

Messages - mist63

Pages: [1]
1
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: April 17, 2015, 12:13:20 pm »
I ran roguekiller without "nokill" option, and then I could use Windows update again. I installed .NET Framework 4.0 without any trouble. Then it found and installed 27 updates... Maybe this will be helpful to prevent the virus coming back? I'll let you know... need to restart the server 1st.

2
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: April 17, 2015, 09:37:36 am »
Hi Curson,

Thanks for your help and sorry not coming back to you earlier. I was stuck with other matters.
I'm afraid the problem is still there. I could not find the culprit, neither could I disconnect the server from the network, because I'm not at the place where the server is (remote connection).
I tried to install EMET, but it asks me for .NET Framework 4.0 and I cannot download it (white screen in IE or Firefox when I try). I cannot run Microsoft Update either: white screen.

Maybe Windows 2003 IS the culprit?  :-\
Probably the best solution would be to reinstall this server, though I have no time for this at the moment.

I'll have another try and I'll let you know.

Regards

3
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: March 16, 2015, 03:43:50 pm »
Hello,

I'm afraid it's back again. The customer told me this morning they have some trouble for a few days. They just "forgot" to tell me about it...

I ran roguekiller and ESET poweliks: still the same problem. When I run TDSSKiller with "loaded modules" option checked, I have to restart the server. Once it's restarted I got the attached message at startup when I log in.
Tried that this morning, seemed fine for a moment, but it was back in the afternoon.  :(

Any clue to get rid of this for good?
Thanks


4
RogueKiller / Re: ===> False Positives <===
« on: March 12, 2015, 02:12:06 pm »
Hello,

ESET File Security process detected:

RogueKiller V10.5.3.0 (x64) [Mar 10 2015] par Adlice Software

Système d'exploitation : Windows Server 2008 R2 (6.1.7601 Service Pack 1) 64 bits version
Démarré en  : Mode normal
Utilisateur : root [Administrateur]
Démarré depuis : C:\Archives Système\anti-spyware\RogueKillerX64.exe
Mode : Scan -- Date : 03/12/2015  10:16:01

¤¤¤ Processus : 1 ¤¤¤
[Proc.Injected] ekrn.exe(37200) -- C:\Program Files\ESET\ESET File Security\x86\ekrn.exe[7] -> Tué(e) [DrvNtTerm]

Best regards

5
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: March 05, 2015, 09:38:41 am »
Hi Curson,

FYI I had a look this morning and ran a roguekiller -nokill scan: it is still clean.
I will wait some days as you say to make sure it does not come back.

Thanks a lot for your help
Have a nice day

6
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: March 04, 2015, 09:33:58 am »
Hi Curson,

Yes the OS is Up to Date, I checked Microsoft Update this morning.

Please find attached the last RK 10.5 report. It seems fine to me, what do you think?
Except Symantec false positive submitted already. But no more traces of tr.gootkit or proc.svchost... I hope it will not come back.

Regards

7
RogueKiller / Re: Tr.gootkit + Proc.svchost
« on: March 03, 2015, 06:21:35 pm »
Hi Curson,

Thanks for your reply.
1. These 6 bat files were all created by myself...
- reboot1.bat to reboot5.bat are running NTBackup.exe in order to back up the server data every day (from Monday to Friday).
- deltemp.bat runs icsweep utility in order to clean the users' TEMP and temporary internet files folders every night.
I use these 6 files as scheduled tasks. Is there still any need to upload them?

2. TDSSKILLER
I ran it and followed your process but it did not find any threat.
Please find attached the log file.

Best regards

8
RogueKiller / Re: ===> False Positives <===
« on: March 03, 2015, 02:51:52 pm »
Hi Curson,

Same issue with RK v10.5.0 and Symantec:

RogueKiller V10.5.0.0 [Mar  2 2015] par Adlice Software
¤¤¤ Processus : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys[7] -> [NoKill]

¤¤¤ Registre : 25 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150228.011\IDSxpx86.sys) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.002\NAVEX15.SYS) -> Trouvé(e)

Regards

9
RogueKiller / Tr.gootkit + Proc.svchost
« on: March 02, 2015, 10:46:30 am »
Hello,
I just cannot get rid of Tr.gootkit and Proc.svchost on a customer's server. I have been working on it for weeks. Roguekiller removes it fine, but after a couple of hours it is already back and detected again.  :-\
- Server Windows 2003 + SP2 with Terminal Services installed.
- Symantec Endpoint Protection v12 installed as a client. A full scan does not detect anything wrong (fileless infection).
- attached: roguekiller last reports (this morning and last friday)

I tried to follow these instructions:
http://malwaretips.com/blogs/svchost-exe-virus-removal/
- ESET finds and removes the infection, but it keeps on coming back (same as roguekiller)
- MalwareBytes hangs during pre-scan ("SDKDatabaseLoadDefaults failed with code: 2")

There are actually about 15 users working daily on this server, so re-installing the OS would be my last choice indeed.
Is there anything I can do to prevent this infection from coming back, and finally solve this problem?
Please let me know if you need any further information.

Thanks for your help

10
RogueKiller / Re: ===> False Positives <===
« on: February 27, 2015, 02:55:27 pm »
Hi,
I think there is something wrong when Symantec Endpoint Protection is installed:

[Suspicious.Path] (SVC) BHDrvx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys[7] -> [NoKill]
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys[7] -> [NoKill]

[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150226.013\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.018\NAVEX15.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BHDrvx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20150224.015\BHDrvx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IDSxpx86 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150225.012\IDSxpx86.sys) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVENG (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVENG.SYS) -> Non sélectionné
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150226.002\NAVEX15.SYS) -> Non sélectionné

Full scan attached.
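The RogueKiller report excerpts in posts 8 and 10 share one line format: a `[Suspicious.Path]` tag, either a `(SVC) name -- path[n]` service entry or a `HKEY_...\Services\name (path)` registry entry, then `->` and the action taken. Here, as an added example that is not part of the original posts and is not Adlice's own code, is a small Python triage helper that parses that format and marks entries whose backing file sits under a known antivirus definitions directory as likely false positives, so an analyst can focus review on the rest. The allowlist (`KNOWN_DEFINITION_DIRS`), the sample report, and the `unknownsvc` entry are constructed for this example; the allowlist is a triage hint only, since a real file in such a directory still gets its signature and hash checked before an exclusion is written.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the format RogueKiller prints in the posts above
# (French action labels kept as the tool emits them). The last registry line
# is an invented, non-allowlisted entry so the triage has something to flag.
SAMPLE_REPORT = r"""
RogueKiller V10.5.0.0 [Mar  2 2015] par Adlice Software
¤¤¤ Processus : 1 ¤¤¤
[Suspicious.Path] (SVC) IDSxpx86 -- \??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150302.011\IDSxpx86.sys[7] -> [NoKill]

¤¤¤ Registre : 2 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NAVEX15 (\??\C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150302.019\NAVEX15.SYS) -> Trouvé(e)
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\unknownsvc (\??\C:\Documents and Settings\All Users\Application Data\unknown\unknownsvc.sys) -> Trouvé(e)
"""

# One report line: [Tag] <body> -> <action>
LINE_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<body>.*?)\s+->\s+(?P<action>.*)$")
# Service body: (SVC) name -- path[n]   (the trailing [n] is optional)
SVC_RE = re.compile(r"^\(SVC\)\s+(?P<name>\S+)\s+--\s+(?P<path>.*?)(?:\[\d+\])?$")
# Registry body: HKEY_...\Services\name (path)
REG_RE = re.compile(r"^(?P<key>HK[A-Z_]+\\\S+)\s+\((?P<path>.*)\)$")

# Assumed allowlist (constructed for this example): (vendor directory fragment,
# definitions subdirectory fragment) pairs that must both appear in the path.
KNOWN_DEFINITION_DIRS: Tuple[Tuple[str, str], ...] = (
    ("\\Symantec\\Symantec Endpoint Protection\\", "\\Data\\Definitions\\"),
)


@dataclass
class Finding:
    tag: str        # RogueKiller tag, e.g. Suspicious.Path
    kind: str       # "service" or "registry"
    name: str       # service name (last key component for registry entries)
    path: str       # backing file, with the NT "\??\" prefix stripped
    action: str     # what RogueKiller reported: [NoKill], Trouvé(e), ...
    likely_fp: bool
    reason: str


def normalize_path(p: str) -> str:
    """Strip the NT object-manager prefix so paths compare as plain Win32 paths."""
    return p[4:] if p.startswith("\\??\\") else p


def classify(path: str) -> Tuple[bool, str]:
    """Return (likely_false_positive, reason) from the allowlist above."""
    low = path.casefold()
    for vendor, defs in KNOWN_DEFINITION_DIRS:
        if vendor.casefold() in low and defs.casefold() in low:
            return True, "under known definitions dir " + vendor.strip("\\")
    return False, "path not in any known definitions directory"


def parse_report(text: str) -> List[Finding]:
    """Parse tagged RogueKiller lines; headers and section banners are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tag, body, action = m.group("tag", "body", "action")
        svc = SVC_RE.match(body)
        if svc:
            kind, name, path = "service", svc.group("name"), svc.group("path")
        else:
            reg = REG_RE.match(body)
            if not reg:
                continue  # some other entry type this example does not model
            kind, path = "registry", reg.group("path")
            name = reg.group("key").rsplit("\\", 1)[-1]
        path = normalize_path(path)
        fp, reason = classify(path)
        findings.append(Finding(tag, kind, name, path, action, fp, reason))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Entries an analyst still has to look at: everything not allowlisted."""
    return [f for f in findings if not f.likely_fp]


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.kind:8} {f.name:12} fp={f.likely_fp!s:5} {f.action:10} {f.reason}")
```

Run against a saved report (`parse_report(open("RKreport.txt", encoding="utf-8").read())`) the helper leaves the two Symantec entries marked as likely false positives and returns only the unknown driver from `needs_review`. Extending the allowlist to other vendors is a matter of adding a pair; the two-fragment match is deliberate so that a file merely dropped somewhere under `Application Data\Symantec` is not waved through.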

11
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: February 27, 2015, 02:48:34 pm »
Hi Curson,
Thanks for your answer, it works fine with the -nokill option.
To do a full system reinstall would be my last choice...
It found Tr.gootkit and proc.svchost once again, though I do not think it's the right place to post here?

12
RogueKiller / Re: ==> Crash/Hang/Block, please come here <==
« on: February 27, 2015, 10:39:32 am »
Hello,
I'm stuck with TR.Gootkit and proc.svchost found on a w2003 SP2 server for at least 2 weeks. At 1st it used to scan correctly and remove those infections. Trouble is that these viruses kept on coming back, I just can't get rid of them.
But since I updated to the newest version 10.4.3.0 (and even with 10.4.1 I believe), Roguekiller hangs during pre-scan at 80%, always.
I also get an "error opening process" when I try to get a full dump with Process Explorer.
It used to hang on NAVENG service, and now it hangs on NAVEX15 service.
FYI Symantec Endpoint Protection client v12 is installed and running on this server. Roguekiller seems to detect Symantec as false positive as well.
Find attached screenshots (doc file) and logs, though no more logs since the 19th of february, since roguekiller hangs during prescan.
I hope you can help me since I'm stuck?
Best regards
