Removing Snake malware remnants
I discovered an old Snake malware instance on my home Windows 10 PC (using Aurora) and it appears to be inactive since the DOJ took down the Command-and-Control network, but some of the pieces still seem to be present (e.g. the FIFO and other files).  There are a lot of variants, and I would prefer to have Malwarebytes cleanly remove the remnants.  Any suggestions?  Leaving hunks of malware on your system is rarely a good idea, even if it is not currently active.

Thanks,

Neil


  • Root Admin

Hello @neilw12 and :welcome:

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes:

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans:

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes 
       RESTART the computer
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 
     

Example image of where to click to attach files when posting your reply

 

Thank you

 


I appreciate such a thorough and comprehensive response.  I believe I completed all of the steps above and am attaching the logs you mentioned.  I looked, but am not familiar enough with these tools to determine if there was anything significant in them.

Thanks!

Neil

AdwCleaner[S00].txt Addition.txt FRST.txt Malwarebytesscanlog.txt AdwCleaner[C00].txt


  • Root Admin

Thank you for the logs. Please follow the steps below

[ 1 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Bonjour (This program is rarely needed on Windows and causes network issues)
  • CCleaner (computer experts no longer recommend this program)
     

[ 2 ]

Please follow the directions from this topic

Your Current DNS Server:  192.168.0.1

Change DNS to Secure DNS
 

[ 3 ]

I notice you have LastPass installed. Please do some reading and decide for yourself if you still want to use them or not.

Bad news - LastPass owner confirms customer backups were stolen
https://www.techradar.com/news/bad-news-lastpass-owner-confirms-customer-backups-were-stolen

LastPass owner GoTo shares more bad news about November’s security breach
https://www.theverge.com/2023/1/24/23569109/goto-hack-lastpass-breach-encrypted-backups-key

Why You Should Stop Using LastPass After New Hack Method Update
https://www.forbes.com/sites/daveywinder/2023/03/03/why-you-should-stop-using-lastpass-after-new-hack-method-update/?sh=26eade0c28fc

 

[ 4 ]

Did you setup this Firefox Proxy on purpose?

FF NetworkProxy: Mozilla\Firefox\Profiles\897c2ody.default -> socks_remote_dns", true

 

[ 5 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

CHR Notifications: Default -> hxxps://app.zoom.us; hxxps://calendar.google.com; hxxps://chatsupport.apple.com; hxxps://www.thephoblographer.com

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

[ 6 ]

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   D:\Neil\Documents\eBooks\FRST64.exe

Save the attached file:  FIXLIST.TXT to this folder D:\Neil\Documents\eBooks\

NOTE. It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


I appreciate your efforts on this.

1.  I removed Bonjour as suggested.  I am keeping CCleaner since it does some tasks that I want done well.

2. 192.168.0.1 is a secure DNS instance (I run PiHole at home and fallback to 8.8.8.8)

3. I am still using LastPass.  I read the articles.  I may migrate eventually, but not right now.  My Master Password is over 20 characters long and has very high entropy.

4. The Firefox proxy is for TORbrowser.

5.  I disabled the push notifications as suggested.

6.  I ran the Farbar program and am attaching the log.  The runtime was not bad at all.

Thank you for the help so far.

Fixlog.txt


  • Root Admin
4 hours ago, neilw12 said:

    I am keeping CCleaner since it does some tasks that I want done well.

Your choice, but there are many other tools that don't belong to a company well known for abusing privacy.

neilw12 said:

    3. I am still using LastPass.  I read the articles.  I may migrate eventually, but not right now.  My Master Password is over 20 characters long and has very high entropy.

I hear you, but access to the vault through a mishap in coding wouldn't matter if you had a 200-character password. I'm "hopeful" that could not happen, but I'm not putting my personal security on the line based on "hope".

 

 

Thanks for the log. It ran pretty well and the SFC found and corrected some Windows issues as well.

Windows Resource Protection found corrupt files and successfully repaired them.

 

What specific file, folder, or registry entry of this older object are you talking about? Have you already fully removed it?

 

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

Thank you

 

 


The comadmin.dat file in the C:\Windows\System32\Com directory is gone now, but {02D4B3F1-FD88-11D1-960D-00805FC79235}.{343C9811-37CB-4475-8A62-C6320A682486}.crmlog is still in C:\Windows\Registration (though this can be a false alarm).  There were some Registry keys I found matching the specified entries in the cisa.gov Snake report, but I lost the file where I was recording them.  Snake was disabled by CISA capturing the command and control servers and disabling the endpoints, but the pieces weren't cleanly removed by disabling and I was concerned with leaving any functional parts.

Thanks for all of the help you have given so far.

Neil


  • Root Admin

Please run the Dr. Web scan and post back the log.

 

Then also run a command prompt with Admin rights and the copy and paste the following and press the Enter key and let me see the results.

dir /a /s "C:\Windows\System32\Com"

 

Then do the same using this command

dir /a /s "C:\Windows\Registration"

 

Thanks
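The two locations being discussed here (comadmin.dat in System32\Com and the GUID.GUID.crmlog file in Registration) are the on-disk artifacts the CISA Snake advisory (AA23-129A) describes for the Windows implant, and the advisory also describes a registry copy of the Queue file under HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds. Because ordinary Windows installs keep legitimate COM+ .crmlog files in Registration, a name match alone is the "false alarm" neilw12 mentions. The following is an added, read-only PowerShell triage script written for this thread; it is not the advisory's tooling and not something either poster ran. It assumes the paths and registry key above as given in the advisory (check them against the report yourself), and the 7.0 bits/byte entropy threshold used to separate an encrypted blob from a mostly zero-padded CRM log is this example's own heuristic, not a documented indicator.

```powershell
# Added triage example (not from the thread or from the CISA advisory's tooling). Read-only: it
# reports, it does not delete. Run from an elevated PowerShell prompt on the suspect host.
#
# Locations checked, as described for the Windows implant in CISA advisory AA23-129A
# (verify against the advisory before acting on a hit):
#   %SystemRoot%\System32\Com\comadmin.dat           encrypted container (driver + DLL)
#   %SystemRoot%\Registration\<GUID>.<GUID>.crmlog    encrypted "Queue" file
#   HKLM\SOFTWARE\Classes\.wav\OpenWithProgIds        registry copy of the queue, GUID-named value
# Legitimate COM+ .crmlog files also live in Registration, so the name alone proves nothing.
# ASSUMPTION used as a tie-breaker: an encrypted blob scores close to 8 bits/byte of Shannon
# entropy, while a genuine, mostly zero-padded CRM log scores well under 7.

function Get-ByteEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

function New-Finding([string]$Indicator, [string]$Path, $Size, $Entropy, $Modified) {
    [pscustomobject]@{ Indicator = $Indicator; Path = $Path; SizeBytes = $Size; Entropy = $Entropy; ModifiedUtc = $Modified }
}

$guidRx   = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$queueRx  = "^$guidRx\.$guidRx\.crmlog$"
$findings = @()

# 1. Installer container
$comAdmin = Join-Path $env:SystemRoot 'System32\Com\comadmin.dat'
if (Test-Path -LiteralPath $comAdmin) {
    $f = Get-Item -LiteralPath $comAdmin -Force
    $findings += New-Finding 'comadmin.dat present' $f.FullName $f.Length (Get-ByteEntropy $f.FullName) $f.LastWriteTimeUtc
}

# 2. Queue file candidates; entropy separates encrypted blobs from ordinary COM+ logs
$regDir = Join-Path $env:SystemRoot 'Registration'
foreach ($f in Get-ChildItem -LiteralPath $regDir -File -Force -ErrorAction SilentlyContinue) {
    if ($f.Name -notmatch $queueRx) { continue }
    $e = Get-ByteEntropy $f.FullName
    $label = if ($e -ge 7.0) { 'crmlog HIGH entropy: possible Queue file' } else { 'crmlog low entropy: likely legitimate COM+ log' }
    $findings += New-Finding $label $f.FullName $f.Length $e $f.LastWriteTimeUtc
}

# 3. Registry blob: flag GUID-named or binary values. Normal entries here are ProgId names with empty data.
$wavKey = 'HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds'
if (Test-Path -LiteralPath $wavKey) {
    $key = Get-Item -LiteralPath $wavKey
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($name -match $guidRx -or $kind -eq 'Binary') {
            $data = $key.GetValue($name)
            $size = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
            $findings += New-Finding "suspicious .wav OpenWithProgIds value '$name' ($kind)" $wavKey $size $null $null
        }
    }
}

if ($findings.Count -eq 0) { 'No Snake on-disk or registry indicators found in the checked locations.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

If a file scores high, do what the Root Admin asks above: zip it and hand it to someone who can analyse it rather than deleting it, since the encrypted Queue file is the evidence of what the implant was tasked with. A low-entropy .crmlog with a legitimate-looking timestamp is almost certainly Windows' own COM+ recovery log. This disk and registry check does not replace the advisory's memory-based and network-based detections; a clean result here only means these particular remnants are gone.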

 


  • Root Admin

Can you please zip this file and attach it?

{02D4B3F1-FD88-11D1-960D-00805FC79235}.{343C9811-37CB-4475-8A62-C6320A682486}.crmlog

 

The folder "C:\Windows\System32\Com\" looks normal to me. I have the same files on other computers.

 

Let's go ahead though and run another AV scan.

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you


Sorry, I originally thought I still had to attach the two directory listings you requested so I drafted the response, not knowing it would take over a day to complete the safety scan.  In the mean time, I reviewed the thread and discovered that I had already sent them to you and removed the enclosures from the post.  I forgot to edit the reference to them out of the text of my response.   When the Safety scan finally finished I attached it and hit send.  Sorry for the confusion.


  • Root Admin

Please run the following @neilw12

 

SecurityCheck by glax24              


I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
SecurityCheck is a utility for quickly checking for the presence of vulnerable applications

  • Temporarily disable Microsoft SmartScreen to download the software
  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Items checked:

  1. User Account Control (UAC).
  2. Service pack.
  3. IE version.
  4. Automatic OS update. Sets of critical KB patches when updating is disabled.
  5. Antivirus, firewall, other security utilities.
  6. Versions of Java, Oracle Virtualbox.
  7. Version of Adobe Flash Player, Adobe AIR.
  8. Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
  9. Versions of media players (iTunes, AIMP, foobar2000).
  10. Versions of messengers (Skype, Pidgin).
  11. Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
  12. Versions of mail programs (The Bat, Thunderbird).
  13. Checking running processes and security program services
  14. Searching for installed Adware programs and optimizer programs (More than 5000).

Thank you

 


  • Root Admin

Please uninstall, update, or otherwise address the following as appropriate for your system.

 


Please uninstall the following

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.20 (Computer experts no longer recommend this program)


Then RESTART the computer and check for Windows Updates and install any Security updates found.

Let me know if there are still any signs of infection or any other unresolved issues

 


I uninstalled many of these, and updated the rest, then re-did the Windows Updates.  I am not uninstalling CCleaner.  I have uses for it.  I don't let it go crazy and "optimize" my PC, nor install drivers for me.  It has powerful functions for managing cookies, free space overwriting, etc. and I want to keep using it for that.  Is there some specific criminal activity that CCleaner is performing that would drive me to uninstall it while I am actively using it?

The only bad thing I have been experiencing is the system "stuttering" where it seems to lock up for 5 seconds or so, and even suspends disk writes, then catches up with them when the "pause" is over.  The screen, mouse, and keyboard lock up at the same time.  I am moving off of this system to a new one, but am still working on it and still need this one for a few weeks (after which it will become a proxmox host in my cluster).

 

Thanks for all of the help so far.  Unless you know something specific about the short lock-ups, I think I am ok at this point, and we can consider this closed.


  • Root Admin

Sounds good. No, don't know what would cause the stalls. That would require a bit of performance analysis work probably to try to track down.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


This topic is now closed to further replies.