
Malware detected but I couldn't find the source

Hi,

I have a PC where Sophos Endpoint periodically detects malware. The malware has been cleaned up. Here is the log:

Feb 11, 2019 2:16 PM Malware cleaned up: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'
Feb 11, 2019 2:15 PM Malware detected: 'Mal/Generic-R' at 'C:\Windows\System32\cbdglkue.bo'

I ran Sophos Clean, but it did not find any risk.

What is the source of this malware?

  • Hi Christian,

    The tools give me this log:

    2019/02/12 14:09:54,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 14:56:46,"C:\Windows\System32\config\netlogon.ftl","Process","C:\Windows\System32\lsass.exe"
    2019/02/12 15:06:15,"C:\Windows\System32\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50","Process","C:\Windows\System32\services.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"
    2019/02/12 15:48:38,"C:\Windows\System32\Tasks\At8","Process","C:\Windows\System32\svchost.exe"

    Unfortunately it is not helpful for me. Any idea?

    The file flagged as bad is:

    Path:
    c:\windows\system32\cbdglkue.bo
    Name:
    cbdglkue.bo
  • Hello Fonderia Corra,

    which options did you use for SOI?

    Christian

  • Hi,

    I used -p -a "folder"

  • Hi, I found at8.job in C:\Windows\Tasks\At8 and not in C:\Windows\System32\Tasks\At8.

    I'll try to delete it.

    I'm waiting for the Sophos Endpoint response.

  • Hello Fonderia Corra,

    I'd use neither -p nor -n, maybe restrict it with -ext bo, and use -loglevel 1. It has to run until you get the detection.
    BTW: Mal/Generic-R is not necessarily malicious

    Christian

  • Hi Christian,

    your suggestions were useful.
    This is the log:

    2019/02/19 10:50:53 1 User2Kernel, user: \\?\C:\Windows\System32\cbdglkue.bo kernel: \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo

    2019/02/19 10:50:53 1 File \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo written by PC-SIMONATO\Administrator from 192.168.4.178

    2019/02/19 10:50:53 1 FileClose N 4 \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo C:\Windows\System32\cbdglkue.bo 192.168.4.178

    So, is the problem the PC with IP 192.168.4.178?

  • Hello Fonderia Corra,

    "is the problem the PC with IP 192.168.4.178?"
    Not only, I'd say. Yes, the file is written from this PC. But furthermore the connection is made as PC-SIMONATO\Administrator, PC-SIMONATO's local administrator it seems. How is 192.168.4.178 able to do this?
    You should try to obtain a sample of cbdglkue.bo and submit it. Can't say what you'll find on 192.168.4.178 and how to deal with it. Perhaps it's better to ask for some advice.
     
    Christian
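One way to triage SOI output of the kind quoted in this thread, added here as an example; it is neither a Sophos tool nor code from any of the posters. The record layout in `WRITE_RE` is inferred from the three log lines posted above and is an assumption; the list of sensitive directories and the "account named Administrator" heuristic are choices made for this example. Beyond the single flagged file, it answers the two questions Christian raises: which other files the same host wrote over the network, and under which account the session was authenticated.

```python
"""Triage Sophos Source-of-Infection (SOI) 'File ... written by ... from ...' records.

Added example for this thread; not a Sophos tool and not the poster's code. The
record layout is inferred from the log lines quoted in the thread (assumption);
adjust WRITE_RE if your SOI output differs.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# One SOI record of the form:
#   2019/02/19 10:50:53 1 File <kernel path> written by <MACHINE\user> from <host or IP>
WRITE_RE = re.compile(
    r"^(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+ "
    r"File (?P<path>\S+) written by (?P<account>\S+) from (?P<source>\S+)$"
)

# Directories where a file dropped over the network deserves a closer look.
# Chosen for this example (assumption); matched case-insensitively against the
# NT kernel path (\Device\HarddiskVolumeN\...) that SOI logs.
SENSITIVE_DIRS = ("\\windows\\system32\\", "\\windows\\tasks\\")


class RemoteWrite(NamedTuple):
    when: str
    path: str      # kernel object path as logged by SOI
    account: str   # account the writing session was authenticated as
    source: str    # IP or host name the session came from


def parse_write_records(lines) -> List[RemoteWrite]:
    """Keep only the 'File ... written by' records; other SOI record types
    seen in the thread (User2Kernel, FileClose) are ignored."""
    records = []
    for line in lines:
        m = WRITE_RE.match(line.strip())
        if m:
            records.append(RemoteWrite(m["when"], m["path"], m["account"], m["source"]))
    return records


def is_sensitive_path(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SENSITIVE_DIRS)


def looks_like_builtin_admin(account: str) -> bool:
    """Heuristic: the part after the machine/domain prefix is 'Administrator'.
    A renamed built-in administrator account will be missed."""
    return account.rsplit("\\", 1)[-1].lower() == "administrator"


def triage(lines) -> List[dict]:
    """Return one finding per remote write into a sensitive directory."""
    findings = []
    for r in parse_write_records(lines):
        if not is_sensitive_path(r.path):
            continue
        reasons = ["remote write into a system directory"]
        if looks_like_builtin_admin(r.account):
            reasons.append("session authenticated as a built-in Administrator account")
        findings.append({"when": r.when, "path": r.path, "account": r.account,
                         "source": r.source, "reasons": reasons})
    return findings


def summarize_by_source(records) -> Dict[Tuple[str, str], List[str]]:
    """Group written paths by (account, source) so one noisy host stands out."""
    by_source = defaultdict(list)
    for r in records:
        by_source[(r.account, r.source)].append(r.path)
    return {k: sorted(v) for k, v in by_source.items()}


# Constructed sample: the first three lines are the records quoted in the thread;
# the last two are made up to show a benign write and a second drop from the same host.
SAMPLE_LOG = r"""
2019/02/19 10:50:53 1 User2Kernel, user: \\?\C:\Windows\System32\cbdglkue.bo kernel: \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo
2019/02/19 10:50:53 1 File \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo written by PC-SIMONATO\Administrator from 192.168.4.178
2019/02/19 10:50:53 1 FileClose N 4 \Device\HarddiskVolume2\Windows\System32\cbdglkue.bo C:\Windows\System32\cbdglkue.bo 192.168.4.178
2019/02/19 11:02:10 1 File \Device\HarddiskVolume2\Users\mario\Documents\report.docx written by CORP\mario from 192.168.4.21
2019/02/19 11:15:42 1 File \Device\HarddiskVolume2\Windows\Tasks\At8.job written by PC-SIMONATO\Administrator from 192.168.4.178
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in triage(lines):
        print(f"{f['when']} {f['source']} as {f['account']} wrote {f['path']}: "
              + "; ".join(f["reasons"]))
    for (account, source), paths in summarize_by_source(parse_write_records(lines)).items():
        print(f"{account} from {source}: {len(paths)} file(s)")
```

Run it against a full SOI log (with `-loglevel 1`, as Christian suggests) rather than the three lines that matched the detection: the `(account, source)` summary is what shows whether 192.168.4.178 only dropped the one file or is touching other machines' system directories as well, and a built-in Administrator account writing to `System32` over the network from another host is the detail to chase regardless of what the `.bo` file turns out to be.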