BleepingComputer.com: W32/Virut.gen.n

Hello all,

We have removed a W32/Virut infection from our server, and a number of computers, but malware remains, the browsers are hijacked (redirections happening), and a reinfection has occurred. We appreciate your guidance and help to clean up our server.

Please note the following details:

Application Server:


We isolated this server from our network, and ran McAfee scans that detected and cleaned numerous file infections with W32/Virut.gen.n. McAfee almost gives us the all-clear, along with MalwareBytes and Housecall. But they still detect one file as infected :



We believe there is still a problem because when we try to access security sites (including bleepingcomputer.com), we are being redirected (by the browser) to other places. The browser also tried to prevent us accessing Housecall.

We have also been testing with an infected laptop, and when we reconnected it to the network, we found that it immediately attempted to connect with two mail servers (google.com & mail.ru), and when that failed, it uploaded twice to a German webhost & internet provider (Netdirekt.de). I uninstalled McAfee from the laptop last night to run an independent pre-boot scan with Avast!. The scan detected two W64/CutWail infections (it's a 32-bit OS), and one W32/Virut infection. I uninstalled Avast!, and installed the Microsoft Security Essentials tool, which also found these three infections and cleaned them. We are concerned that a similar reinfection will happen on the server, so we cannot reconnect it to the network yet.

Because the MSE is only for Windows clients, we ran the latest Microsoft Malicious Software Removal Tool on the server this morning, and the MSRT detected no infections. A quick search reveals that the kbdnet.dll file is still on the system though, with Housecall detecting an infection called TSPY_ONLINEG.TOS.

We have also executed HijackThis, so that we may fix the browser hijacking problem, which we think may be related to the kbdnet.dll file. Please review the HijackThis log below and let us know what to try next. If you need more information, please let me know.

Our goal is to have this server malware-free, with a clean kbdnet.dll (if it is needed), and connected to the network with no sneaky transmissions or reinfection.

Thanks in advance for your help!

Marty

(please note: RootRepeal failed to run on our server, so I am attaching the Error report for your review)

*******************************


DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 14:01:44.17 on Sat 07/11/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.61.1033.18.3327.2574 [GMT 11:00]


============== Running Processes ===============

C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\Program Files\Hewlett-Packard\CM\AUM Agent\bin\AUMService.exe
C:\Program Files\HP\Cissesrv\Cissesrv.exe
C:\WINNT\System32\CpqRcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\Program Files\EMC\PowerPath\PowMigSrvc.exe
C:\Program Files\EMC\PowerCommon\EmcPowSrv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINNT\system32\iscsiexe.exe
C:\Program Files\EMC\Navisphere Agent\NaviAgent.Exe
C:\Program Files\Hewlett-Packard\CM\Agent\radexecd.exe
C:\Program Files\Hewlett-Packard\CM\Agent\radsched.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Hewlett-Packard\CM\ManagementAgent\nvdkit.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\EMC\PowerCommon\EmcPowMon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINNT\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
uRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\powerp~1.lnk - c:\program files\emc\powercommon\EmcPowMon.exe
mPolicies-explorer: ShowSuperHidden = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 1 (0x1)
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Trusted Zone: siteadvisor.com\www
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Handler: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - c:\program files\compaq\hpadu\bin\hpapp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor enterprise\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\winnt\system32\kbdnet.dll
LSA: Notification Packages = FPNWCLNT RASSFM KDCSVC scecli
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

