ISP claims a computer in my network is infected with Torpig / Sinowal

[hernil]

Info: I'm a computer science student. This is about a small office (6-7 people) where I occasionally do freelance IT-work. If it somehow violates forum policy to ask for support for a company, please let me know!

 

Hello!

 

Some time ago our ISP contaced us saying we were "infected with malware and sending out spam". Virus software (Norton Internet Security) had reported nothing. Long story (involving firewall block of SMTP-ports etc.) short, they block our internet access. We take all machines on the network off the net and take in another machine as temporary internet access.

 

I know they have done some attempts at cleaning this without finding anything so now I'm trying. The malware is supposedly of type Torpig / Sinowal, which is a rootkit. I have now done a scan with mbar on machines where I found a Trojan.Vundo on one of them (this has been removed), but no Torpig. What I'm wondering is whether mbar is known for finding Torpig, in which case I can safely assume that the infection is fixed and put the machines back online, or if I have to try another approach for finding this malware.

 

I'm pasting the log where mbar removed Vundo.

 

Apprichiate any help and tips I get!

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org
 
Database version: v2013.07.16.02
 
Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
Perolav :: DAK4XP [administrator]
 
16.07.2013 13:58:00
mbar-log-2013-07-16 (13-58-00).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 227569
Time elapsed: 1 hour(s), 38 minute(s), 6 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__c00641FC (Trojan.Vundo) -> Delete on reboot.
 
Registry Values Detected: 1
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|A00F20882C35.exe (Trojan.Vundo) -> Data: C:\DOCUME~1\Perolav\LOKALE~1\Temp\_A00F20882C35.exe -> Delete on reboot.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)

[Psychotic]

Hi there,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs
DDS.txt
Attach.txt
Save both reports to your desktop.
 
 
 
Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

• Execute TDSSKiller.exe by doubleclicking on it.
• Press Start Scan
• If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  
• Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
  

Please post the contents of that log in your next reply.

[hernil]

Hi Marius!

Another thing I forgot to mention is that I started a combofix scan on the machine with the Vundo trojan. I'm going to let that finish before starting to follow your instructions. I also have no active internet connection on the potentially infected machines, but I can download software and use a USB-stick to transfer when needed  

 

Should I be doing this on all machines or keep the focus on the one that had the Vundo infection?

[Psychotic]

How many machines seem be infected? This is a forum for home users, not for enterprises.

Also, who told you to run combofix? Do you know what it does to your sensible business data and are you trained to interprete its log?

[hernil]

I do not know the number of machines as they are on the same LAN using the same public IP. There are 8 machines _potentially_ infected but I do not know which one.

 

I ran combofix because I have used it previously for fighting infections, although some years ago. I remembered it as a tool for creating logs, which I figured could only help. And even though I do not have any training in interpreting it I gave it a try. Sorry if this complicates things!

[Psychotic]

Combofix does changes to the system and is one of the most mighty tools out there.

If you don´t exactly know what you are doing, it may turn a computer into a very expensive door stop.

 

Wait it to complete and post up the log...

[hernil]

Ok. wont happen again!

 

