan log it would be very much appreciated.
Thanks in advance.
-
Thanks. I'm operating under the assumption that I'm infected with SOMETHING but it just can't be nailed down at the moment. I look forward to what the developer comes up with. Thanks again!
No, they are definitely bad detections by MBAM on your PC, probably being caused by some kind of software conflict. Hence why adding them to the ignore list is a temporary fix until we can track down the conflict causing them to occur.
-
OK, I have reported this topic back to the developer. For now please keep these items in the ignore list.
Trojans return after Malware removes, in Resolved Malware Removal Logs
Right,
I can't locate suspect1.zip lol, can you upload it again to the upload topic you have.
With regards to autorun.exe, I was trying to see if the file exists on disk (using the IceSword file function) as opposed to the registry entry listed.
The full scan suggestion was because we have heuristic flags for some Autorun worms and the possibility of it being hit.
Thanks in advance.