Solved

Windows 2003 Server Virus Problems w32.downadup.b

Posted on 2009-02-17
Last Modified: 2013-12-06
We had a bad case of the w32.downadup.b virus spread through our company and I was able to get all of the servers and most of the clients patched with the Windows update. Unfortunately one of our domain controllers was overlooked and did not have an anti-virus on it. It is pretty messed up. I cannot go to the Microsoft update site, can't download Norton LiveUpdate files. Whatever is on here now has pretty much taken the server hostage. I tried to install Computer Associates anti-virus and it hung up and then came up disabled.

I have tried everything I have found to remove the w32.downadup.b virus and most of the stuff listed (DLLs and the reg entries) was not there on the server. I ran the fixdownadup.exe and it says the virus was not found. I checked the hosts file and nothing is in there. I am running Spybot on there right now and I have attached a copy of the HijackThis log file as well. PLEASE HELP!!!

Thanks, Scott...
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:31:51 AM, on 2/17/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\BakBone Software\NetVault\bin\nvpmgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
R:\Software\Spyware Remover Tools\HiJackThis_v2.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\RunOnce: [PBEUninstAgent] cmd /C "del /F/Q C:\DOCUME~1\ADMINI~1.BBK\LOCALS~1\Temp\2\Set???.tmp C:\DOCUME~1\ADMINI~1.BBK\LOCALS~1\Temp\2\IEC???.tmp C:\WINDOWS\system32\APCSnmp.dll | rmdir /S/Q "C:\Program Files\InstallShield Installation Information\{BCE9F441-9027-4911-82E0-5FB28057897D}""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Cisco Security Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234453096840
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234453090027
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\Software\..\Telephony: DomainName = BBK
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7D948A2-5F2C-4B5A-A1B0-4758DC25F7B7}: NameServer = 
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = BBK
O20 - AppInit_DLLs: csauser.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: NetVault Process Manager - Unknown owner - C:/Program Files/BakBone Software/NetVault/bin/nvpmgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
 
--
End of file - 5457 bytes

Question by:smuth

18 Comments
 
LVL 12

Expert Comment

by:TK-77
ID: 23661252
Have you tried Malwarebytes, F-Secure, and Combofix?

Malwarebytes
http://www.malwarebytes.org/

F-Secure
ftp://ftp.f-secure.com/anti-virus/tools/DownadupRemovalTool.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After you run those, please re-post your Hijackthis log and Combofix logs.

TK


Author Comment

by:smuth
ID: 23661418
I just installed Malwarebytes and it will not let me update it. Says it cannot connect to their site. Whatever this is has a detailed list of sites it is blocking. I checked the hosts file and it is clean. Where else do I need to go to keep this thing from blocking these sites?
LVL 12

Expert Comment

by:TK-77
ID: 23661817
Only "some" sites are being blocked? Are only Microsoft and Anti-Malware sites being blocked? Have you tried accessing blocked sites by IP address to eliminate a DNS issue? You can look up IP addresses here: http://www.zoneedit.com/lookup.html

Also, did you try to run any of the above scans in Safe Mode? Don't worry about the Malwarebytes update not working. Just try to run the scan to see if it picks up anything. The software you downloaded should be current.

TK


Author Comment

by:smuth
ID: 23661899
Yes, only sites for antivirus, malware and updates are being blocked. I tried the IP for update.microsoft.com and it brings up the site, but won't let the site scan the PC for updates.

I ran F-Secure in safe mode and it said no virus found. I ran Malwarebytes and it found two things, cleaned them, I rebooted and no change.

Author Comment

by:smuth
ID: 23661920
Also, ComboFix does not work on Windows 2003 Server.

Author Comment

by:smuth
ID: 23662083
I tried to download the update files separately from Norton and install them. It just comes up and says install failed. I am at a loss here. This is really bad and it is our main DC. I need to get this fixed. Any other thoughts anyone???
LVL 12

Expert Comment

by:TK-77
ID: 23662088
I think I found the problem. In your Hijackthis log, delete this entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7D948A2-5F2C-4B5A-A1B0-4758DC25F7B7}: NameServer =

Also, is your domain BBK (I am assuming so)? If so, leave the following entries. If you don't recognize "BBK" then delete the following:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\Software\..\Telephony: DomainName = BBK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BBK
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = BBK

TK

Author Comment

by:smuth
ID: 23662138
The

O17 - HKLM\System\CCS\Services\Tcpip\..\{B7D948A2-5F2C-4B5A-A1B0-4758DC25F7B7}: NameServer =

entry had the IPs of our DCs, so I removed the addresses before I posted the log. Do you still think there is a problem with it? Also, the others are for our domain BBK.
LVL 12

Expert Comment

by:TK-77
ID: 23662211
If you verified that the NameServer IPs were correct and you only deleted the IPs from the HijackThis log, then you can leave it.

I wish I could have been more help. Let's see if someone else has any ideas.

TK
LVL 15

Expert Comment

by:xmachine
ID: 23662323
Hi,

I have the following questions/comments:

1) Download ListDlls (http://download.sysinternals.com/Files/ListDlls.zip). Run it and paste the output here.

2) Did you run the Symantec FixDump in Safe Mode? If not, please try it.

3) The HijackThis log doesn't contain anything malicious, or it was not able to expose any hidden/rootkitted files.

4) Download Norton's definitions and update it manually, then run a full scan (in safe mode):

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

or download it directly: http://definitions.symantec.com/defs/20090217-002-v5i32.exe

5) Sniff the traffic using Wireshark (http://wireshark.cs.pu.edu.tw/download/win32/wireshark-setup-1.0.6.exe) and post it here.

6) Add the following lines to the server's HOSTS file, then try updating both (Windows & Norton):

207.46.225.221 windowsupdate.microsoft.com
88.221.217.18  liveupdate.symantec.com


A Symantec Certified Specialist @ your service


Author Comment

by:smuth
ID: 23662463
1. I copied the results below.

2. Not sure what the Symantec FixDump is. It was not installed on this DC for some reason, so I installed it, but was unable to update it. With the changes I made to the hosts file I am now able to run LiveUpdate. I am running it now and going to run a scan when it is done. I was not able to get to the Microsoft update site with the hosts change, however.

4. I tried that earlier and they would not install.

5. Will do that next.

6. Did that. See #2.

 
LVL 15

Accepted Solution

by:
xmachine earned 2000 total points
ID: 23662775
1) Also, add these ones to the HOST:

88.221.217.9      download.windowsupdate.com
65.55.184.189      update.microsoft.com
87.248.210.235      download.microsoft.com
207.46.22.245      ntservicepack.microsoft.com
207.46.197.59      wustat.windows.com
207.46.244.190      v4.windowsupdate.microsoft.com
65.55.184.253      v5.windowsupdate.microsoft.com

I think this should fix the windows update

2) The current AV is old, I think if you upgrade to Symantec Endpoint Protection 11 will help, because the detection engine has been re-engineered to detect malwares better than SAV, get the trail ware from here:

http://www.symantec.com/offer?a_id=48182


- I'm still checking the DLL output
0
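The accepted answer pins Windows Update hostnames to fixed addresses in the hosts file. Before or after doing that, it helps to audit the file itself, since a vendor or update domain mapped to loopback or the null address, or two conflicting entries for the same name, is exactly what stops a box from reaching patches and definitions. The script below is an added example for this thread, not code from the answer or from Symantec or Microsoft: it parses the hosts file, and flags the domains listed in the answer, loopback/null mappings, and duplicates. It assumes Windows PowerShell 2.0 or later and the default hosts file path; the domain list is taken from the answer and can be extended.

```powershell
# Added example, not from the thread: audit the hosts file for entries that
# override update/vendor domains and for conflicting duplicates.
# Assumes Windows PowerShell 2.0 or later and the default hosts file location.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Domains from the accepted answer; extend the list for your own vendors (assumption).
$WatchedDomains = @(
    'download.windowsupdate.com', 'update.microsoft.com', 'download.microsoft.com',
    'ntservicepack.microsoft.com', 'wustat.windows.com',
    'v4.windowsupdate.microsoft.com', 'v5.windowsupdate.microsoft.com'
)

function Get-HostsEntries {
    param([string]$Path)
    $entries = @()
    $lineNo  = 0
    foreach ($line in (Get-Content -Path $Path)) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()      # strip trailing comments
        if ($text -eq '') { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }         # malformed line, no hostname
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $entries += New-Object PSObject -Property @{
                Line = $lineNo; IP = $parts[0]; HostName = $name.ToLower()
            }
        }
    }
    return $entries
}

$entries = Get-HostsEntries -Path $HostsPath

foreach ($entry in $entries) {
    $flags = @()
    # A vendor/update domain pointed at loopback or the null address is a classic
    # way to keep a machine from reaching patches and definitions.
    if ($entry.IP -match '^(127\.|0\.0\.0\.0$|::1$)') { $flags += 'loopback/null' }
    if ($WatchedDomains -contains $entry.HostName)    { $flags += 'update domain pinned' }
    $same = @($entries | Where-Object { $_.HostName -eq $entry.HostName })
    if ($same.Count -gt 1) {
        $ips = ($same | ForEach-Object { $_.IP } | Sort-Object -Unique) -join ','
        $flags += "duplicate -> $ips"
    }
    if ($flags.Count -gt 0) {
        '{0,4}  {1,-16} {2,-36} {3}' -f $entry.Line, $entry.IP, $entry.HostName, ($flags -join '; ')
    }
}
```

Run it elevated (the hosts file is readable by everyone, but you will want to edit it afterwards). Two caveats: the addresses in the answer are CDN addresses that change over time, so pinned entries are a temporary bridge to get updates flowing and should be removed once normal resolution works again; and a clean-looking hosts file does not prove name resolution is untampered, since the file is only one of several places resolution can be interfered with.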
 

Author Comment

by:smuth
ID: 23663082
I ran the scan in safe mode and it picked up the w32.downadup.b virus in one of the temp directories and cleaned it off, but I am still having all of the same problems

I tried to capture the Wireshark data to a text file and it is all garbled. Not sure what format I should be outputting the data to. I did a Save As and it saves it as a pcap file that is 7.5MB for about 20 seconds worth of capture data. Can you tell me what I should be posting exactly?

I also tried to add the extra IPs you sent to the hosts file and that is not working.

I appreciate all of your help. Don't give up on me yet!
0
 
LVL 15

Expert Comment

by:xmachine
ID: 23663178
Check the removal procedures here:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=3

Did you download & update your Norton AV?
0
 

Author Comment

by:smuth
ID: 23663391
I updated Norton and ran the scan in safe mode and it picked up the w32.downadup.b virus in one of the temp directories and cleaned it off, but I am still having all of the same problems.

I went through that document and I do not have any of the reg entries. It says to locate and stop "the service that was detected." How exactly am I supposed to do that considering it attaches itself to the service, system and svchost file? How do I know what service to end?

Also, regarding all of the reg keys with HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\ in them, how in the hell am I supposed to know which one that is? There are hundreds listed under this key, most of which I do not recognize.

Scott, whose patience is running out...
0
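The question above, how to pick one worm-generated service out of hundreds of keys under HKLM\SYSTEM\CurrentControlSet\Services, has a practical answer: most of those keys are drivers or standalone executables, and only the services hosted inside svchost.exe name a DLL under <service>\Parameters\ServiceDll. Listing just those, with the DLL each one loads, its creation time and its signature status, turns hundreds of keys into a short list that can be compared against a known-good domain controller. The script below is an added example for this thread, not code from the answers or from Symantec; it assumes Windows PowerShell 2.0 or later run elevated, and its flags (DLL outside system32, created long after the OS files, not validly signed, no description) are triage heuristics, not a detection rule for any particular malware.

```powershell
# Added example, not from the thread: narrow the keys under
# HKLM\SYSTEM\CurrentControlSet\Services to the services hosted inside
# svchost.exe, show the DLL each one loads, and flag the ones worth a look.
# Assumes Windows PowerShell 2.0 or later, run elevated.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$System32    = (Join-Path $env:SystemRoot 'system32').TrimEnd('\')

# Reference timestamp (heuristic): a DLL created long after the OS files is worth a look.
$OsBaseline = (Get-Item (Join-Path $System32 'kernel32.dll')).CreationTime

$report = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }   # only svchost-hosted services

    # svchost-hosted services name their DLL in <service>\Parameters\ServiceDll (REG_EXPAND_SZ)
    $params = Get-ItemProperty -Path "Registry::$($key.Name)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params -or -not $params.ServiceDll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    $flags = @()
    if (-not (Test-Path -LiteralPath $dll)) {
        $flags += 'dll missing'
        $created = $null; $sigStatus = 'n/a'
    } else {
        $file    = Get-Item -LiteralPath $dll
        $created = $file.CreationTime
        if ((Split-Path $dll -Parent).TrimEnd('\') -ine $System32) { $flags += 'outside system32' }
        if ($created -gt $OsBaseline.AddDays(30)) { $flags += 'created after OS baseline' }
        # Catalog-signed OS files can report NotSigned on older Windows, so treat the
        # signature status as a prioritisation hint rather than proof either way.
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
        if ($sigStatus -ne 'Valid') { $flags += "signature $sigStatus" }
    }
    if (-not $props.Description) { $flags += 'no description' }

    New-Object PSObject -Property @{
        Service   = $key.PSChildName
        Display   = $props.DisplayName
        Dll       = $dll
        Created   = $created
        Signature = $sigStatus
        Flags     = ($flags -join '; ')
    }
}

# Flagged entries first, newest DLL on top.
$report |
    Sort-Object @{Expression = { $_.Flags -eq '' }}, @{Expression = 'Created'; Descending = $true} |
    Format-Table Service, Created, Signature, Flags, Dll -AutoSize
```

Run the same script on a healthy domain controller built from the same media and diff the two Service/Dll lists; a service name that exists on only one box, or a system32 DLL whose creation time clusters around the date the outbreak started, is what to hand to the AV scan rather than something to delete by hand. Stopping a service is then `Stop-Service -Name <service>` or `sc stop <service>`, and disabling it so it does not return on reboot is `sc config <service> start= disabled`, both using the key name from the Service column.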
 

Author Comment

by:smuth
ID: 23663700
I downloaded the Norton Endpoint, removed the older version and installed this one. The install went well, but of course the live update button is not functioning. I click on it, but nothing.

Is it possible this virus left the door open for something else?
0
 

Author Closing Comment

by:smuth
ID: 31547848
I was able to manually update Norton Endpoint and it cleaned the virus. Thank you very much!
0
 
LVL 15

Expert Comment

by:xmachine
ID: 23666656
1) Download the definition manually from here:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=savce

or directly:

http://definitions.symantec.com/defs/20090217-002-v5i32.exe

2) Run a full scan in safe mode

Endpoint should clean it completely. I know the product and I'm managing a huge setup here (2500+). Downadup infected a couple of machines, but was contained very fast.
0
