Author Topic: Heavy Infection (many hints, no clear statement can be done) (Please stay+read!)  (Read 6001 times)

0 Members and 1 Guest are viewing this topic.

November 02, 2017, 07:17:46 AM

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Quote
The relevant information comes in the first reply, here an general overview!


Here, very short, is still the explanation. Finally, I have to put it SOMEWHERE! ;)


Quote
For the possibility that this thread is no longer viewed, I will open up a new one with more concrete description, type of help bidden for and more other Sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, a certain time co-exist. If the time comes a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.

Hello,

I'm Lobas and I've got a heavy problem. Just here I'm looking for help already since a while. Everything linked to the topic I will put here for better clarity, too.

There is also an explanation why a new post now.

This was the first query of me.

Quote
Hello,
 
we are having an unknown infection on 7 of 8 computers in our company.
 
I couldn't find much using various AV Programs and Tools.
 
Looked nearer at approximately 50 infected files with Adlice RK PE Viewer, let me see that the most of them are having sandboxes, anti-debugging scanner / debugging blocker and stuff like that to protect itself and hide of AV.
 
At least since beginning of this infection (last Thursday) concrete objects found by AV: (all PC together)
 
G DATA found 6 PSW-Tools and 3 OCS-Tools
ESET found 3 PSW-Tools
RogueKiller found 14 PUM's and 2 Rootkit IAT:Addr(Hook.IEAT)
 
The 8th computer was off and not hanging in the local Intranet by the time of the infection, so he stayed clean. We won't put him back in the network until the other PC are cleaned.
 
Concrete symptoms are: Some files are encrypted (new extensions like .crypt, .crypto, .crypted, .encrypted and so on which aren't possible to open), some files are just renamed or the extension was changed to another normal file type. Some files are damaged, which causes programs to hang often and crash. Some files are just edited shortly ago, which has no visible effect.
 
At least, some programs are completely not working anymore and on 3 PC's there is until now no ability to connect to the Internet.
 
In the hope, someone here can help me, I did scans with Farbar Recovery Scan Tool at the 7 infected PC's.
 

I hope someone here is able to help me with my problem!

PC Names:

 - PCSRV (Main PC)
 - PC01 (Secondary PC)
 - PC201701 ('DESKTOP-NO388OR') (Tertiary PC)
 - PC05 (Tertiary PC)
 - STUMPF-HP (Notebook)
 - NETBOOK (Notebook)
 - TVW-TC-1671 (Auxiliary PC)

 - STUMPF-PC (Notebook) (not affected of infection, so no Farbar Scan)
 - SMARTBOOK (Android tablet, only non-Windows business device) (not affected of infection)
 
Greetings Lobas

The next is a bit of communication over the problem, with an experienced user.

Quote
Hi Lobas,

Could you please attach G-DATA, ESET and RogueKiller reports of the first computer with your next reply ?
Please also attach some of the crypted files (at least one .crypt and one with a "normal" extension type file).

Do you know the following files ?
Code: [Select]
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()

Regards.
« Last Edit: October 31, 2017, 04:50:27 pm by Curson »


Hi,
am I right with that you only want logs with catches or isn't that the point?

Yes if I find one I will, but it feels like them already getting fewer for no known reason.

Yes this files are batches I wrote myself to log on the computer on the Network drives and to automatically wipe out the most common sources of application errors in the company's main work program.

Hi Lobas,

Quote
am I right with that you only want logs with catches or isn't that the point?

Yes, you are perfectly right.

Quote
Yes if I find one I will, but it feels like them already getting fewer for no known reason.

Without an encrypted file, it will be difficult to accurately determine the type of the infection.
Was a ransom demand present with the encrypted files ?

Quote
Yes this files are batches I wrote myself to log on the computer[...]

Thanks for the confirmation.

Regards.

No, until now no demand was seen.

Attached are two logs of PCSRV I found: Smadav log from 25th October and ClamWinPortable (screenshot of catches) from 30th October.

EDIT: From ESET logs I can only partial screenshots give. Attached first 3 Logs of 26th/27th October.

Hi Lobas,

Neither ClamAV nor EST did detect a ransomware.
At this point, I think that your files has been corrupted by something non-malware related, so there is little I can do to help you.

Regards.

Let's put in a break here!


Because, that's the point I recognized I'm providing not enough of information somebody can proper work with.
That's also the reason why I insisted so to the user, who was intending to let my topic behind. This insist, like said, is of course open to everybody who has the ability, the time and is up for it to help me!


From now I planned to go into the problem another way!


Quote
Maybe Ransom-/Crypto-/Doxware plays a role in this, maybe a smaller one. But it's completely clear that a heavy malware infection is taking place.

For this I can give you more concrete facts.

I will try to deliver as much as possible of useful information.

First, please let's stay with the Farbar logs. Still looking mostly at PCSRV (also because the 5 holidays ago are now over and today normal business is starting again. PCSRV plays a central role for the proper work of the Network and all attached devices. Furthermore PCSRV is one of the PC's since beginning of infection has got no working Internet connection anymore. That's a big problem looking forward to normal work should be possible again.)

Under the given circumstances I am pleading at you, Curson, and surely any other person which may is able to provide any form of help, to please stay at this topic and try to help / find solutions / correct & complete my proposals for what to do next.

Please just stand by.

Thanks.

'I will start to ask concrete questions about Farbar and how to deal with it starting in the next post.'

Some talking of mine again, but now the interesting part begins!
+Looking for help, at doing the disinfection of our network alone with the information provided by Farbar and at some points requesting help here in the forum+


Quote
The relevant information comes in the first reply, here an general overview!


