entourage714

Our server was infected with viruses. It has been scanned and cleaned, but still may have something on it.

We have a server that may still be infected with a virus. I have scanned with BitDefender (online), Trend Micro (online), AVG, Sophos, and Kaspersky. All looks good, except that when I do a packet capture my server seems to be sending something out to IP 60.4.196.188 (somewhere in China according to a lookup tool). It connects via random ports from my server to port 8080 on 60.4.196.188. I have disabled all my anti-viruses. Still it appears. What else can I do?

Some random ports are 4326, 3995, 3996, etc.
ASKER CERTIFIED SOLUTION
Member_2_49692

jcullins

Check the following registry keys to make sure there isn't anything there that you're not aware of.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

If need be, load the server into safe mode and remove any keys you find there that look suspicious. To be honest, what I would do is write down all of the keys and values you have there and start removing anything you don't recognize. Then check your packet capture tool.

You also might want to take a look at Computer Associates (CA) (http://ca.com/us/securityadvisor/virusinfo/scan.aspx) and check that out. Also, you must use Internet Explorer to utilize the web scan from CA.

It could also be possible that spyware is installed on that server. You may want to download a spyware checker like Spybot S&D or something of your liking.
entourage714 (ASKER)

Here is my HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 4:05:46 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\nhsrvice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\Administrator.BUCK\Desktop\procexp.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://realvnc.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Bginfo.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189465807296
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = buck.local
O17 - HKLM\Software\..\Telephony: DomainName = buck.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA811FD-5881-4A0A-B0BE-814D6473A007}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A52BCAC-B0C5-4DB1-8E2F-F6A016795E35}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E9775F1-E123-46C9-B5AF-9D01C9FC435F}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06448C-FB58-4239-B7A6-7E998C046221}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = buck.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe" -r (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP Loader - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\nhsrvice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
O23 - Service: NsEngine - NovaStor Corporation - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\systom32\svchost.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe

Spybot S&D found 1 cookie infected; removed.
Spyware Doctor found some cookies infected; removed.
I will post my RootkitRevealer when it finishes.

Thanks for all the help, hope I get it.

FYI: the server is still sending out fishy stuff.

If you can, I would get it off the internet for now until this is resolved. Is it just sending data packets out, or are they coming back into the server?

Kill this:
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\systom32\svchost.exe

Notice it says SYSTOM32; that is wrong... it is a fake process. Get the properties on it before you kill it, such as date modified.
You will then use the date of this svchost file as your search parameter.
Go to Start > Find Files or Folders, click Advanced, search all files and folders (including hidden and system), then put in the dates specified, using the modified date. Let's say it says 1-10-2008: put your start and end dates as the same date. This will then show all the files that were modified that day. Some of these will be normal (all could be, for that fact), but you are looking for anything strange: DLLs or EXEs that have odd names or are misnamed, i.e. SCVHOST.EXE or A42ns772.dll (random letters and numbers).

Also search for the SYSTOM path reference in the registry; do not look for svchost.exe, as you will find the valid entries too.

I am trying to find more information on this, but you are still infected, and it looks like it is hitting mainly systems in China.
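The SYSTOM32 catch in the post above is something a log-triage script can surface automatically. As an added example, not from this thread or from the HijackThis tool, the Python below runs over a constructed sample of four O23 lines taken from the log posted earlier and flags any service whose image path contains a near-miss of a real system directory, or whose binary HijackThis reports missing. The KNOWN_DIRS set and the edit-distance threshold of 2 are assumptions.

```python
import re
from typing import Dict, List

# Directory names under which a Windows service binary normally lives
# (assumption: tune this set for the servers you triage).
KNOWN_DIRS = {"system32", "syswow64"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the systom32/system32 swap scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# HijackThis O23 layout: "O23 - Service: <name> - <vendor> - <image path>"
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def triage_o23(log: str) -> List[Dict[str, str]]:
    """Return one finding per O23 line whose image path deserves a look."""
    findings = []
    for line in log.splitlines():
        m = O23_LINE.match(line.strip())
        if not m:
            continue
        path = m["path"].strip().strip('"')
        reasons = []
        if "(file missing)" in path:
            reasons.append("binary reported missing")
        # Check every directory component, never the file name itself.
        for part in path.split("\\")[:-1]:
            for known in KNOWN_DIRS:
                if part.lower() != known and edit_distance(part.lower(), known) <= 2:
                    reasons.append(f"directory '{part}' is a near-miss of '{known}'")
        if reasons:
            findings.append({"service": m["name"], "path": path, "reasons": "; ".join(reasons)})
    return findings

# Constructed sample: four O23 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe" -r (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\systom32\svchost.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
"""

if __name__ == "__main__":
    for f in triage_o23(SAMPLE_LOG):
        print(f"{f['service']}: {f['reasons']}\n    {f['path']}")
```

Both the RasAuto line and the Kaspersky "(file missing)" line are surfaced; the second is a HijackThis quoting quirk that a human still has to rule out.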
Looks like the service is not currently running.
I searched my registry and found systom in a folder called rasauto.
Should I delete the rasauto folder in the registry?

Is it the only instance?
Can you post a screenshot of the registry key area?

Check that c:\windows\systom32 folder and see what else is there; check the properties and the date of the files found there if there is more than svchost.exe... Let me know if you find anything else suspicious.

Here are some other things you can try, but they may require a reboot.

Use ComboFix; here are the instructions and the download: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Another anti-spyware program:
http://www.superantispyware.com/

Look for these files; if found, they need to be removed.

3 instances of rasauto, all look the same.
(attached: registry.JPG)
All right, I looked at it. You need to remove the image path since it is incorrect. What I don't like is the square boxes at the top. What does it say in the sub keys; do they look OK or not?

Do you have another Windows 2003 server box?

I need to look into how that registry entry can be restored. The path definitely needs to be changed, but I have to look at a 2003 machine and get back to you.


http://www.cybertechhelp.com/forums/showthread.php?t=173131

What do you think about the last procedures in this link? Similar to what you stated above?

Yes, I had seen that and was going to reference that, but first I wanted you to see if you had any of those other files I had listed above.

I am working on getting a 2003 server online so I can look at that registry key and then export it (if necessary) so you can fix your registry.
I want you to do the following: back up that registry key, rasman, before you do this.

I have uploaded the registry file you need to correct the settings, in .txt format. You will need to rename the extension to .reg, then double-click on the reg file and say yes when it asks if you want to enter the information in the registry. It should then say successful.

Make sure you have killed the c:\windows\SYSTOM folder before doing this.
(attached: rasman.txt)
Let me know the status of the other stuff, if the outbound connections are occurring, etc. Also if you found any of those files I listed above.

After completing the procedures in the link, I now cannot ping my server. I can still get to the internet from the computer, but I cannot ping the server from inside the network.
OK, restored a backup registry. Now I can ping the server again. The virus seems to not be active either. I will check again tomorrow.