What to make of this? 2

[Noway2]

Last Friday, I received an email forwarded to me with the data below. I am not sure about the details of the detection system in play here, but it looks like some form of packet sniffing that picked up some malware signature of an Windows executable. My PC is behind a proxy server, and the proxy was flagged as the "host" in this case, but it apparently mapped the connection to my PC. What is particularly interesting is the SRC and DST address of the packet, neither of which are mine or the anywhere near our network(s). At the time of the alert, I was probably doing some random browsing as I had a heavy processing task working in the background. I did not download this file.

In response, I captured a process output and a network connection output and correlated the two via PID. I did not see any unusual network connections or processes. I ran a scan with Symantec and Malwarebytes. The former found a very-low risk category Java trojan in the Internet temp folder and deleted it (killing the time stamp, (thanks Symantec)) and MB came up completely clean.

I've Googled the 'strings' in the email below and have come up blank. Dshield, KB Bot Hunter, and a few other sites report no threats associated with these IP other than one is on a couple of spamhaus RBLs for SPAM and the other has a lot of MX records associated with it and different domain names. To me this looks like some form of XSS, especially given the odd source and destination that aren't mine. Any thoughts as to what this may have been or might be?

Body: FILE-IDENTIFY Portable Executable binary file magic detection (1:1000207) T=
imestamp : 2012-06-07 11:31:46
Internet Protocol, Src: 91.205.74.64 (91-205-74-64.arpa.teredo.pl), Dst: 15=
2.2.91.188 (Cannot Resolve) Transmission Control Protocol, Src Port: 80 (80=
), Dst Port: 8775 (8775), Seq: 1, Ack: 1, Len: 1460  Packet Text
........
._@..E....u@.7...[.J@..[..P"G....@...P.. .&..HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 07 Jun 2012 15:30:37 GMT
Content-Type: application/octet-stream
Content-Length: 117760
Connection: close
X-Powered-By: PHP/5.3.13-1~dotdeb.0
Content-Disposition: inline; filename=3DGXMtPBIs.exe

MZ......................@.

 

[Noway2]

Follow up:

Subsequent to this incident, I have been having a strange side effect. Upon startup, I started getting reports that the file "C:\Documents and Settings\myuser\Local Settings\Application Data\{FC7C2735-B0B5-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul" has been deleted/quarantined as it supposedly contains Infostealer. From what I can tell, this malware is designed to mask itself in a manner to make Firefox think that is a valid plugin, that then launches a keylogger when certain, mostly banking, sites are accessed.

Repeated anti-malware scans, including Symantec and MB are showing no issues. Deleting this item, and rebooting causes it to reappear. This occurs after synchronization to the network drives, and if the network connection is left undone, the folder reappears but no alert is generated.

Any suggestions for how to get rid of this bug?

 

[goombawaho]

Your first post blew me away (the how and why analysis), but onto removal of the bug.

I'd do these three scans in this order with a reboot in between as called for.
1. TDSSKiller
2.

http://anywhere.webrootcloudav.com/antizeroaccess.exe

3. With anti-virus software uninstalled, followed by a temp file and registry cleanup using CCleaner and then a reboot, run COMBOFIX

This occurs after synchronization to the network drives, and if the network connection is left undone, the folder reappears but no alert is generated.

Network drive possibly infected itself causing this to reoccur?
Perhaps a false alarm also?

 

[Noway2]

Thank you for your help!

So far, I have run the TDSSKiller and Anti-zero. Both of these have come up clean. I have pasted the log files here, but it will expire on (7-14-12):

http://pastebin.com/mHiUg3M7

The next step will be to run combofix. In order to that, I will need to get the AV disabled but I am pretty sure this will take an admin account higher than my credentials (even though I have admin privilege, I think this is overridden in GP), which I am currently working on.

 

[goombawaho]

I wasn't really expecting the first two to find anything, but I like to run them (plus malwarebyte's which you've already done) just to rule out some of the common infections.

I don't know if DISABLING the Norton will be enough to keep Combofix from complaining that (loosely quoted) "an anti-virus program is active, please deactivate before proceeding".

Give it a shot though. If not, it will have to be removed and perhaps you will even have to use the Norton remover to flush everything out.

Verify for me two things:
1. You are in IT and not "just" a user
2. This is not a server you are working on.

