Solved

Computers with virus spreading through network

Posted on 2009-05-12
36
3,378 Views
Last Modified: 2013-12-06
Hi Guys,

We believe there is a virus spreading through our network but we are not able to locate the exact location of the virus and where its coming from.

On all the servers affected, we can find the following files/services when running virus scans (Malwarebytes, Norton Antivirus, Trend Micro etc...):
 - 1sass.exe
 - sysdrv32.exe
 - x[1], x[2], x[3] etc...
 - 1.scr, 2.scr, 3.scr etc...

The symptoms are:
 - slow computer speed.
 - tends to crash
 - services are stopping or not running when system boots up.

Even after a full computer format, the files come back pretty much straight away.

We've tried doing a windows recovery setup which seems to make the computers/servers run fine but the files are still there.

So not 100% sure if these files are the actual cause of it.

These files are on computers that are running perfectly fine as well.

We had an attack last Tuesday on 3 of our servers and after the Recovery suggested by you guys, they seem to be stable now. But this Tuesday, another few servers were attacked with exactly the same symptoms.

I have run Hijackthis on one of the computers affected:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:29 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smapp01/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1232sass.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

--
End of file - 9013 bytes

Is there anything we can do to stop the virus from spreading?
Please give us some tips on how to diagnose and resolve the problem once and for all.

Thanks.
0
Comment
Question by:bluecirlce
  • 15
  • 9
  • 6
  • +3
36 Comments
 

Author Comment

by:bluecirlce
ID: 24365306
Hi,

The previous post I made about this problem is:

http://www.experts-exchange.com/Software/OS-2_Apps/Q_24387217.html

Hope that helps.
0
 

Author Comment

by:bluecirlce
ID: 24365336
Also in the Hijackthis log, i renamed the 1sass.exe to:

O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1232sass.exe
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24365434
xwntserv.exe seems to be non-native. I also see multiple antivirus programs. They tend to interfere with each other.

Use msconfig and use selective startup to remove all non-MS related items from startup. Reboot and run the scan again and post.
0
 

Author Comment

by:bluecirlce
ID: 24365899
Done what you said, this is what Hijackthis came back with this time:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:17 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe
C:\Program Files\UltraVNC\vncviewer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smapp01/intranet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

--
End of file - 6456 bytes
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24366247
Your HijackThis log file appears ok, although this is not proof of course that you have a clean system.

One option now is to try running Combofix which in this case should be more successful.

Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouseclick Combofix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 30 mins.  Just let it run.

Try initially to run Combofix in normal mode, although it works well in normal mode or safe mode.

0
 

Author Comment

by:bluecirlce
ID: 24366555
Hi,

thanks for the quick response.

here is the log for combofix on one of the infected computers:

ComboFix 09-05-11.08 - ndong 13/05/2009  2:20.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional  5.1.2600.2.1252.61.1033.18.503.280 [GMT 10:00]
Running from: c:\documents and settings\ndong.BLUECIRCLE\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\1sass.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\oledb32.dll
c:\windows\wiaserviv.log

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


(((((((((((((((((((((((((   Files Created from 2009-04-12 to 2009-05-12  )))))))))))))))))))))))))))))))
.

2009-05-12 16:13 . 2009-05-12 16:13      76930      ----a-w      c:\windows\system32\81.scr
2009-05-12 15:55 . 2009-05-12 15:55      76930      ----a-w      c:\windows\system32\38.scr
2009-05-12 00:16 . 2009-05-12 00:16      76930      ----a-w      c:\windows\system32\88.scr
2009-05-12 00:11 . 2009-05-12 00:11      76930      ----a-w      c:\windows\system32\66.scr
2009-05-11 21:02 . 2009-05-11 21:02      --------      d-----w      c:\temp\WPDNSE
2009-04-17 04:42 . 2009-04-17 04:42      --------      d-----w      c:\documents and settings\vprincipato\Local Settings\Application Data\Microsoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 03:21 . 2008-05-20 21:46      552      ----a-w      c:\windows\system32\d3d8caps.dat
2009-03-25 01:47 . 2009-03-25 01:47      --------      d-----w      c:\program files\Malwarebytes' Anti-Malware
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 98304]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-27 69632]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-09-20 114688]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-01-19 458752]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2005-08-06 974848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-21 144784]
"GhostStartTrayApp"="c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 94208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-5-8 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\66.scr"=
"c:\\WINDOWS\\System32\\88.scr"=
"c:\\WINDOWS\\System32\\81.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"9010:TCP"= 9010:TCP:FIPM
"8990:TCP"= 8990:TCP:FMSP