============= SERVICES / DRIVERS ===============

R0 b06bdrv;HP Virtual Bus Device;c:\winnt\system32\drivers\bxvbdx.sys [2007-2-27 246272]
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2006-11-11 74448]
R0 emcmpio;EMC PowerPath Generic DSM;c:\winnt\system32\drivers\emcmpio.sys [2007-3-16 219264]
R0 EmcpBase;EMC PowerPath Base Driver;c:\winnt\system32\drivers\EmcpBase.sys [2007-3-16 313856]
R0 EmcpCG;EMC PowerPath Consistency Group Extension for Symmetrix;c:\winnt\system32\drivers\EmcpCg.sys [2007-3-16 27264]
R0 EmcpClass;EMC PowerPath Class Driver;c:\winnt\system32\drivers\EmcpClass.sys [2007-3-16 3712]
R0 EmcpDm;EMC PowerPath Data Migration Manager;c:\winnt\system32\drivers\EmcpDm.sys [2007-3-16 25344]
R0 EmcpGpx;EMC PowerPath Generic Purpose Extension;c:\winnt\system32\drivers\EmcpGpx.sys [2007-3-16 9984]
R0 EmcpSAPI;EMC PowerPath SymmApi Extension for Symmetrix;c:\winnt\system32\drivers\EmcpSapi.sys [2007-3-16 101376]
R0 HpCISSm2;HpCISSm2;c:\winnt\system32\drivers\HpCISSm2.sys [2007-2-27 23040]
R0 mpdev;Multi-Path Device Driver;c:\winnt\system32\drivers\mpdev.sys [2005-6-12 14904]
R0 mpspfltr;Multi-Path Adapter Filter Driver;c:\winnt\system32\drivers\mpspfltr.sys [2005-6-12 21048]
R0 msiscdsm;iSCSI Multi-Path DSM;c:\winnt\system32\drivers\msiscdsm.sys [2005-6-12 34168]
R2 Array Configuration Utility;Array Configuration Utility;c:\program files\compaq\cpqacuxe\bin\hpacubin.exe [2007-2-27 2498560]
R2 AUMService;HP OpenView CM Application Usage Manager Agent Service;c:\program files\hewlett-packard\cm\aum agent\bin\AUMService.exe [2008-5-5 229376]
R2 Cissesrv;HP Smart Array SAS/SATA Event Notification Service;c:\program files\hp\cissesrv\cissesrv.exe [2007-2-27 55808]
R2 EmcPowMig;EMC PowerPath Migration Service 5.0.0;c:\program files\emc\powerpath\PowMigSrvc.exe [2007-4-25 638976]
R2 EmcPowSrv;EMC PowerPath Service 5.0.0;c:\program files\emc\powercommon\EmcPowSrv.exe [2007-4-25 397312]
R2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;c:\program files\mcafee\siteadvisor enterprise\McSACore.exe [2009-8-6 222528]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-10-22 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\winnt\system32\mfevtps.exe [2009-11-7 70728]
R2 Navisphere_Agent;Navisphere Agent;c:\program files\emc\navisphere agent\NaviAgent.exe [2007-10-10 13373625]
R2 radexecd;HP Client Automation Notify Daemon;c:\program files\hewlett-packard\cm\agent\radexecd.exe [2008-7-7 258222]
R2 radsched;HP Client Automation Scheduler Daemon;c:\program files\hewlett-packard\cm\agent\radsched.exe [2008-5-29 172206]
R2 rma;HPCA Management Agent;c:\program files\hewlett-packard\cm\managementagent\nvdkit.exe [2009-3-17 2443554]
R3 CpqCiDrv;HP iLO Management Channel Interface Driver;c:\winnt\system32\drivers\cpqcidrv.sys [2007-2-27 26880]
R3 HPAUMDriver;HPAUMDriver;c:\winnt\system32\drivers\HPAUMDriver.sys [2008-1-7 6784]
R3 hpqilo2;hpqilo2;c:\winnt\system32\drivers\hpqilo2.sys [2007-2-27 112128]
R3 l2nd;HP NC370 Multifunction Gigabit Server Adapter;c:\winnt\system32\drivers\bxnd50x.sys [2007-2-27 24576]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2007-2-27 49776]
S2 FTRnetd;FTRnetd;c:\program files\frontier\services\FTRnetd.exe [2008-8-7 176128]
S2 FTRsched;FTRsched;c:\program files\frontier\services\FTRsched.exe [2008-4-30 94208]
S2 ouinetd2;ouinetd2;c:\program files\frontier\services\ouinetd2.exe [2008-4-30 33792]
S3 CNMPROT;Network Management Protocol Driver;c:\winnt\system32\drivers\cnmprot.sys [2007-2-27 14976]
S3 CPQTeam;HP Network Configuration Utility;c:\winnt\system32\drivers\cpqteam.sys [2006-7-19 185856]
S3 DTCserver;IP4700 Trap Catcher;c:\program files\emc\navisphere agent\dtcsrv.exe [2007-10-10 235224]
S3 EntDrv50;EntDrv50;\??\c:\winnt\system32\drivers\entdrv50.sys --> c:\winnt\system32\drivers\EntDrv50.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\winnt\system32\drivers\mferkdet.sys [2009-11-7 65448]
S3 NtFrs;File Replication;c:\winnt\system32\ntfrs.exe [2007-2-27 764928]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2007-2-27 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2007-2-27 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2007-2-27 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2007-2-27 18264]
S3 TrkSvr;Distributed Link Tracking Server;c:\winnt\system32\SERVICES.EXE [2006-11-11 92944]
S4 EmcpHR;EMC High Road Extension for PowerPath;c:\winnt\system32\drivers\EmcpHR.sys [2005-10-2 9344]
S4 EmcpMP;EMC PowerPath MultiPath Extension for Symmetrix;c:\winnt\system32\drivers\EmcpMP.sys [2005-10-2 42624]
S4 EmcpMPAA;EMC PowerPath Multipath Extension for Active-Active arrays;c:\winnt\system32\drivers\EmcpMPAA.sys [2006-2-2 53760]
S4 EmcpMPAP;EMC PowerPath Multipath Extension for Active-Passive arrays;c:\winnt\system32\drivers\EmcpMPAP.sys [2005-10-2 75264]
S4 EmcpMPC;EMC PowerPath MultiPath Extension for CLARiiON;c:\winnt\system32\drivers\EmcpMPC.sys [2006-2-2 70016]
S4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2007-2-27 45568]
S4 kdc;Kerberos Key Distribution Center;c:\winnt\system32\LSASS.EXE [2006-11-11 33552]