Here is the ComboFix log

ComboFix 13-07-15.01 - Perolav 17.07.2013  14:03:22.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.47.1044.18.1014.596 [GMT 2:00]
Kjører fra: c:\documents and settings\Perolav\Skrivebord\0_nils\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ADVARSEL -DENNE MASKINEN HAR IKKE GJENOPPRETTINGSKONSOLLEN INSTALLERT !!
.
.
(((((((((((((((((((((((((((((((((((((((   Andre slettinger   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Perolav\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((((   Filer Opprettet Fra 2013-06-17 til 2013-07-17  )))))))))))))))))))))))))))))))))
.
.
2013-07-17 09:45 . 2013-07-17 11:33    --------    d-----w-    c:\documents and settings\All Users\Programdata\Malwarebytes' Anti-Malware (portable)
2013-07-16 11:56 . 2013-07-16 11:56    --------    d-----w-    c:\documents and settings\All Users\Programdata\Malwarebytes
2013-07-16 11:56 . 2013-07-16 11:56    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-15 08:50 . 2012-08-01 09:20    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-15 08:50 . 2011-10-02 18:21    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-29 12:49 . 2013-04-29 12:49    94112    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-04-29 12:49 . 2012-08-01 11:37    866720    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-04-29 12:49 . 2010-06-07 07:17    788896    ----a-w-    c:\windows\system32\deployJava1.dll
2013-04-29 12:49 . 2009-08-18 09:03    144896    ----a-w-    c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((   Oppstartspunkter I Registeret   )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke   
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaSuite.exe"="c:\programfiler\Nokia\Nokia Suite\NokiaSuite.exe" [2012-05-16 1084840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"ccApp"="c:\programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"A0"="c:\documents and settings\Perolav\Skrivebord\0_nils\mbar\mbar.exe" [2013-06-01 769096]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - c:\programfiler\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06.05.2006 13:00 642560]
R2 HDDFC;Hard Disk Noise Control;c:\programfiler\Fujitsu Siemens\Hard Disk Noise Control\HDDFC.exe [22.03.2005 11:51 155745]
R2 SavRoam;SAVRoam;c:\programfiler\Symantec AntiVirus\SavRoam.exe [17.04.2005 12:30 124608]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [16.07.2013 13:56 35144]
R3 SMBus_2k;SMBus_2k;c:\windows\system32\drivers\SMBus_2k.sys [23.03.2006 10:29 14208]
.
--- Andre tjenester/drivere lastet i minnet ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - EraserUtilDrv11220
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-27 05:17    1165776    ----a-w-    c:\programfiler\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)
.
2013-07-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-01 08:50]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2010-01-31 16:50]
.
2013-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programfiler\Google\Update\GoogleUpdate.exe [2010-01-31 16:50]
.
.
------- Tilleggsskanning -------
.



TCP: DhcpNameServer = 217.13.4.24 217.13.7.140 8.8.8.8
.
- - - - TOMME PEKERE FJERNET - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\programfiler\Java\jre7\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-17 15:17
Windows 5.1.2600 Service Pack 3 NTFS
.
skanner skjulte prosesser ...   
.
skanner skjulte autostart-oppføringer ...  
.
skanner skjulte filer ...   
.
skanning vellykket
skjulte filer: 0
.
**************************************************************************
.
--------------------- LÅSTE REGISTERNØKLER ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Tidspunkt ferdig: 2013-07-17  15:21:34
ComboFix-quarantined-files.txt  2013-07-17 13:21
.
Pre-Run: 24 144 744 448 byte ledig
Post-Run: 32 050 188 288 byte ledig
.
- - End Of File - - 6CE5A40E8C5CFFDBB6D224682E2B050B
8F558EB6672622401DA993E1E865C861

[Psychotic]

Scan this computer with the following tools:

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  
  • Sections
  • IAT/EAT
  • Show All ( should be unchecked by default )
    

  [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.
  

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[hernil]

As mentioned I do not have a working internet connection on the potantially infected machines

 

Also, is this something to do on all of the machines or should I focus on the one where mbar found the Vundo trojan?

 

Thanks for bearing with me btw!

[Psychotic]

Did you do any scans on the other machines yet?

[hernil]

I scanned with mbar (Malwarebytes anti rootkit tool)

[Psychotic]

and this was the only machine with detections?

[hernil]

Yes!

[Psychotic]

Get this machine back to the net.

 

Update Malbware bytes antimalware and run a full system scan.

 

also, run a full system scan with ESET as shown above.

 

Post up both logs

[hernil]

I really would rather not put this machine on the net as my ISP has already blocked access once due to the malware. It's, to put it mildly, not very practical to not have internet access ...

 

Any way I can transfer an update of mbam from one machine to another with my USB stick?

[Psychotic]

As I see the situation, you don´t have a virus on this machine. The ISP detected Vundo, not the sinowal rootkit.

You may get an update here: http://data-cdn.mbamupdates.com/tools/mbam-rules.exe

[hernil]

No, the ISP was contacted by NorCERT with this message:

 

Complaints: 20
Last complaint: Wed Jun 05 06:45:05 CEST 2013
First complaint: Mon Apr 22 06:33:41 CEST 2013
IP: 113.175.128.80
Info: contacted known sinkhole (torpig)

(I scrambled the IP)

 

Do you want me to go ahead with an MBAM scan even though I previously used MBAR?

[Psychotic]

You´ve used MBAM before, so scan with it.

c:\documents and settings\All Users\Programdata\Malwarebytes' Anti-Malware (portable)

In none of the logs I´ve seen from this machine are signs of mebroot/torpig to be seen. Trojan.Vundo may also trigger some ISPs detection functionality so that may be a semi false positive.

 

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!