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [17/12/2003 3:41 PM 5632]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/12/2002 12:17 AM 202768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/12/2002 12:17 AM 35856]
R2 XWNTSERV;XWP_Services;c:\windows\system32\XWNTSERV.EXE [8/05/2007 9:59 AM 185184]
R2 XwpNTrdr;XwpNTrdr;c:\windows\system32\drivers\XWPFSW2K.SYS [8/05/2007 9:59 AM 166445]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-lsass


.
------- Supplementary Scan -------
.
uStart Page = hxxp://smapp01/intranet
uInternet Settings,ProxyServer = 203.110.136.172:8080
uInternet Settings,ProxyOverride = 192*;<local>
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 02:24
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2488)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\NTRTSCAN.EXE
c:\program files\ANALOG DEVICES\SOUNDMAX\SMAGENT.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\TMLISTEN.EXE
c:\program files\TREND MICRO\OFFICESCAN CLIENT\OFCDOG.EXE
.
**************************************************************************
.
Completion time: 2009-05-12  2:26 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-12 16:26

Pre-Run: 14,004,043,776 bytes free
Post-Run: 17,563,500,544 bytes free

125


Here is the hijackthis log for the same computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:35 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ndong.BLUECIRCLE\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\system\1sass.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206012376671
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

--
End of file - 6488 bytes


I will post a few more logs once its complete on other computers.
0
 

Author Comment

by:bluecirlce
ID: 24366586
Here are the logs for the PC with the Selective Startup.

COMBO FIX LOG:

ComboFix 09-05-11.08 - ndong 13/05/2009  2:42.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional  5.1.2600.2.1252.61.1033.18.1015.602 [GMT 10:00]
Running from: c:\documents and settings\ndong\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\config.txt
c:\windows\system32\oledb32.dll
c:\windows\Tasks\SysFile.brk

.
(((((((((((((((((((((((((   Files Created from 2009-04-12 to 2009-05-12  )))))))))))))))))))))))))))))))
.

