#1
Windows 7 Pro, 64-bit.
Malwarebytes Pro and MSE running. I tried ComboFix, Malwarebytes in safe mode, SAS, D7 malware removal. Any ideas? Thanks.
#2
Can you tell what port it's using? If not, get SmartSniff from nirsoft.net, start it up and watch what it's trying to do.
I would also use a Kaspersky boot disk so you can get around the O/S completely.
#3
I will check that out later when I get home. Thanks.
#4
+1 for Kaspersky Rescue Disk, or slave the drive to a computer with Kaspersky on it and scan it from there. Also, MBAM will find more in regular mode than it will in safe mode. You may want to try HitmanPro too.
__________________
Compudoc Computer Repair
#5
Server IP: 112.175.243.23
Country: Korea, Republic Of
Region: Kyonggi-do
City: Seoul
Internet Service Provider: Korea Telecom
Server Host Name: 112.175.243.23
http://www.bizimbal.com/odb/details.html?id=917600

Seems this site is used a lot for DDoS attacks. If the Kaspersky Rescue CD does not find anything, then try the VBA32 rescue CD; it seems to find more malware than any other boot CD.

Last edited by Galdorf; 06-21-2012 at 11:51 AM.
#6
This is what aswMBR detected:

08:42:39.791 Service scanning
08:42:50.259 Service Mcx2Svc C:\Windows\SysWOW64\Mcx2Svc.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:42:58.152 Service RemoteAccess C:\Windows\SysWOW64\mpreim.dll **INFECTED** Win32:Sirefef-YL [Trj]
08:43:09.665 Modules scanning

I manually removed both files in safe mode. Do you guys think that is enough?
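Both aswMBR hits above are svchost-hosted services whose ServiceDll registry value had been pointed at a file under SysWOW64 instead of System32, which is the usual Sirefef/ZeroAccess pattern: the service name stays legitimate and only the DLL behind it changes. The following script is an added example, not something posted in this thread or shipped by any of the tools mentioned; it enumerates every ServiceDll value under the Services key, expands it, and flags DLLs that are missing, live outside System32, or do not carry a valid Authenticode signature, and records a SHA-256 so the file can be compared against the same DLL on a known-clean machine. It assumes an elevated prompt and PowerShell 4.0 or later (for Get-FileHash); the script name, the parameter names and the offline-hive path in the comment are my own choices.

```powershell
# Find-SuspiciousServiceDll.ps1 (hypothetical name; added example, not from the thread).
# Lists every service loaded into svchost through a ServiceDll value and flags the
# entries a responder should inspect first. Assumes PowerShell 4.0+ and an elevated prompt.
param(
    # Registry key holding the service definitions. To scan a slaved drive, load its
    # SYSTEM hive with reg.exe and point this at e.g. HKLM:\OfflineSystem\ControlSet001\Services
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
    # Directory the 64-bit svchost expects its service DLLs to come from
    [string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32')
)

$results = foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $paramsKey = "$($svc.PSPath)\Parameters"
    if (-not (Test-Path -LiteralPath $paramsKey)) { continue }

    $raw = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $raw) { continue }

    # ServiceDll is normally REG_EXPAND_SZ containing %SystemRoot%; expand it ourselves
    $dll       = [Environment]::ExpandEnvironmentVariables($raw)
    $reasons   = @()
    $sigStatus = $null
    $hash      = $null

    if (-not (Test-Path -LiteralPath $dll)) {
        $reasons += 'file missing'
    } else {
        # A hijacked service keeps its real name but points at a DLL somewhere else
        # (SysWOW64 in the aswMBR log above), so the directory is the first tell.
        # Some 32-bit third-party services legitimately live in SysWOW64: review, do not assume.
        $dir = Split-Path -Path $dll -Parent
        if ($dir -notlike "$ExpectedDir*") { $reasons += "DLL outside $ExpectedDir" }

        # Catalog-signed Microsoft DLLs can report NotSigned on older Windows builds,
        # so anything other than Valid means "compare with a clean box", not "malicious"
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
        if ($sigStatus -ne 'Valid') { $reasons += "signature $sigStatus" }

        # Hash for comparison against the same DLL on a known-clean machine; a lookalike
        # filename (the thread's mpreim.dll) will not match the hash of the real DLL
        $hash = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Service    = $svc.PSChildName
        ServiceDll = $dll
        Signature  = $sigStatus
        SHA256     = $hash
        Flagged    = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Flagged entries first; pipe $results to Export-Csv instead to keep a record for the case file
$results |
    Sort-Object -Property @{Expression = 'Flagged'; Descending = $true}, Service |
    Format-Table -AutoSize Service, ServiceDll, Signature, Reasons
```

Run it once on the suspect machine and once on a clean Windows 7 x64 install of the same patch level, then diff the SHA256 column for the services that were flagged. Both entries from the aswMBR log (Mcx2Svc and RemoteAccess) would be flagged by the directory check alone, because their DLLs sit under SysWOW64 rather than System32; deleting the files without correcting the ServiceDll value leaves a "file missing" flag, which is why the script reports that case separately.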
#7
Not familiar with that variant; perhaps if you still had a copy of the file you could post it somewhere to take a look at it?
If the symptoms are gone I would try to check back with the client in a week or two (I'm going with the assumption of a new variant just to be on the safe side). I believe Sirefef's alias is ZeroAccess, isn't it? I would just set up some way to remote in and check it in a week.