If you were a user, I would say leave it to IT
If this was a server, I would hesitate to run Combofix on it. Just for CYA purposes.

 

[Noway2]

I am more than a normal user being one of two domain level admins, but were not part of the IT department. This is a university and we have a joint-split authority with IT that services our department. On certain areas of the system, such as our dept servers, I and one other individual have absolute authority and IT stops at the building switch (they don't even want to touch them). The machine in question is a laptop workstation (mine, which makes it all the more embarrassing) and for these situations, I and the other person are the primary domain admins / support people for our department. When things go outside of our realm or ability to handle, such as group policy or campus wide network shares, we work jointly with the IT. I'm am pretty close knit with them and I have been keeping them in the loop, but they are overloaded right now, so I am doing as much of the legwork as I can while keeping them appraised of the progress (or lack thereof).

I do most of my normal work as a non-privileged user, which is what would have been running when this issue occurred, which to be honest makes it all them ore puzzling how it could entrench this deep. I have been avoiding logging in as an admin as this will give network wide privileges, so I am going to take this machine off network before I do. What I am not 100% sure of, but will find out momentarily is if my admin privilege is sufficient to disable the anti-virus.

 

[Noway2]

Followup:
My admin credentials let me disable the symantec and I can bring up the add/remove programs and it lets me select it for removal, so it looks like my privileges may be sufficient. I will need to double check where I can get the copy of it to re-install post combo-fix, but running combo fix is my next step. Stay tuned.

 

[goombawaho]

Yeah, good call on disconnection from network unless combofix asks to be connected for some reason. But disconnect initially unless it needs the connection AND once the scan begins.

It's a bit scary not knowing what this is and if it could venture out of your box and into the network.

 

[Noway2]

Update:

I was able to uninstall Norton/Symantec and then run Combofix. Combofix seems to have removed the nasty. I then ran CC and had it clear the stuff like temp, cache, etc and then also run a free space wipe. I then ran a registry cleaner on it. Upon a reboot, the "C:\Documents and Settings\myuser\Local Settings\Application Data\{FC7C2735-B0B5-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul" folder stopped appearing. Interestingly, the combofix seems to have targeted some things associated with this piece of funware. Here are some log snips, key ones in bold:

Upon reboot, I started getting rundll errors about rfdtrs.dll and seltwm.dll. A simple regedit took care of these. The malware is apparently designed to embedded into Firefox and appear as a valid plugin that then keylogs when the right sights are hit. Combofix definately targeted some mozilla oriented items, which I suspect were the problem.

I also discovered that Windows Defender wasn't running (I noticed this the other day too). I suspect that the malware may have disabled, actually destroyed it as it wouldn't restart and complained about not being able to start the service. I removed and re-installed Windows Defender. Unfortunately, it isn't wanting to update. It may use IE settings for the proxy and couldn't connect. I logged in as a normal user, which normally ran it just fine and it is giving me the castle with a ! and not checking for updates. When ran as an admin, the Mr. Fixit says that there are some problems with the Windows Update, but it can't resolve them. Again, I suspect that the malware tries to kill updates and defender to prevent detection and removal.

So, that is where things stand at the moment. I need to see if I can get updates to run and see if I can get defender to run, but the malware seems to be gone.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\myuser.local\GoToAssistDownloadHelper.exe
[b]c:\documents and settings\myuser\Application Data\rfdtrs.dll
c:\documents and settings\myuser\Application Data\seltwm.dll[/b]
(((((((((((((((((((((((((   Files Created from 2012-05-14 to 2012-06-14  )))))))))))))))))))))))))))))))
.
.
2012-06-14 14:02 . 2012-06-14 14:02	--------	d-----w-	C:\TDSSKiller_Quarantine
2012-06-13 14:01 . 2012-06-13 14:01	--------	d-----w-	c:\documents and settings\myuser\Local Settings\Application Data\{FC7C2735-B0B5-11E1-8270-B8AC6F996F26}
2012-06-12 12:29 . 2012-05-08 16:40	6737808	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B47811D8-ED91-4D47-A416-3459EADD8675}\mpengine.dll

....