2009-05-12 13:55 . 2009-05-12 13:55      --------      d-----w      c:\documents and settings\ndong\Application Data\AdobeUM
2009-05-12 12:48 . 2009-05-12 12:48      --------      d-----w      c:\documents and settings\ndong\Local Settings\Application Data\Symantec
2009-05-12 12:47 . 2009-05-12 12:47      48768      ----a-w      c:\windows\system32\S32EVNT1.DLL
2009-05-12 12:47 . 2009-05-12 12:47      110952      ----a-w      c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-12 12:46 . 2009-05-12 12:47      --------      d-----w      c:\program files\Symantec AntiVirus
2009-05-12 11:38 . 2009-05-12 11:38      --------      d-----w      c:\documents and settings\ndong\Local Settings\Application Data\Adobe
2009-05-12 11:14 . 2009-05-12 11:14      --------      d-----w      c:\program files\Spybot - Search & Destroy
2009-05-12 11:14 . 2009-05-12 11:14      --------      d-----w      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 09:47 . 2009-05-12 09:47      --------      d-----w      c:\documents and settings\kchen\Application Data\ATI
2009-05-12 09:47 . 2009-05-12 09:47      --------      d-----w      c:\documents and settings\kchen\Local Settings\Application Data\ATI
2009-05-12 09:47 . 2009-05-12 09:47      128      ----a-w      c:\documents and settings\kchen\Local Settings\Application Data\fusioncache.dat
2009-05-12 09:47 . 2009-05-12 09:47      --------      d-----w      c:\documents and settings\kchen\Local Settings\Application Data\ApplicationHistory
2009-05-12 09:45 . 2009-05-12 09:45      --------      d-----w      c:\documents and settings\kchen
2009-05-12 08:31 . 2009-05-12 08:31      1615732      ----a-w      C:\ProcessExplorer.zip
2009-05-12 08:02 . 2009-05-12 08:02      --------      d-s---w      c:\documents and settings\ndong\UserData
2009-05-11 21:49 . 2009-05-11 21:49      --------      d-----w      c:\temp\WPDNSE
2009-04-22 00:46 . 2009-04-22 00:46      --------      d-----w      c:\temp\~nsu.tmp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 12:47 . 2009-05-12 12:47      805      ----a-w      c:\windows\system32\drivers\SYMEVENT.INF
2009-05-12 12:47 . 2009-05-12 12:47      8014      ----a-w      c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-26 04:54 . 2009-02-26 04:54      64368      ----a-w      c:\documents and settings\dkirkwood\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 04:53 . 2009-02-26 04:53      132      ----a-w      c:\documents and settings\dkirkwood\Local Settings\Application Data\fusioncache.dat
2009-02-25 06:43 . 2009-02-25 06:43      64368      ----a-w      c:\documents and settings\ndong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 06:43 . 2009-02-25 06:43      128      ----a-w      c:\documents and settings\ndong\Local Settings\Application Data\fusioncache.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-01-19 458752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-03 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [17/12/2003 3:41 PM 5632]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [3/12/2002 12:17 AM 202768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [3/12/2002 12:17 AM 35856]
R2 XWNTSERV;XWP_Services;c:\windows\system32\XWNTSERV.EXE [8/05/2007 9:59 AM 185184]
R2 XwpNTrdr;XwpNTrdr;c:\windows\system32\drivers\XWPFSW2K.SYS [8/05/2007 9:59 AM 166445]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [13/05/2009 1:37 AM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [7/10/2007 8:48 PM 116664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILREBOOTDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-lsass


.
------- Supplementary Scan -------
.
uStart Page = hxxp://smapp01/intranet
uInternet Settings,ProxyServer = 203.110.136.172:8080
uInternet Settings,ProxyOverride = 192*;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 02:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-12  2:47
ComboFix-quarantined-files.txt  2009-05-12 16:47

Pre-Run: 13,398,638,592 bytes free
Post-Run: 17,890,459,648 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

124


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:15 AM, on 13/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\xwntserv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\ndong\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smapp01/intranet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.110.136.172:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://smapp01/intranet
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178512284989
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O17 - HKLM\Software\..\Telephony: DomainName = bluecircle.com.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluecircle.com.au
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: XWP_Services (XWNTSERV) - Unknown owner - C:\WINDOWS\System32\xwntserv.exe

--
End of file - 6426 bytes


Thanks.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24366769
Thanks .. it's going to take a while to scrutinise your Combo log .. studying it now ...
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24366807
I see a SYSDRV32 which doesn't seem normal. This is on the non-selective startup machine but not the selective one.  Is the machine with selective startup exhibiting the same problems as the one without?
0
 

Author Comment

by:bluecirlce
ID: 24367511
No, once I changed to Selective Startup, it seems a lot more stable and fast.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24367527
From the Combofix log on one of the infected computers >>

Under "Other Deletions" ...
> C:\Windows\System32\drivers\sysdrv32.sys <
Apparantly added by the W32/Rbot-GXK worm and IRC backdoor.
Details >
http://www.bleepingcomputer.com/startups/sysdrv32.sys-24585.html


Still investigating ...
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24367588
Ok so the issue is with something loading in your startup.
Frist off, the following are unnecessary (not harmful):
WinZip Quick Pick, Adobe Speed Launcher, Jussched, igfxtray, hkcmd, igfxpers

The culpret is a remaining item. Download and install spybot s&d (http://www.safer-networking.org/en/download/index.html). It not only has a malware scanner but the advanced options have tools which allow you to independently disable startup processes.
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24367599
Jonvee, that's a startup item that keeps re-infecting clean machines. On the one he did a selective startup, this was no longer an issue.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24367654
@ sfarazmand,
Yes, it's ok, i realise that  : )
Been concentrating on the ComboFix log for the PC with the Selective Startup.

