Author Topic: Interesting Case  (Read 42645 times)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #30 on: January 23, 2014, 04:45:20 PM »
Hi essex. I'm on Skype with Hack/Bailey. I'll hand the file over here in a second. He's worried about the malware spreading to his network. Should he be worried?

Most exe files still will not run.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Interesting Case
« Reply #31 on: January 23, 2014, 04:46:11 PM »
I would recommend that he disconnect from the network. What are the current symptoms?

Offline Michael (alan1998)

Re: Interesting Case
« Reply #32 on: January 23, 2014, 04:58:03 PM »
Most EXEs will not run, mostly Skype and games. Random refresh of all .ico files on the desktop.

Offline essexboy

Re: Interesting Case
« Reply #33 on: January 23, 2014, 06:48:09 PM »
OK, let's get a full analysis on the system.
This is a two-part run. First we will get a second opinion scan, then run an analysis on the remnants. The zip file will need to be uploaded to a file sharing site for collection.

Download AVPTool from Here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
Select the cog to access scan areas.

On the first tab select all elements down to OS C and then select start scan.

Once it has finished, select reports and post the detected threats.

Now an analysis scan.
Select the Manual Disinfection tab.
Press the Gather System Information button.

Once it has completed, then click Step 2 Report sending.

Click avptool.sysinfo.zip
and you will be taken to the zip file that needs to be attached.

Offline Michael (alan1998)

Re: Interesting Case
« Reply #34 on: January 23, 2014, 07:12:43 PM »
That leads to a setup file for Kaspersky.

Offline essexboy

Re: Interesting Case
« Reply #35 on: January 23, 2014, 07:15:57 PM »
Yep, they make AVP, which has a nice analysis mode (basically an updated version of AVZ).

Offline Michael (alan1998)

Re: Interesting Case
« Reply #36 on: January 23, 2014, 07:36:12 PM »
Is it supposed to take 12 hours?

Offline essexboy

Re: Interesting Case
« Reply #37 on: January 23, 2014, 07:38:42 PM »
Depends on how large the drive is. You can let it run for 20 minutes or so and see if it reports anything, and then stop and go direct to the analysis scan (that takes about 5 minutes).

Offline Michael (alan1998)

Re: Interesting Case
« Reply #38 on: January 23, 2014, 07:56:43 PM »
Okay, he stopped the scan at 30 mins. However, there is no Manual Disinfection. Any other ideas?

Edit: I've given Temp access to my account for Bailey. After this is done, I'll change my password.
« Last Edit: January 23, 2014, 07:58:36 PM by alan1998 »

Offline essexboy

Re: Interesting Case
« Reply #39 on: January 23, 2014, 08:30:52 PM »
This is the analysis scan and will take but a few minutes.

From the scan I will be able to generate a disinfection script.

Now an analysis scan.
Select the Manual Disinfection tab.
Press the Gather System Information button.

Once it has completed, then click Step 2 Report sending.

Click avptool.sysinfo.zip
and you will be taken to the zip file that needs to be attached.

Offline Michael (alan1998)

Re: Interesting Case
« Reply #40 on: January 23, 2014, 08:34:17 PM »
Yes, I understand. The problem is that in the top left corner, by Automatic Scan, there is no Manual Disinfection scan as it shows in the pic info you posted. BTW, this is Bailey.

Also, to clarify, there is no Manual Disinfection scan, and sorry for bad spelling.
« Last Edit: January 23, 2014, 08:39:51 PM by alan1998 »

Offline essexboy

Re: Interesting Case
« Reply #41 on: January 23, 2014, 08:36:42 PM »
Intriguing. Did it detect anything whilst running?

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Offline Michael (alan1998)

Re: Interesting Case
« Reply #42 on: January 23, 2014, 08:42:20 PM »
No, it did not find anything. I stopped it at 32:25; that was 45 min ago, and 511105 objects were scanned.

Offline essexboy

Re: Interesting Case
« Reply #43 on: January 23, 2014, 08:45:23 PM »
When you try to run an exe, what error do you get?
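The question above (what happens when an exe is launched) is what a responder would answer with a read-only check before touching anything. The following PowerShell is an added example, not code from this thread or from any of the tools it mentions. It assumes the standard Windows class-registration keys for .exe (the `.exe` ProgID, `exefile\shell\open\command`, and Image File Execution Options), which are one common place a "no executables will run" symptom is explained; the thread itself does not establish the cause on this machine. The notepad path used for the launch test is also an assumption. Run it from an elevated prompt; it reads the registry and reports, and changes nothing.

```powershell
# Added example, not from the thread: read-only triage of why .exe files
# fail to launch. Assumes a stock Windows (Vista or later) class registration
# and an elevated PowerShell prompt. Nothing here modifies the system.

$ExpectedOpenCommand = '"%1" %*'   # stock value of exefile\shell\open\command

function Get-RegDefault {
    param([string]$Path)
    # Returns the key's (default) value, or $null if the key is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeLaunchPath {
    $findings = @()

    foreach ($hive in 'HKCU', 'HKLM') {
        # 1. The .exe extension should map to the 'exefile' ProgID. A per-user
        #    entry under HKCU overrides HKLM, so both hives are checked.
        $progId = Get-RegDefault "${hive}:\Software\Classes\.exe"
        if ($null -ne $progId -and $progId -ne 'exefile') {
            $findings += "[$hive] .exe mapped to ProgID '$progId' (expected 'exefile')"
        }

        # 2. The open command should be exactly "%1" %*. Anything else means
        #    every executable is routed through some other program first.
        $cmd = Get-RegDefault "${hive}:\Software\Classes\exefile\shell\open\command"
        if ($null -ne $cmd -and $cmd -ne $ExpectedOpenCommand) {
            $findings += "[$hive] exefile open command is '$cmd' (expected '$ExpectedOpenCommand')"
        }
    }

    # 3. Image File Execution Options: a 'Debugger' value makes Windows start
    #    that program instead of the named executable. Such entries are rare
    #    on an end-user PC, so every one found is listed for review.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO debugger for $($_.PSChildName): '$dbg'" }
    }

    return $findings
}

function Get-ExeLaunchError {
    # Assumed test target: a known-good system executable. Launching it
    # through the shell and capturing the exception text answers "what error
    # do you get" without the user having to read it off a dialog.
    param([string]$Path = "$env:SystemRoot\System32\notepad.exe")
    try {
        $p = Start-Process -FilePath $Path -PassThru -ErrorAction Stop
        Start-Sleep -Seconds 1
        if (-not $p.HasExited) { Stop-Process -Id $p.Id -ErrorAction SilentlyContinue }
        return "Launched OK: $Path"
    } catch {
        return "Launch failed: $($_.Exception.Message)"
    }
}

$results = @(Test-ExeLaunchPath)
if ($results.Count -eq 0) { 'No .exe association or IFEO anomalies found.' } else { $results }
Get-ExeLaunchError
```

The output is meant to be pasted into the thread alongside the scanner logs: a non-stock open command or an unexpected Debugger entry explains the "exes won't run" symptom directly, while a clean result plus a launch failure message points the helper elsewhere (permissions, a missing file, or a blocked process) before any fix is attempted.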

Offline Michael (alan1998)

Re: Interesting Case
« Reply #44 on: January 23, 2014, 08:50:45 PM »
Um... I don't know what you mean. Sorry, I'm not the best at this, but I'm getting better :) So can you explain how I can find it? Thanks.

BTW, I'm talking about the error thing. I'm currently running Farbar.
« Last Edit: January 23, 2014, 08:54:06 PM by alan1998 »