Author Topic: malware removal  (Read 4376 times)

Offline reaper

malware removal
« on: July 23, 2009, 07:20:32 PM »
Recently I removed some malware from a system; however, it appears to be back.

It's like it modified operating system components:

telnet localhost any_listening_port and the system hangs, where normally you could interact with services. This happens about once every 3 days.

The system is Windows 2003 Server SP2.

One of the first things I did was disable and re-enable both network adapters to see if that somehow "refreshed" the TCP/IP. It didn't work. I manually looked at the registry entries that "net sh int reset" alters. Microsoft says to use this command to set the TCP/IP configuration parameters back to default. Nothing is there, no "hooks/filters" for drivers, no crazy configuration. It referenced a couple of DLLs, like "winsock32.dll".

I checked the MD5 hash against known good versions, and it's the same on all the drivers I know are TCP/IP related, like tcpip.sys. Oh, before this I ran HijackThis, RootkitRevealer, and Process Monitor. HijackThis and RootkitRevealer showed nothing, and Process Monitor shows a lot, too much maybe.

I'm thinking maybe I can find out what files are related to TCP and see if they're modified, or something may intercept function calls and be in some other DLL. Maybe I have to look at Filemon and Process Monitor very closely, because it will be a legitimate process running, like the shell.dll for the OS.

I wish there was a file comparison on system files, you'd think hijack this could do that if you picked the OS.

Anyways, any suggestions? It's very frustrating. Although I guess you could migrate the machine to a virtual machine, depending on if the virtual machine recreates the OS, or just copies a couple of system files. Anyways, where's the fun in that :)

edit:
I also ran an updated Trend Micro. The malware was removed a few months ago. Hopefully I can find the malware making a connection with Snort, and then trace the socket connection.

:dohdohdoh:

anyways, hopefully this malware can be :busted: :help: :lolsign:

« Last Edit: July 23, 2009, 07:41:06 PM by reaper »
VaeVictus "reaper is a lying sack of shit and ragequit then had, probably slugs, come alias and beat me, wasnt even the same person playing OBVIOUSLY, accuracies basicly doubled, and strategy

Offline jägermonsta

  • Brobdingnagian Member
  • ***
  • Posts: 4441
  • Bigger Than Jesus
    • View Profile
  • Rated:
Re: malware removal
« Reply #1 on: July 24, 2009, 04:56:25 AM »
I normally run Malwarebytes, works pretty well

Offline Slayer :D

  • Sr. Member
  • ****
  • Posts: 426
    • View Profile
  • Rated:
Re: malware removal
« Reply #2 on: July 24, 2009, 11:45:00 AM »
Could you give me the malware name and what it was detected as?

I could probably help if you did! (Hard to help when I don't know what the malware is! :P )

BTW, McAfee, Norton, F-Secure, Nod32, and Kaspersky are all better malware scanners than Trend Micro. See PC World's site for details.

If you could PM me or post the process list--with their descriptions!--right after cold booting I can take a look at possible malware processes. (Not necessary, but sometimes helpful.)

Try rebooting in safe mode then running the antivirus scan. Many malware processes don't load then.

The keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\<huge string of gibberish>\Software\Microsoft\Windows\CurrentVersion\Run

NOTE: Do not post that string of gibberish here, as it might be related to your product key. I don't know, but it looks like a key.
NOTE: Some of these keys may be OS-specific. Do not be surprised if some are not there.

You can look at the contents of these keys for any suspect entries.

WARNING: DO NOT DELETE ANYTHING UNTIL YOU KNOW WHAT IT IS!!! YOU CAN WRECK YOUR COMPUTER BY DELETING REGISTRY KEYS OR VALUES!!!

BTW, You can also post the contents of these keys and the data in the values.

(Registry editor can be started by starting Command Prompt, typing "Regedit.exe", and pressing [ENTER].)

Hope I can help,
Eternity

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
    • View Profile
  • Rated:
Re: malware removal
« Reply #3 on: July 24, 2009, 11:58:26 AM »
I don't know what malware is/was on the system.

I will try running Malwarebytes soon.


Nothing is in the registry to start up when the system boots under Run, RunOnce, etc. msconfig doesn't show anything.

As far as Trend Micro goes, I know they have had some problems, such as being owned by security exploits, and detection rate, but in my opinion they have one of the more advanced systems.

I will see if Malwarebytes and AVG find anything; hopefully they do, but I don't think they will. If they don't, I'm going to script checking out every file in the i386 directory and see if the MD5 hash is different on the files on this system.

Offline Whirlingdervish

  • Super ShortBus Extravaganza
  • Illimitable Sesquipedalian Member
  • *
  • Posts: 6384
    • View Profile
    • The Dervish Depository
  • Rated:
Re: malware removal
« Reply #4 on: July 24, 2009, 12:18:26 PM »
I've had pretty good luck with google's free version of Spyware Doctor.

It picks up a lot of shit and has a realtime memory state scanner and other useful features.
I'll run it and Spybot S&D to get most of the stuff off when I get a fuxored rig in my office.


Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
    • View Profile
  • Rated:
Re: malware removal
« Reply #5 on: July 28, 2009, 12:39:53 PM »
Malwarebytes did not fix the issue.

I copied the i386 directory but I'm not sure how many files are different with the patches. Good news is Microsoft has a utility to look for modified system files. http://support.microsoft.com/kb/310747

I think it's checking the creation and modified date, not an MD5 hash of the files, but I'm not sure. I might get an accurate comparison some other way.

uggg, any ideas?

Offline jägermonsta

  • Brobdingnagian Member
  • ***
  • Posts: 4441
  • Bigger Than Jesus
    • View Profile
  • Rated:
Re: malware removal
« Reply #6 on: July 28, 2009, 12:47:33 PM »
wipe it out, start over!

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
    • View Profile
  • Rated:
Re: malware removal
« Reply #7 on: July 28, 2009, 01:26:53 PM »
The problem with wiping it is migrating the applications over again. There are backups of the application data, but it's not something you'd want to migrate. You'd be dealing with IIS and the metabase, using the IIS migration tool, so you'd have to go in again and set up databases, ASP components, alter ASP.NET configuration, since not all IIS configuration will be migrated. Set up permissions and file structures. It wouldn't be fun either.

I'm not sure what happens when you attempt to repair the system with the Windows disk; does it still keep the applications intact, or is it like reinstalling? But I'm not sure what the repair fixes if the Microsoft tool to check for problem system files shows no issues.

There are more ways to debug this, I'm sure, just not sure how to go about it.

edit:
Looks like the Windows tool checks the signed signatures of the system files
http://support.microsoft.com/kb/222193/EN-US/

So you'd think if one was altered say shell32.dll, it would show, even if it was a couple bits difference?
« Last Edit: July 28, 2009, 01:31:39 PM by reaper »
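The file-integrity check reaper sketches in replies #3, #5 and #7 (hash every system file against a known-good copy instead of trusting dates or assuming a small change would be noticed), as an added example that is not code from the thread. It assumes you have a known-good tree (a clean install or an expanded i386 copy) to use as the baseline; the directory layout and file contents in demo() are constructed sample data, and SHA-256 is used in place of the MD5 the thread mentions.

```python
"""Baseline hash comparison for Windows system files.

Added example, not code from the thread. Assumes you have a known-good tree
(a clean install or an expanded i386 copy) and the live directory to audit.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=1 << 20):
    """Stream the file through the hash so large files need not fit in memory.
    SHA-256 rather than MD5: MD5 still catches accidental changes, but an
    attacker can craft two files with the same MD5, so it is not a tamper check."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map relative path -> digest for every regular file under root.
    Paths are lower-cased because NTFS is case-insensitive."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): hash_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, live):
    """Classify each path as unchanged, modified, missing from live, or extra on live.
    A one-bit difference yields a completely different digest, which is the
    guarantee a date-based check cannot give."""
    both = [k for k in baseline if k in live]
    return {
        "unchanged": sorted(k for k in both if baseline[k] == live[k]),
        "modified": sorted(k for k in both if baseline[k] != live[k]),
        "missing": sorted(k for k in baseline if k not in live),
        "extra": sorted(k for k in live if k not in baseline),
    }


def demo():
    """Constructed sample data (not real system files): a 'clean' tree standing in
    for the i386 copy and a 'live' tree with one file changed by a single bit,
    one file missing and one file that was never in the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            (d / "drivers").mkdir(parents=True)
        payload = bytes(range(256)) * 16          # 4 KiB of deterministic filler
        (clean / "drivers" / "tcpip.sys").write_bytes(payload)
        (live / "drivers" / "tcpip.sys").write_bytes(payload)
        flipped = bytearray(payload)
        flipped[100] ^= 0x01                      # flip one bit in the live copy
        (clean / "shell32.dll").write_bytes(payload)
        (live / "shell32.dll").write_bytes(bytes(flipped))
        (clean / "winsock32.dll").write_bytes(payload)          # baseline only
        (live / "unknown.dll").write_bytes(b"not in baseline")  # live only
        return compare(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Files replaced by hotfixes will legitimately differ from the original media, so check a "modified" hit against the hash of the patched version before treating it as tampered. Files in an i386 directory are often cabinet-compressed (tcpip.sy_) and must be expanded with expand.exe before hashing.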

Offline jägermonsta

  • Brobdingnagian Member
  • ***
  • Posts: 4441
  • Bigger Than Jesus
    • View Profile
  • Rated:
Re: malware removal
« Reply #8 on: July 28, 2009, 01:29:29 PM »
IIS migrating is a blast! I've migrated several of our physical web servers to VMs this past year.

How did it get spyware on it to begin with, lol

Offline reaper

  • Opulent Member
  • *
  • Posts: 2872
  • Nice night for a walk, eh? - Nice night for a walk
    • View Profile
  • Rated:
Re: malware removal
« Reply #9 on: July 28, 2009, 01:47:49 PM »
Quote from: jaeger
IIS migrating is a blast ! I've migrated several of our physical web servers to VMs this past year.

how did it get spyware on it to begin with lol

I'm not sure; the machine probably got infected through the Conficker vulnerability, or through SQL injection. I know it was definitely vulnerable to SQL injection, and someone can turn on the stored procedure that ties to the cmd.exe shell, so through SQL injection you can pretty much do whatever you want. It's not always limited to putting BS .js links that get pushed to the HTML; you can actually take over the server.
« Last Edit: July 28, 2009, 03:02:49 PM by reaper »

Offline ReCycled

  • Carpal Tunnel Member
  • ******
  • Posts: 1690
    • View Profile
  • Rated:
Re: malware removal
« Reply #10 on: March 20, 2010, 03:46:52 PM »
Quote from: Whirlingdervish
I've had pretty good luck with google's free version of Spyware Doctor.

It picks up a lot of shit and has a realtime memory state scanner and other useful features.
I'll run it and Spybot S&D to get most of the stuff off when I get a fuxored rig in my office.

It's not free. The first time I ran it, it would only delete the adware if I "subscribed" or bought it. I've uninstalled it.

 
“It is hard to make predictions, especially about the future.” – Yogi Berra

Offline |iR|Focalor

  • Irrepressibly Profuse Member
  • *
  • Posts: 15768
  • Help Destroy America: VOTE DEMOCRAT
    • View Profile
    • Focalor's Horrible Website: We Rape You Til The Room Stinks
  • Rated:
Re: malware removal
« Reply #11 on: April 03, 2010, 12:34:55 AM »
AVG obviously isn't worth a fuck. I've gotten this "XP Defender" bullshit TWICE while running the paid version of AVG. AVG has been great for anti-virus so far, no problems at all. But it doesn't have any real-time protection against rootkits. I believe the paid version of MalwareBytes does though. This last time when I was hit with it, I ran the scan-on-demand rootkit component of AVG and it did not locate the specific malware (actually classified as "ransomware" I think). I ran the MalwareBytes full scan and it found it. I got it from clicking a link in some search results through Yahoo. I was NOT looking for pirated software OR porn... for once. Be careful out there. Wear a condom, kids.

 