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24368240
Cannot see anything nasty in the Combo log.

Hopefully Spybot, suggested by sfarazmand, will do the trick.  
If not, try Superantispyware which tends to compliment Malwarebytes:                        
http://www.superantispyware.com/

There's also the Kaspersky online virus scanner>
http://www.kaspersky.co.uk/virusscanner
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24368279
I also ran into a situation where nothing would work to remove or clean it other than http://www.pctools.com/spyware-doctor/
0
 

Author Comment

by:bluecirlce
ID: 24369821
Thanks for the help guys, i will try all the suggestions and get back to you.

I did notice that the service 1sass.exe made its way back into the startup list after the the Selective Startup.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:bluecirlce
ID: 24370882
hi guys,
the virus we have got is called W32/IRCbot.gen (Macfee) the following link has the information relating to the this virus that I am having
http://www.avertlabs.com/research/blog/?s=conficker

I am now trying to remove the virus with no success. right now i am tryin to use Norton and AVG to scan the infected computers, but could not clean it up.

thanks in advance.
0
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24370967
Those won't work. I've had that one and like I said the only thing that cleaned it was spyware doctor.
you can use this link to download my backup of it. http://www.megaupload.com/?d=BPD2O72G
0
 

Author Comment

by:bluecirlce
ID: 24371029
will definitelly give it a go. thanks for your quick response.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24371870
  >Conficker<
More information and a Solution!
Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.

BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.

Here's a link that's been used to remove Downadup from infected computers!
http://www.bdtools.net/
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24378203
Took another look at your problem and located this url>
http://www.scanspyware.net/info/IRCBot.gen.htm

If you still haven't resolved the issue using the earlier suggestions, these comments may be helpful.
I have no experience in using information from this particular site, so if you do attempt a manual removal it will certainly be prudent to make a backup of the Registry before following the instructions.
0
 

Author Comment

by:bluecirlce
ID: 24381552
It doesn't seem to be the IRCBot.gen virus as none of the files are the same.

I have tried running Spyware Doctor on a lot of computers, it seems to pick up the 1sass.exe and 00.scr files, but doesn't stop the virus from coming back.

sysdrv32.sys is still there, i have to manually remove this.

even then, it still comes back after awhile.

are there any useful tools i can use to check incoming connections to computers and what files they're trying to send.
0
 

Author Comment

by:bluecirlce
ID: 24381633
Some of the computers are displaying svhost.exe - application error.

the instruction at "0x001f1cb0" referenced memory at "0x48544950". The memory could not be read.

After running Spyware Doctor, this still appears.

I did a rescan but didn't pick up the same virus results as before.

i'm not sure what else it could be.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24383012
Thanks for the feedback.  It's quite conceivable that i missed something in the ComboFix log that could help us clear up this remaining infection.

bluecirlce, unless you get further suggestions from experts in this thread, i truly believe your best move would be to create a new thread in the HijackThis topic area where there are some brilliant people dealing with the removal of stubborn infections. In any case most questions can be posted in three TAs, giving you an input from experts active in these other zones >>
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/

Or, an alternative would be to create a new (20 point) question in this same HijackThis TA, which is linked to this question >> http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24401465.html?cid=1066#a24381633  
Be sure to quote the address of this question in your new one, and advise everyone to only reply in this original question.  Naturally i'll continue to monitor and periodically investigate.

Incidently a google search found three urls referring to this exact error>
>>the instruction at "0x001f1cb0" referenced memory at "0x48544950". The memory could not be read<<

Unfortunately they were from France and Thailand, both were poorly translated, none helped me to establish anything, but the Countries may possibly give you a clue?

