rpheus

Help much appreciated - Malware tampering with lsass.exe


Hi guys, 

I would really appreciate a bit of help on a malware issue I've been getting on my PC lately. 

I recently started noticing hundreds upon hundreds of Malwarebytes popups about outbound connections to some malicious site, coming from my own system32\lsass.exe (over 120 Malwarebytes notifications a day about these outbound connections; I've attached a screenshot of one such call for reference). Evidently it would seem like some malware has tampered with my lsass.exe to produce this behaviour, so I ran a Malwarebytes scan on all my drives for viruses. The scan returned about 10 pieces of malware, but even after quarantining the 10 files in question, the popups continue to occur (I've attached a copy of the scan results for reference). I ran a couple more MB scans on the PC but none of them found any malware. I also ran AdwCleaner and FRST but to no avail (results also attached in the post).

Can anyone knowledgeable shed some light on what kind of malware I'm dealing with here and also the severity of the issue? I really don't want to reset my PC due to the sheer volume of programs I'd have to reinstall but if the issue is severe, should I just reset my PC?

spam1.PNG

AdwCleaner[C00].txt AdwCleaner[S00].txt AdwCleaner[S01].txt FRST.txt MalwarebyteScan0524.txt Addition.txt

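An added triage example, my own code and not part of the thread or of any Malwarebytes tool: before concluding that the file itself has been tampered with, check the running lsass.exe's path and signature, the TCP connections its PID owns, and which modules are loaded into it. It assumes an elevated PowerShell prompt on Windows 8 or later (Get-NetTCPConnection comes from the NetTCPIP module) and nothing specific to the poster's machine.

```powershell
# Added example, not from the thread: triage the lsass.exe that Malwarebytes is
# attributing the outbound connections to. Run from an elevated PowerShell prompt
# on Windows 8/10 or newer.

$lsass    = Get-Process -Name lsass -ErrorAction Stop
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
# Path can be empty when the process is protected; fall back to the expected location.
$image    = if ($lsass.Path) { $lsass.Path } else { $expected }

# 1. Is the running image the genuine file, and does its signature still verify?
#    Inbox binaries are catalog-signed; Get-AuthenticodeSignature consults the
#    catalogs on Windows 8+ and reports 'Valid' for an untouched lsass.exe.
$sig = Get-AuthenticodeSignature -FilePath $image
[pscustomobject]@{
    Pid          = $lsass.Id
    Path         = $image
    ExpectedPath = ($image -ieq $expected)
    SigStatus    = $sig.Status
    Signer       = $sig.SignerCertificate.Subject
    Sha256       = (Get-FileHash -Path $image -Algorithm SHA256).Hash
} | Format-List

# 2. Which TCP connections does that PID hold right now? On a standalone home PC
#    lsass has no business talking to arbitrary Internet hosts.
Get-NetTCPConnection -OwningProcess $lsass.Id -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Listen' -and
                   $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
    Select-Object LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize

# 3. A clean on-disk lsass.exe plus suspicious connections usually means code was
#    injected into the process or a driver is redirecting it. List loaded modules
#    that are unsigned or not Microsoft-signed. If LSA protection (RunAsPPL) is on,
#    enumeration fails with Access Denied; that is expected, not a sign of infection.
try {
    $lsass.Modules |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FileName
            [pscustomobject]@{
                Module = $_.ModuleName
                Path   = $_.FileName
                Status = $s.Status
                Signer = $s.SignerCertificate.Subject
            }
        } |
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
        Format-Table -AutoSize
} catch {
    Write-Warning "Could not enumerate lsass modules: $($_.Exception.Message)"
}
```

If step 1 reports the expected path with a valid Microsoft signature while step 2 still shows Internet peers, the binary on disk is not what changed; look at the module list from step 3 and at driver services, which is where the thread ends up. A notification screenshot alone cannot distinguish these cases.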

Hello rpheus and welcome to Malwarebytes,

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Let me see those logs in your reply..

Thank you,

Kevin


One thing I found odd though was that I have over 1 million files on my computer but the scan only covered 200k files (possibly due to the MBAR quick scan). Is there any way I can opt for the 'Threat Scan' option on MBAR so that it scans all the files on my PC? Or is that not necessary?


Hiya rpheus,

Your system appears to be infected with some kind of rootkit, FRST did flag it but the entry is locked. I want you to run FRST via the recovery environment and see what that log shows us..

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Make sure to get the correct version for your system, 32-bit or 64-bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Plug the flash drive into the infected PC.

If you are using Windows 8 or 10, consult "How to use the Windows 8 or 10 System Recovery Environment Command Prompt" here: http://www.howtogeek.com/126016/three-ways-to-access-the-windows-8-boot-options-menu/ to enter the System Recovery Command Prompt.
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and then close Notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (frst.txt) on the flash drive. Please copy and paste it to your reply.

Thank you,

Kevin


Heyo Kevin!

I had a follow-up question if you don't mind: is there any way to determine what the rootkit is trying to achieve, given the outbound connections it's trying to make with the malicious site (i.e. steal personal/financial information, monitor user activity, etc.)? And since FRST seems to be struggling with identifying the root cause of the rootkit (no pun intended), are there any alternatives we can try before opting for the system wipe?


Hiya rpheus,

Rootkit infections are normally used to harvest information from your system, that usually will include logins and passwords, specifically any with financial impact. Being hidden usually means the damage is done before you know what is happening.

The identified entry, described as a rootkit and also a locked service (HKLM\SYSTEM\ControlSet001\Services\O5WDfL2T) <==== ATTENTION (Rootkit!/Locked Service), is strange as it is located in "ControlSet001", which is not really in use per se; "CurrentControlSet" is the one in use, and "ControlSet001" is a backup, as is "ControlSet002" if included.

Also FRST did not identify the associated driver, yet it was shown in error logs. "C:\WINDOWS\SYSTEM32\drivers\R8aGiOqW.sys"

How this got on your system is not easy to find out; usually some kind of Trojan will drop the rootkit in without your knowledge. One entry I did note was an AutoConfig setting, which was however missing its details (AutoConfigURL: [S-1-5-21-1844362408-2978432365-929442045-1001] => ). This may well have been some kind of proxy server access used to connect and possibly download the rootkit, after which the proxy is removed to cover tracks...

I'm not 100% sure what is happening at the moment, but hopefully more will unfold as we progress. For now please do the following:

Save the attached file fixlist.txt to your flash drive, same place as FRST.
Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Next,

Boot back to normal windows and run FRST again for logs...

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist", but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs, "FRST.txt" and "Addition.txt".


Thanks,

Kevin...

 

fixlist.txt

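As an added example (my code, not from the thread or from FRST), the script below first reads HKLM\SYSTEM\Select, which records the ControlSet00N that the CurrentControlSet link resolves to, then walks every ControlSet00N\Services key looking for driver services that resemble the flagged O5WDfL2T / R8aGiOqW.sys pair: a random-looking 8-character name, an ImagePath whose .sys is missing from disk or fails signature validation, or a key that even an administrator cannot open (what FRST reports as a locked service). It finishes by reading the per-user AutoConfigURL and proxy values the FRST line refers to. It assumes an elevated prompt on the live (non-RE) system and that the PAC setting belongs to the currently logged-on user; the 8-character name test is a heuristic, not a signature.

```powershell
# Added example, not from the thread: which ControlSet is live, and which driver
# services in any ControlSet look like the flagged O5WDfL2T / R8aGiOqW.sys pair.
# Run from an elevated PowerShell prompt on the live system (not the RE).

# HKLM\SYSTEM\Select records which ControlSet00N the CurrentControlSet link points to.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'CurrentControlSet -> ControlSet{0:D3} (Default={1}, LastKnownGood={2})' -f `
    $select.Current, $select.Default, $select.LastKnownGood

function Resolve-ImagePath {
    # Turn the registry forms (\??\C:\..., \SystemRoot\..., system32\...) into a Win32 path.
    param([string]$ImagePath)
    $ImagePath -replace '^\\\?\?\\', '' `
               -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
               -replace '^System32\\', "$env:SystemRoot\System32\"
}

$rows = foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -match '^ControlSet\d{3}$') {
    Get-ChildItem "$($cs.PSPath)\Services" -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = $_.PSChildName
        # Heuristic only: 8 chars, mixed case plus digits, like O5WDfL2T or R8aGiOqW.
        $random = $svc -cmatch '^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}$'
        try {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction Stop
        } catch {
            # A key that an administrator cannot read is what FRST calls a "Locked Service".
            [pscustomobject]@{ ControlSet = $cs.PSChildName; Service = $svc; Start = $null
                               ImagePath = $null; OnDisk = $null; SigStatus = 'KeyLocked'
                               RandomName = $random }
            return
        }
        # Type 1 = kernel driver, 2 = file-system driver; Start 0/1 = boot/system start.
        if ($p.Type -notin @(1, 2) -or -not $p.ImagePath) { return }
        $img    = Resolve-ImagePath $p.ImagePath
        $exists = Test-Path -LiteralPath $img
        $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $img).Status } else { 'FileMissing' }
        [pscustomobject]@{
            ControlSet = $cs.PSChildName
            Service    = $svc
            Start      = $p.Start
            ImagePath  = $p.ImagePath
            OnDisk     = $exists
            SigStatus  = $status
            RandomName = $random
        }
    }
}

# Only the oddities: random names, locked keys, missing or unsigned driver files.
$rows | Where-Object { $_.RandomName -or $_.SigStatus -ne 'Valid' } |
    Sort-Object ControlSet, Service | Format-Table -AutoSize

# The AutoConfigURL remnant FRST showed is a per-user Internet Settings value.
# An empty AutoConfigURL with ProxyEnable=0 is consistent with a PAC proxy that
# was set and later cleared; a populated one points at a live proxy script.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object AutoConfigURL, ProxyEnable, ProxyServer | Format-List
```

Run it both before and after a fix: a service that disappears from the live ControlSet but survives in another ControlSet00N, or a KeyLocked row that persists across reboots, is the kind of remnant a follow-up fixlist has to address.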

Heya Kevin, 

Here are the logs as requested - Based on my understanding you wanted me to FRST scan twice after rebooting from the recovery environment, so I've attached both results (not sure if that was what you meant) under FRST_FirstScan/FRST_SecondScan and Addition_FirstScan/Addition_SecondScan. 

Cheers,

rpheus

Addition_FirstScan.txt Addition_SecondScan.txt Fixlog.txt FRST_FirstScan.txt FRST_SecondScan.txt


Also forgot to mention that, whilst there was an error with removing HKLM\SYSTEM\ControlSet001\Services\O5WDfL2T according to the fixlog, the popup notifications from Malwarebytes have definitely stopped so far. Not sure what that means but I just wanted to raise that as well.


Hiya rpheus,

Apologies, I did not make my request clear. I wanted two logs from FRST, meaning frst.txt and addition.txt, not two of each... Anyway, the fix via the RE was very successful. If you check the log, FRST did remove what was initially posted as an error:

Quote

HKLM\SYSTEM\ControlSet001\Services\O5WDfL2T => Error: No automatic fix found for this entry.
HKLM\System\ControlSet001\Services\O5WDfL2T => removed successfully

We also shifted its driver and other associated files etc... We need another FRST fix from normal boot to clean up remnants etc. Then an indepth AV scan to make sure we caught and removed all of the infection...

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Thanks,

Kevin..

fixlist.txt


Attached as requested! Sophos ended up finding 4 viruses (2 of which were from my external hard drives, which haven't been scanned in years) but it seems like it's mostly been removed (fingers crossed) :) Thank you so much for your help Kevin, you're an absolute legend <333

Fixlog.txt SophosVirusRemovalTool.log


Hiya rpheus,

Yes, I'm confident we've removed the full infection. Obviously you must now change any passwords associated with this computer, specifically any with a financial impact. After that you should be ok...

Continue to clean up:

Uninstall the following program:

Sophos AV. Also remove this folder if still present: C:\ProgramData\Sophos

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Right click on FRST here: C:\Users\Wesley\Downloads\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 <<<--- Very important

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
