AdvancedSetup (Root Admin), posted May 16, 2016: Sounds good. Let me know.
Jurionx (Author), posted May 17, 2016: Hey Ron, I am not too sure how to use WinPatrol. I had it running in the background, supposedly monitoring stuff, but the malware is back with no notifications. I have attached both the hijack log and the WinPatrol log just in case. Could you advise? Thanks!
Attachments: HijackPatrol.log, WinPatrolLog.txt
AdvancedSetup (Root Admin), posted May 17, 2016: Well, that was an interesting evening of research. WinPatrol does not monitor it in the free version. So I went out looking for other tools that might be able to do it in real time and so far could not find any others that actually work. There are a couple of other tools out there, but development stopped on them years ago and they don't seem to work too well on Windows 10, or at least did not provide even close to the real-time reporting that I was looking for.
If you think you can get the autoconfig entry to load on demand or quickly, then you could monitor it in real time using Process Monitor from Microsoft: https://technet.microsoft.com/en-us/sysinternals/bb896645
This program will save very large files quickly as it monitors everything going on with the system.
Extract the files from the zip into their own folder.
Then run Procmon.exe with Admin rights by right-clicking over it and choosing "Run as administrator".
With it running, try to get the autoconfig change to happen if you can.
Then click on File > Save and save the Process Monitor log file to some location you can find.
Then zip that file up and, if it's 30MB or less, send it to me in a PM.
AlexSmith, posted May 17, 2016: Sounds like you have a variant of this: https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/ Now we need to uncover the Scheduled Task that appears legit that is doing this.
Jurionx (Author), posted May 17, 2016:
Quoting AlexSmith (4 hours ago): Sounds like you have a variant of this: https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/ Now we need to uncover the Scheduled Task that appears legit that is doing this.
@AlexSmith yep, it sounds exactly like that. @AdvancedSetup I'll try my best.
TwinHeadedEagle, posted May 17, 2016: @AlexSmith Bitdefender blogged about an older variant. The one @Jurionx has is newer.
Jurionx (Author), posted May 17, 2016: @AdvancedSetup The malware injects itself at 0200 hrs my time, and I had Procmon running and saved the file; however, it's 69MB in size. Here's a Drive link for you to get the file: https://drive.google.com/file/d/0B93uw01hFu8yUG9odWZsTTdBa3c/view?usp=sharing
AlexSmith, posted May 17, 2016 (edited):
Quoting Jurionx (41 minutes ago): @AdvancedSetup The malware injects itself at 0200 hrs my time, and I had Procmon running and saved the file; however, it's 69MB in size. Here's a Drive link for you to get the file: https://drive.google.com/file/d/0B93uw01hFu8yUG9odWZsTTdBa3c/view?usp=sharing
BINGO!! This is exactly what was needed. The program that is launching nslookup AND creating the registry key is what appears to be a compromised/hijacked version of InstallShield at C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe. That also happens to be one of your Scheduled Tasks.
Edited May 17, 2016 by AlexSmith
AdvancedSetup (Root Admin), posted May 17, 2016: Please delete the scheduled task for this. If you need help or want me to write a script to remove it, let me know, but you should be able to manually remove it.
Task: {BB5B6B42-5F41-4F73-86AE-40E646634EDC} - System32\Tasks\InstallShield® Update Service Scheduler => C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe [2016-04-21] (InstallShield®)
C:\Program Files (x86)\Common Files\InstallShield\updateservice
Then restart the computer and let me know if that has taken care of it.
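One way to carry out the triage and removal described in this post from an elevated PowerShell prompt on Windows 10. This is an added example, not code from the thread or from Malwarebytes; it assumes only the task name and the ISUSPM.exe path quoted in the FRST line above, and the desktop path for the backup copy is an arbitrary choice.

```powershell
# Added example: inspect, record and then remove the scheduled task that launches ISUSPM.exe.
# Run from an elevated PowerShell prompt so that all tasks and their principals are visible.
$ExpectedExe = 'C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe'

# 1. Find every task whose action executes ISUSPM.exe (the path quoted in the FRST line) and
#    show where it lives, what it runs, who it runs as, and when it last/next fires.
#    Matching on the executable rather than the task name also catches a renamed copy.
$tasks = Get-ScheduledTask | Where-Object { $_.Actions.Execute -like '*\ISUSPM.exe' }
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $t.TaskPath + $t.TaskName
        State   = $t.State
        RunsAs  = $t.Principal.UserId
        Action  = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
        NextRun = $info.NextRunTime
    }
}

# 2. Record the SHA-256 of the launched file so it can be compared against VirusTotal,
#    as done later in this thread, before the file or task is touched.
if (Test-Path -LiteralPath $ExpectedExe) {
    Get-FileHash -Algorithm SHA256 -LiteralPath $ExpectedExe | Select-Object Hash, Path
}

# 3. Keep an XML copy of each task definition (trigger, action, principal) for the record,
#    then unregister the task. Restart afterwards, as the post above says, and re-check.
foreach ($t in $tasks) {
    $backup = Join-Path ([Environment]::GetFolderPath('Desktop')) ("$($t.TaskName).xml")
    Export-ScheduledTask -InputObject $t | Out-File -FilePath $backup -Encoding unicode
    Unregister-ScheduledTask -InputObject $t -Confirm:$false
}
```

Re-running step 1 after the restart should list nothing; if the task reappears, whatever recreated it is the next thing to trace in Process Monitor.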
Jurionx (Author), posted May 18, 2016: I am not very sure how to go about deleting the compromised task, could you give me a hand? Thanks!
AdvancedSetup (Root Admin), posted May 18, 2016: No problem. Please run the following. Then monitor the situation and let me know how things are now.
Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.
Attachment: fixlist.txt
Thanks
AdvancedSetup (Root Admin), posted May 18, 2016: Can you please zip or rar this file and attach it as well so that we can examine it.
C:\Program Files (x86)\Common Files\InstallShield\updateservice\ISUSPM.exe
Jurionx (Author), posted May 18, 2016: Here ya go. Will continue to monitor the situation.
Attachments: ISUSPM.zip, Fixlog.txt
AdvancedSetup (Root Admin), posted May 18, 2016 (edited): Thanks. The file scans clean, 0/56 detections from VirusTotal: https://www.virustotal.com/en/file/ac8eb654b491c3c321938307893469a1a78067e828981f2269093517cf158a9d/analysis/1463554376/
Reboot the computer a couple of times, keep an eye on it and let me know.
Edited May 18, 2016 by AdvancedSetup
Jurionx (Author), posted May 22, 2016: So far so good, @AdvancedSetup, @AlexSmith. I think the issue's been fixed. If only I knew where it came from though. Thank you guys so much for the patience and help, I always knew I could count on MBAM and the people behind it!
AdvancedSetup (Root Admin), posted May 22, 2016: Great, glad to hear it. Where it came from is difficult, as one needs to actually be more concerned and spend a significant amount of time in forensic study, which we typically don't have time for, and thus we try to detect and remove it instead.
At this time there are no more signs of an infection on your system. However, if you are still seeing any signs of an infection, please let me know.
Let's go ahead and remove the tools and logs we've used during this process. Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time. They are often updated daily, so if you went to use them again in the future they would be outdated anyways. The following procedures will implement some cleanup procedures to remove these tools.
Download Delfix from here and save it to your desktop. (You may already have this.)
Ensure "Remove disinfection tools" is checked.
Click the Run button.
Reboot.
Any other programs or logs that are still remaining, you can manually delete (right click > Delete). I.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner: just run the program and click uninstall.
If there are any other left-over folders, files or logs, then you can delete them on your own.
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8
Remove all but the most recent Restore Point on Windows XP
As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java
A lot of reading here, but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well.
Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected, it can easily damage, encrypt, delete, or corrupt your backups as well, and then you'd lose all data. Nothing is 100% bulletproof, but with a little bit of education you can certainly swing things in your favor.
How Malware Spreads - How did I get infected
Best Practices for Safe Computing - Prevention of Malware Infection
Avoiding those unwanted free applications
A close look at how Oracle installs deceptive software with Java updates
IAC / Ask.com toolbars
Malwarebytes Unpacked Blog
If you're not currently using Malwarebytes Premium, then you may want to consider purchasing the product, which can also help greatly reduce the risk of a future infection.
Jurionx (Author), posted May 23, 2016: Noted, will proceed with the cleanup. Thank you so much Ron for giving me all the help and advice I needed. Thank goodness I got Premium and will continue to support MBAM!
AdvancedSetup (Root Admin), posted May 23, 2016: You're quite welcome. Take care and stay safe out there. I'll go ahead now and close your topic.
AdvancedSetup (Root Admin), posted May 23, 2016: Glad we could help. :)
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!