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 24383034
If between us we can spot something i missed in the Combo log it wouldn't be a problem.  A small script could be written, Combo re-run, and the infection removed as described in this Tutorial>
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 

Author Comment

by:bluecirlce
ID: 24384752
Thanks for all your help guys,

i will raise a new thread in the hijackthis topic area as any input is much appreciated at this time.

i will put the link of the new thread once its been raised.
0
 

Author Comment

by:bluecirlce
ID: 24384834
Hi Guys,

i have posted another thread under the Hijackthis zone.

link: http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_24408424.html
0
 
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24385309
Hello,

I have the read the thread and will suggest that first of all you scan all shared network drives for viruses. Normally when you log into a corporate network, your startup profile contains links to the different mapped network drives and they might have the viruses in them.

Second suggestion is to create another new domain administrator username and then disable the existing one to not allow the virus to use it for any more propogation.

Third suggestion is to install Wireshark (http://www.wireshark.org) on your server/another machine and then let it scan the network for packets. Look for IP address(es) which you know are infected and see what protocols are they using apart from the very standard ones. A quick guide to using Wireshark is here: http://www.wireshark.org/docs/wsug_html/ . That will give you an idea if the infected computers are trying to communicate with an external IP. If its the same IP, you can block that external IP from your firewall to cut off the worm connection. Then you can attempt cleaning.

As long as you have the BackDoor open, viruses will keep on coming back.

Hope it helps.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24385356
Another idea that I just had is that you can use NMap(http://nmap.org/) to investigate the open ports on an infected machine and then use ngrep (http://ngrep.sourceforge.net/) to see what is being sent outside of your network by ngrepping on that port number.

0
 
LVL 15

Expert Comment

by:greyknight17
ID: 24386685
I requested this thread to be moved to the HijackThis section. Also asked to close the other one you opened as it will be a duplicate.

We had a similar problem last week and it was the IRCbot trojan wreaking havoc on our servers. In your case, it doesn't seem to be related. What I do recommend is that you have all the latest Windows and security/antivirus updates. We excluded SP3 for XP since we need to test it first, but if it doesn't conflict with any of your work programs, you may proceed. For Server 2003, upgrade to SP2 and get all the critical updates. We were able to patch everything up once that was done.

For Symantec, you might want to get the rapid release updates here. If you are using an antivirus server (Symantec Antivirus Corporate Edition ), upload the xdb to the symantec install folder (C:\Program Files\Symantec AntiVirus\) and restart the Symantec Antivirus service. That should update it to the latest definitions. Any computers that are pointed to this server should be updated as well once this is done. I recommend getting the servers fixed first especially if other clients connect to it.

Download the Malicious Removal Tool from Microsoft and run it to see if anything is found.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
0
 
LVL 3

Expert Comment

by:bleech677
ID: 24396091
0
 

Author Comment

by:bluecirlce
ID: 24411509
Hi All,

Thanks for all your input.

I am currently removing the virus using the following steps:

1. apply the windows conficker pactch to pc/server
2. disable system restore.
3. use antivirus to scan for virus.
4. clean everything out (files, registry).
5. enable windows firewall (xp only).

after performing these steps the pcs/servers are alot more stable and hoping it stays this way.

the antivirus software is not coming up with infections like before (which used to pop up repeatedly due to the virus trying to replicate itself.)

i will keep you posted in few days to confirm if it is still contained.

in the mean time, can you please recommend some good resources for network security so we can prevent this from happening moving forward.

thanks.
0
 

Author Comment

by:bluecirlce
ID: 24481144
Hi Guys,

Its been awhile since we used the above steps to deal with the virus, so i'm posting to update you guys on our current status.

Our PC's and servers are looking a lot better now, the virus seems to have been contained.

Thank you for all your help.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24481461
Good to see that the problem has been resolved and thanks for the feedback.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now