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 13:22 . 2008-04-14 09:41	599040	----a-w-	c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2008-04-14 09:42	832512	----a-w-	c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-04-14 05:00	1863168	----a-w-	c:\windows\system32\win32k.sys
2012-05-08 16:40 . 2010-07-19 21:14	6737808	----a-w-	[b]c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll[/b]
2012-05-04 13:16 . 2008-04-14 04:54	2148352	----a-w-	c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-04-14 00:01	2026496	----a-w-	c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2010-07-19 12:50	139656	----a-w-	c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46 . 2008-04-14 09:42	1830912	------w-	c:\windows\system32\inetcpl.cpl
2012-04-23 14:46 . 2008-04-14 09:41	78336	----a-w-	c:\windows\system32\ieencode.dll
2012-04-23 14:46 . 2008-04-14 09:41	17408	----a-w-	c:\windows\system32\corpol.dll
2011-10-26 14:53 . 2011-09-22 19:02	134104	----a-w-	[b]c:\program files\mozilla firefox\components\browsercomps.dll[/b]

 

[DrZogg]

Thanks for logging your finds. I have seen a few interesting virus. In one instance a rootkit had replaced the original winlogon.exe and the time efficient method of repair was to reimage. I have seen others that have hidden downloaders etc, that are compiled locally and again hide in %appdata% location. In these instances the computers would seem to hang for hours while rebooting.
Is there also the possibility of browser jacking.

 

[goombawaho]

Ok - cool. Glad things are better. rfdtrs.dll and seltwm.dll don't come back with anything meaningful from a Google search, so they are most certainly VARIABLE file names used by malware to hide itself. Keep a close watch on the system for the next week or so.

I use combofix as the last step before saying "format, reload". You kind of have to have faith when you run it because it's like turning a dog loose in the neighborhood. You hope it plays well with others and doesn't bite anyone. In other words, very rarely it may disable your computer from booting and thus is not recommended for use by non-IT types that couldn't undo the changes.

 

[kjv1611]

[ROFL2]

You kind of have to have faith when you run it because it's like turning a dog loose in the neighborhood. You hope it plays well with others and doesn't bite anyone.

Gave me a good laugh for the day.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57

 

[Noway2]

It looks like I have been chasing a poltergeist in the recovery process. Prior to this event, I had been running Windows Defender and Symantec. I saw the defender was disbabled and spent the last several hours trying to restore it, only to learn that this was by design:

http://www.symantec.com/business/support/index?page=content&id=TECH103119

A little bit ago, I spoke with one of the guys in the IT department to follow up on this series of events. Sometime this evening he is going to come by with an XP disk and run a check to verify the system binaries and a couple of other things for me. Hopefully with any luck, this thing is in the clear.

 

[2ffat]

Did you save any of the files? Did you think about sending them to Symantec for dissecting?


James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[Noway2]

Yes, I still have them in a quarantine directory. That is a good thought about sending them in for analysis as it obviously able to sneak in past the existing Symantec that had been recently updated (less than a week).

 

[goombawaho]

able to sneak in past the existing Symantec that had been recently updated (less than a week)

Comments:
- Why NOT updated DAILY?? Limitation in your environment?
- I've seen malware get by EVERY brand of A/V (paid, unpaid, corporate, home user)

Interesting about the defender disabling.

http://www.symantec.com/business/support/index?page=content&id=TECH103119

 

[Noway2]

@goombawaho,you might want to take a look at this link:

http://www.techsupportforum.com/forums/f100/solved-windows-xp-firewall-wont-649930.html#post3769577

In particular posts #6 and #9. It looks like my timing for running CF may have been bad as apparently it was released with a bug that causes it to rename some DLL files preventing windows updates from running. The answer is to download the updated (fixed) version, which I did. I haven't run it yet. My plan was to image the HDD first in case I wind up with a proverbial brick and once I get a successful copy, I will rerun it.

So far, I've done a repair install of Win-XP, which dind't help and then subsequently updated IE which got reverted back to rev 6 in the process. My Windows updates and remote desktop don't work. Re-running CF may fix the updates and I am going to try to re-install the TS client.

 

[goombawaho]

A cautionary tale. Well, that's why somewhere I posted something like "buyer beware because it's free" - both my advice and combofix. Reminds me of the Pink Panther movie - "Does your dog bite?".

But seriously, that's unfortunate timing and sorry it happened to you. I really don't understand why re-running CF will FIX the problem, but that would be nice if they cleaned up the mess for you.

Good call on imaging first. That would ALWAYS be a good step for ANY malware removal, but I'm sure it's only done about 1% of the time.