Hello, I hope I am not posting in the wrong place or broke any rules if I did I am sorry.
I am desperate for help. We have a network wide infection in a school district I work in. The infection was identified by Total Defense as Qakbot.KY.
Suddenly as of monday systems began to slow down. We then started to get alerts from the anti virus that JS/Qakbot.KS was being found. Upon looking at one of the computers it is hooking and injecting itself into the following services. The AV company is not finding the entire thing and it is evading even their latest definition builds.
svchost.exe, iexplore.exe, explorer.exe
It goes out to the internet to random remote servers. The variant of this changed 3 times yesterday according to Total Defense. All we can get them is the executables it is spawning.
It goes out through the network on port 445 querying other computers and infecting them.
it creates a folder located under C:\documents and settings\%username%\App Data\Microsoft\RANDOM 5 character folder
Inside this folder could be one or more executable files with at least one matching the name of the folder. It also will have two dll files named after that same executable with one bearing the name followed by 32.
It puts a process in Scheduled Tasks to Launch everyday at 9am (this is another executable file) located in C:\Windows\Temp
I have tried to run
Combofix - found nothing
Malwarebytes - Found nothing
TDSSKiller - found nothing
Rkill - found nothing
When I run GMER I do get two results of two or more malicious files residing in the C:\Windows directory marked as hidden some are just "library files" others include a process and service. When I try to go to the location with a Linux BootCD nothing is there to be found. I tried command lines for OTL, the command prompt and I cannot find the file either. I am sure their is a rootkit component as deleting these files in c:\documents and settings\%username%\app data\microsoft they are regenerated.
I have attached the executable and dll's along with GMER screenshot i hope that someone can shed some light on this
*WARNING I COULD NOT SET A PASSWORD FOR THE ZIPPED ARCHIVE, BUT THE ACTUAL FILES ARE BURIED 1 LEVEL BELOW THE ROOT FOLDER*
I am desperate for help. We have a network wide infection in a school district I work in. The infection was identified by Total Defense as Qakbot.KY.
Suddenly as of monday systems began to slow down. We then started to get alerts from the anti virus that JS/Qakbot.KS was being found. Upon looking at one of the computers it is hooking and injecting itself into the following services. The AV company is not finding the entire thing and it is evading even their latest definition builds.
svchost.exe, iexplore.exe, explorer.exe
It goes out to the internet to random remote servers. The variant of this changed 3 times yesterday according to Total Defense. All we can get them is the executables it is spawning.
It goes out through the network on port 445 querying other computers and infecting them.
it creates a folder located under C:\documents and settings\%username%\App Data\Microsoft\RANDOM 5 character folder
Inside this folder could be one or more executable files with at least one matching the name of the folder. It also will have two dll files named after that same executable with one bearing the name followed by 32.
It puts a process in Scheduled Tasks to Launch everyday at 9am (this is another executable file) located in C:\Windows\Temp
I have tried to run
Combofix - found nothing
Malwarebytes - Found nothing
TDSSKiller - found nothing
Rkill - found nothing
When I run GMER I do get two results of two or more malicious files residing in the C:\Windows directory marked as hidden some are just "library files" others include a process and service. When I try to go to the location with a Linux BootCD nothing is there to be found. I tried command lines for OTL, the command prompt and I cannot find the file either. I am sure their is a rootkit component as deleting these files in c:\documents and settings\%username%\app data\microsoft they are regenerated.
I have attached the executable and dll's along with GMER screenshot i hope that someone can shed some light on this
*WARNING I COULD NOT SET A PASSWORD FOR THE ZIPPED ARCHIVE, BUT THE ACTUAL FILES ARE BURIED 1 LEVEL BELOW THE ROOT FOLDER*
Attachments
pass: infected
(176.58 KiB) Downloaded 96 times
(176.58 KiB) Downloaded 96 times
GMER RESULT
GMER RESULT.jpg (213.23 KiB) Viewed 1008 times
GMER RESULT.jpg (213.23 KiB) Viewed 1008 times
Last edited by EP_X0FF on Mon Mar 11, 2013 3:04 pm, edited 3 times in total.
Reason: password added