Help Identifying malware from network perspective
#1
Posted 26 August 2011 - 06:02 PM
#2
Posted 27 August 2011 - 01:42 PM
http://www.microsoft...n/ms11-017.mspx
http://www.microsoft...n/ms11-065.mspx
http://securityrespo...y.jsp?bid=49040
Port 53 is DNS so they may be looking up IP addresses for some reason or trying to use this exploit:
http://blogs.technet...-execution.aspx
You can probably tell the firewall to block port 3389 traffic in both directions. Port 53 may be a problem depending on how they get their DNS. I assume they have a local DNS, so you would just have to allow it to use 53.
Can you get them to run an OTL scan on one of the infected machines?
Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.
Run OTL (Vista or Win 7 => right click and Run As Administrator), select the All option in the Extra Registry group, then Run Scan.
You should get two logs. Please copy and paste both of them.
Ron
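The reply above boils the network side down to two indicators: RDP (tcp/3389) crossing the perimeter in either direction, and DNS (udp/53) going anywhere other than the local resolver. The script below is an added example, not from this thread or from OTL; it runs that check over a few constructed connection-log lines and assumes a 192.168.1.0/24 LAN with 192.168.1.2 as the only legitimate resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not from the thread):
# timestamp,src_ip,dst_ip,proto,dst_port
SAMPLE_LOG = """\
2011-08-27T10:00:01,192.168.1.20,192.168.1.2,udp,53
2011-08-27T10:00:02,192.168.1.20,203.0.113.9,tcp,3389
2011-08-27T10:00:03,192.168.1.31,198.51.100.44,udp,53
2011-08-27T10:00:04,192.168.1.31,192.168.1.2,udp,53
2011-08-27T10:00:05,203.0.113.9,192.168.1.45,tcp,3389
2011-08-27T10:00:06,192.168.1.60,192.168.1.50,tcp,3389
2011-08-27T10:00:07,192.168.1.20,203.0.113.9,tcp,3389
"""

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
LOCAL_DNS = {ipaddress.ip_address("192.168.1.2")}   # assumed local resolver

def parse_log(text):
    """Parse the CSV-style log into (ts, src, dst, proto, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split(",")
        rows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     proto.lower(), int(port)))
    return rows

def find_suspects(rows):
    """Map each LAN host to the sorted reasons it matched the thread's indicators."""
    findings = defaultdict(set)
    for ts, src, dst, proto, port in rows:
        src_in, dst_in = src in INTERNAL, dst in INTERNAL
        # RDP only matters here when it crosses the firewall (one side external).
        if proto == "tcp" and port == 3389 and src_in != dst_in:
            if src_in:
                findings[str(src)].add(f"outbound RDP to {dst}")
            else:
                findings[str(dst)].add(f"inbound RDP from {src}")
        # DNS from a LAN host to anything but the local resolver is unexpected.
        elif proto == "udp" and port == 53 and src_in and dst not in LOCAL_DNS:
            findings[str(src)].add(f"DNS to non-local resolver {dst}")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(parse_log(SAMPLE_LOG)).items()):
        print(host, "->", "; ".join(reasons))
```

Lateral RDP between two LAN hosts (192.168.1.60 to .50) is deliberately left out because it never reaches the perimeter firewall the reply is talking about.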
#3
Posted 27 August 2011 - 02:09 PM
http://www.networkst...d=25570&Posts=6
Appears this is a brand new one.
Apparently it is hiding in one of the svchost.exe services. OTL will see that better with a custom scan:
Copy and Paste the following text into the custom scan textbox (screenshot not included):
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
Push Quick Scan
A report will open. Copy and Paste that report in your next reply.
Ron