CNC machine windows operator interface infected

Win XP on peer to peer network with DSL modem

Recently had an OEM tech "ghost" the hard drive on a CNC machine so in the event of a hard drive failure we'd be OK.

Ghost software was "achronis". He did do some downloading, which may have been the very first time that machine ever accessed the www.

Now, a week later, we have the "Security Suite" malware. I had this several months ago on my home PC and was able to get rid of it by running Malwarebytes from a flash drive, but in this instance it is being blocked by the malware, which says Malwarebytes is infected.

A couple of questions:

0. Will booting up in SAFE mode allow me to run Malwarebytes from the flash drive and remove the infection?

1. How do I determine if the ghost drive is also infected? If it isn't, how do I ensure it doesn't become infected? I know Norton, which I usually use, won't prevent it.

2. The CNC machine is on a peer-to-peer network. Can I run Malwarebytes on another computer on the network and remove the malware that way? (This assumes I can access the CNC drive remotely, and I don't know if the malware will allow me to share the drive.)

3. If I pay the extortion, does the problem go away?

4. Is there a way to torture and kill the hackers responsible?

I REALLY need to do this right, as if both hard drives end up trashed it'll cost me thousands to get it repaired and my machine back online.

help, help, help!


Hi,

0. Will booting up in SAFE mode allow me to run Malwarebytes from the flash drive and remove the infection?

I think so, but please DO NOT try it (see below).

1. How do I determine if the ghost drive is also infected? If it isn't, how do I ensure it doesn't become infected? I know Norton, which I usually use, won't prevent it.

We can run some scans that should show us when the infected files were created on your XP system. Running Malwarebytes' Anti-Malware would ruin this plan, so please DO NOT use Malwarebytes' Anti-Malware.

Important: When was the Achronis image made? On what date?

2. The CNC machine is on a peer-to-peer network. Can I run Malwarebytes on another computer on the network and remove the malware that way? (This assumes I can access the CNC drive remotely, and I don't know if the malware will allow me to share the drive.)

No, that way the infection won't be completely removed. DO NOT try it (see above).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The only thing I need to know about the CNC is when the Achronis image was created. You have to run all my instructions on the Windows XP computer.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "ark.txt".
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.
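The helper's plan above rests on one comparison: if every infected file was created after the date the backup image was made, the image predates the infection and is safe to restore. The following script is an added illustration of that timeline check, not code from the thread or from OTL; the image date, file paths and timestamps are constructed samples, and the walk_created helper is an assumption about how one would gather the same data from a live disk.

```python
import os
from datetime import datetime, timezone

def ts(s):
    """Parse 'YYYY-MM-DD' into a UTC datetime (helper for constructed dates)."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

# Constructed image date: the thread never states when the real image was made.
IMAGE_DATE = ts("2010-03-01")

# Constructed (path, creation time) entries standing in for an OTL file listing.
# Paths mirror locations in the helper's custom-scan list; names are made up.
SAMPLE_ENTRIES = [
    (r"C:\WINDOWS\system32\drivers\kbdclass.sys", ts("2008-04-14")),
    (r"C:\WINDOWS\Fonts\arial.ttf", ts("2008-04-14")),
    (r"C:\Documents and Settings\All Users\Application Data\hypothetical_rogue.exe", ts("2010-03-06")),
    (r"C:\WINDOWS\system32\hypothetical_rogue.dll", ts("2010-03-07")),
]

def newer_than(entries, cutoff):
    """Files created after the cutoff, newest first: the candidates to examine."""
    hits = [(p, t) for p, t in entries if t > cutoff]
    return sorted(hits, key=lambda e: e[1], reverse=True)

def image_predates(entries, image_date, suspect_paths):
    """True only when every suspect file is present in the listing and was
    created strictly after the image date. An unknown file counts as 'not
    proven safe', so the function errs toward distrusting the backup."""
    times = dict(entries)
    for p in suspect_paths:
        t = times.get(p)
        if t is None or t <= image_date:
            return False
    return True

def walk_created(dirs):
    """Yield (path, creation time) for files under dirs (assumed helper).
    On Windows st_ctime is the creation time; elsewhere it is the inode
    change time, which is still the nearest 'first seen' stamp available."""
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                full = os.path.join(root, name)
                try:
                    st = os.stat(full)
                except OSError:
                    continue
                yield full, datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)

if __name__ == "__main__":
    for path, created in newer_than(SAMPLE_ENTRIES, IMAGE_DATE):
        print(created.date(), path)
```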


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
