BleepingComputer.com Computer Help Forums
W32/Virut.gen.n, Removing W32/Virut + Malware from Win Server + Clients

innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 6 2009, 10:11 PM
Post #1

Hello all,

We have removed a W32/Virut infection from our server, and a number of computers, but malware remains, the browsers are hijacked (redirections happening), and a reinfection has occurred. We appreciate your guidance and help to clean up our server.

Please note the following details:

Application Server:
> MS Windows 2000 Server Adv. Edition SP4 (running Terminal Services & some Client/Server applications, file sharing)
> McAfee VSE + AntiSpyware 8.7i
> MS Internet Explorer V6 SP1


We isolated this server from our network, and ran McAfee scans that detected and cleaned numerous file infections with W32/Virut.gen.n. McAfee almost gives us the all-clear, along with MalwareBytes and Housecall. But they still detect one file as infected:

C:\WINDOWS\System32\kbdnet.dll


We believe there is still a problem because when we try to access security sites (including bleepingcomputer.com), we are being redirected (by the browser) to other places. The browser also tried to prevent us accessing Housecall.

We have also been testing with an infected laptop, and when we reconnected it to the network, we found that it immediately attempted to connect with two mail servers (google.com & mail.ru), and when that failed, it uploaded twice to a German webhost & internet provider (Netdirekt.de). I uninstalled McAfee from the laptop last night to run an independent pre-boot scan with Avast!. The scan detected two W64/CutWail infections (it's a 32-bit OS), and one W32/Virut infection. I uninstalled Avast!, and installed the Microsoft Security Essentials tool, which also found these three infections and cleaned them. We are concerned that a similar reinfection will happen on the server, so we cannot reconnect it to the network yet.

Because the MSE is only for Windows clients, we ran the latest Microsoft Malicious Software Removal Tool on the server this morning, and the MSRT detected no infections. A quick search reveals that the kbdnet.dll file is still on the system though, with Housecall detecting an infection called TSPY_ONLINEG.TOS.

We have also executed HijackThis, so that we may fix the browser hijacking problem, which we think may be related to the kbdnet.dll file. Please review the HijackThis log below and let us know what to try next. If you need more information, please let me know.

Our goal is to have this server malware-free, with a clean kbdnet.dll (if it is needed), and connected to the network with no sneaky transmissions or reinfection.

Thanks in advance for your help!

Marty

(please note: RootRepeal failed to run on our server, so I am attaching the Error report for your review)

*******************************


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 14:01:44.17 on Sat 07/11/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.61.1033.18.3327.2574 [GMT 11:00]


============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\Program Files\Hewlett-Packard\CM\AUM Agent\bin\AUMService.exe
C:\Program Files\HP\Cissesrv\Cissesrv.exe
C:\WINNT\System32\CpqRcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Program Files\EMC\PowerPath\PowMigSrvc.exe
C:\Program Files\EMC\PowerCommon\EmcPowSrv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINNT\system32\iscsiexe.exe
C:\Program Files\EMC\Navisphere Agent\NaviAgent.Exe
C:\Program Files\Hewlett-Packard\CM\Agent\radexecd.exe
C:\Program Files\Hewlett-Packard\CM\Agent\radsched.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Hewlett-Packard\CM\ManagementAgent\nvdkit.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EMC\PowerCommon\EmcPowMon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINNT\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\powerp~1.lnk - c:\program files\emc\powercommon\EmcPowMon.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Trusted Zone: siteadvisor.com\www
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - c:\program files\compaq\hpadu\bin\hpapp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\winnt\system32\kbdnet.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

============= SERVICES / DRIVERS ===============

R0 b06bdrv;HP Virtual Bus Device;c:\winnt\system32\drivers\bxvbdx.sys [2007-2-27 246272]
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2006-11-11 74448]
R0 emcmpio;EMC PowerPath Generic DSM;c:\winnt\system32\drivers\emcmpio.sys [2007-3-16 219264]
R0 EmcpBase;EMC PowerPath Base Driver;c:\winnt\system32\drivers\EmcpBase.sys [2007-3-16 313856]
R0 EmcpCG;EMC PowerPath Consistency Group Extension for Symmetrix;c:\winnt\system32\drivers\EmcpCg.sys [2007-3-16 27264]
R0 EmcpClass;EMC PowerPath Class Driver;c:\winnt\system32\drivers\EmcpClass.sys [2007-3-16 3712]
R0 EmcpDm;EMC PowerPath Data Migration Manager;c:\winnt\system32\drivers\EmcpDm.sys [2007-3-16 25344]
R0 EmcpGpx;EMC PowerPath Generic Purpose Extension;c:\winnt\system32\drivers\EmcpGpx.sys [2007-3-16 9984]
R0 EmcpSAPI;EMC PowerPath SymmApi Extension for Symmetrix;c:\winnt\system32\drivers\EmcpSapi.sys [2007-3-16 101376]
R0 HpCISSm2;HpCISSm2;c:\winnt\system32\drivers\HpCISSm2.sys [2007-2-27 23040]
R0 mpdev;Multi-Path Device Driver;c:\winnt\system32\drivers\mpdev.sys [2005-6-12 14904]
R0 mpspfltr;Multi-Path Adapter Filter Driver;c:\winnt\system32\drivers\mpspfltr.sys [2005-6-12 21048]
R0 msiscdsm;iSCSI Multi-Path DSM;c:\winnt\system32\drivers\msiscdsm.sys [2005-6-12 34168]
R2 Array Configuration Utility;Array Configuration Utility;c:\program files\compaq\cpqacuxe\bin\hpacubin.exe [2007-2-27 2498560]
R2 AUMService;HP OpenView CM Application Usage Manager Agent Service;c:\program files\hewlett-packard\cm\aum agent\bin\AUMService.exe [2008-5-5 229376]
R2 Cissesrv;HP Smart Array SAS/SATA Event Notification Service;c:\program files\hp\cissesrv\cissesrv.exe [2007-2-27 55808]
R2 EmcPowMig;EMC PowerPath Migration Service 5.0.0;c:\program files\emc\powerpath\PowMigSrvc.exe [2007-4-25 638976]
R2 EmcPowSrv;EMC PowerPath Service 5.0.0;c:\program files\emc\powercommon\EmcPowSrv.exe [2007-4-25 397312]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-8-6 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-10-22 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\winnt\system32\mfevtps.exe [2009-11-7 70728]
R2 Navisphere_Agent;Navisphere Agent;c:\program files\emc\navisphere agent\NaviAgent.exe [2007-10-10 13373625]
R2 radexecd;HP Client Automation Notify Daemon;c:\program files\hewlett-packard\cm\agent\radexecd.exe [2008-7-7 258222]
R2 radsched;HP Client Automation Scheduler Daemon;c:\program files\hewlett-packard\cm\agent\radsched.exe [2008-5-29 172206]
R2 rma;HPCA Management Agent;c:\program files\hewlett-packard\cm\managementagent\nvdkit.exe [2009-3-17 2443554]
R3 CpqCiDrv;HP iLO Management Channel Interface Driver;c:\winnt\system32\drivers\cpqcidrv.sys [2007-2-27 26880]
R3 HPAUMDriver;HPAUMDriver;c:\winnt\system32\drivers\HPAUMDriver.sys [2008-1-7 6784]
R3 hpqilo2;hpqilo2;c:\winnt\system32\drivers\hpqilo2.sys [2007-2-27 112128]
R3 l2nd;HP NC370 Multifunction Gigabit Server Adapter;c:\winnt\system32\drivers\bxnd50x.sys [2007-2-27 24576]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2007-2-27 49776]
S2 FTRnetd;FTRnetd;c:\program files\frontier\services\FTRnetd.exe [2008-8-7 176128]
S2 FTRsched;FTRsched;c:\program files\frontier\services\FTRsched.exe [2008-4-30 94208]
S2 ouinetd2;ouinetd2;c:\program files\frontier\services\ouinetd2.exe [2008-4-30 33792]
S3 CNMPROT;Network Management Protocol Driver;c:\winnt\system32\drivers\cnmprot.sys [2007-2-27 14976]
S3 CPQTeam;HP Network Configuration Utility;c:\winnt\system32\drivers\cpqteam.sys [2006-7-19 185856]
S3 DTCserver;IP4700 Trap Catcher;c:\program files\emc\navisphere agent\dtcsrv.exe [2007-10-10 235224]
S3 EntDrv50;EntDrv50;\??\c:\winnt\system32\drivers\entdrv50.sys --> c:\winnt\system32\drivers\EntDrv50.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\winnt\system32\drivers\mferkdet.sys [2009-11-7 65448]
S3 NtFrs;File Replication;c:\winnt\system32\ntfrs.exe [2007-2-27 764928]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2007-2-27 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2007-2-27 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2007-2-27 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2007-2-27 18264]
S3 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [2006-11-11 92944]
S4 EmcpHR;EMC High Road Extension for PowerPath;c:\winnt\system32\drivers\EmcpHR.sys [2005-10-2 9344]
S4 EmcpMP;EMC PowerPath MultiPath Extension for Symmetrix;c:\winnt\system32\drivers\EmcpMP.sys [2005-10-2 42624]
S4 EmcpMPAA;EMC PowerPath Multipath Extension for Active-Active arrays;c:\winnt\system32\drivers\EmcpMPAA.sys [2006-2-2 53760]
S4 EmcpMPAP;EMC PowerPath Multipath Extension for Active-Passive arrays;c:\winnt\system32\drivers\EmcpMPAP.sys [2005-10-2 75264]
S4 EmcpMPC;EMC PowerPath MultiPath Extension for CLARiiON;c:\winnt\system32\drivers\EmcpMPC.sys [2006-2-2 70016]
S4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2007-2-27 45568]
S4 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [2006-11-11 33552]

=============== Created Last 30 ================

2009-11-07 01:59:21 91672 ----a-w- c:\winnt\system32\drivers\mfeavfk.sys
2009-11-07 01:59:21 75704 ----a-w- c:\winnt\system32\drivers\mfeapfk.sys
2009-11-07 01:59:21 70728 ----a-w- c:\winnt\system32\mfevtps.exe
2009-11-07 01:59:21 65448 ----a-w- c:\winnt\system32\drivers\mferkdet.sys
2009-11-07 01:59:21 63728 ----a-w- c:\winnt\system32\drivers\mfetdik.sys
2009-11-07 01:59:21 43288 ----a-w- c:\winnt\system32\drivers\mfebopk.sys
2009-11-07 01:59:21 343664 ----a-w- c:\winnt\system32\drivers\mfehidk.sys
2009-11-07 01:59:10 0 d-----w- c:\program files\common files\McAfee
2009-11-07 00:32:39 0 d-----w- c:\program files\Trend Micro
2009-11-06 22:38:14 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6a8.dat
2009-11-06 22:38:09 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_51c.dat
2009-11-06 10:16:06 0 ----a-w- c:\winnt\kbdnet.dll
2009-11-06 10:16:02 42504 ----a-w- c:\winnt\system32\uses32.dat
2009-11-06 10:16:02 100 ----a-w- c:\winnt\system32\flags.ini
2009-11-06 10:12:24 0 d-----w- c:\documents and settings\administrator\.housecall6.6
2009-11-06 09:38:44 0 d-s---w- c:\documents and settings\administrator\UserData
2009-11-06 07:09:38 0 d-----w- c:\docume~1\admini~1\applic~1\Sierra Wireless
2009-11-06 05:13:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f0.dat
2009-11-06 02:42:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_524.dat
2009-11-06 00:46:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f8.dat
2009-11-06 00:42:21 555560 ---h--w- c:\winnt\ShellIconCache
2009-11-06 00:39:30 30768 ----a-w- c:\winnt\system32\drivers\disk.sys
2009-11-06 00:36:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4a8.dat
2009-11-06 00:09:06 0 d-----w- C:\vsclean
2009-11-04 19:51:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e8.dat
2009-11-04 19:11:50 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-04 16:19:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e0.dat
2009-11-04 14:40:15 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-11-04 11:17:15 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-11-04 11:07:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4b8.dat
2009-11-04 10:28:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f4.dat
2009-11-04 05:57:21 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d0.dat
2009-11-04 00:55:26 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-11-04 00:50:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e4.dat
2009-11-04 00:45:41 0 ----a-w- c:\winnt\system32\33.tmp
2009-11-04 00:45:40 696 ----a-w- c:\winnt\system32\32.tmp
2009-11-04 00:45:39 696 ----a-w- c:\winnt\system32\30.tmp
2009-11-04 00:45:37 53248 ----a-w- c:\winnt\system32\4703593.exe
2009-11-04 00:45:35 117248 ----a-w- c:\winnt\system32\2F.tmp
2009-11-04 00:45:34 1 ----a-w- c:\winnt\system32\2E.tmp
2009-11-04 00:45:33 288 ----a-w- c:\winnt\system32\2D.tmp
2009-11-04 00:45:29 868 ----a-w- c:\winnt\system32\5388758.exe
2009-11-03 22:37:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a70.dat
2009-11-03 22:32:16 0 ----a-w- c:\winnt\system32\23.tmp
2009-11-03 22:32:15 696 ----a-w- c:\winnt\system32\22.tmp
2009-11-03 22:32:10 696 ----a-w- c:\winnt\system32\20.tmp
2009-11-03 22:32:09 196 ----a-w- c:\winnt\system32\1F.tmp
2009-11-03 22:13:36 0 d-----w- C:\Quarantine
2009-11-03 20:05:10 0 ----a-w- c:\winnt\system32\1E.tmp
2009-11-03 20:05:09 696 ----a-w- c:\winnt\system32\1D.tmp
2009-11-03 20:05:08 696 ----a-w- c:\winnt\system32\1B.tmp
2009-11-03 20:05:07 196 ----a-w- c:\winnt\system32\1A.tmp
2009-11-03 19:59:39 0 ----a-w- c:\winnt\system32\19.tmp
2009-11-03 16:59:46 696 ----a-w- c:\winnt\system32\17.tmp
2009-11-03 16:59:46 0 ----a-w- c:\winnt\system32\18.tmp
2009-11-03 16:59:43 696 ----a-w- c:\winnt\system32\15.tmp
2009-11-03 16:59:43 31744 ----a-w- c:\winnt\system32\16.tmp
2009-11-03 16:59:42 196 ----a-w- c:\winnt\system32\14.tmp
2009-11-03 14:07:13 696 ----a-w- c:\winnt\system32\12.tmp
2009-11-03 14:07:13 0 ----a-w- c:\winnt\system32\13.tmp
2009-11-03 07:45:04 0 ----a-w- c:\winnt\system32\RGB75D84
2009-11-03 07:10:24 0 ----a-w- c:\winnt\system32\D6.tmp
2009-11-03 07:10:18 31744 ----a-w- c:\winnt\system32\D4.tmp
2009-11-03 07:10:14 696 ----a-w- c:\winnt\system32\D3.tmp
2009-11-03 07:10:09 236 ----a-w- c:\winnt\system32\D1.tmp
2009-11-02 07:47:47 34652160 ----a-w- c:\winnt\system32\RGB1E82A
2009-11-01 00:43:20 0 ----a-w- c:\winnt\system32\RGBFACCC
2009-10-30 08:52:20 0 ----a-w- c:\winnt\system32\RGBAEE6A
2009-10-29 07:46:46 0 ----a-w- c:\winnt\system32\RGB38388
2009-10-28 07:50:25 0 ----a-w- c:\winnt\system32\RGBB38EA
2009-10-27 07:37:48 0 ----a-w- c:\winnt\system32\RGBF9C8C
2009-10-26 07:45:39 34574336 ----a-w- c:\winnt\system32\RGBB2634
2009-10-23 10:00:07 34553856 ----a-w- c:\winnt\system32\RGB8A898
2009-10-22 09:07:00 20768 ----a-w- c:\winnt\system32\MFEOtlk.dll
2009-10-22 07:39:28 34553856 ----a-w- c:\winnt\system32\RGB02440
2009-10-20 07:39:09 0 ----a-w- c:\winnt\system32\RGB24ECE
2009-10-19 07:46:40 34562048 ----a-w- c:\winnt\system32\RGBCF630
2009-10-15 07:55:09 34570240 ----a-w- c:\winnt\system32\RGBC8088
2009-10-12 05:11:34 0 d-----w- c:\docume~1\alluse~1.win\applic~1\RICOH

==================== Find3M ====================

2009-11-06 10:12:30 102664 ----a-w- c:\winnt\system32\drivers\tmcomm.sys
2009-11-03 23:21:04 184320 ----a-w- c:\winnt\system32\wbem\wbemtest.exe
2009-11-03 23:21:01 180224 ----a-w- c:\winnt\system32\wbem\ScrCons.exe
2009-11-03 23:21:00 49152 ----a-w- c:\winnt\system32\wbem\mofcomp.exe
2009-11-03 23:16:59 29696 ----a-w- c:\winnt\system32\print.exe
2009-11-03 23:15:59 97280 ----a-w- c:\winnt\system32\gpresult.exe
2009-11-03 23:06:01 290304 ----a-w- c:\winnt\winhlp32.exe
2009-11-03 23:06:01 212992 ----a-w- c:\winnt\winrep.exe
2009-11-03 23:06:00 34816 ----a-w- c:\winnt\upwizun.exe
2009-11-03 23:05:59 46080 ----a-w- c:\winnt\twunk_32.exe
2009-11-03 23:05:58 55296 ----a-w- c:\winnt\TASKMAN.EXE
2009-11-03 23:05:56 93184 ----a-w- c:\winnt\regedit.exe
2009-11-03 23:05:56 46080 ----a-w- c:\winnt\setdebug.exe
2009-11-03 23:05:55 136704 ----a-w- c:\winnt\poledit.exe
2009-11-03 23:05:54 70656 ----a-w- c:\winnt\NOTEPAD.EXE
2009-11-03 23:05:45 1122304 ----a-w- c:\winnt\hpzshl01.exe
2009-11-03 23:05:44 30720 ----a-w- c:\winnt\hh.exe
2009-11-03 23:05:44 1122304 ----a-w- c:\winnt\hpzmsi01.exe
2009-11-03 23:05:43 25088 ----a-w- c:\winnt\delttsul.exe
2009-11-03 23:05:43 243200 ----a-w- c:\winnt\explorer.exe
2009-11-03 22:48:18 53248 ----a-w- c:\winnt\system32\wbem\unsecapp.exe
2009-11-03 22:48:15 110592 ----a-w- c:\winnt\system32\dfssvc.exe
2009-11-03 22:48:14 26624 ----a-w- c:\winnt\system32\msdtc.exe
2009-11-03 22:48:07 217088 ----a-w- c:\winnt\system32\wbem\WinMgmt.exe
2009-11-03 22:48:06 28672 ----a-w- c:\winnt\system32\sysdown.exe
2009-11-03 22:48:05 50176 ----a-w- c:\winnt\system32\SNMP.EXE
2009-11-03 22:48:05 141824 ----a-w- c:\winnt\system32\mstask.exe
2009-11-03 22:17:33 471040 ----a-w- C:\pathscan.exe
2009-11-03 22:13:37 29696 ------w- c:\winnt\system32\rundll32.exe
2009-08-18 12:01:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_62c.dat
2009-08-18 12:01:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5d8.dat
2007-02-27 09:01:40 271 ---h--w- c:\program files\desktop.ini
2007-02-27 09:01:40 21952 ---h--w- c:\program files\folder.htt
2002-07-24 12:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 14:01:59.18 ===============

Attached File(s)
Attached File  RootRepeal_crash_110709.140411.txt ( 146bytes ) Number of downloads: 2
Attached File  Attach.txt ( 7.57k ) Number of downloads: 2
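The "Pseudo HJT Report" section of the DDS log above contains the two entries the rest of the thread keeps coming back to: an AppInit_DLLs value pointing at kbdnet.dll, and Image File Execution Options (IFEO) entries that redirect several executables to ahui.exe. The following Python script is an added example, not part of the original post and not code from DDS, HijackThis or the forum's tools: it parses that section of a DDS-style log and flags entry types that load or redirect code at startup. The sample text is constructed from lines copied out of the log above; the inference of the system root from the Running Processes list, the severity labels and the "outside inferred system root" check are this example's own heuristics, not something DDS reports.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for persistence entries."""
import re
from typing import Dict, List

# Constructed sample: lines in the shape of the DDS log posted above; the paths,
# CLSIDs and entry names are copied from that log rather than invented.
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [<NO NAME>]
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\winnt\system32\kbdnet.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe

============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
ENTRY_RE = re.compile(r"^([A-Za-z][A-Za-z_ -]*?):\s+(.*)$")
IFEO_RE = re.compile(r"^(\S+)\s+-\s+(.*)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '=== NAME ===' banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def system_root(sections: Dict[str, List[str]]) -> str:
    """Infer the Windows directory from the Explorer.EXE entry in Running Processes.

    Heuristic of this example only: the first process path ending in explorer.exe
    gives the system root (C:\\WINNT on the server in the thread).
    """
    suffix = r"\explorer.exe"
    for proc in sections.get("Running Processes", []):
        if proc.lower().endswith(suffix):
            return proc[: -len(suffix)].lower()
    return r"c:\winnt"  # assumption: fall back to the Windows 2000 default


def triage(text: str) -> List[Dict[str, str]]:
    """Return one finding per entry that loads or redirects code at startup."""
    sections = split_sections(text)
    root = system_root(sections)
    findings: List[Dict[str, str]] = []
    for line in sections.get("Pseudo HJT Report", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # e.g. 'uStart Page = ...' has no 'KEY: value' shape
        key, value = m.group(1), m.group(2)
        if key == "AppInit_DLLs" and value:
            findings.append({"severity": "high", "key": key, "value": value,
                             "reason": "DLL loaded into every process that maps user32.dll"})
        elif key == "IFEO":
            ifeo = IFEO_RE.match(value)
            target, debugger = ifeo.groups() if ifeo else (value, "")
            reason = f"launching {target} is redirected to {debugger}"
            if debugger and not debugger.lower().startswith(root):
                reason += f" (outside inferred system root {root})"
            findings.append({"severity": "high", "key": key, "value": value, "reason": reason})
        elif key in ("uRun", "mRun") and value.startswith("[<NO NAME>]"):
            findings.append({"severity": "medium", "key": key, "value": value,
                             "reason": "unnamed autorun value; check what it launches"})
        elif key == "Notify":
            findings.append({"severity": "review", "key": key, "value": value,
                             "reason": "Winlogon notification DLL; verify the publisher"})
    return findings


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity so a log can be summarised in one line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['severity']:>6}] {f['key']}: {f['value']}\n         {f['reason']}")
    print(severity_counts(triage(SAMPLE_DDS)))
```

Run as a script it prints each flagged entry with its reason; on the constructed sample that is the AppInit_DLLs line, the two IFEO redirections (both noted as pointing outside the inferred C:\WINNT root), the empty uRun value and the Winlogon Notify DLL for review. The IFEO check deliberately flags every Debugger value rather than trying to decide which are malicious, since a legitimate debugger entry is rare on a production server and a human should look at each one.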
 
Replies (1 - 14)

1972vet (Forum Regular; Group: HJT Team; Posts: 334; Joined: 16-December 05; From: Midwest U.S.A.; Member No.: 45,080)
post Nov 6 2009, 11:10 PM
Post #2

Unfortunately, virut is most often a game over scenario. If your antivirus hasn't cleaned it, then it can't be disinfected...must be one of the newer variants. You can read more Here, and Here.



innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 7 2009, 04:43 PM
Post #3

Hi 1972vet,

First of all, thanks very much for your quick reply. I have reviewed the linked advice you included in your post and acknowledge that the ultimate solution will be a system rebuild, which we intend to do as soon as we are able to source the new hardware.

Having said that, at this point the server has been connected to the internet for almost 24 hours, and has not reinfected itself with W32/Virut. Our firewall logs show that the server has not attempted any sneaky uploads, and our McAfee & Housecall scans are returning no detections (except for one dirty cookie), so we believe that W32/Virut (at least) has been cleaned.

Because we will have to reintroduce this server into the production environment, we have applied much tighter settings for McAfee VSE & Spyware, as well as closely monitoring all network traffic and blocking many ports.

Could we obtain help to just remove the existing Adware, Spyware, and Malware?

Marty

1972vet (Forum Regular; Group: HJT Team; Posts: 334; Joined: 16-December 05; From: Midwest U.S.A.; Member No.: 45,080)
post Nov 7 2009, 05:23 PM
Post #4

QUOTE
I have reviewed the linked advice you included in your post and acknowledge that the ultimate solution will be a system rebuild, which we intend to do as soon as we are able to source the new hardware...Could we obtain help to just remove the existing Adware, Spyware, and Malware ?

We can certainly give it a run. Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.





innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 7 2009, 07:31 PM
Post #5

Thanks and sorry for the delay, a workmate had executed an MBAM scan which just finished.

I am now going to follow the steps for the combofix utility, but I'd just like to make sure you will be able to instruct me if there's a problem and I need to rely on the Recovery Console.

Cheers

Marty

1972vet (Forum Regular; Group: HJT Team; Posts: 334; Joined: 16-December 05; From: Midwest U.S.A.; Member No.: 45,080)
post Nov 8 2009, 05:51 AM
Post #6

Indeed I'll be available.



innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 8 2009, 06:47 AM
Post #7

Hi 1972Vet, I finally got the chance to execute the ComboFix utility!

Unfortunately it seems as though the ComboFix has turned out to be a bit of a fizzer...

It only runs on workstation Operating Systems W2000 & WXP. I am attaching the error I receive.

(we're running Windows Server 2000)

Standing by for your advice..

Marty

Attached File(s)
Attached File  incompatible.jpg ( 32.43k ) Number of downloads: 1
 

1972vet (Forum Regular; Group: HJT Team; Posts: 334; Joined: 16-December 05; From: Midwest U.S.A.; Member No.: 45,080)
post Nov 8 2009, 08:38 AM
Post #8

Aye...indeed an oversight on my part. My apologies. I remember from one of the earlier logs, "Windows 2000" but I see now my error.

I do know Kaspersky antivirus products have support for Windows Servers and are an excellent software choice...let's try an online scan Here.
  • At the main page click on "Accept" (after reading the agreement).
  • The necessary files will be downloaded...wait for the Database to finish updating.
Note: If prompted to run or update your Java, follow the prompts to do so. (Kaspersky requires Java to run and I did notice your log showed a couple of java installations, both out of date and exploited. You should in fact uninstall those and keep only the most up to date Java components on board).
  • Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
  • Select Scan Report.
  • If any threats were found they will appear in the report
  • Select "Save error report as"
Then in the file name just type in kaspersky. Under "save as type" select text .txt. Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.



innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 8 2009, 11:42 PM
Post #9

Sorry 1972Vet! I messed up and didn't see the "Save to Text" option in Kaspersky, so I only have it in HTML format now. There were 14 detections and I am about to write a strongly-worded letter to our McAfee rep asking for an explanation, as McAfee is still reporting a clean bill of health.

We have uninstalled and deleted the infected files manually and since rebooting, are running another scan now. I will paste the Kaspersky HTML log anyway, and hopefully you can read it.

Thanks again..

Marty


***********

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 08, 2009 23:44:13
Records in database: 3179055


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics
Objects scanned 269961
Threats found 2
Infected objects found 14
Suspicious objects found 0
Scan duration 02:53:51

File name Threat Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

C:\RECYCLER\S-1-5-21-2062711326-864884203-903097961-500\Dc11.COR\LOCALS~1\Temp\V27\checksym64.exe Infected: Virus.Win32.Virut.ce 1

C:\RECYCLER\S-1-5-21-2062711326-864884203-903097961-500\Dc11.COR\LOCALS~1\Temp\V27\checksymamd.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\EMCReports\bin\checksym64.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\EMCReports\bin\checksymamd.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

E:\HP Print Driver\HP7410\setup\hponiprint64.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZdui40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZmsi40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZpnp40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZprl40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZscr40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZshl40.exe Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.
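The Kaspersky report above mixes two quite different kinds of detection: a backdoor DLL (on disk and loaded inside IEXPLORE.EXE) and a file infector verdict on a set of legitimate HP and EMC executables. The Python script below is an added example, not part of the original post and not code from Kaspersky or the forum: it parses the report's detection and statistics lines, rolls the hits up by threat family and by where the object lives, and cross-checks the parsed total against the "Infected objects found" figure. The sample text is a constructed, abridged copy of the report above (same line format, statistics adjusted to match the shortened listing); the location categories and the family-name convention of dropping the last dotted component are this example's own choices.

```python
"""Summarise a Kaspersky Online Scanner 7.0 report by threat family and location."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: an abridged copy of the report pasted above, in the same
# line format; the statistics block is adjusted to match the abridged listing.
SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)

Scan statistics
Objects scanned 269961
Threats found 2
Infected objects found 5
Suspicious objects found 0

File name Threat Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\RECYCLER\S-1-5-21-2062711326-864884203-903097961-500\Dc11.COR\LOCALS~1\Temp\V27\checksym64.exe Infected: Virus.Win32.Virut.ce 1
C:\WINNT\EMCReports\bin\checksym64.exe Infected: Virus.Win32.Virut.ce 1
E:\HP Print Driver\HP7410\setup\hponiprint64.exe Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.
"""


class Detection(NamedTuple):
    obj: str     # on-disk path, or PROCESS\module for a hit inside a running process
    threat: str  # full verdict, e.g. Virus.Win32.Virut.ce
    count: int


DETECTION_RE = re.compile(r"^(.+?)\s+Infected:\s+(\S+)\s+(\d+)$")
# The statistics lines appear with and without a colon across the two reports in the thread.
STAT_RE = re.compile(r"^(Objects scanned|Threats found|Infected objects found|Suspicious objects found):?\s+(\d+)$")
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


def parse_report(text: str) -> Tuple[List[Detection], Dict[str, int]]:
    """Extract the detection lines and the scan statistics from a report."""
    detections: List[Detection] = []
    stats: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        hit = DETECTION_RE.match(line)
        if hit:
            detections.append(Detection(hit.group(1), hit.group(2), int(hit.group(3))))
            continue
        stat = STAT_RE.match(line)
        if stat:
            stats[stat.group(1)] = int(stat.group(2))
    return detections, stats


def family(threat: str) -> str:
    """Drop the variant suffix: Virus.Win32.Virut.ce -> Virus.Win32.Virut."""
    parts = threat.split(".")
    return ".".join(parts[:3]) if len(parts) > 3 else threat


def location(obj: str) -> str:
    """Classify where the object lives: a drive letter, the Recycle Bin, or a process."""
    drive = DRIVE_RE.match(obj)
    if not drive:
        return "in-process"
    if "\\RECYCLER\\" in obj.upper():
        return "recycle-bin"
    return drive.group(1).upper() + ":"


def summarize(text: str) -> Dict[str, object]:
    """Roll detections up by family and location and cross-check the reported total."""
    detections, stats = parse_report(text)
    by_family: Dict[str, int] = defaultdict(int)
    by_location: Dict[str, int] = defaultdict(int)
    for d in detections:
        by_family[family(d.threat)] += d.count
        by_location[location(d.obj)] += d.count
    total = sum(d.count for d in detections)
    return {
        "by_family": dict(by_family),
        "by_location": dict(by_location),
        # A Virus.* verdict marks a legitimate host executable that was patched by a
        # file infector, not a dropped file, so these hits are not fixed by deletion.
        "file_infector_hits": sum(n for f, n in by_family.items() if f.startswith("Virus.")),
        "total": total,
        "matches_reported_count": stats.get("Infected objects found") == total,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The file_infector_hits figure is the one that matters for the decision the thread ends up at: every Virus.Win32.Virut hit is a previously clean executable that has been modified, so a non-zero count after cleaning is evidence that the infector is still active or that infected binaries (here also on the E: drive and in the Recycle Bin) are still around to reseed the host. The in-process entry for kbdnet.dll shows the same DLL both on disk and loaded into Internet Explorer, which is consistent with the AppInit_DLLs entry in the DDS log earlier in the thread.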

innocentvictim (New Member; Group: Members; Posts: 10; Joined: 6-November 09; Member No.: 399,540)
post Nov 9 2009, 05:40 AM
Post #10

Hi 1972Vet,

We have rebooted and run another scan on the server (this time only "Critical Areas"). I am pasting the log here and I will now run a Full System Scan.

Thanks for your advice.

Marty

******

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 09:39:32
Records in database: 3180422
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Critical areas:
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
C:\Documents and Settings\appadmin\Start Menu\Programs\Startup
C:\Documents and Settings\appadmin\WINDOWS
C:\Program Files

Scan statistics:
Objects scanned: 9026
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:13:32


File name / Threat / Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

Selected area has been scanned.
1972vet
post Nov 9 2009, 08:27 AM
Post #11
Forum Regular
Group: HJT Team
Posts: 334
Joined: 16-December 05
From: Midwest U.S.A.
Member No.: 45,080

I still see virut...even your Microsoft Platform Support Reporting utility is infected with it along with your HP print driver package. Is there any point in continuing? I don't think so.

innocentvictim
post Nov 9 2009, 04:36 PM
Post #12
New Member
Group: Members
Posts: 10
Joined: 6-November 09
Member No.: 399,540

I know, I was surprised to see it too, because MBAM, McAfee & Housecall all failed to detect those Virut infections.

After manually deleting them, rebooting, and conducting another Kaspersky scan, the result is below. It shows the threat that we are really keen to get rid of: kbdnet.dll: Backdoor.Win32.Agent.amos

Can you help with this one? (only)

Cheers,

Marty

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 18:22:25
Records in database: 3181750
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics:
Objects scanned: 265893
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:46:56


File name / Threat / Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

Selected area has been scanned.
1972vet
post Nov 9 2009, 05:55 PM
Post #13
Forum Regular
Group: HJT Team
Posts: 334
Joined: 16-December 05
From: Midwest U.S.A.
Member No.: 45,080

As I've stated, virut is a game-over scenario. I won't waste any more of my time beyond this:

Please download the KILLBOX. Save it to your desktop.

Open killbox.exe...First click on Tools-->Delete Temp Files.
A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch


If you want to clean your cookies, history, and list of recent files run you may check those boxes as well...next, click on the Button titled Delete Selected Temp Files.
Exit by clicking the Button titled Exit(Save Settings).

Once back into the main killbox program, check the box Delete on Reboot. Now, highlight all the entries below in Bold text and then copy them.

C:\WINNT\system32\kbdnet.dll

Then in killbox click File-->Paste from Clipboard...Now, Click the All Files button.

Next, click the Red X...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click Yes to allow the reboot.
When the system comes back up, you can run your scan again and you'll see that virut still exists. You really should save your effort.

innocentvictim
post Nov 11 2009, 04:00 PM
Post #14
New Member
Group: Members
Posts: 10
Joined: 6-November 09
Member No.: 399,540

Thanks for all your help.

We ran the Killbox utility and it did in fact get rid of the kbdnet.dll file, but the latest Kaspersky scan shows three new infections related to another DLL file.

This issue can be closed now, as we are discontinuing our troubleshooting with this server.

Regards,

Marty

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 12, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 11, 2009 12:04:54
Records in database: 3191245
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics:
Objects scanned: 264997
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:48:56


File name / Threat / Threats count
IEXPLORE.EXE\rdolib.dll/IEXPLORE.EXE\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll/C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1

Selected area has been scanned.
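As an added illustration (not code from the thread or from Kaspersky), here is a small parser for the Kaspersky Online Scanner 7.0 report layout quoted above. It diffs two scans to show which detections were cleared and which are new, and it lists objects reported inside a running process (the `IEXPLORE.EXE\...` entries) rather than at a drive path; files held open by a process are the ones a plain delete fails on, which is what a delete-on-reboot tool like Killbox works around. The two report excerpts are constructed from the detection lines in the Nov 10 and Nov 12 posts; the "no drive-letter prefix means in-process object" rule is an assumption.

```python
import re

# Constructed excerpts in the Kaspersky Online Scanner 7.0 layout (detection lines
# copied from the Nov 10 and Nov 12 posts in this thread; report headers trimmed).
REPORT_NOV10 = r"""
File name / Threat / Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

Selected area has been scanned.
"""
REPORT_NOV12 = r"""
File name / Threat / Threats count
IEXPLORE.EXE\rdolib.dll/IEXPLORE.EXE\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll/C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1

Selected area has been scanned.
"""

# One detection line: "<object> Infected: <threat> <count>". The object may be written
# as "<container>/<member>"; for a plain file both halves are the same path.
DETECTION = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")  # assumption: "X:\..." means an on-disk object

def parse_report(text):
    """Return the set of (object, threat) pairs found in a report.
    The container/member duplicate lines collapse onto the member path."""
    found = set()
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.add((m.group("obj").split("/")[-1], m.group("threat")))
    return found

def diff_reports(before, after):
    """Classify detections as cleared, persisting or new between two scans."""
    a, b = parse_report(before), parse_report(after)
    return {"cleared": sorted(a - b), "persisting": sorted(a & b), "new": sorted(b - a)}

def in_process_objects(text):
    """Objects the scanner reported inside a running process (e.g. IEXPLORE.EXE\\x.dll)
    rather than at a drive path: these are the files a normal delete cannot remove."""
    return sorted(obj for obj, _ in parse_report(text) if not DRIVE_PATH.match(obj))

if __name__ == "__main__":
    for kind, items in diff_reports(REPORT_NOV10, REPORT_NOV12).items():
        print(kind, items)
    print("loaded in a process:", in_process_objects(REPORT_NOV10))
```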
1972vet
post Nov 11 2009, 06:12 PM
Post #15
Forum Regular
Group: HJT Team
Posts: 334
Joined: 16-December 05
From: Midwest U.S.A.
Member No.: 45,080

As this member has resolved to discontinue troubleshooting on the virut infected server, this thread will be closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
