
I was recently hit by some type of malware. I quickly closed the process and started Malwarebytes, and that appears to have stabilized this client computer, but I have purchased/activated the Pro version and I cannot check "Enable Malicious Website Blocking". I read somewhere that this is residue from the rootkit that was, or still is, embedded in my computer. A full scan with MBAM returns no errors.

This is a work computer that is a client of a 2011 SBS. For the short time the virus/malware was active, it mail-botted out a bunch of spam, enough to get our static IP blacklisted on CBL. The client seems to be working fine now, but I am still concerned that it might somehow still be infected. I have been keeping it mostly unplugged from the server, even though MBAM shows it as clean.

1) Am I clean, and 2) how do I fix the "Enable..." checkbox?

Thank you in advance for your help.

Here are the two files from DDS.COM

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 9.0.8112.16447 BrowserJavaVersion: 10.4.1

Run by BFord at 17:10:53 on 2013-04-02

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8175.5828 [GMT -5:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe

C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SavUI.exe

C:\Users\bford\AppData\Local\Temp\Temp1_TCPView.zip\Tcpview.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://google.com/

uDefault_Page_URL = hxxp://companyweb

mWinlogon: Userinit = userinit.exe,

BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

uRun: [] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [noenr] "C:\Windows\System32\rundll32.exe" "C:\Users\bford\AppData\Roaming\noenr.dll",File

uRun: [windo] "C:\Windows\System32\rundll32.exe" "C:\Users\bford\AppData\Roaming\windo.dll",Node_AddChild

mRun: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

mRun: [uSBDetect] <no file>

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: RunStartupScriptSync = dword:1

IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

LSP: mswsock.dll

TCP: NameServer = 192.168.0.111

TCP: Interfaces\{ADC1C232-9923-4789-8399-BDC0820CD17D} : DHCPNameServer = 192.168.0.111

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -

x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming

x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -

x64-Notify: igfxcui - igfxdev.dll

x64-Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

x64-SSODL: WebCheck - <orphaned>

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2012-5-2 55856]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-2-7 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-13 682344]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-29 382272]

R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2012-5-15 1768376]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-8-13 138912]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-8-13 24176]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2012-5-2 413800]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 COH_Mon;COH_Mon;C:\Windows\System32\drivers\COH_Mon.sys [2012-5-15 25424]

S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2010-11-21 71168]

S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2012-5-2 158976]

S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-5-2 317440]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2012-2-28 80384]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2012-2-28 180736]

S3 Samsung UPD Service2;Samsung UPD Service2;C:\Windows\System32\SUPDSvc2.exe [2012-10-29 158208]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-8 1255736]

.

=============== File Associations ===============

.

FileExt: .scr: AutoCADScriptFile="C:\Windows\notepad.exe" "%1"

.

=============== Created Last 30 ================

.

2013-04-01 22:28:13 -------- d-----w- C:\ProgramData\A474D91E02CEAD3E0000A47434ADB121

2013-04-01 22:14:09 -------- d-----w- C:\ProgramData\A47B611E0956AD3E0000A47ABCADB7A9

2013-04-01 22:13:37 735744 ----a-w- C:\Users\bford\AppData\Roaming\windo.dll

.

==================== Find3M ====================

.

2013-03-20 23:28:32 233120 ----a-w- C:\Windows\System32\drivers\WpsHelper.sys

1997-07-22 00:30:54 1045776 --sha-w- C:\Windows\SysWOW64\Msjet35.dll

1997-06-23 08:00:00 123664 --sha-w- C:\Windows\SysWOW64\Msjint35.dll

1997-06-23 17:06:50 24848 --sha-w- C:\Windows\SysWOW64\Msjter35.dll

1997-06-23 17:06:50 252176 --sha-w- C:\Windows\SysWOW64\Msrd2x35.dll

1997-06-23 17:06:50 287504 --sha-w- C:\Windows\SysWOW64\Msxbse35.dll

.

============= FINISH: 17:11:10.65 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/7/2012 3:44:05 PM

System Uptime: 4/1/2013 7:36:07 PM (22 hours ago)

.

Motherboard: Dell Inc. | | 0GDG8Y

Processor: Intel® Core i5-2400 CPU @ 3.10GHz | CPU 1 | 3101/100mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 219 GiB total, 165.051 GiB free.

D: is FIXED (NTFS) - 14 GiB total, 7.259 GiB free.

E: is CDROM (UDF)

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

64 Bit HP CIO Components Installer

Adobe Acrobat 8 Professional

Adobe Acrobat 8.1.1 Professional

AutoCAD Civil 3D 2010

AutoCAD Civil 3D 2010 Language Pack - English

AutoCAD Express Tools Volumes 1-9

Autodesk Design Review 2010

Autodesk Express Viewer

Autodesk Land Desktop 2004

Autodesk Network Installation Wizard

Conexant HD Audio

CyberLink PowerDVD 9.5

DYMO LabelWriter Drivers

eReg

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)

Intel® Processor Graphics

Java Auto Updater

Java 7 Update 4

JavaFX 2.1.0

LiveUpdate 3.3 (Symantec Corporation)

Logitech SetPoint 6.32

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Visual Basic Power Packs 3.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NVIDIA 3D Vision Controller Driver 296.10

NVIDIA 3D Vision Driver 296.10

NVIDIA Control Panel 296.10

NVIDIA Graphics Driver 296.10

NVIDIA HD Audio Driver 1.3.12.0

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.0213

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.7.11

NVIDIA Update Components

Samsung Universal Print Driver

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition

Symantec Endpoint Protection Client

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition

VBA

WebLinkActiveX

Windows Small Business Server 2011 Standard ClientAgent

Windows Small Business Server 2011 Standard WMI Provider

.

==== Event Viewer Messages From Past Week ========

.

4/2/2013 9:25:38 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain REHDER due to the following: The RPC server is unavailable. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

4/2/2013 4:36:49 PM, Error: Service Control Manager [7000] - The COH_Mon service failed to start due to the following error: This driver has been blocked from loading

4/2/2013 3:17:02 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

4/2/2013 3:17:01 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain REHDER due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

4/1/2013 8:36:59 PM, Error: Application Popup [875] - Driver COH_Mon.sys has been blocked from loading.

4/1/2013 5:49:13 PM, Error: Microsoft-Windows-GroupPolicy [1055] - The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

4/1/2013 5:26:50 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.

4/1/2013 5:26:50 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

4/1/2013 5:26:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

3/29/2013 6:31:54 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111] - Driver Samsung ML-1250/ML-250 required for printer !!FORDFAMILY-PC!Samsung Mono is unknown. Contact the administrator to install the driver before you log in again.

3/28/2013 10:28:34 PM, Error: TermDD [56] - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 192.168.0.111.

.

==== End Of File ===========================


Hi there.

You have a nasty infection on this system, called Zero Access.

As this is a company-used computer, the most secure and fastest solution is a reformat and reinstall.

We can try to clean it, but this will restore a lot of settings to their defaults and I won't be responsible if some things won't work after the cleanup process.

Also, you must have Administrator permissions for this PC; otherwise you have to contact the SysAdmin.

Your choice :)


Hi,

Thanks for your response. Reformat and reinstall it is. As you can see, there is not much on this machine. Very few installed programs and no data to speak of.

I am the de facto system admin, with some help from an outside consultant. Our system is about 8 clients with an SBS server running Exchange.

Big question: could Zero Access have moved to other clients or, heaven forbid, the server? They all scanned clean, but so did the infected computer. The mailbot appears to have been stopped. The infected computer was connected to the network for some of the day yesterday, but has been disconnected from the network for the last 14 hours.

Thank you.


Hi there.

Good choice.

ZA is a backdoor which works as both client and server via a P2P protocol. I am not aware that it spreads over the network to other clients or servers. The possibility exists, but I have never read or heard of that.

I can look over a different client if you want.

By the way, if this system has not been reformatted yet, could you check whether these 2 files still exist?

C:\Users\bford\AppData\Roaming\noenr.dll
C:\Users\bford\AppData\Roaming\windo.dll


Thanks for your continued help.

C:\Users\bford\AppData\Roaming\noenr.dll does not exist in that directory.

C:\Users\bford\AppData\Roaming\windo.dll does exist in that directory.

Why is this interesting?

Regarding other clients: the immediately recognized effect of this infection was turning the client into a spambot. We were almost immediately blacklisted on CBL, Spamhaus, etc. It appears that running MBAM immediately stopped the spambot. I went to all of the clients, including the infected computer, and ran and watched TCPView. None showed any activity to :SMTP or :25, so I think the spambot is temporarily dead on the infected computer and is not operating on any of the other clients.

What was the signature for ZA that you saw in the printout from the infected computer? Can I simply check for that signature on the other clients?

Finally, I have been watching the server and MBAM Pro and have been denying access to several known "bad" mail IPs (204.12.225.74) that are trying to reach edgetransport.exe, which I think is part of the SMTP engine for Exchange. We have now restricted all outbound port 25 traffic to only traffic coming from Exchange. We probably should have done that long ago.

Thanks again.

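The check the poster did by eye in TCPView (any client with a socket to a remote :25), scripted so it can be run on every workstation in the domain, plus a host-firewall equivalent of the "only Exchange may send on port 25" restriction for the clients themselves. This is an added example, not code from the thread or from Malwarebytes. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7; the submission ports 465/587 and the rule name are my additions (the thread only mentions port 25), and in this SBS setup only the Exchange server should ever need an exception.

```powershell
# Added example (not from the thread). Assumed: elevated PowerShell 2.0+ on Windows 7,
# Outlook talks to Exchange over RPC, so a workstation never needs direct SMTP.
$SmtpPorts = @(25, 465, 587)   # 25 is what the thread watched; 465/587 are my addition

function Get-SmtpConnections {
    # Parse 'netstat -ano' (IPv4 and IPv6 rows) and keep TCP sockets whose remote
    # port is an SMTP port, then resolve the owning process through WMI so that a
    # connection from anything other than an expected mail client stands out.
    $lines = netstat -ano
    foreach ($line in $lines) {
        if ($line -notmatch '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') { continue }
        $localEp, $remoteEp, $state, $procId = $matches[1], $matches[2], $matches[3], [int]$matches[4]
        # remote endpoint looks like 204.12.225.74:25 or [2001:db8::1]:25; port is after the last ':'
        $rport = [int]$remoteEp.Substring($remoteEp.LastIndexOf(':') + 1)
        if ($SmtpPorts -notcontains $rport) { continue }
        $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $procId"
        New-Object PSObject -Property @{
            Local = $localEp; Remote = $remoteEp; State = $state; PID = $procId
            Process = $(if ($proc) { $proc.Name } else { '<exited>' })
            Image   = $(if ($proc) { $proc.ExecutablePath } else { '' })
        }
    }
}

function Add-WorkstationSmtpBlock {
    # Windows 7 has no New-NetFirewallRule cmdlet; netsh advfirewall is the interface.
    # Blocks outbound TCP to the SMTP ports for every program on this workstation.
    # On the server the equivalent is an allow rule scoped to Exchange's EdgeTransport.exe
    # placed ahead of the block; the poster enforced that on the perimeter firewall instead.
    $ports = ($SmtpPorts -join ',')
    netsh advfirewall firewall add rule name="Block outbound SMTP (workstation)" `
        dir=out action=block protocol=TCP "remoteport=$ports" enable=yes profile=any
    netsh advfirewall firewall show rule name="Block outbound SMTP (workstation)"
}

# Run on each client: an empty table is what you want to see on a clean workstation.
Get-SmtpConnections | Select-Object Process, PID, Local, Remote, State, Image | Format-Table -AutoSize

# Uncomment once you have confirmed nothing legitimate on the workstation needs direct SMTP:
# Add-WorkstationSmtpBlock
```

A spambot that is only paused, as the poster suspects, will show up again the moment it reconnects, so the block rule is worth leaving in place on the clients even after the infected machine is rebuilt: with it, a future infection can still be detected (blocked-connection events in the firewall log) but cannot get the public IP blacklisted again.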

I learned from my networking professor:

First thing when setting up a firewall is to disallow everything. ;)

ZA is very good at hiding itself, and it took a lot of hard work from some of our developers to create a tool which is able to find and kill it.

It is known to kill some security-related services (most times BFE, which is needed for the firewall), and in combination with this entry, LSP: mswsock.dll, I can see that ZA is working here.

I doubt that ZA is responsible for your email spam. It often drops different kinds of malware on your system, and the files I asked for are very interesting to me. But as written in the link, it is a backdoor bot controlled by somebody, and maybe he wanted to spam a little bit :D

These days, malware can get onto your system in a lot of ways. Simply visiting a compromised site (called a drive-by infection) would be enough, and there is an ongoing attack on a lot of popular sites.

You can read about this here --> http://arstechnica.c...ks-20000-sites/

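To answer the "can I check the other clients for the same signature" question with something more repeatable than eyeballing a DDS log: the script below, an added example and not code from the thread or from Malwarebytes, pulls out the indicators that are actually visible in the log above and that the helper points at: HKCU/HKLM Run values that launch rundll32 with a DLL under a user profile (the noenr.dll / windo.dll lines), the state of BFE and the services that depend on it (the log also shows Windows Defender disabled and a blocked driver), DLLs sitting directly in any profile's AppData\Roaming root with their SHA256 so they can be submitted, and the Winsock catalog. It assumes an elevated PowerShell 2.0 or later prompt on a Windows 7 x64 client; the "DLL in the Roaming root" heuristic and the service list are my choices. The caveat the helper gives still applies: ZA hides its own files, so a clean result here is necessary but not sufficient, and does not replace the dedicated removal tool.

```powershell
# Added example (not from the thread). Assumed: elevated PowerShell 2.0+ on Windows 7 x64.
# Surfaces the indicators visible in the DDS log; it is not a rootkit scanner.

function Get-SuspiciousRunEntries {
    # Run values that launch rundll32 with a DLL under a user profile, as the two
    # 'uRun' lines (noenr.dll / windo.dll under AppData\Roaming) in the log do.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on x64
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # PSPath, PSParentPath, ... are not values
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)rundll32' -and $cmd -match '(?i)(\\Users\\|\\AppData\\|%APPDATA%)') {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-SecurityServiceState {
    # The helper reports ZA stopping the Base Filtering Engine; Windows Firewall (MpsSvc)
    # depends on BFE, and the log shows Windows Defender disabled. 'MISSING' means the
    # service registration itself is gone, which is worse than 'Stopped'.
    foreach ($name in 'BFE', 'MpsSvc', 'WinDefend', 'wscsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { [string]$svc.Status } else { 'MISSING' }
        New-Object PSObject -Property @{ Service = $name; Status = $status }
    }
}

function Get-ProfileRootDlls {
    # Heuristic (mine): legitimate software installs under a vendor subfolder, so a DLL
    # directly in AppData\Roaming is worth a look. Hash it so it can be compared or submitted.
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    foreach ($f in Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\*.dll' -Force -ErrorAction SilentlyContinue) {
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try   { $hash = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
        New-Object PSObject -Property @{
            Path = $f.FullName; Size = $f.Length; Created = $f.CreationTime; SHA256 = $hash
        }
    }
}

function Show-WinsockCatalog {
    # The helper reads the 'LSP: mswsock.dll' line as a ZA sign. mswsock.dll is also the stock
    # Microsoft provider, so compare the whole catalog against a known-clean client and look for
    # a provider path outside System32 or a Layered Service Provider you did not install.
    netsh winsock show catalog | Where-Object { $_ -match '^(Entry Type|Description|Provider Path):' }
}

Write-Host '== Run entries loading a DLL from a user profile via rundll32 =='
Get-SuspiciousRunEntries | Select-Object Key, Name, Command | Format-Table -AutoSize
Write-Host '== Security services (Stopped / MISSING is a red flag) =='
Get-SecurityServiceState | Select-Object Service, Status | Format-Table -AutoSize
Write-Host '== DLLs in an AppData\Roaming root =='
Get-ProfileRootDlls | Select-Object Path, Size, Created, SHA256 | Format-List
Write-Host '== Winsock catalog (compare with a clean client) =='
Show-WinsockCatalog
```

Run it on a client you believe is clean first and keep that output; differences on the other seven machines are then easy to spot, and the SHA256 of anything that turns up in a Roaming root can be handed to the helper along with the two file names he asked about.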

Thanks.

Would MBAM Pro running with "Enable Malicious Website Blocking" have prevented this infection?

If not, is there software that would? If not, what can a user do to keep this from happening, especially since infections can come from legitimate sites that have been compromised (e.g. LATimes)?

How do you personally protect your computer from such attacks when browsing?


Would MBAM Pro running with "Enable Malicious Website Blocking" have prevented this infection?

Nope. Website Blocking won't let you (or a file) connect to known bad sites. This list is updated very often.

If not, is there software that would?

A sandboxed browser can help. As far as I am aware, Chrome runs sandboxed, but if you really want to be sure, I would install Sandboxie.

Keeping all your software up to date is very important too. Exploits use vulnerabilities in browsers, PDF readers, Java ....

Unknown exploits are very dangerous these days. Some security suites offer protection against them, but if they are new, there are no signatures until they get them.

How do you personally protect your computer from such attacks when browsing?

In my situation, I don't protect my research machine against anything :D (well, it will only be used for this), and with my main system I rarely surf other sites than the security forums and Facebook.

Our work here is very time-consuming to stay updated on.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
