QSnatch Malware - What to do?

ncnmra
Know my way around
Posts: 110
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra » Sat Nov 09, 2019 12:23 am

xavierh wrote:
Sat Nov 09, 2019 12:19 am
Very unlikely that it would be hosted on another (non-QNAP) device. If that were the case... that is a very scary scenario.
Agreed. That would be a nightmare. I have about 30 devices on my home network, ranging from Google Chromecasts, a GE stove, WiFi lights, camera systems, phones, tablets, laptops, PCs.

I'm confident (hopeful) that this is limited only to the NAS. However, QNAP has been struggling with Malware issues for a few months (years), and it seems that they have been completely sideswiped by this. Their tools don't seem to fix the issue, and they aren't providing any real solutions or guidance. Their lack of information makes it impossible for the user community to contribute to a solution.

xavierh
Experience counts
Posts: 1072
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh » Sat Nov 09, 2019 12:31 am

ncnmra wrote:
Sat Nov 09, 2019 12:23 am
xavierh wrote:
Sat Nov 09, 2019 12:19 am
Very unlikely that it would be hosted on another (non-QNAP) device. If that were the case... that is a very scary scenario.
Agreed. That would be a nightmare. I have about 30 devices on my home network, ranging from Google Chromecasts, a GE stove, WiFi lights, camera systems, phones, tablets, laptops, PCs.

I'm confident (hopeful) that this is limited only to the NAS. However, QNAP has been struggling with Malware issues for a few months (years), and it seems that they have been completely sideswiped by this. Their tools don't seem to fix the issue, and they aren't providing any real solutions or guidance. Their lack of information makes it impossible for the user community to contribute to a solution.
I agree that QNAP should be more forthcoming with information, but I think, as you do, that they do not know how the infection is getting persistence and we are only seeing the effects (cronjobs).

Chances are, and this is pure speculation, that they do not have access to an infected device, so they are relying on user reports to figure out the infection.

QNAP TVS-951x QTS 4.4.1.1117 build 20191109 OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM WD Easystore 10TB External USB 3.0 Services: SMB, Appletalk, QPKG: Container Station, Virtualization Station, Plex Media Server, Hybrid Backup Sync
QNAP TS-453A QTS 4.4.1.1117 build 20191109 Services: SMB, Appletalk,QVPN
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3

convergent
Know my way around
Posts: 119
Joined: Fri Mar 05, 2010 5:13 am

Re: QSnatch Malware - What to do?

Post by convergent » Sat Nov 09, 2019 12:37 am

Starting to look at processes. The Resource Monitor in QTS on my TS-659 appears to be just showing top, and the one on my TS-231 is way more robust and lists pages of processes... so can't really use that. I'm looking at what I get from the ps command. Here is what my re-infecting box is showing. The first thing I noted below is the manarequest.cgi which is not running on the TS-231. Anyone know if that is legit?

Code:

PID  Uid     VmSize Stat Command
    1 admin       500 S   init
    2 admin           SW  [kthreadd]
    3 admin           SW  [ksoftirqd/0]
    6 admin           SW  [migration/0]
    7 admin           SW  [migration/1]
    9 admin           SW  [ksoftirqd/1]
   11 admin           SW  [migration/2]
   13 admin           SW  [ksoftirqd/2]
   14 admin           SW  [migration/3]
   16 admin           SW  [ksoftirqd/3]
   17 admin           SW< [khelper]
  248 admin           SW  [sync_supers]
  250 admin           SW  [bdi-default]
  251 admin           SW< [kintegrityd]
  252 admin           SW< [kblockd]
  357 admin           SW< [tifm]
  363 admin           SW< [ata_sff]
  371 admin           SW< [md]
  384 admin           SW< [cfg80211]
  489 admin           SW< [rpciod]
  515 admin           SW  [kswapd0]
  516 admin           SWN [ksmd]
  517 admin           SW  [fsnotify_mark]
  518 admin           SW< [nfsiod]
  519 admin           SW< [cifsiod]
  522 admin           SW< [crypto]
  545 admin           SW< [kthrotld]
  697 admin           SW< [kmpath_rdacd]
  721 admin           SW  [scsi_eh_0]
  724 admin           SW  [scsi_eh_1]
  727 admin           SW  [scsi_eh_2]
  730 admin           SW  [scsi_eh_3]
  733 admin           SW  [scsi_eh_4]
  736 admin           SW  [scsi_eh_5]
  751 admin           SW  [scsi_eh_6]
  754 admin           SW  [scsi_eh_7]
  776 admin           SW< [dm-block-clone]
  778 admin           SW< [kmpathd]
  779 admin           SW< [kmpath_handlerd]
  794 admin           SW< [deferwq]
  869 admin           SW  [flush-1:0]
  921 admin           SW  [khubd]
  923 admin           SW  [kethubd]
 1257 admin           SW  [scsi_eh_8]
 1258 admin           SW  [usb-storage]
 1556 admin           SW  [md9_raid1]
 1586 admin           SW  [kworker/u:1]
 1598 admin           SW  [md13_raid1]
 1723 admin           SW  [kjournald]
 2133 admin       504 S   /sbin/daemon_mgr.nvr
 2152 admin           SW< [cryptodev_queue]
 2204 admin           SW  [fnotify]
 2211 admin       324 S < qWatchdogd: keeping alive every 5 seconds...
 2434 admin       396 S   /sbin/netwatchdog -d
 2512 admin           SW  [kworker/3:1]
 2720 admin           SW  [kjournald]
 2880 admin       212 S   /sbin/modagent
 2896 admin           SW  [md6_raid1]
 3367 admin         4 S   /sbin/kerrd
 3440 admin           SW  [md0_raid5]
 3470 admin           SW  [jbd2/md0-8]
 3471 admin           SW< [ext4-dio-unwrit]
 3516 admin           SW  [jbd2/md1-8]
 3517 admin           SW< [ext4-dio-unwrit]
 4400 admin      4212 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
 4583 admin      1236 S   /sbin/hotswap
 4589 admin      1020 S   /sbin/qsmartd -d
 4776 admin           SW< [bond0]
 5761 admin       944 S   /bin/sh /usr/local/mariadb/bin/mysqld_safe --defaults-file=/usr/local/mariadb/my-mariadb.cnf --basedir=
 6136 admin      2452 S   /usr/local/mariadb/bin/mysqld --defaults-file=/usr/local/mariadb/my-mariadb.cnf --basedir=/usr/local/ma
 6291 admin      2360 S   python -m clouddrive.mount start --mountpoint /mnt/rf/cd
 6552 admin     15588 S   python /share/MD0_DATA/.qpkg/CloudDriveSync/bin/daemonmgr.pyc CGId start
 6559 admin      1320 S   /sbin/qpkgd -d0
 7048 admin           SW  [kworker/2:0]
 7060 admin       828 S   /usr/sbin/cupsd -C /etc/config/cups/cupsd.conf -s /etc/config/cups/cups-files.conf
 7445 admin      1584 S   /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/.
 7506 admin       344 S   /usr/sbin/SCREEN -dmS MYTRANSCODE /usr/local/medialibrary/bin/mytranscodesvr -u -debug -db /share/MD0_D
 7509 admin       604 S   /usr/local/medialibrary/bin/mytranscodesvr -u -debug -db /share/MD0_DATA
 7652 admin      3536 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
 7745 admin       820 S   php-fpm: master process (/etc/php-fpm-sys-proxy.conf)
 7746 admin       620 S   php-fpm: pool www
 7747 admin       680 S   php-fpm: pool www
 7762 admin      1576 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
 8010 admin      1396 S   /usr/local/sbin/remote_folder_daemon --reset
 8068 httpdusr    596 S   /sbin/lpb_scheduler -d
 8123 admin      1072 S   /sbin/genthd
 8266 admin      1112 S   /usr/sbin/upsutil
 8284 admin       488 S   /usr/sbin/ntpdated
 8346 admin      1568 S   /usr/local/apache/bin/apache_proxys -k start -f /etc/apache-sys-proxy-ssl.conf
 8675 admin       520 S   /usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22
 8684 guest       388 S   /usr/sbin/dbus-daemon --system
 8822 admin       332 S   /usr/sbin/bluetoothd
 8831 admin       264 S   /usr/sbin/agent --adapter hci0
 8850 guest       932 S   avahi-daemon: running [NAS-CM1.local]
 9553 admin           SW  [kworker/u:2]
 9609 admin      2420 S   sshd: admin@pts/1
 9689 admin      1604 S   -sh
10963 admin      1144 S   php-fpm: master process (/etc/config/apache/php-fpm.conf)
10964 httpdusr    432 S   php-fpm: pool www
10965 httpdusr    432 S   php-fpm: pool www
11022 admin       440 S   /usr/bin/lunportman
11026 admin       816 S   /usr/local/sbin/Qthttpd -p 80 -nor -nos -u admin -d /home/Qhttpd -c **.*
11068 admin      1292 S   /sbin/bcclient
11242 admin      1176 S   /sbin/gpiod
11245 admin      1232 S   /sbin/picd
11251 admin      1492 S   /sbin/hwmond
11261 admin       440 S N /sbin/acpid
11550 admin       524 S   /sbin/gen_bandwidth -r -i 5
11555 admin      1472 S   /sbin/hd_util
11658 admin           SW< [iscsi_eh]
11666 admin           SW  [qnap_et]
11677 admin       352 S   /sbin/iscsid --config=/etc/config/iscsi/sbin/iscsid.conf --initiatorname=/etc/iscsi/initiatorname.iscsi
11679 admin      2148 S < /sbin/iscsid --config=/etc/config/iscsi/sbin/iscsid.conf --initiatorname=/etc/iscsi/initiatorname.iscsi
11690 admin       968 S   /sbin/vdd_control -d
11692 admin       588 S   /sbin/lcdmond
11721 admin           SW  [kworker/3:2]
11830 admin       720 S   /sbin/qShield
11848 admin       504 S   /sbin/qsyslogd
11856 admin      1420 S   qLogEngined: Write log is enabled...
11858 admin       936 S   /bin/sh /etc/init.d/klogd.sh start
11862 admin       968 S   qNoticeEngined: Write notice is enabled...
12084 admin       184 S   /bin/dd if=/proc/kmsg of=/mnt/HDA_ROOT/.logs/kmsg bs=1 count=1024000
12177 admin           SW  [kworker/2:1]
12263 admin      2256 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
12283 admin      1544 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
12396 admin      1520 S   /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
12501 admin       568 S   /usr/local/bin/qb_daemon -d 7
12698 admin       740 S   /usr/local/sbin/cnid_metad -F /etc/afp.conf
12701 admin           SW  [kworker/3:3]
13279 admin      1204 S   /usr/local/sbin/afpd -F /etc/afp.conf -p /var/afpd3.pid
13685 admin       584 S   /sbin/daemon_mgr
13873 admin           SW  [kworker/1:0]
14346 admin      1060 S   /bin/sh /sbin/qdesk_soldier
15874 admin      1120 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
15876 admin       912 S < /usr/local/apache/bin/fcgi-pm      -k start -f /etc/apache-sys-proxy.conf
15891 admin       944 S   /usr/local/apache/bin/apache_proxys -k start -f /etc/apache-sys-proxy-ssl.conf
15892 admin       844 S   /usr/local/apache/bin/fcgi-pm       -k start -f /etc/apache-sys-proxy-ssl.conf
15912 admin       812 S   /usr/local/apache/bin/apache_proxys -k start -f /etc/apache-sys-proxy-ssl.conf
15913 admin       812 S   /usr/local/apache/bin/apache_proxys -k start -f /etc/apache-sys-proxy-ssl.conf
15914 admin       812 S   /usr/local/apache/bin/apache_proxys -k start -f /etc/apache-sys-proxy-ssl.conf
16604 admin      1340 S   /sbin/upnpcd -i 300
16661 admin           SW  [kworker/0:0]
17021 admin       420 S   /sbin/getty 115200 tty1
17022 admin       420 S   /sbin/getty 115200 tty2
17071 admin      7620 S   python /share/MD0_DATA/.qpkg/CloudBackupSync/backup/bin/daemonmgr.pyc CGId start
17274 admin      1804 S   python /usr/local/network/nmd/nmd.pyc
17717 admin     17648 S   python /share/MD0_DATA/.qpkg/CloudBackupSync/sync/bin/daemonmgr.pyc CGId start
18050 admin      3984 S   python /share/MD0_DATA/.qpkg/CloudBackupSync/bin/daemonmgr.pyc Routerd start
18281 admin       708 S   /usr/bin/RTRR_MANAGER
18311 admin       408 S N /usr/bin/rsyncd --daemon --sever-mode=1 --qnap-bwlimit
18608 admin           SW  [kworker/1:1]
19841 admin           SW  [kworker/3:0]
20147 admin           SW  [flush-9:9]
20351 admin           SW  [kworker/3:5]
21250 admin           SW  [kworker/0:2]
21979 admin           SW  [kworker/2:3]
22551 admin           SW  [kworker/2:4]
23593 admin           SW  [kworker/3:4]
24615 admin           SW  [kworker/0:1]
25663 admin       276 S   /bin/sleep 1
25665 admin           Z   [chartReq.cgi]
25668 admin      2060 S   manaRequest.cgi
25669 admin           Z   [manaRequest.cgi]
25670 admin           Z   [_thttpd_]
25671 admin           Z   [manaRequest.cgi]
25672 admin       772 S   /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/.
25673 admin           Z   [_thttpd_]
25674 admin           Z   [_thttpd_]
25675 admin           Z   [_thttpd_]
25676 admin           Z   [_thttpd_]
25677 admin      1952 R   chartReq.cgi
25678 admin      2056 S   manaRequest.cgi
25679 admin           Z   [_thttpd_]
25680 admin       772 S   /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/.
25681 admin           Z   [_thttpd_]
25682 admin       772 S   /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/.
25687 admin       820 S   /usr/bin/top -Q 0
25690 admin       760 R   ps
29069 admin           SW  [kworker/2:2]

xavierh
Experience counts
Posts: 1072
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh » Sat Nov 09, 2019 12:49 am

convergent wrote:
Sat Nov 09, 2019 12:37 am
Starting to look at processes. The Resource Monitor in QTS on my TS-659 appears to be just showing top, and the one on my TS-231 is way more robust and lists pages of processes... so can't really use that. I'm looking at what I get from the ps command. Here is what my re-infecting box is showing. The first thing I noted below is the manarequest.cgi which is not running on the TS-231. Anyone know if that is legit?

My suggestion would be to disable services on the NAS that keeps getting infected. First set the apps to disabled, and on the NAS itself stop things like FTP, web, etc.

Clean the NAS using Malware Remover (reboot if you want).

Then run ps and netstat (use the links below for some useful commands):

https://www.tecmint.com/20-netstat-comm ... anagement/

https://ma.ttias.be/how-to-identify-the ... linux-box/

NOTE: QNAP does not have lsof, so you will need to use ps for this.

And then start checking services, by process of elimination: enable one, look, enable another, look, etc.

ncnmra
Know my way around
Posts: 110
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra » Sat Nov 09, 2019 12:51 am

Watching netstat to see what process is trying to "call out" would be great.

xavierh
Experience counts
Posts: 1072
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh » Sat Nov 09, 2019 12:54 am

I would put the NAS in an isolated VLAN and start looking at established connections with netstat to see if we can get the C2 URL.

ncnmra
Know my way around
Posts: 110
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra » Sat Nov 09, 2019 12:59 am

While I don't have a report of the latest one, the ISP CS agent told me that the malware was targeting the same URI (/qnap_firmware.xml).

Here is what I got a few months ago, I suspect it is similar this time:

Code:

INFECTION: caphaw
URL: /qnap_firmware.xml?t=1570716515
CC_IP: 208.100.26.251
CC_PORT: 443
CC_DNS: jpu0zn.ga
NAICS: 517311
SIC: 737415
SECTOR: Communications
PUBLIC_SOURCE: SecurityScorecard

xavierh
Experience counts
Posts: 1072
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh » Sat Nov 09, 2019 1:14 am

It will be something similar for sure... and yes, I would expect SSL traffic (443).

I am assuming that the IP shown is the IP of your ISP (since it is in Chicago). Definitely the DNS is in the Republic of Georgia, so not much to do there.

dolbyman
Guru
Posts: 15245
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Sat Nov 09, 2019 1:17 am

So now that you know the domain and file target, you could test your ISP warning system by combining one and one (literally) and doing an http(s) request towards that URL.

(That is more of a joke.. don't do it as your ISP could block you)

Jaginix
Starting out
Posts: 42
Joined: Fri Dec 29, 2017 1:08 am

Re: QSnatch Malware - What to do?

Post by Jaginix » Sat Nov 09, 2019 1:25 am

P3R wrote:
Thu Nov 07, 2019 4:04 am
In case you think Synology are immune to malware it may interest you to know that Synology had a brand-specific malware outbreak even before Qnap was hit the first time.

That's true. But Synology advised its customers to shut down the NAS for security reasons until there is a solution. Qnap is wrapped in silence again. Qnap is finally history for me ...

jo4114
Starting out
Posts: 14
Joined: Thu Sep 22, 2011 9:29 am

Re: QSnatch Malware - What to do?

Post by jo4114 » Sat Nov 09, 2019 1:36 am

xavierh wrote:
Sat Nov 09, 2019 12:54 am
I would put the NAS in an isolated VLAN and start looking at established connections with netstat to see if we can get the C2 URL.
If anyone is really interested I can post a comprehensive list of the C2 servers but it's over 100. Here is a partial list from my DNS proxy: viewtopic.php?f=50&t=151402&start=15#p732426

xavierh
Experience counts
Posts: 1072
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh » Sat Nov 09, 2019 1:52 am

Jaginix wrote:
Sat Nov 09, 2019 1:25 am
P3R wrote:
Thu Nov 07, 2019 4:04 am
In case you think Synology are immune to malware it may interest you to know that Synology had a brand-specific malware outbreak even before Qnap was hit the first time.

That's true. But Synology advised its customers to shut down the NAS for security reasons until there is a solution. Qnap is wrapped in silence again. Qnap is finally history for me ...
Love these "I had it with QNAP" posts :DD

ncnmra
Know my way around
Posts: 110
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra » Sat Nov 09, 2019 2:23 am

Will netstat show the process that is trying to establish the connection?

I'm happy to experiment with my "infected" nas before I blow it away.
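On a QNAP with no lsof, and a netstat that may not show owning processes, the question above can be answered from /proc directly: each ESTABLISHED row in /proc/net/tcp carries a socket inode, and the PID whose /proc/<pid>/fd holds that inode is the process making the connection. The script below is an added example, not code posted by anyone in this thread; it assumes a Linux /proc layout and BusyBox-style cut/readlink/tr/tail, and the sample row is constructed (reusing the CC_IP from the report earlier in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: find which process owns each established TCP
# connection on a box without lsof, using only /proc. IPv4 only (/proc/net/tcp);
# repeat with /proc/net/tcp6 if the NAS talks IPv6.

# Decode one "HEXADDR:HEXPORT" token from /proc/net/tcp into dotted-quad:port.
# The address is stored little-endian, so the octets come out in reverse order.
hex_to_ipport() {
    ip=${1%%:*}
    port=${1##*:}
    o1=$(printf '%d' "0x$(echo "$ip" | cut -c7-8)")
    o2=$(printf '%d' "0x$(echo "$ip" | cut -c5-6)")
    o3=$(printf '%d' "0x$(echo "$ip" | cut -c3-4)")
    o4=$(printf '%d' "0x$(echo "$ip" | cut -c1-2)")
    printf '%s.%s.%s.%s:%d\n' "$o1" "$o2" "$o3" "$o4" "0x$port"
}

# Decode one /proc/net/tcp row. Prints "LOCAL REMOTE INODE" for ESTABLISHED rows
# (state 01) and returns 1 for everything else (LISTEN, TIME_WAIT, ...).
# Field layout: sl local_address rem_address st tx:rx tr:tm retrnsmt uid timeout inode
parse_tcp_row() {
    set -- $1
    [ "$4" = "01" ] || return 1
    printf '%s %s %s\n' "$(hex_to_ipport "$2")" "$(hex_to_ipport "$3")" "${10}"
}

# Map a socket inode to the PID(s) holding it by reading /proc/<pid>/fd symlinks.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Walk the live table and print every ESTABLISHED connection with owner PID and command line.
# Run it on the isolated NAS and look for remote :443 (or anything) that no legitimate app explains.
report_established() {
    tail -n +2 /proc/net/tcp | while IFS= read -r row; do
        parsed=$(parse_tcp_row "$row") || continue
        inode=${parsed##* }
        for pid in $(inode_to_pid "$inode"); do
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s pid=%s cmd=%s\n' "$parsed" "$pid" "$cmd"
        done
    done
}

# Constructed sample row (not captured from a real NAS): 192.168.0.100:53924 -> 208.100.26.251:443
# (the CC_IP from the ISP report in this thread), ESTABLISHED, socket inode 12345.
SAMPLE_ROW='   1: 6400A8C0:D2A4 FB1A64D0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1'

# "sh thisfile.sh run" walks the live /proc table; with no argument it decodes the sample row.
case "${1:-}" in run) report_established ;; *) parse_tcp_row "$SAMPLE_ROW" ;; esac
```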

convergent
Know my way around
Posts: 119
Joined: Fri Mar 05, 2010 5:13 am

Re: QSnatch Malware - What to do?

Post by convergent » Sat Nov 09, 2019 2:30 am

xavierh wrote:
Sat Nov 09, 2019 12:49 am
convergent wrote:
Sat Nov 09, 2019 12:37 am
Starting to look at processes. The Resource Monitor in QTS on my TS-659 appears to be just showing top, and the one on my TS-231 is way more robust and lists pages of processes... so can't really use that. I'm looking at what I get from the ps command. Here is what my re-infecting box is showing. The first thing I noted below is the manarequest.cgi which is not running on the TS-231. Anyone know if that is legit?

My suggestion would be to disable services on the NAS that keeps getting infected. First set the apps to disabled, and on the NAS itself stop things like FTP, web, etc.

Clean the NAS using Malware Remover (reboot if you want).

Then run ps and netstat (use the links below for some useful commands):

https://www.tecmint.com/20-netstat-comm ... anagement/

https://ma.ttias.be/how-to-identify-the ... linux-box/

NOTE: QNAP does not have lsof, so you will need to use ps for this.

And then start checking services, by process of elimination: enable one, look, enable another, look, etc.
I've already disabled just about every service on it. The only thing still running is Hybrid Backup, which I didn't want to disable because it's syncing to the other QNAP and to Amazon Drive. It took a very long time for those to get synced up, so I've left that running and just disabled the sync jobs. But at this point, if I'm considering a factory reset, there is nothing to lose by killing those and removing the Hybrid Backup app.

A lot of posts about network traffic, isolation, etc. This one is not accessible from the outside at this point. It has an invalid default gateway. I'm just trying to figure out how, after it's clean, it gets re-infected a couple of times a day. It's happening from within the machine, so "clean" isn't really clean, but more like "pushed into hiding in a place that MR can't see it". As soon as it comes into the light again, MR squelches it... but it's not squelching the source of it.

ncnmra
Know my way around
Posts: 110
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra » Sat Nov 09, 2019 2:41 am

convergent wrote:
Sat Nov 09, 2019 2:30 am
A lot of posts about network traffic, isolation, etc. This one is not accessible from the outside at this point. It has an invalid default gateway. I'm just trying to figure out how, after it's clean, it gets re-infected a couple of times a day. It's happening from within the machine, so "clean" isn't really clean, but more like "pushed into hiding in a place that MR can't see it". As soon as it comes into the light again, MR squelches it... but it's not squelching the source of it.
I'm right there with you, exactly the same scenario. Something has to be running to "reinfect" it. My suspicion at this point is that it is a system process. If you do a full factory restore, are you going to restore the DOM also?