Quote
For the possibility that this thread is no longer viewed, I will open up a new one with more concrete description, type of help bidden for and more other Sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, a certain time co-exist. If the time comes a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.

The Farbar logs are in the same sequence as the PC's in the table "PC Names" somewhere above. Alternatively, the Computer Name is already written in the heading of each log.
« Last Edit: November 02, 2017, 10:28:18 AM by Lobas »

Reply #1November 02, 2017, 08:01:23 AM

Lobas

  • Newbie

  • Offline
  • *

  • 18
  • Reputation:
    0
    • View Profile
Ok, let's start with PCSRV. It's disinfection is the most urgent.

Like said, please correct me if I'm thinking wrong, complete what I try to concern about and help me if I'm just asking questions against the background of limited knowledge! I would be very pleased if you could manage it to support me trying to get to the problem starting somewhere.  :)

Processes:

Is it right to do nothing at this point or should the following process maybe be kicked? Or are there potential signs of bad processes I completely not recognized?
Quote
- () C:\Windows\System32\igfxTray.exe



Registry:

I'm somewhat irritated of the following objects. Should they be deleted?
Quote

 - HKLM\...\Run: [bg-info] => [X]
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer: [DisallowRun] 1
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [1] Mshta.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [2] powershell.exe
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\...\Policies\Explorer\DisallowRun: [3] bitsadmin.exe


At next, these objects should(!) all be legit, but why are they getting into that list? Also they would be not uncommon places for infection (Startup/Bootsectors, Shortcuts & .bat, .vbs & .exe files).
Should I still trust them, like I did until, (prophylactic) remove or just stay watching them?
Quote


Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fehlerquellen beheben.bat - Verknüpfung.lnk [2017-10-25]
ShortcutTarget: Fehlerquellen beheben.bat - Verknüpfung.lnk -> C:\Users\praxis\Kurzeinführung Fehlermanagement\Fehlerquellen beheben.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\hevos.lnk [2017-08-08]
ShortcutTarget: hevos.lnk -> C:\Program Files (x86)\henova GmbH\hevos\Hevos.GUI.Client.exe (Henova GmbH)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\login.bat - Verknüpfung.lnk [2017-08-02]
ShortcutTarget: login.bat - Verknüpfung.lnk -> C:\Users\login.bat ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NetScaler Gateway.lnk [2017-10-18]
ShortcutTarget: NetScaler Gateway.lnk -> C:\Program Files\Citrix\Secure Access Client\nsload.exe (Citrix Systems, Inc)
Startup: C:\Users\praxis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\An OneNote senden.lnk [2017-08-18]
ShortcutTarget: An OneNote senden.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)


Internet:


1st: Why the hell is the hosts file not in it's normal folder? How can something like that happen? A problem I never heard of before, but IMO, that sounds alarming.

2nd: This object should be removed immediately, is that correct? I'm remembering stuff like DHCPNameServers as very dangerous.

Quote
Tcpip\..\Interfaces\{3AADAA47-6D23-471E-B154-362A0384390D}: [NameServer] 192.168.2.1

3rd: Browsers:

The following stuff hanging in IE, FF & Chrome.
It wouldn't be a mistake to wipe out this junk, would it?

Quote
Internet Explorer:
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
 - HKU\S-1-5-21-3146790960-243109670-543054657-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-de/?ocid=iehp
 - BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
 - BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\ssv.dll [2017-08-08] (Oracle Corporation)
 - BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\URLREDIR.DLL [2017-10-19] (Microsoft Corporation)
 - BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-08] (Oracle Corporation)
 - Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)
 - Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-19] (Microsoft Corporation)

Mozilla Firefox:
 - FF DefaultProfile: 1u3d5r8x.default
 - FF ProfilePath: C:\Users\praxis\AppData\Roaming\Mozilla\Firefox\Profiles\1u3d5r8x.default [2017-10-26]
 - FF Plugin: @Citrix.com/npagee64,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @Citrix.com/npagee,version=11.0.70.12 -> C:\Program Files\Citrix\Secure Access Client\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin-x32: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files (x86)\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-08] (Oracle Corporation)
 - FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
 - FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-02] (Google Inc.)
 - FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-01] (Adobe Systems Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee.dll [2017-03-15] (Citrix Systems, Inc.)
 - FF Plugin ProgramFiles/Appdata: C:\Users\praxis\AppData\Roaming\mozilla\plugins\npagee64.dll [2017-03-15] (Citrix Systems, Inc.)

Google Chrome:
 - CHR Profile: C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default [2017-10-26]
 - CHR Extension: (Präsentationen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-16]
 - CHR Extension: (Docs) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
 - CHR Extension: (Google Drive) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-08-02]
 - CHR Extension: (YouTube) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-08-02]
 - CHR Extension: (Tabellen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-16]
 - CHR Extension: (Google Docs Offline) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-08-02]
 - CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-10-10]
 - CHR Extension: (Google Mail) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-08-02]
 - CHR Extension: (Chrome Media Router) - C:\Users\praxis\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-10-10]

Quote
For the possibility that this thread is no longer viewed, I will open up a new one with more concrete description, type of help bidden for and more other Sysinfo including potential other (non-Farbar) logs. At first the two threads can, viewed from my point of action, a certain time co-exist. If the time comes a Mod wants to see everything in one, no problem, too. Just explaining why I am doing this.
« Last Edit: November 02, 2017, 09:21:12 AM by Lobas »

Reply #2November 02, 2017, 02:12:03 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Hi Lobas,

This thread is locked as duplicate.
Please continue here.

Regards.