bluecirlce
asked on
Computers with virus spreading through network
Hi Guys,
We believe there is a virus spreading through our network but we are not able to locate the exact location of the virus and where it's coming from.
On all the servers affected, we can find the following files/services when running virus scans (Malwarebytes, Norton Antivirus, Trend Micro etc...):
- 1sass.exe
- sysdrv32.exe
- x[1], x[2], x[3] etc...
- 1.scr, 2.scr, 3.scr etc...
The symptoms are:
- slow computer speed.
- tends to crash
- services are stopping or not running when system boots up.
Even after a full computer format, the files come back pretty much straight away.
We've tried doing a Windows recovery setup which seems to make the computers/servers run fine but the files are still there.
So we're not 100% sure if these files are the actual cause of it.
These files are on computers that are running perfectly fine as well.
We had an attack last Tuesday on 3 of our servers and after the Recovery suggested by you guys, they seem to be stable now. But this Tuesday, another few servers were attacked with exactly the same symptoms.
I have run HijackThis on one of the computers affected:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:29 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smapp01/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1232sass.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
--
End of file - 9013 bytes
Is there anything we can do to stop the virus from spreading?
Please give us some tips on how to diagnose and resolve the problem once and for all.
Thanks.
ASKER
Also in the HijackThis log, I renamed the 1sass.exe to:
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1232sass.exe
xwntserv.exe seems to be non-native. I also see multiple antivirus programs. They tend to interfere with each other.
Use msconfig and use selective startup to remove all non-MS related items from startup. Reboot and run the scan again and post.
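A way to apply the triage above to a HijackThis log mechanically, as an added example that is not part of this thread and not a HijackThis or Trend Micro feature: it flags O4 Run entries that carry or launch a core system-process name (including digit-for-letter lookalikes such as 1sass for lsass, since the OS starts those processes itself and never from a Run key) and O23 services that show "Unknown owner" while running from the Windows directory. The sample lines are constructed from entries quoted in the logs above; the process list and substitution table are this example's own assumptions, and every flag is a prompt for manual review, not a verdict.

```python
import re
from typing import Dict, List

# Core Windows XP processes that the OS starts itself. A Run-key value carrying
# one of these names, or launching a binary with one of these names once
# digit-for-letter swaps are undone, deserves a close look. Constructed list
# for this example; extend it with your own baseline.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}

# Digit-for-letter substitutions used to build lookalike names (1sass -> lsass).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def extract_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)", cmd)  # unquoted: stop at the first .exe token
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the HijackThis lines that deserve manual review, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name = m.group("name").lower()
            value_name = name if name.endswith(".exe") else name + ".exe"
            path = extract_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            if value_name in CORE_PROCESSES or base.translate(HOMOGLYPHS) in CORE_PROCESSES:
                findings.append({
                    "line": line,
                    "reason": f"Run value [{m.group('name')}] launches {path}; core system "
                              f"processes are started by the OS, not from a Run key",
                })
            continue
        m = O23_RE.match(line)
        if (m and m.group("owner").strip().lower() == "unknown owner"
                and "\\windows\\" in m.group("path").lower()):
            findings.append({
                "line": line,
                "reason": f"service '{m.group('svc')}' has no vendor string and runs "
                          f"from the Windows directory: {m.group('path')}",
            })
    return findings


# Constructed sample, modelled on entries from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1sass.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["reason"])
        print("   ", finding["line"])
```

Run against the sample it reports the [lsass] entry pointing at C:\WINDOWS\system\1sass.exe and the XWP_Services entry for xwntserv.exe, and stays quiet on the vendor-owned or Program Files entries; feed it a saved HijackThis log with `triage(open(path).read())`.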
ASKER
Done what you said, this is what HijackThis came back with this time:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:17 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe
C:\Program Files\UltraVNC\vncviewer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smapp01/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
--
End of file - 6456 bytes
Your HijackThis log file appears ok, although this is not proof of course that you have a clean system.
One option now is to try running Combofix which in this case should be more successful.
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.
Before using ComboFix it may be necessary to rename it before saving it to your desktop. If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent). Rename it and connect to the problematic machine.
Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins. Just let it run.
Try initially to run Combofix in normal mode, although it works well in normal mode or safe mode.
ASKER
Hi,
Thanks for the quick response.
Here is the log for ComboFix on one of the infected computers:
ComboFix 09-05-11.08 - ndong 13/05/2009 2:20.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.503.280 [GMT 10:00]
Running from: c:\documents and settings\ndong.BLUECIRCLE\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\1sass.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\oledb32.dll
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSDRV32
-------\Service_sysdrv32
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.
2009-05-12 16:13 . 2009-05-12 16:13 76930 ----a-w c:\windows\system32\81.scr
2009-05-12 15:55 . 2009-05-12 15:55 76930 ----a-w c:\windows\system32\38.scr
2009-05-12 00:16 . 2009-05-12 00:16 76930 ----a-w c:\windows\system32\88.scr
2009-05-12 00:11 . 2009-05-12 00:11 76930 ----a-w c:\windows\system32\66.scr
2009-05-11 21:02 . 2009-05-11 21:02 -------- d-----w c:\temp\WPDNSE
2009-04-17 04:42 . 2009-04-17 04:42 -------- d-----w c:\documents and settings\vprincipato\Local Settings\Application Data\Microsoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 03:21 . 2008-05-20 21:46 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-03-25 01:47 . 2009-03-25 01:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 98304]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-27 69632]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-01-19 458752]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2005-08-06 974848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-21 144784]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-5-8 106560]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\66.scr"=
"c:\\WINDOWS\\System32\\88.scr"=
"c:\\WINDOWS\\System32\\81.scr"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"9010:TCP"= 9010:TCP:FIPM
"8990:TCP"= 8990:TCP:FMSP
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [17/12/2003 3:41 PM 5632]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/12/2002 12:17 AM 202768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/12/2002 12:17 AM 35856]
R2 XWNTSERV;XWP_Services;c:\windows\system32\XWNTSERV.EXE [8/05/2007 9:59 AM 185184]
R2 XwpNTrdr;XwpNTrdr;c:\windows\system32\drivers\XWPFSW2K.SYS [8/05/2007 9:59 AM 166445]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-lsass
.
------- Supplementary Scan -------
.
uStart Page = hxxp://smapp01/intranet
uInternet Settings,ProxyServer = 203.110.136.172:8080
uInternet Settings,ProxyOverride = 192*;<local>
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 02:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\NTRTSCAN.EXE
c:\program files\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\TMLISTEN.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\OFCDOG.EXE
.
**************************************************************************
.
Completion time: 2009-05-12 2:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-12 16:26
Pre-Run: 14,004,043,776 bytes free
Post-Run: 17,563,500,544 bytes free
Here is the HijackThis log for the same computer.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:35 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ndong.BLUECIRCLE\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1sass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206012376671
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
--
End of file - 6488 bytes
I will post a few more logs once it's complete on other computers.
ASKER
Here are the logs for the PC with the Selective Startup.
COMBO FIX LOG:
ComboFix 09-05-11.08 - ndong 13/05/2009 2:42.1 - [color=red][b]FAT32[/b][/c olor]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18 .1015.602 [GMT 10:00]
Running from: c:\documents and settings\ndong\Desktop\Com boFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.
(((((((((((((((((((((((((( (((((((((( ((( Other Deletions )))))))))))))))))))))))))) )))))))))) )))))))))) )))
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\config .txt
c:\windows\system32\oledb3 2.dll
c:\windows\Tasks\SysFile.b rk
.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))) )))))
.
2009-05-12 13:55 . 2009-05-12 13:55 -------- d-----w c:\documents and settings\ndong\Application Data\AdobeUM
2009-05-12 12:48 . 2009-05-12 12:48 -------- d-----w c:\documents and settings\ndong\Local Settings\Application Data\Symantec
2009-05-12 12:47 . 2009-05-12 12:47 48768 ----a-w c:\windows\system32\S32EVN T1.DLL
2009-05-12 12:47 . 2009-05-12 12:47 110952 ----a-w c:\windows\system32\driver s\SYMEVENT .SYS
2009-05-12 12:46 . 2009-05-12 12:47 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-12 11:38 . 2009-05-12 11:38 -------- d-----w c:\documents and settings\ndong\Local Settings\Application Data\Adobe
2009-05-12 11:14 . 2009-05-12 11:14 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-12 11:14 . 2009-05-12 11:14 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 09:47 . 2009-05-12 09:47 -------- d-----w c:\documents and settings\kchen\Application Data\ATI
2009-05-12 09:47 . 2009-05-12 09:47 -------- d-----w c:\documents and settings\kchen\Local Settings\Application Data\ATI
2009-05-12 09:47 . 2009-05-12 09:47 128 ----a-w c:\documents and settings\kchen\Local Settings\Application Data\fusioncache.dat
2009-05-12 09:47 . 2009-05-12 09:47 -------- d-----w c:\documents and settings\kchen\Local Settings\Application Data\ApplicationHistory
2009-05-12 09:45 . 2009-05-12 09:45 -------- d-----w c:\documents and settings\kchen
2009-05-12 08:31 . 2009-05-12 08:31 1615732 ----a-w C:\ProcessExplorer.zip
2009-05-12 08:02 . 2009-05-12 08:02 -------- d-s---w c:\documents and settings\ndong\UserData
2009-05-11 21:49 . 2009-05-11 21:49 -------- d-----w c:\temp\WPDNSE
2009-04-22 00:46 . 2009-04-22 00:46 -------- d-----w c:\temp\~nsu.tmp
.
(((((((((((((((((((((((((( (((((((((( (((( Find3M Report )))))))))))))))))))))))))) )))))))))) )))))))))) ))))))
.
2009-05-12 12:47 . 2009-05-12 12:47 805 ----a-w c:\windows\system32\driver s\SYMEVENT .INF
2009-05-12 12:47 . 2009-05-12 12:47 8014 ----a-w c:\windows\system32\driver s\SYMEVENT .CAT
2009-02-26 04:54 . 2009-02-26 04:54 64368 ----a-w c:\documents and settings\dkirkwood\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 04:53 . 2009-02-26 04:53 132 ----a-w c:\documents and settings\dkirkwood\Local Settings\Application Data\fusioncache.dat
2009-02-25 06:43 . 2009-02-25 06:43 64368 ----a-w c:\documents and settings\ndong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 06:43 . 2009-02-25 06:43 128 ----a-w c:\documents and settings\ndong\Local Settings\Application Data\fusioncache.dat
.
(((((((((((((((((((((((((( (((((((((( ( Reg Loading Points )))))))))))))))))))))))))) )))))))))) )))))))))) ))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Run]
"ctfmon.exe"="c:\windows\s ystem32\ct fmon.exe" [2004-08-03 15360]
[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-01-19 458752]
[HKEY_USERS\.DEFAULT\Softw are\Micros oft\Window s\CurrentV ersion\Run ]
"CTFMON.EXE"="c:\windows\S ystem32\CT FMON.EXE" [2004-08-03 15360]
[HKEY_USERS\.DEFAULT\Softw are\Micros oft\Window s\CurrentV ersion\Run Once]
"RunNarrator"="Narrator.ex e" - c:\windows\system32\narrat or.exe [2004-08-03 53760]
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows \currentve rsion\poli cies\syste m]
"disablecad"= 1 (0x1)
[HKEY_CURRENT_USER\softwar e\microsof t\windows\ currentver sion\polic ies\explor er]
"NoWelcomeScreen"= 1 (0x1)
HKEY_LOCAL_MACHINE\softwar e\microsof t\windows nt\currentversion\drivers3 2
"MIDI1"= SYNCOR11.DLL
[HKLM\~\startupfolder\C:^D ocuments and Settings^All Users^Start Menu^Programs^Startup^Adob e Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adob e Reader Speed Launch.lnk
backup=c:\windows\pss\Adob e Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^D ocuments and Settings^All Users^Start Menu^Programs^Startup^WinZ ip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZ ip Quick Pick.lnk
backup=c:\windows\pss\WinZ ip Quick Pick.lnkCommon Startup
[HKEY_LOCAL_MACHINE\softwa re\microso ft\securit y center\Monitoring\Symantec AntiVirus]
"DisableMonitoring"=dword: 00000001
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile\Auth orizedAppl ications\L ist]
"%windir%\\system32\\sessm gr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile\Glob allyOpenPo rts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22 009
R1 GhPciScan;GhostPciScanner; c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [17/12/2003 3:41 PM 5632]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/12/2002 12:17 AM 202768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/12/2002 12:17 AM 35856]
R2 XWNTSERV;XWP_Services;c:\w indows\sys tem32\XWNT SERV.EXE [8/05/2007 9:59 AM 185184]
R2 XwpNTrdr;XwpNTrdr;c:\windo ws\system3 2\drivers\ XWPFSW2K.S YS [8/05/2007 9:59 AM 166445]
R3 EraserUtilRebootDrv;Eraser UtilReboot Drv;c:\pro gram files\Common Files\Symantec Shared\EENGINE\EraserUtilR ebootDrv.s ys [13/05/2009 1:37 AM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [7/10/2007 8:48 PM 116664]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ERASERUTILREBOOTDRV
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-lsass
.
------- Supplementary Scan -------
.
uStart Page = hxxp://smapp01/intranet
uInternet Settings,ProxyServer = 203.110.136.172:8080
uInternet Settings,ProxyOverride = 192*;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFIC E11\EXCEL. EXE/3000
.
************************** ********** ********** ********** ********** ********
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 02:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************** ********** ********** ********** ********** ********
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-12 2:47
ComboFix-quarantined-files.txt 2009-05-12 16:47
Pre-Run: 13,398,638,592 bytes free
Post-Run: 17,890,459,648 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
HIJACKTHIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:15 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
--
End of file - 6426 bytes
Thanks.
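The logs above are what a responder has to work from, so here is a small triage script, added as an example and not part of the original post, that reads HijackThis and ComboFix lines and flags the three things this thread turns on: process or autostart names that imitate protected Windows binaries (1sass.exe is lsass.exe with a digit one in place of the L, and the svhost.exe the asker later reports is svchost.exe with a letter missing), O23 services with an unknown owner whose binary lives outside Program Files, and firewall policy entries that disable the firewall or open a port to everyone (the log shows 3389/TCP globally open). The sample input is assembled from the posted log with the garbled spacing removed, plus one constructed O4 autostart line for 1sass.exe, which the posted log itself does not contain.

```python
"""Triage a HijackThis / ComboFix log for the symptoms discussed in this thread.

Added example, not from the original posts. Flags:
  * process or autostart names imitating protected Windows binaries;
  * O23 services with "Unknown owner" outside Program Files;
  * firewall policy lines that disable the firewall or open a port globally.
"""
import re
from difflib import SequenceMatcher

# Core Windows binaries that malware most often imitates by name.
PROTECTED = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}
# Digit-for-letter swaps to undo before comparing names (1 -> l, 0 -> o).
DIGIT_SWAPS = str.maketrans("10", "lo")

EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
FW_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
FW_PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"\s*=')


def lookalike(filename):
    """Return the protected binary that `filename` imitates, or None."""
    name = filename.lower()
    if name in PROTECTED:
        return None
    swapped = name.translate(DIGIT_SWAPS)
    if swapped in PROTECTED:
        return swapped
    for real in sorted(PROTECTED):
        # One character dropped, added or changed, e.g. svhost.exe -> svchost.exe.
        if abs(len(name) - len(real)) <= 1 and SequenceMatcher(None, name, real).ratio() >= 0.9:
            return real
    return None


def exe_name(command):
    """Lower-case file name of the executable in a path or quoted command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None


def triage(lines):
    findings = {"lookalikes": [], "unknown_owner_services": [], "firewall": []}
    in_processes = False
    for raw in lines:
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes and not re.match(r"^[A-Za-z]:\\", line):
            in_processes = False  # first non-path line ends the process list
        if in_processes or line.startswith("O4 - "):
            command = line.split("] ", 1)[-1] if line.startswith("O4 - ") else line
            name = exe_name(command)
            real = lookalike(name) if name else None
            if real:
                findings["lookalikes"].append((name, real, line))
            continue
        m = O23_RE.match(line)
        if m:
            service, owner, path = m.groups()
            if owner.lower() == "unknown owner" and "program files" not in path.lower():
                findings["unknown_owner_services"].append((service, path))
            continue
        if FW_OFF_RE.match(line):
            findings["firewall"].append("Windows Firewall disabled (EnableFirewall=0)")
        m = FW_PORT_RE.match(line)
        if m:
            findings["firewall"].append("globally open port " + m.group(1))
    return findings


# Excerpt of the posted logs (garbled spacing removed) plus one CONSTRUCTED O4 line
# for 1sass.exe; the posted HijackThis log itself contains no such entry.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [1sass] C:\WINDOWS\system32\1sass.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
""".strip().splitlines()

if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key, items)
```

The lookalike check is the part worth keeping: antivirus scanners key on file content, so a binary that is renamed on every reinfection can slip past them, but a name one character away from lsass.exe or svchost.exe is never legitimate. XWP_Services is flagged only because its owner is unknown and it runs from System32; that makes it something to identify, not something to delete.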
Thanks .. it's going to take a while to scrutinise your Combo log .. studying it now ...
I see a SYSDRV32 which doesn't seem normal. This is on the non-selective startup machine but not the selective one. Is the machine with selective startup exhibiting the same problems as the one without?
ASKER
No, once I changed to Selective Startup, it seems a lot more stable and fast.
From the Combofix log on one of the infected computers >>
Under "Other Deletions" ...
> C:\Windows\System32\drivers\sysdrv32.sys <
Apparently added by the W32/Rbot-GXK worm and IRC backdoor.
Details >
http://www.bleepingcomputer.com/startups/sysdrv32.sys-24585.html
Still investigating ...
Ok so the issue is with something loading in your startup.
First off, the following are unnecessary (not harmful):
WinZip Quick Pick, Adobe Speed Launcher, Jussched, igfxtray, hkcmd, igfxpers
The culprit is a remaining item. Download and install Spybot S&D (http://www.safer-networking.org/en/download/index.html). It not only has a malware scanner, but the advanced options have tools which allow you to independently disable startup processes.
Jonvee, that's a startup item that keeps re-infecting clean machines. On the one he did a selective startup, this was no longer an issue.
@ sfarazmand,
Yes, it's ok, I realise that : )
Been concentrating on the ComboFix log for the PC with the Selective Startup.
Cannot see anything nasty in the Combo log.
Hopefully Spybot, suggested by sfarazmand, will do the trick.
If not, try SUPERAntiSpyware, which tends to complement Malwarebytes:
http://www.superantispyware.com/
There's also the Kaspersky online virus scanner>
http://www.kaspersky.co.uk/virusscanner
I also ran into a situation where nothing would work to remove or clean it other than http://www.pctools.com/spyware-doctor/
ASKER
Thanks for the help guys, I will try all the suggestions and get back to you.
I did notice that the service 1sass.exe made its way back into the startup list after the Selective Startup.
ASKER
Hi guys,
The virus we have got is called W32/IRCbot.gen (McAfee); the following link has the information relating to this virus that I am having:
http://www.avertlabs.com/research/blog/?s=conficker
I am now trying to remove the virus with no success. Right now I am trying to use Norton and AVG to scan the infected computers, but could not clean it up.
thanks in advance.
Those won't work. I've had that one and like I said the only thing that cleaned it was spyware doctor.
you can use this link to download my backup of it. http://www.megaupload.com/?d=BPD2O72G
ASKER
Will definitely give it a go. Thanks for your quick response.
>Conficker<
More information and a Solution!
Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.
BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.
Here's a link that's been used to remove Downadup from infected computers!
http://www.bdtools.net/
Took another look at your problem and located this url>
http://www.scanspyware.net/info/IRCBot.gen.htm
If you still haven't resolved the issue using the earlier suggestions, these comments may be helpful.
I have no experience in using information from this particular site, so if you do attempt a manual removal it will certainly be prudent to make a backup of the Registry before following the instructions.
ASKER
It doesn't seem to be the IRCBot.gen virus as none of the files are the same.
I have tried running Spyware Doctor on a lot of computers; it seems to pick up the 1sass.exe and 00.scr files, but doesn't stop the virus from coming back.
sysdrv32.sys is still there; I have to manually remove this.
Even then, it still comes back after a while.
Are there any useful tools I can use to check incoming connections to computers and what files they're trying to send?
ASKER
Some of the computers are displaying svhost.exe - application error.
the instruction at "0x001f1cb0" referenced memory at "0x48544950". The memory could not be read.
After running Spyware Doctor, this still appears.
I did a rescan but it didn't pick up the same virus results as before.
I'm not sure what else it could be.
Thanks for the feedback. It's quite conceivable that I missed something in the ComboFix log that could help us clear up this remaining infection.
bluecirlce, unless you get further suggestions from experts in this thread, I truly believe your best move would be to create a new thread in the HijackThis topic area, where there are some brilliant people dealing with the removal of stubborn infections. In any case most questions can be posted in three TAs, giving you input from experts active in these other zones >>
https://www.experts-exchange.com/Virus_and_Spyware/HijackThis/
Or, an alternative would be to create a new (20 point) question in this same HijackThis TA, which is linked to this question >> https://www.experts-exchange.com/questions/24401465/Computers-with-virus-spreading-through-network.html?cid=1066&anchorAnswerId=24381633#a24381633
Be sure to quote the address of this question in your new one, and advise everyone to only reply in this original question. Naturally I'll continue to monitor and periodically investigate.
Incidentally, a Google search found three URLs referring to this exact error>
>>the instruction at "0x001f1cb0" referenced memory at "0x48544950". The memory could not be read<<
Unfortunately they were from France and Thailand, both were poorly translated, and none helped me to establish anything, but the countries may possibly give you a clue?
If between us we can spot something I missed in the Combo log it wouldn't be a problem. A small script could be written, Combo re-run, and the infection removed as described in this tutorial>
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ASKER
Thanks for all your help guys,
I will raise a new thread in the HijackThis topic area, as any input is much appreciated at this time.
I will put the link to the new thread here once it's been raised.
ASKER
Hi Guys,
I have posted another thread under the HijackThis zone.
link: https://www.experts-exchange.com/questions/24408424/Pointer-1sass-exe-sysdrv32-exe-problem-arising-through-network.html
ASKER CERTIFIED SOLUTION
Another idea that I just had is that you can use Nmap (http://nmap.org/) to investigate the open ports on an infected machine and then use ngrep (http://ngrep.sourceforge.net/) to see what is being sent outside of your network by ngrepping on that port number.
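As an added example (not from the original thread) of the incoming-connection question above: Nmap shows what is listening from the outside, but the quickest host-side view of what a compromised machine is doing is `netstat -ano` plus `tasklist`, which this script parses. It flags a PID with SMB (139/445) connections to many distinct hosts, the fan-out a worm spreading through the Server service RPC hole produces, and established sessions to IRC ports, the beacon pattern of the IRC backdoor families named in the thread. The netstat and tasklist text, the 192.168.1.x and 203.0.113.x addresses and PID 1788 are all constructed for the example.

```python
"""Spot worm-style SMB fan-out and IRC command-and-control in `netstat -ano` output.

Added example, not from the original posts. On the suspect host run
`netstat -ano > netstat.txt` and `tasklist`, then feed the text to report().
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# One `netstat -ano` row; UDP rows have no State column.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
SMB_PORTS = {139, 445}                       # Server service (MS08-067) is reached here
IRC_PORTS = set(range(6660, 6670)) | {7000}  # classic IRC bot C2 ports


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, None if lport == "*" else int(lport),
                          rip, None if rport == "*" else int(rport), state or "", int(pid)))
    return conns


def find_scanners(conns, min_targets=8):
    """PIDs with half-open or live SMB connections to at least `min_targets` distinct hosts.

    Normal file-sharing client traffic belongs to PID 4 (System, the redirector);
    a user-mode PID talking to port 445 on a dozen neighbours is an exploit loop.
    """
    targets = {}
    for c in conns:
        if c.proto == "TCP" and c.remote_port in SMB_PORTS and c.state in ("SYN_SENT", "ESTABLISHED"):
            targets.setdefault(c.pid, set()).add(c.remote_ip)
    return {pid: sorted(ips) for pid, ips in targets.items() if len(ips) >= min_targets}


def find_irc_beacons(conns):
    """Established outbound sessions to IRC ports, whichever PID owns them."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.remote_port in IRC_PORTS]


def report(netstat_text, pid_names):
    conns = parse_netstat(netstat_text)
    lines = []
    for pid, ips in sorted(find_scanners(conns).items()):
        lines.append("PID %d (%s): SMB connections to %d hosts, e.g. %s"
                     % (pid, pid_names.get(pid, "?"), len(ips), ", ".join(ips[:3])))
    for c in find_irc_beacons(conns):
        lines.append("PID %d (%s): IRC-port session to %s:%d"
                     % (c.pid, pid_names.get(c.pid, "?"), c.remote_ip, c.remote_port))
    return lines


# CONSTRUCTED sample: host 192.168.1.50 probing port 445 on twelve neighbours from a
# process named after the thread's 1sass.exe, plus one IRC session from the same PID.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
     "  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032",
     "  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1496",
     "  TCP    192.168.1.50:1041      192.168.1.10:445       ESTABLISHED     4",
     "  TCP    192.168.1.50:1120      203.0.113.45:6667      ESTABLISHED     1788",
     "  UDP    0.0.0.0:445            *:*                                    4"]
    + ["  TCP    192.168.1.50:%d      192.168.1.%d:445       SYN_SENT        1788"
       % (1200 + i, 51 + i) for i in range(12)]
)
# CONSTRUCTED `tasklist` mapping for the sample PIDs.
PID_NAMES = {4: "System", 948: "svchost.exe", 1032: "svchost.exe", 1496: "WinVNC.exe", 1788: "1sass.exe"}

if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT, PID_NAMES):
        print(line)
```

One caveat when reading the output: SMB client connections made through the redirector are owned by PID 4, so fan-out from PID 4 can be either a busy file-server client or a worm copying itself to shares through the redirector, and needs the share audit logs to tell apart; fan-out from a user-mode PID almost never has an innocent explanation. Once a PID is singled out, the ngrep suggestion above on its ports shows what it is actually sending.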
I requested this thread to be moved to the HijackThis section. Also asked to close the other one you opened as it will be a duplicate.
We had a similar problem last week and it was the IRCbot trojan wreaking havoc on our servers. In your case, it doesn't seem to be related. What I do recommend is that you have all the latest Windows and security/antivirus updates. We excluded SP3 for XP since we need to test it first, but if it doesn't conflict with any of your work programs, you may proceed. For Server 2003, upgrade to SP2 and get all the critical updates. We were able to patch everything up once that was done.
For Symantec, you might want to get the rapid release updates here. If you are using an antivirus server (Symantec Antivirus Corporate Edition ), upload the xdb to the symantec install folder (C:\Program Files\Symantec AntiVirus\) and restart the Symantec Antivirus service. That should update it to the latest definitions. Any computers that are pointed to this server should be updated as well once this is done. I recommend getting the servers fixed first especially if other clients connect to it.
Download the Malicious Removal Tool from Microsoft and run it to see if anything is found.
Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm
* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
ASKER
Hi All,
Thanks for all your input.
I am currently removing the virus using the following steps:
1. Apply the Windows Conficker patch to the PC/server.
2. Disable System Restore.
3. Use antivirus to scan for the virus.
4. Clean everything out (files, registry).
5. Enable Windows Firewall (XP only).
After performing these steps the PCs/servers are a lot more stable, and I'm hoping it stays this way.
The antivirus software is not coming up with infections like before (which used to pop up repeatedly due to the virus trying to replicate itself).
I will keep you posted in a few days to confirm if it is still contained.
In the meantime, can you please recommend some good resources for network security so we can prevent this from happening moving forward.
Thanks.
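As an added example (not code from this thread or from any of the products mentioned in it), here is a small Python sweep that re-checks a host for the file names reported earlier in the question (1sass.exe, sysdrv32.exe, x[1], x[2], ..., 1.scr, 2.scr, ...). It is the kind of check you would run after step 4 above and again a few days later to confirm the infection is still contained. The file names come from the thread; the directory layout, the sample files and the reading of 1sass.exe as a look-alike of the legitimate lsass.exe are my own constructed assumptions.

```python
"""
Sweep a directory tree for the file names reported in this thread and
return what was found, so a cleaned host can be re-checked later.
Added example: the indicator names are from the thread; the scan logic
and the sample tree built below are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Exact names reported by the asker (compared case-insensitively, as on NTFS).
EXACT_NAMES = {"1sass.exe", "sysdrv32.exe"}

# Patterns for the numbered files: x[1], x[2], ... and 1.scr, 2.scr, ...
NUMBERED_PATTERNS = [
    re.compile(r"^x\[\d+\]$", re.IGNORECASE),
    re.compile(r"^\d+\.scr$", re.IGNORECASE),
]

# Assumption: "1sass.exe" is a typosquat of the legitimate lsass.exe
# (digit one in place of lower-case L), so it is reported as a look-alike.
LOOKALIKE_OF = {"1sass.exe": "lsass.exe"}


def is_indicator(name: str) -> bool:
    """True if a bare file name matches one of the thread's indicators."""
    lower = name.lower()
    if lower in EXACT_NAMES:
        return True
    return any(p.match(lower) for p in NUMBERED_PATTERNS)


def sweep(root) -> list:
    """Walk root and collect indicator files with their size and look-alike note."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not is_indicator(fname):
                continue
            full = Path(dirpath) / fname
            hits.append({
                "path": str(full),
                "name": fname,
                "size": full.stat().st_size,
                "lookalike_of": LOOKALIKE_OF.get(fname.lower()),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root) -> None:
    """Constructed sample: a fake system32 plus a share, with clean and suspicious files."""
    sys32 = Path(root) / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "lsass.exe").write_bytes(b"legit")          # real name, must NOT be flagged
    (sys32 / "1sass.exe").write_bytes(b"MZ" + b"\0" * 30)  # look-alike from the thread
    (sys32 / "sysdrv32.exe").write_bytes(b"MZ" + b"\0" * 10)
    share = Path(root) / "share"
    share.mkdir()
    (share / "x[1]").write_bytes(b"MZ")
    (share / "x[2]").write_bytes(b"MZ")
    (share / "3.scr").write_bytes(b"MZ")
    (share / "report.txt").write_bytes(b"fine")          # unrelated file, not flagged


def demo() -> list:
    """Run the sweep on the constructed tree and return the flagged file names in path order."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [h["name"] for h in sweep(tmp)]


if __name__ == "__main__":
    # On a real host you would call sweep(r"C:\") instead of the sample tree.
    for name in demo():
        print("suspicious:", name)
```

On a real host, call `sweep()` on the system drive (and on any shares the infected machines write to) and keep the output from each run; an empty result on the second and third run is the evidence of containment the asker is waiting for, while a reappearing name points at a host that was missed in step 4.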
ASKER
Hi Guys,
It's been a while since we used the above steps to deal with the virus, so I'm posting to update you on our current status.
Our PCs and servers are looking a lot better now; the virus seems to have been contained.
Thank you for all your help.
Good to see that the problem has been resolved and thanks for the feedback.
ASKER
The previous post I made about this problem is:
https://www.experts-exchange.com/questions/24387217/Windows-Server-2003-SP2-Running-Slow-and-Crashes-on-scheduled-or-repeated-tasks.html
Hope that helps.