Removing exploit:win32/cve-2011-0096 AND Win32/Pdfjsc.FP


Okay guys, first of all thanks in advance for the assistance. Recently took over a new network (two actually) and I'm in the process of cleaning up the mess from the previous administrator. No security updates had been applied in over a year on most if not all of the servers. At any rate, I have a 2003 Server machine that's bugged out on me (which happens to be the machine they have POP3 running on (no Exchange :( ) and my Backup Exec software). Installed M$ Security Essentials and it keeps giving me the following items detected:

Exploit:Win32/Pdfjsc.FP

and a few instances of

Exploit:Win32/CVE-2010-0188.C

I need to get these off this box with as little damage as possible. To rebuild what's on here, let's just say I'd be at a loss as there's no prior documentation. I understand from what I've read these are both two nasty-ass Trojans with rootkits. I've fully updated the server now, however, these obviously keep coming back.

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


And here's the ARK file.

Thanks

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-10 13:53:34
Windows 5.2.3790 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\00000066 DELL____ rev.1.11 408.38GB
Running: ifpb3yuj(2).exe; Driver: C:\DOCUME~1\ADMINI~1.VRT\LOCALS~1\Temp\1\uwlcypob.sys


---- System - GMER 2.1 ----

SSDT            89DD2050                                                                    ZwAlertResumeThread
SSDT            8A63A050                                                                    ZwAlertThread
SSDT            89DEB1E8                                                                    ZwAllocateVirtualMemory
SSDT            89D57188                                                                    ZwCreateMutant
SSDT            8A03B8B8                                                                    ZwCreateThread
SSDT            8A7F9578                                                                    ZwFreeVirtualMemory
SSDT            89DD6050                                                                    ZwImpersonateAnonymousToken
SSDT            89DC8050                                                                    ZwImpersonateThread
SSDT            8A7F94D8                                                                    ZwMapViewOfSection
SSDT            89DC4050                                                                    ZwOpenEvent
SSDT            8A60C0D8                                                                    ZwOpenProcessToken
SSDT            89D820D0                                                                    ZwOpenThreadToken
SSDT            8B21E7F0                                                                    ZwResumeThread
SSDT            8A646050                                                                    ZwSetContextThread
SSDT            89D82008                                                                    ZwSetInformationProcess
SSDT            89DEED60                                                                    ZwSetInformationThread
SSDT            8A476088                                                                    ZwSuspendProcess
SSDT            8A5EB050                                                                    ZwSuspendThread
SSDT            89DEC450                                                                    ZwTerminateProcess
SSDT            8A6BB050                                                                    ZwTerminateThread
SSDT            8A63D050                                                                    ZwUnmapViewOfSection
SSDT            89DEB158                                                                    ZwWriteVirtualMemory

---- Devices - GMER 2.1 ----

Device                                                                                      mrxsmb.sys
Device                                                                                      rdpdr.sys
Device                                                                                      B74101C2

AttachedDevice                                                                              fltMgr.sys

---- Registry - GMER 2.1 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime  11910

---- EOF - GMER 2.1 ----
 


Fix with FRST (normal mode)

  • Open Notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKLM\...\Command Processor:  <======= ATTENTION
    Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
    CMD: netsh winsock reset

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware


  • If not existing, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

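The fixlist above touches two persistence points that are worth being able to check yourself on any Windows box: the Command Processor AutoRun value (anything stored there runs every time cmd.exe starts) and the Winsock namespace catalog (the "Catalog5" FRST refers to), whose LibraryPath entries name DLLs that get loaded into every process that uses Winsock. The script below is an added, read-only example written for this thread; it is not FRST's code and not something the helper posted. It assumes the standard registry locations named in the comments and that a legitimate namespace provider DLL lives under %SystemRoot%\system32. It only reports; it changes nothing.

```powershell
# Added example, not part of the thread and not FRST's own code: a read-only
# audit of the two persistence points the fixlist above touched. Reports only;
# it changes nothing. Run from an elevated PowerShell prompt.
# Assumptions: the standard registry locations below, and that a legitimate
# namespace provider DLL lives under %SystemRoot%\system32.

$findings = @()

# 1. Command Processor AutoRun: any command stored here is executed every time
#    cmd.exe starts, so a non-empty value deserves a look (HKCU applies per user).
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Command Processor',
                 'HKCU:\SOFTWARE\Microsoft\Command Processor') {
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autorun) {
        $findings += [pscustomobject]@{
            Location = "$key\AutoRun"
            Value    = $autorun
            Note     = 'Non-empty AutoRun (normally absent)'
        }
    }
}

# 2. Winsock namespace catalog ("Catalog5"). Each entry's LibraryPath names the
#    provider DLL; flag entries that are missing, point outside system32, or
#    have no path at all. Catalog_Entries64 exists only on 64-bit Windows.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5'
foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
    $catalog = Join-Path $base $sub
    if (-not (Test-Path $catalog)) { continue }
    foreach ($child in Get-ChildItem -Path $catalog) {
        $entry = Get-ItemProperty -Path $child.PSPath
        $raw   = $entry.LibraryPath
        $note  = $null
        if (-not $raw) {
            $note = 'Entry has no LibraryPath'
        } else {
            $path = [Environment]::ExpandEnvironmentVariables($raw)
            if (-not (Test-Path $path)) {
                $note = 'LibraryPath does not exist on disk'
            } elseif ($path -notlike "$env:SystemRoot\system32\*") {
                $note = 'LibraryPath outside %SystemRoot%\system32'
            }
        }
        if ($note) {
            $findings += [pscustomobject]@{
                Location = "$sub\$($child.PSChildName)\LibraryPath"
                Value    = $raw
                Note     = $note
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No anomalies found in Command Processor AutoRun or NameSpace_Catalog5.' }
```

Note what this does and does not catch: the AutoRun check corresponds directly to the "Value deleted successfully" line FRST reports further down, but the catalog check is deliberately coarser than FRST's. In this thread FRST flagged slot 03 because it knew which provider DLL belongs in that slot; the script above would not flag mswsock.dll, since it is a real Microsoft DLL in system32. Use it to spot gross anomalies, and compare its full output against a known-good machine of the same Windows version before deciding anything about an individual entry.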

Much appreciated. Below is the fix log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-03-2014 02
Ran by administrator at 2014-03-11 08:46:52 Run:1
Running from C:\Documents and Settings\Administrator.VRTECH\My Documents\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Command Processor:  <======= ATTENTION
Winsock: Catalog5 03 %SystemRoot%\System32\mswsock.dll [256000] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

CMD: netsh winsock reset
*****************

HKLM\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll

=========  netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========


==== End of Fixlog ====

 

Running Malwarebytes now.


Malwarebytes locked up on me. Running again. Also I should have about 10 Pro licenses coming today. Just running the free version now. Again much appreciated. I could read HijackThis logs with the best of them years ago, but got out of it a bit and went a different way in my career; now I'm back as a sysadmin and yeah... back at it cleaning up someone else's mess.

 

I'll report back soon with the malwarebytes scan.


I may need to so I can brush up on all the new crap they've come out with. Damn... Malwarebytes keeps locking up and not responding. I'm going to give it a few and see if it starts responding because I can't keep rebooting this server as it's our outgoing POP3 (sigh) server.


Stop Malwarebytes and update Adobe Reader on this machine:

Adobe Reader out of date

Your Adobe Reader is outdated. We will fix this.


  • Get the current software from here. Important: Uncheck any optional software (for example Google Chrome, etc.) offered.
  • Run setup and follow the instructions.
  • Click on Start --> Control Panel --> Add/Remove Programs.
  • Search for and remove any older Reader versions.

Reboot the system now!

Tell me if the problem is still detected.


Malwarebytes started running again, going to let it finish.

I'm updating the Adobe now.

Adobe... REALLY?!! This server isn't even used for anything but backups and our outgoing POP server. Perhaps I should update all our clients as well I'm guessing?


Re-running it, one of my other admins didn't know it was running and terminated my damn session. Ugh. Lol.

Hasn't found anything yet, but MSE did find another instance pop up when I just rebooted. So I'm re-running the scan. I wish my Pro version licenses would get here.

Yesterday when I ran Malwarebytes it never found any infection. We'll see, hang with me, I appreciate it.