entourage714
Our server was infected with viruses. It has been scanned and cleaned, but it still may have something on it.
We have a server that may still be infected with a virus. I have scanned with BitDefender (online), Trend Micro (online), AVG, Sophos, and Kaspersky. All looks good, except that when I do a packet capture, my server seems to be sending something out to IP 60.4.196.188 (somewhere in China, according to a lookup tool). It connects via random ports from my server to port 8080 on 60.4.196.188. I have disabled all my anti-virus products. It still appears. What else can I do?
Some random ports are
4326, 3995, 3996, etc.
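Added example (the editor's, not part of the original thread or of any expert's answer): the packet capture shows the destination, but not which process owns the connection, and on a Windows 2003 server the PID alone is often an svchost.exe hosting a whole service group. This PowerShell 2.0 script attributes the connection to 60.4.196.188:8080 (the endpoint from the question) to a PID, then lists the services hosted in that PID and any loaded DLL that does not live in a directory a clean box loads from. PowerShell 2.0 (an optional install on Windows Server 2003), netstat.exe, and the list of "expected" module directories are assumptions made here.

```powershell
# Added example, not from the thread: tie the outbound connection seen in the
# packet capture to a PID, then to the services and DLLs inside that process.
# On a server the PID alone says little: svchost.exe hosts whole service groups,
# so the hosted services and the loaded modules are what identify the culprit.
# Assumes PowerShell 2.0 (installable on Windows Server 2003) and netstat.exe.
$RemoteIp   = '60.4.196.188'   # endpoint from the asker's capture
$RemotePort = 8080

# Parse "netstat -ano": Proto  Local Address  Foreign Address  State  PID
function Get-TcpConnectionTable {
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            New-Object PSObject -Property @{
                Local = $f[1]; Remote = $f[2]; State = $f[3]; ProcessId = [int]$f[4]
            }
        }
    }
}

$hits = Get-TcpConnectionTable | Where-Object { $_.Remote -eq "${RemoteIp}:${RemotePort}" }
if (-not $hits) {
    "No live connection to ${RemoteIp}:${RemotePort} right now; beacons are short, so loop this or watch the capture for the moment it fires."
}

foreach ($procId in ($hits | Select-Object -ExpandProperty ProcessId -Unique)) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    "PID $procId  $($proc.ExecutablePath)"
    "  cmdline : $($proc.CommandLine)"
    "  parent  : $($proc.ParentProcessId)"

    # Services hosted in this PID (several for an 'svchost -k <group>' process).
    Get-WmiObject Win32_Service -Filter "ProcessId = $procId" | ForEach-Object {
        "  service : $($_.Name)  ->  $($_.PathName)"
    }

    # Loaded modules outside the directories a clean box loads from (assumed list).
    # Anything reported here is the first thing to hash and check.
    $expected = @("$env:SystemRoot\system32", "$env:SystemRoot\WinSxS", $env:ProgramFiles)
    try {
        foreach ($m in (Get-Process -Id $procId).Modules) {
            $known = $false
            foreach ($dir in $expected) { if ($m.FileName -like "$dir\*") { $known = $true } }
            if (-not $known) { "  module  : $($m.FileName)   <-- outside expected directories" }
        }
    } catch { "  (could not enumerate modules: $($_.Exception.Message))" }
}
```

Run it from an elevated prompt while the capture shows the traffic; if the owning process turns out to be a real system binary, the service list and the flagged module are what to chase, since an injected DLL or a rogue service inside a legitimate svchost.exe is exactly what signature scanners tend to miss.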
ASKER CERTIFIED SOLUTION
ASKER
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:05:46 PM, on 1/28/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\nhsrvice.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\Administrator.BUCK\Desktop\procexp.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://realvnc.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Bginfo.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189465807296
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = buck.local
O17 - HKLM\Software\..\Telephony: DomainName = buck.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA811FD-5881-4A0A-B0BE-814D6473A007}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A52BCAC-B0C5-4DB1-8E2F-F6A016795E35}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E9775F1-E123-46C9-B5AF-9D01C9FC435F}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB06448C-FB58-4239-B7A6-7E998C046221}: NameServer = 192.168.1.217,192.168.1.201
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = buck.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe" -r (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HASP Loader - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\nhsrvice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\NovaStor\NovaBACKUP\NMSAccessU.exe
O23 - Service: NsEngine - NovaStor Corporation - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\systom32\svchost.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
ASKER
Spybot S&D found 1 infected cookie; removed.
Spyware Doctor found some infected cookies; removed.
I will post my RootkitRevealer log when it finishes.
Thanks for all the help; hope I get it.
FYI: the server is still sending out fishy stuff.
If you can, I would get it off the internet for now until this is resolved. Is it just sending data packets out, or are they coming back into the server?
Kill this:
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\systom32\svchost.exe
Notice it says SYSTOM32. That is wrong; it is a fake process. Get the properties on it before you kill it, such as the date modified.
You will then use the date of this svchost file as your search parameter.
Go to Start > Find Files or Folders, click Advanced, search all files and folders (hidden and system), then put in the dates specified: take the modified date, let's say it says
1-10-2008, and put your start and end dates as that same date. This will then show all the files that were modified that day. Some of these will be normal (all could be, for that fact), but you are looking for anything strange: DLLs or EXEs that have odd names or are misnamed, i.e. SCVHOST.EXE or A42ns772.dll (random letters and numbers).
Also search for the SYSTOM path reference in the registry; do not look for svchost.exe, as you will find the valid entries too.
I am trying to find more information on this, but you are still infected, and it looks like it is hitting mainly systems in China.
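Added example (the editor's, not part of the original thread or of the expert's answer above): the two manual checks just described, done with a script so that nothing is missed by eye. It audits every service ImagePath in the registry for a directory that is a near-miss of the real system32 (the "systom32" trick generalised to any one- or two-character typo) or that points at a file which no longer exists, and then lists every executable under %SystemRoot% modified on the day the fake svchost.exe was dropped. PowerShell 2.0 in an elevated session is assumed; $DropDate, the edit-distance threshold and the backup file name are placeholders chosen here, and the ImagePath parsing is this example's own, not something the expert posted.

```powershell
# Added example, not from the thread: audit service ImagePaths for a lookalike
# of system32 or a missing binary, then list executables modified on the drop date.
# Assumes PowerShell 2.0 run as Administrator. $DropDate is a placeholder:
# use the modified date read off the fake svchost.exe.
$DropDate = [datetime]'2008-01-10'

# Levenshtein distance: "systom32" is 1 away from "system32", "system23" is 2.
function Get-EditDistance([string]$a, [string]$b) {
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Reduce an ImagePath to the executable it launches. Handles the forms Windows
# stores: quoted paths, trailing arguments (-k netsvcs), %SystemRoot% and
# \SystemRoot\ prefixes, \??\ prefixes, and driver paths relative to %SystemRoot%.
function Get-ImageExe([string]$imagePath) {
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if ($p -like '\SystemRoot\*')        { $p = $env:SystemRoot + $p.Substring(11) }
    elseif ($p -like '\??\*')            { $p = $p.Substring(4) }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Back up the Services hive before anything in it is changed (reg.exe ships with the OS).
reg export HKLM\SYSTEM\CurrentControlSet\Services "$env:TEMP\services-$(Get-Date -Format yyyyMMdd-HHmmss).reg" | Out-Null

foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $ip = (Get-ItemProperty $svc.PSPath).ImagePath
    if (-not $ip) { continue }
    $exe  = Get-ImageExe $ip
    $leaf = (Split-Path (Split-Path $exe -Parent) -Leaf).ToLower()
    $dist = Get-EditDistance $leaf 'system32'
    if ($dist -ge 1 -and $dist -le 2) { "LOOKALIKE DIR  $($svc.PSChildName): $ip" }
    elseif (-not (Test-Path $exe))    { "FILE MISSING   $($svc.PSChildName): $ip" }
}

# Everything executable under %SystemRoot% touched on the drop date, oldest first.
Get-ChildItem $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys)$' -and $_.LastWriteTime.Date -eq $DropDate.Date } |
    Sort-Object LastWriteTime | Format-Table LastWriteTime, Length, FullName -AutoSize
```

Against the log above this flags the RasAuto entry as a lookalike directory and the Kaspersky AVP entry as a missing file (its path has a stray quote, which is why HijackThis also reports "file missing"). A distance of 2 will also catch the legacy %SystemRoot%\system directory; lower the threshold to 1 if that produces noise. The date filter relies on the file's own timestamp, which the dropper may have altered, so treat it as a starting point, not proof.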
ASKER
Looks like the service is not currently running.
I searched my registry and found "systom" in a folder called rasauto.
Should I delete the rasauto folder in the registry?
Is it the only instance?
Can you post a screenshot of the registry key area?
Check that c:\windows\systom32 folder; see what else is there. Check the properties and the date of the files found there if there is more than svchost.exe. Let me know if you find anything else suspicious.
Here are some other things you can try, but they may require a reboot.
Use ComboFix; here are the instructions and the download: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Another anti-spyware program:
http://www.superantispyware.com/
Look for these files; if found, they need to be removed.
C:\windows\system32\jsqxazc.exe
c:\windows\system32\gjfhazc.exe
c:\windows\system32\swjqbac.exe
c:\windows\system32\avzxmst.exe
c:\windows\system32\avwlhst.exe
c:\windows\system32\avwghst.exe
c:\program files\internet explorer\plugins\nvsys_55.sys
c:\windows\136588mm.dll
c:\windows\136588wl.dll
c:\windows\system32\flrxekpvb.dll
c:\windows\system32\avwghmn.dll
c:\windows\system32\avwlhmn.dll
c:\windows\system32\avzxmmn.dll
c:\windows\system32\diktko.dll
c:\windows\system32\dmzjmm.dll
c:\windows\system32\gacjck.dll
c:\windows\system32\gjfhayc.dll
c:\windows\system32\jsqxayc.dll
c:\windows\system32\kvsc3.dll
c:\windows\system32\lotushlp.dll
c:\windows\system32\qhlduh.dll
c:\windows\system32\qwehem.dll
c:\windows\system32\swjqbzc.dll
c:\windows\system32\upxdnd.dll
c:\windows\system32\wsockdrv32.dll
c:\windows\system32\yemlat.dll
c:\windows\system32\ywluji.dll
c:\windows\system32\avpsrv.dll
c:\windows\system32\cmdbcs.dll
c:\windows\system32\dbghlp32.dll
c:\windows\system32\msimms32.dll
c:\windows\system32\msprint32d.dll
c:\windows\system32\nvdispdrv.dll
c:\windows\system32\winform.dll
c:\windows\136588l.exe
c:\windows\136588m.exe
c:\windows\lotushlp.exe
c:\windows\dbghlp32.exe
c:\windows\nvdispdrv.exe
c:\program files\common files\services\svchost.exe
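Added example (the editor's, not part of the original thread or of the expert's answer above): a sweep of the indicator list just posted that records evidence before anything is deleted. Each hit is written out with its creation and modification times, size and SHA-256, which is what you need to compare against a clean Windows 2003 box and to submit to the vendors whose scanners missed it. It also generalises the last entry in the list (an svchost.exe under Common Files) by finding any copy of a core Windows process name, anywhere under Windows or Program Files, whose hash differs from the copy in system32, and checks whether the systom32 directory still exists. PowerShell 2.0 run as Administrator is assumed; the report path and the list of core process names are choices made here.

```powershell
# Added example, not from the thread: sweep the indicator list and record
# evidence (timestamps, size, SHA-256) for every hit before deleting anything.
# Assumes PowerShell 2.0 run as Administrator. $Report is a path chosen here.
$Report = "$env:TEMP\ioc-hits.txt"

# The expert's list, one path per line.
$Indicators = @'
C:\windows\system32\jsqxazc.exe
c:\windows\system32\gjfhazc.exe
c:\windows\system32\swjqbac.exe
c:\windows\system32\avzxmst.exe
c:\windows\system32\avwlhst.exe
c:\windows\system32\avwghst.exe
c:\program files\internet explorer\plugins\nvsys_55.sys
c:\windows\136588mm.dll
c:\windows\136588wl.dll
c:\windows\system32\flrxekpvb.dll
c:\windows\system32\avwghmn.dll
c:\windows\system32\avwlhmn.dll
c:\windows\system32\avzxmmn.dll
c:\windows\system32\diktko.dll
c:\windows\system32\dmzjmm.dll
c:\windows\system32\gacjck.dll
c:\windows\system32\gjfhayc.dll
c:\windows\system32\jsqxayc.dll
c:\windows\system32\kvsc3.dll
c:\windows\system32\lotushlp.dll
c:\windows\system32\qhlduh.dll
c:\windows\system32\qwehem.dll
c:\windows\system32\swjqbzc.dll
c:\windows\system32\upxdnd.dll
c:\windows\system32\wsockdrv32.dll
c:\windows\system32\yemlat.dll
c:\windows\system32\ywluji.dll
c:\windows\system32\avpsrv.dll
c:\windows\system32\cmdbcs.dll
c:\windows\system32\dbghlp32.dll
c:\windows\system32\msimms32.dll
c:\windows\system32\msprint32d.dll
c:\windows\system32\nvdispdrv.dll
c:\windows\system32\winform.dll
c:\windows\136588l.exe
c:\windows\136588m.exe
c:\windows\lotushlp.exe
c:\windows\dbghlp32.exe
c:\windows\nvdispdrv.exe
c:\program files\common files\services\svchost.exe
'@ -split "`r?`n" | Where-Object { $_.Trim() }

# Core process names that belong only in %SystemRoot%\system32 (list chosen here).
$CoreNames = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'winlogon.exe', 'smss.exe'
$Sys32 = Join-Path $env:SystemRoot 'system32'

function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')   # read even if in use
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Close() }
}

function Write-Hit([string]$path, [string]$why) {
    $f = Get-Item -LiteralPath $path -Force
    $line = "{0}`t{1}`tcreated={2:u}`tmodified={3:u}`tsize={4}`tsha256={5}" -f `
        $why, $f.FullName, $f.CreationTime, $f.LastWriteTime, $f.Length, (Get-Sha256 $f.FullName)
    Add-Content -LiteralPath $Report -Value $line
    $line
}

foreach ($p in $Indicators) {
    if (Test-Path -LiteralPath $p) { Write-Hit $p 'LISTED' }
}
if (Test-Path "$env:SystemRoot\systom32") { Write-Hit "$env:SystemRoot\systom32" 'FAKE-DIR-PRESENT' }

# Reference hashes of the genuine core binaries, then every differing copy elsewhere.
# Legitimate duplicates (dllcache, ServicePackFiles) hash the same and stay quiet.
$ref = @{}
foreach ($n in $CoreNames) { $c = Join-Path $Sys32 $n; if (Test-Path $c) { $ref[$n] = Get-Sha256 $c } }
foreach ($root in $env:SystemRoot, $env:ProgramFiles) {
    Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $CoreNames -contains $_.Name.ToLower() -and $_.DirectoryName -ne $Sys32 } |
        ForEach-Object {
            try { if ((Get-Sha256 $_.FullName) -ne $ref[$_.Name.ToLower()]) { Write-Hit $_.FullName 'CORE-NAME-OUTSIDE-SYSTEM32' } }
            catch { "skipped $($_.FullName): $($_.Exception.Message)" }
        }
}
```

Keep the report off the server (it goes to a share or a USB stick, not the same disk you are about to clean) so the hashes survive whatever ComboFix or the next scanner removes. If a hit is listed as LISTED or CORE-NAME-OUTSIDE-SYSTEM32 and the file will not delete, it is usually because the process from the earlier connection check still has it loaded; that PID, not the file, is the thing to stop first.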
ASKER
3 instances of rasauto; all look the same.
registry.JPG
All right, I looked at it. You need to remove the image path, since it is incorrect. What I don't like is the square boxes at the top. What does it say in the subkeys? Do they look OK or not?
Do you have another Windows 2003 server box?
I need to look into how that registry entry can be restored. The path definitely needs to be changed, but I have to look at a 2003 machine and get back to you.
ASKER
http://www.cybertechhelp.com/forums/showthread.php?t=173131
What do you think about the last procedures in this link? They are similar to what you stated above.
Yes, I had seen that and was going to reference it, but first I wanted you to see if you had any of those other files I listed above.
I am working on getting a 2003 server online so I can look at that registry key and then export it (if necessary) so you can fix your registry.
I want you to do the following. Back up that registry key (rasman) before you do this.
I have uploaded the registry file you need to correct the settings, in .txt format. You will need to rename the extension to .reg, then double-click the .reg file and say Yes when it asks if you want to enter the information into the registry. It should then say it was successful.
Make sure you have killed the c:\windows\SYSTOM folder before doing this.
rasman.txt
Let me know the status of the other stuff, whether the outbound connections are still occurring, etc. Also let me know if you found any of those files I listed above.
ASKER
After completing the procedures in the link, I now cannot ping my server. I can still get to the internet from the computer, but I cannot ping the server from inside the network.
ASKER
OK, restored a backup registry. Now I can ping the server again. The virus seems to not be active either. I will check again tomorrow.
OK.
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_CURRENT_USER\Software
If need be, load the server into Safe Mode and remove any keys that you find there that look suspicious. To be honest, what I would do is write down all of the keys and values you have there and start removing anything you don't know what it is. Then check your packet capture tool.
You also might want to take a look at Computer Associates (CA) (http://ca.com/us/securityadvisor/virusinfo/scan.aspx) and check that out. Also, you must use Internet Explorer to utilize the web scan from CA.
It could also be spyware that is installed on that server. You may want to download a spyware checker like Spybot S&D or something of your liking.