Unknown, persistent malware (3rd System)


pallino
How probable is it that my router got hacked and so all the other devices on the network? I'm losing trust in all devices right now....

 

Can we test deeply the router?

 

After all the scans we did, how would restoring the system to an earlier point help to detect a malware that is still undetected today? What do I do after restoring, can I update all (Windows, AV, programs...) or what do you want me to do? Scan immediately with FRST and AVZ and EMSI, or after all is updated?

 

Can you please check all my questions? Since we have only one contact per day it's best to save as much time/days as possible.

 

 

Thank you again for your help and time!

I have no way to test the router. The best thing to do is disconnect it from everything, reset it to factory defaults and reconfigure it.

Doing a System Restore can and probably will bring back some of the malware, but we can deal with that after the System Restore.

Once the System Restore has completed, run fresh scans with EEK and FRST. I'll take a look and figure out what to do next.

I have good and bad news..

The good news is that the backups were created on the 19th and 20th of November....the "bad" is that EMSI IS (paranoia mode, custom scan with direct access) doesn't find anything suspect or infected.

Where, in what folder, should vhjrap.sys and icquni.sys and the other suspect files be?

 

I ran Combofix, please find attached the new report.

How does it look?

What do we do now?

thank you!

 

 

I just checked the FRST log and saw that now also on this laptop we have IE policy restrictions....they were not there on my last scan on the 11th.....is this related to the other laptop and a sign of a particular kind of infection?

I also saw that the system corrupted files, as the policy restrictions appeared out of the blue on the 15th...can this be related on this laptop to Combofix (so caused by it) or to a malware still present after Combofix was run?

 

If I restore Windows to November we might get some deleted malware/files back but will still have the undetected one that we might have now (maybe not, if they were downloaded/"updated" later)....just to understand, if we didn't find the malware till now, how should it be easier to find it with/after a restore?

 

Does this make sense?

thank you

:wacko::(

 

What about OTL and DDS, are they similar to FRST? What are the advantages/disadvantages of these tools?

If I reset to November and we use the same tools as we did before, why should the result be different?

I'm asking since it's time-consuming work to reset and update everything...but I'm ready and more than happy to do it if it helps to find unknown malware!

Hi Kevin,

 

I restored to the 20th of November and ran the scans.

 

What do we do now? I hope, we can get it this time and "by name"! :)

 

Thank you

 

P.S. To save time I already scanned with TDSSKiller and RogueKiller...

Addition.txt

FRST.txt

a2scan_150202-122000.txt

virusinfo_syscheck.zip

RKreport_SCN_02022015_132354.log

TDSSKiller.3.0.0.44_02.02.2015_13.14.20_log.txt

What/where are these corrupted files?

Since we had them only after mid-January and not before, and now we have them also after restoring, can't it be that something malicious is corrupting them as it did in January?

Laptop is running "fine", no crashes nor blue screens.

What do we do now to find this malware?

I saw the 2 removed entries, Service('vhjrap') and Service('icquni'), as the files ('icquni.sys','32') and ('vhjrap.sys','32') reappeared.

Can't we investigate them more this time?

What/where are these corrupted files?

R2 AMD External Events Utility; C:\Windows\SysWOW64\atiesrxx.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 EFS; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 hpsrv; C:\Windows\SysWOW64\Hpservice.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 KeyIso; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
S3 Netlogon; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 ProtectedStorage; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 SamSs; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 UI0Detect; C:\Windows\SysWOW64\UI0Detect.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 VaultSvc; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)


Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\atieclxx.exe
C:\Windows\SysWOW64\atiesrxx.exe
C:\Windows\SysWOW64\conhost.exe
C:\Windows\SysWOW64\csrss.exe
C:\Windows\SysWOW64\dwm.exe
C:\Windows\SysWOW64\hkcmd.exe
C:\Windows\SysWOW64\hpservice.exe
C:\Windows\SysWOW64\igfxpers.exe
C:\Windows\SysWOW64\igfxtray.exe
C:\Windows\SysWOW64\lsass.exe
C:\Windows\SysWOW64\lsm.exe
C:\Windows\SysWOW64\services.exe
C:\Windows\SysWOW64\smss.exe
C:\Windows\SysWOW64\spoolsv.exe
C:\Windows\SysWOW64\taskhost.exe
C:\Windows\SysWOW64\UI0Detect.exe
C:\Windows\SysWOW64\winlogon.exe
C:\Windows\SysWOW64\WUDFHost.exe

Since we had them only after mid-January and not before, and now we have them also after restoring, can't it be that something malicious is corrupting them as it did in January?

Laptop is running "fine", no crashes nor blue screens.

What do we do now to find this malware?

I saw the 2 removed entries, Service('vhjrap') and Service('icquni'), as the files ('icquni.sys','32') and ('vhjrap.sys','32') reappeared.

Can't we investigate them more this time?

Your logs give me no hint or clue where to look for Malware. They do not show any.
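As an added example (not code from this thread, from Emsisoft or from the author of FRST), here is a small Python parser for FRST service lines of the kind quoted in the reply above. It pulls out the state, service name, image path and size, lists the entries whose image resolved to a zero-byte file, and groups the services that share one image, which is the first sorting a helper does before asking for the registry ImagePath. The sample input is constructed from the lines quoted above plus one made-up, normal-looking entry (wuauserv) as a negative case; the line format is assumed from those quoted lines and may not cover every FRST version.

```python
import re
from collections import defaultdict

# Constructed sample input: the service lines quoted in the post above, plus
# one ordinary-looking line (wuauserv) made up here so the filter has a
# negative case. Size/date/vendor on that last line are illustrative only.
FRST_SERVICES = r"""
R2 AMD External Events Utility; C:\Windows\SysWOW64\atiesrxx.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 EFS; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R3 KeyIso; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
S3 Netlogon; C:\Windows\SysWOW64\lsass.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 Spooler; C:\Windows\SysWOW64\spoolsv.exe [0 2013-11-13] () <==== ATTENTION (zero size file/folder)
R2 wuauserv; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
"""

# Assumed line shape: "<state> <name>; <path> [<size> <date>] (<vendor>) ..."
# where <state> is R (running) or S (stopped) followed by the start-type digit.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+"
    r"\((?P<vendor>[^)]*)\)"
)


def parse_frst_services(text):
    """Parse FRST 'Services' section lines into dicts; lines that do not
    match the assumed shape are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["size"] = int(d["size"])
        d["running"] = d["state"].startswith("R")
        entries.append(d)
    return entries


def zero_size_services(entries):
    """Services whose image path resolved to a zero-byte file. A zero-byte
    PE cannot be loaded, so a service marked running next to a zero size
    was not started from that file: compare the registry ImagePath with the
    path FRST printed before drawing any conclusion."""
    return [e for e in entries if e["size"] == 0]


def shared_images(entries):
    """Map image path -> sorted service names, for paths used by more than
    one service. Several services hosted by one binary (EFS/KeyIso/Netlogon
    in lsass.exe) is normal; it shows the finding is about the file, not
    about each service separately."""
    by_path = defaultdict(set)
    for e in entries:
        by_path[e["path"].lower()].add(e["name"])
    return {p: sorted(n) for p, n in by_path.items() if len(n) > 1}


def triage(text):
    """The summary a helper wants first: how many zero-size images, which of
    those are marked running, and which distinct files are involved."""
    entries = parse_frst_services(text)
    zero = zero_size_services(entries)
    return {
        "total": len(entries),
        "zero_size": sorted(e["name"] for e in zero),
        "zero_size_running": sorted(e["name"] for e in zero if e["running"]),
        "zero_size_files": sorted({e["path"].lower() for e in zero}),
    }


if __name__ == "__main__":
    for key, value in triage(FRST_SERVICES).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the embedded sample, or pass the Services section of a real FRST.txt to triage(). The point of shared_images() is that the ten flagged service entries above collapse to a handful of files, so the question to answer is why those files are zero bytes, not ten separate service questions.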
Since you deleted these before and we had issues you couldn't explain (LSA, restriction policies, sudden corrupted files...) we decided to restore the laptop to an earlier point to try to find the cause of all of this.

I thought we could isolate and analyze the 2 files and find out what they are.

 

If the laptop is and was infected and this malware wasn't completely deleted/detected, I thought it would be more than important to find out what it is, for me as for other users...maybe I was wrong.

 

The system is working and didn't have all of the above before..if it's malware related I would really prefer to find out what caused it instead of just reinstalling everything, since NO AV nor AV tool detected anything before.

Thread Closed

Reason: Clean Install of Windows Recommended

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.

Hello Kevin,

 

thank you for reopening the thread! :)

 

I reinstalled everything from the CDs created as soon as I got the laptop. Updated Windows and the HP programs as well as the AV.

 

How does it look for a fresh install? I see weird error messages....are these normal for a fresh install?

 

If all looks 100% fine and without concerns I'll connect the first laptop to the internet and update that too...but only if this one is safe and clean...if not it means there is some malware somewhere that keeps infecting the laptops and the router (although it was reset and the password as well as the user name were changed before).

I uploaded 2 AVZ logs, the one I did yesterday and the one I did today....today Explorer crashed when I opened CDBurnerXP (the OpenCandy-free one)....and programs start more slowly.... :wacko:

 

 

Thank you :excl:

FRST.txt

Addition.txt

virusinfo_syscheck10-2-15.zip

virusinfo_syscheck.zip

a2scan_150210-201613.txt

I just thought these were errors that shouldn't be in a fresh install, so your answer is the best news I got in the last 2 months! Thank you

Can I now restore my files (PST, DOC, XLS) from my backup?

-just to be sure, is it safe to connect the USB backup drive and to scan it with all the AVs I have (unless I have a BadUSB malware), or?

thank you

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM-x32\...\Run: [] => [X]
2015-02-13 13:36 - 2015-02-13 13:36 - 00000000 ____H () C:\Users\angel\BITB48F.tmp
2015-02-09 13:39 - 2015-02-09 13:39 - 00000000 ____D () C:\ProgramData\{65AB91D4-DDD0-48D4-804D-C24E1FC90D44}
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.
When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • Click "Options" and choose "Advanced"
  • Uncheck "Only delete files in Windows Temp folders older than 24 hours"
  • Then go back to "Cleaner" and click the "Run Cleaner" button.
  • Exit CCleaner.
Turn off System Restore to flush all your restore points, then turn System Restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update anything program/application detected as being out-dated.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

Hello Kevin,

 

unfortunately the system is running "strange"....Outlook restarts once after I close it, every time.

KIS 95% of the time gets fewer database records after an update (I had 8,500,000+ and now 8,350,000).

I cannot use Firefox in Sandboxie since KIS tells me that it cannot confirm the authenticity of the server I'm connecting to (or of the certificate).

Yesterday I didn't pass the test on

https://filippo.io/Badfish/    and had certificate issues also in Firefox in normal (not sandboxed) mode...

 

I deleted the KIS certificate and restarted the laptop.

Today I had the problem with Outlook, which didn't trust the server certificate.

After disabling scanning of SSL connections Outlook managed to connect and download mails and I passed the test above.

Still have the issue with sandboxed Firefox.

Opening the download folder took very long many times...

 

 

Can you please check the logs one more time?

 

thank you!!!!

 

 

 

Addition.txt

FRST.txt

virusinfo_syscheck.zip

a2scan_150225-000606.txt

post-34031-0-48031800-1424890244_thumb.png

TDSSKiller.3.0.0.44_25.02.2015_12.52.23_log.txt

RKreport_SCN_02252015_133350.log

It could very well be the Firefox NoScript extension that is responsible for breaking SSL in Firefox. In order for it to determine the content of an encrypted data stream, it has to snoop on it. That is just wrong on so many levels. SSL data streams are encrypted for a reason, and any tool that snoops on that data stream is rendering your system vulnerable to attack.

I didn't try to disable NoScript yet..I checked the FAQ and apparently NoScript doesn't block/scan https...

Apparently it is a KIS issue..I said apparently since disabling the SSL scan didn't change the authenticity certificate issue.

The test failed when I accepted the connection with google, ....informaction.com in sandboxed Firefox..the test then failed in normal Firefox too.

Isn't that weird?

I disabled NoScript and restarted the PC....still get the warnings about KIS not being able to guarantee the authenticity of the domain to which the encrypted connection is established.

Same if I disable the SSL check in KIS, if I put Google as a trusted site, if I import the KIS certificate in Firefox as suggested on the KIS forum (also after restarting the PC).

 

I saw that in AVZ all ping tests are OK; the only ones that didn't pass are the ones to Kaspersky sites...

In FRST's Addition.txt: a opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden...

C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\b2363cf94faf59386ab4778a39c16e2b\IsdiInterop.ni.dll  are these safe?

 

Today I have:

//./root/CIMV2 SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99 0x80041003

 

Now I have a security issue with the VirusTotal check in Process Explorer as in Autoruns...pls check the attached image.

 

What do you think, what can it be and what do we do?

 

Does it make sense to uninstall KIS and to install EMSI? I wanted to have 2 different AVs on my 2 laptops just in case one detects something the other doesn't yet...

 

thank you

 

P.S. Today I saw that KIS installs its certificate in Firefox even if I disabled scanning of secure connections.

Now I get warnings in Firefox (not sandboxed), also for the Emsisoft forum page.

 

:angry: :angry: :angry::excl:

Does EMSI IS and/or EAM scan for bad CA certificates?

 

 

 

post-34031-0-52429400-1425015173_thumb.png

Addition.txt

FRST.txt

post-34031-0-55452500-1425062541_thumb.png

post-34031-0-37429300-1425062550_thumb.png

post-34031-0-35212700-1425062567_thumb.png

Certificates are handled by the browser, and each has its own certificate store.

I do not believe KIS is functioning properly. Parts of it are not loading correctly.

Error: (02/23/2015 08:38:55 PM) (Source: Application Popup) (EventID: 1060) (User: )

Description: \??\C:\Windows\SysWow64\Drivers\uteyndy4.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Date: 2015-02-14 11:56:30.324

Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

Date: 2015-02-14 11:56:30.288

Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

IsdiInterop.ni.dll is a valid MS DLL.
