

Topics - Lobas

1
Quote
The relevant information comes in the first reply; here is a general overview!


Here, very briefly, is the explanation nonetheless. Finally, I have to put it SOMEWHERE! ;)


Quote
In case this thread is no longer viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo, including potential other (non-Farbar) logs. At first the two threads can, from my point of view, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem either. Just explaining why I am doing this.

Hello,

I'm Lobas and I've got a heavy problem. I have been looking for help here for a while already. Everything linked to the topic I will put here as well, for better clarity.

There is also an explanation why a new post now.

This was my first query.

Quote
Hello,
 
we are having an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looking more closely at approximately 50 infected files with the Adlice RK PE Viewer let me see that most of them have sandboxes, anti-debugging scanners / debugging blockers and stuff like that to protect themselves and hide from AV.
 
Concrete objects found by AV at least since the beginning of this infection (last Thursday), all PCs together:
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUMs and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not connected to the local Intranet at the time of the infection, so it stayed clean. We won't put it back in the network until the other PCs are cleaned.
 
Concrete symptoms are: some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on, which can't be opened), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files were just edited a short time ago, which has no visible effect.
 
Lastly, some programs are completely not working anymore, and 3 PCs have until now been unable to connect to the Internet.
 
In the hope that someone here can help me, I did scans with the Farbar Recovery Scan Tool on the 7 infected PCs.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected by the infection, so no Farbar scan)
 - SMARTBOOK (Android tablet, the only non-Windows business device) (not affected by the infection)
 
Greetings Lobas

The next is a bit of communication over the problem, with an experienced user.

Quote
Hi Lobas,

Could you please attach the G-DATA, ESET and RogueKiller reports of the first computer with your next reply?
Please also attach some of the encrypted files (at least one .crypt and one with a "normal" extension type).

Do you know the following files?
Code:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()

Regards.
« Last Edit: October 31, 2017, 04:50:27 pm by Curson »


Hi,
am I right that you only want logs with catches, or isn't that the point?

Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.

Yes, these files are batch files I wrote myself to log the computer on to the network drives and to automatically wipe out the most common sources of application errors in the company's main work program.

Hi Lobas,

Quote
am I right that you only want logs with catches, or isn't that the point?

Yes, you are perfectly right.

Quote
Yes, if I find one I will, but it feels like they are already getting fewer for no known reason.

Without an encrypted file, it will be difficult to accurately determine the type of the infection.
Was a ransom demand present with the encrypted files?

Quote
Yes, these files are batch files I wrote myself to log the computer on[...]

Thanks for the confirmation.

Regards.

No, until now no demand was seen.

Attached are two logs of PCSRV I found: Smadav log from 25th October and ClamWinPortable (screenshot of catches) from 30th October.

EDIT: From the ESET logs I can only give partial screenshots. Attached are the first 3 logs of 26th/27th October.

Hi Lobas,

Neither ClamAV nor ESET detected a ransomware.
At this point, I think that your files have been corrupted by something non-malware related, so there is little I can do to help you.

Regards.

Let's put in a break here!


Because that's the point where I recognized that I am not providing enough information for somebody to properly work with.
That's also the reason why I insisted so much with the user who intended to leave my topic behind. This insistence, as said, is of course open to everybody who has the ability, the time and the will to help me!


From now on I plan to approach the problem another way!


Quote
Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.

For this I can give you more concrete facts.

I will try to deliver as much as possible of useful information.

First, please let's stay with the Farbar logs. I am still looking mostly at PCSRV (also because the 5 days of holiday are now over and today normal business starts again. PCSRV plays a central role in the proper work of the network and all attached devices. Furthermore, PCSRV is one of the PCs that has had no working Internet connection since the beginning of the infection. That's a big problem if normal work is to be possible again.)

Under the given circumstances I am pleading with you, Curson, and surely any other person who may be able to provide any form of help, to please stay with this topic and try to help / find solutions / correct & complete my proposals for what to do next.

Please just stand by.

Thanks.

'I will start to ask concrete questions about Farbar and how to deal with it starting in the next post.'

Some talking of mine again, but now the interesting part begins!
+Looking for help, doing the disinfection of our network alone with the information provided by Farbar and at some points requesting help here in the forum+


Quote
The relevant information comes in the first reply; here is a general overview!


Quote
In case this thread is no longer viewed, I will open up a new one with a more concrete description, the type of help asked for and more other sysinfo, including potential other (non-Farbar) logs. At first the two threads can, from my point of view, co-exist for a certain time. If the time comes that a Mod wants to see everything in one, no problem either. Just explaining why I am doing this.

The Farbar logs are in the same sequence as the PCs in the "PC Names" list above. Alternatively, the computer name is already written in the heading of each log.
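The two Startup / ShortcutTarget line pairs that Curson quoted from the FRST log are the kind of entry a helper asks the poster to confirm: a .lnk in the all-users Startup folder that launches a script from a user profile with no publisher information. The script below is an added example and is not code from this thread, from Farbar or from Adlice. It parses those four lines (embedded as the sample input), pairs each shortcut with its resolved target and attaches review flags. The trusted-directory list and the reading of empty trailing parentheses as "no publisher/version info" are my own assumptions; the flags are review hints for the person reading the log, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Sample input: the four FRST lines quoted in Curson's reply above.
FRST_SAMPLE = r"""
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
"""

# "Startup: <lnk path> [YYYY-MM-DD]" and "ShortcutTarget: <lnk name> -> <target> (<publisher>)"
STARTUP_RE = re.compile(r"^Startup:\s+(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\]\s*$")
TARGET_RE = re.compile(r"^ShortcutTarget:\s+(?P<name>.+?)\s+->\s+(?P<target>.+?)\s+\((?P<publisher>.*)\)\s*$")

# Assumption: targets launched from outside these directories deserve a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_SUFFIXES = (".bat", ".cmd", ".vbs", ".ps1", ".js")


@dataclass
class StartupEntry:
    shortcut: str                 # .lnk file name in the Startup folder
    shortcut_date: str            # date FRST printed for the .lnk
    target: str = ""              # resolved ShortcutTarget path
    publisher: str = ""           # text inside the trailing parentheses; "" = no info shown
    flags: list = field(default_factory=list)


def flag_entry(entry: StartupEntry) -> None:
    """Attach review hints to one entry (assumed heuristics, not verdicts)."""
    target = entry.target.lower()
    if not target:
        entry.flags.append("shortcut target missing")
        return
    if not target.startswith(TRUSTED_PREFIXES):
        entry.flags.append("target outside trusted program dirs")
    if not entry.publisher:
        entry.flags.append("no publisher info")
    if target.endswith(SCRIPT_SUFFIXES):
        entry.flags.append("script target")


def parse_frst_startup(text: str) -> list:
    """Pair Startup: lines with their ShortcutTarget: lines by .lnk file name."""
    by_name, order = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STARTUP_RE.match(line)
        if m:
            name = m.group("path").rsplit("\\", 1)[-1]   # basename of the .lnk
            by_name[name] = StartupEntry(shortcut=name, shortcut_date=m.group("date"))
            order.append(name)
            continue
        m = TARGET_RE.match(line)
        if m and m.group("name") in by_name:
            entry = by_name[m.group("name")]
            entry.target = m.group("target")
            entry.publisher = m.group("publisher").strip()
    entries = [by_name[n] for n in order]
    for entry in entries:
        flag_entry(entry)
    return entries


if __name__ == "__main__":
    for e in parse_frst_startup(FRST_SAMPLE):
        print(f"{e.shortcut} [{e.shortcut_date}] -> {e.target}")
        print("   flags:", ", ".join(e.flags) or "none")
```

In this thread both entries turn out to be the poster's own batch files, which is the point of the check: the parser surfaces what needs confirming, and the person who knows the machine decides.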

2
Hello,
 
we are having an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looking more closely at approximately 50 infected files with the Adlice RK PE Viewer let me see that most of them have sandboxes, anti-debugging scanners / debugging blockers and stuff like that to protect themselves and hide from AV.
 
Concrete objects found by AV at least since the beginning of this infection (last Thursday), all PCs together:
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUMs and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not connected to the local Intranet at the time of the infection, so it stayed clean. We won't put it back in the network until the other PCs are cleaned.
 
Concrete symptoms are: some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on, which can't be opened), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files were just edited a short time ago, which has no visible effect.
 
Lastly, some programs are completely not working anymore, and 3 PCs have until now been unable to connect to the Internet.
 
In the hope that someone here can help me, I did scans with the Farbar Recovery Scan Tool on the 7 infected PCs.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected by the infection, so no Farbar scan)
 - SMARTBOOK (Android tablet, the only non-Windows business device) (not affected by the infection)
 
Greetings Lobas
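The symptom list in the post above (ransom-style extensions, files renamed to another normal type, damaged files, files touched recently) can be turned into a first-pass inventory of a share before anyone asks for sample files. The following script is an added example, not code from this thread or from any of the tools named in it. The magic-byte table, the 7-day "recent" window and the sample directory it builds are my own constructed assumptions, and it goes slightly beyond the post by also comparing each file's leading bytes with its extension, which separates "renamed" from "damaged or encrypted" cases.

```python
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Extensions the post reports on files that can no longer be opened.
RANSOM_EXTENSIONS = {".crypt", ".crypto", ".crypted", ".encrypted"}

# Assumption: a minimal magic-byte table; extend it for the file types the business really uses.
MAGIC = {
    b"%PDF": ".pdf",
    b"\x89PNG": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"PK\x03\x04": ".zip",   # also the container format of .docx/.xlsx/.pptx
}
ZIP_LIKE = {".zip", ".docx", ".xlsx", ".pptx"}
KNOWN = ZIP_LIKE | {".pdf", ".png", ".jpg"}

RANSOM = "ransom-style extension"
RENAMED = "renamed: content is another known type"
DAMAGED = "damaged or encrypted: header does not match extension"


def sniff_type(header: bytes):
    """Return the extension implied by the leading bytes, or None if unknown."""
    for magic, ext in MAGIC.items():
        if header.startswith(magic):
            return ext
    return None


def classify(path: Path) -> list:
    """Reasons to look at this file; an empty list means nothing stood out."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return [RANSOM]            # content is expected to be opaque; skip the header check
    with path.open("rb") as fh:
        header = fh.read(8)
    sniffed = sniff_type(header)
    if sniffed is not None:
        expected = ZIP_LIKE if sniffed == ".zip" else {sniffed}
        return [] if ext in expected else [RENAMED]
    if ext in KNOWN:
        return [DAMAGED]           # we know this type's header and it is not there
    return []


def triage_tree(root, since_days: int = 7) -> dict:
    """Walk a directory tree and summarise what matches the symptoms in the post."""
    since = time.time() - since_days * 86400
    root = Path(root)
    report = {"scanned": 0, "recent": 0, "flagged": {}, "by_reason": Counter()}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        report["scanned"] += 1
        if path.stat().st_mtime >= since:
            report["recent"] += 1      # "edited a short time ago" is counted, not flagged
        reasons = classify(path)
        if reasons:
            report["flagged"][path.relative_to(root).as_posix()] = reasons
            report["by_reason"].update(reasons)
    return report


def build_sample_tree(root) -> None:
    """Constructed sample files mirroring the symptoms; not real data from the thread."""
    root = Path(root)
    (root / "invoice.pdf.crypt").write_bytes(b"\x5a\xc3\x8e\x11" * 16)   # opaque blob
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 60)     # healthy OOXML header
    (root / "photo.jpg").write_bytes(b"%PDF-1.4\n%constructed")          # PDF renamed to .jpg
    (root / "scan.pdf").write_bytes(b"\x00" * 64)                        # PDF with no header
    (root / "notes.txt").write_text("untouched note")
    (root / "memo.txt").write_text("recently touched note")
    old = time.time() - 30 * 86400
    os.utime(root / "notes.txt", (old, old))                             # backdate one file


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    rep = run_demo()
    print(f"scanned {rep['scanned']} files, {rep['recent']} modified in window")
    for name, reasons in rep["flagged"].items():
        print(f"  {name}: {'; '.join(reasons)}")
```

Run it against a copy of the affected share rather than the live tree, and read "damaged or encrypted" as "open this one by hand"; a file whose header is gone is exactly the sample the helper in this thread asked for.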

3
RogueKiller PREMIUM / [IAT:Inl (Hook.IEAT)] Detection
« on: June 27, 2017, 03:04:13 pm »
Hi,

in my office, where I work as the software, hardware and network representative, RogueKiller PREMIUM detected 8 rootkits of the type named in the title at one workstation.

So, now I'm not sure what to do, how dangerous they are, and how to remove them, etc...

GMER confirmed the detection, but didn't mark them as dangerous.

Kaspersky TDSS Killer and Malwarebytes Anti-Rootkit BETA detected nothing, Dr. Web CureIt! and Comodo Cleaning Essentials nothing, too.

A lot of other rootkit tools I read about on the Internet didn't work properly, detected nothing, and one even carried malware with it.

I attach the logs of RogueKiller and GMER.

I hope somebody is able to help me with that problem.

Thanks to you

Greetings

Lobas
