I do have Adobe Flash Player installed in Slackware so I attempted
to scan the /home folder with Kaspersky Rescue CD.
That did not go over too well. I tried to only scan the /home folder
but it would still try to scan the whole partition where Slackware
is installed, folders such as /proc and /sys, along with
the drive where Windows is installed.
And after a couple of hours it gets stuck in a loop
with messages similar to the following repeating in the log:
So instead of just unchecking the drive in Kaspersky Rescue CD
I also added exclusions for folders such as /proc /sys /mnt
and attempted to scan just /home again and it would still
attempt to scan the whole partition and eventually got stuck
with the same messages in the log file.
At this point I have to stop the scan or it will just sit
there repeating the same messages in the log.
I'm not sure why I could not get it to scan just the /home folder.
It did however come across the following adware on a data partition on machine A
which contains an old backup copy of the /home folder from machine B.
I also ran aswMBR.exe and submitted the MBR.dat file to virustotal:
MBR.dat scan results
And speaking of log files, I had not looked at Windows' event logs.
I only scanned the drive for files created/modified on the date of the incident.
So I went in and looked at the Windows' event logs and on machine A
there are only entries in there between the hours of 2-3am (no entries
around the time of the incident). Machine B had no entries for the
date in question.
I even browsed through the logs in Slackware and the last entry in messages
with that date has a timestamp of 12:23pm. The last entry in syslog with that
date has a timestamp of 10:45am. The incident took place at 1:21pm.
In Slackware I have two files created around the time of the incident.
One created at 12:42pm and another created at 1:24pm.
So at least three minutes after the incident I was in Slackware.
I just don't get it.
They claim one of my machines is infected with bancos and connected
to a bot net @ 1:21pm on Easter Sunday (04/08/12).
I was force routed to the notice page (while in Firefox on Slackware) around
4pm (04/09/12) the next day.
None of the tools I've tried has been able to pick up a bancos infection.
There are no files created/modified around the time of the incident in Windows.
There are no entries in Windows' log files around the time of the incident.
It would seem as if my machine was not even in Windows around the time of the incident.
And I know I was in Slackware a few minutes after the incident.
2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --
I would probably feel a little more comfortable had one of the tools actually detected bancos.
Anyway, thank you so much for your assistance in this matter.
If you have any other ideas on what else I could try please let me know.
Cheers and Thanks
P.S. will look into running rkhunter or chkrootkit on Slackware.
rkhunter log http://sprunge.us/SMAJ
chkrootkit log http://sprunge.us/KDMj
Edited by alphaomega, 15 April 2012 - 03:02 PM.