=============== Created Last 30 ================

2009-11-07 01:59:21 91672 ----a-w- c:\winnt\system32\drivers\mfeavfk.sys
2009-11-07 01:59:21 75704 ----a-w- c:\winnt\system32\drivers\mfeapfk.sys
2009-11-07 01:59:21 70728 ----a-w- c:\winnt\system32\mfevtps.exe
2009-11-07 01:59:21 65448 ----a-w- c:\winnt\system32\drivers\mferkdet.sys
2009-11-07 01:59:21 63728 ----a-w- c:\winnt\system32\drivers\mfetdik.sys
2009-11-07 01:59:21 43288 ----a-w- c:\winnt\system32\drivers\mfebopk.sys
2009-11-07 01:59:21 343664 ----a-w- c:\winnt\system32\drivers\mfehidk.sys
2009-11-07 01:59:10 0 d-----w- c:\program files\common files\McAfee
2009-11-07 00:32:39 0 d-----w- c:\program files\Trend Micro
2009-11-06 22:38:14 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6a8.dat
2009-11-06 22:38:09 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_51c.dat
2009-11-06 10:16:06 0 ----a-w- c:\winnt\kbdnet.dll
2009-11-06 10:16:02 42504 ----a-w- c:\winnt\system32\uses32.dat
2009-11-06 10:16:02 100 ----a-w- c:\winnt\system32\flags.ini
2009-11-06 10:12:24 0 d-----w- c:\documents and settings\administrator\.housecall6.6
2009-11-06 09:38:44 0 d-s---w- c:\documents and settings\administrator\UserData
2009-11-06 07:09:38 0 d-----w- c:\docume~1\admini~1\applic~1\Sierra Wireless
2009-11-06 05:13:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f0.dat
2009-11-06 02:42:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_524.dat
2009-11-06 00:46:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f8.dat
2009-11-06 00:42:21 555560 ---h--w- c:\winnt\ShellIconCache
2009-11-06 00:39:30 30768 ----a-w- c:\winnt\system32\drivers\disk.sys
2009-11-06 00:36:25 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4a8.dat
2009-11-06 00:09:06 0 d-----w- C:\vsclean
2009-11-04 19:51:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e8.dat
2009-11-04 19:11:50 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-11-04 16:19:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e0.dat
2009-11-04 14:40:15 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d4.dat
2009-11-04 11:17:15 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4dc.dat
2009-11-04 11:07:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4b8.dat
2009-11-04 10:28:55 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4f4.dat
2009-11-04 05:57:21 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4d0.dat
2009-11-04 00:55:26 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-11-04 00:50:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_4e4.dat
2009-11-04 00:45:41 0 ----a-w- c:\winnt\system32\33.tmp
2009-11-04 00:45:40 696 ----a-w- c:\winnt\system32\32.tmp
2009-11-04 00:45:39 696 ----a-w- c:\winnt\system32\30.tmp
2009-11-04 00:45:37 53248 ----a-w- c:\winnt\system32\4703593.exe
2009-11-04 00:45:35 117248 ----a-w- c:\winnt\system32\2F.tmp
2009-11-04 00:45:34 1 ----a-w- c:\winnt\system32\2E.tmp
2009-11-04 00:45:33 288 ----a-w- c:\winnt\system32\2D.tmp
2009-11-04 00:45:29 868 ----a-w- c:\winnt\system32\5388758.exe
2009-11-03 22:37:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a70.dat
2009-11-03 22:32:16 0 ----a-w- c:\winnt\system32\23.tmp
2009-11-03 22:32:15 696 ----a-w- c:\winnt\system32\22.tmp
2009-11-03 22:32:10 696 ----a-w- c:\winnt\system32\20.tmp
2009-11-03 22:32:09 196 ----a-w- c:\winnt\system32\1F.tmp
2009-11-03 22:13:36 0 d-----w- C:\Quarantine
2009-11-03 20:05:10 0 ----a-w- c:\winnt\system32\1E.tmp
2009-11-03 20:05:09 696 ----a-w- c:\winnt\system32\1D.tmp
2009-11-03 20:05:08 696 ----a-w- c:\winnt\system32\1B.tmp
2009-11-03 20:05:07 196 ----a-w- c:\winnt\system32\1A.tmp
2009-11-03 19:59:39 0 ----a-w- c:\winnt\system32\19.tmp
2009-11-03 16:59:46 696 ----a-w- c:\winnt\system32\17.tmp
2009-11-03 16:59:46 0 ----a-w- c:\winnt\system32\18.tmp
2009-11-03 16:59:43 696 ----a-w- c:\winnt\system32\15.tmp
2009-11-03 16:59:43 31744 ----a-w- c:\winnt\system32\16.tmp
2009-11-03 16:59:42 196 ----a-w- c:\winnt\system32\14.tmp
2009-11-03 14:07:13 696 ----a-w- c:\winnt\system32\12.tmp
2009-11-03 14:07:13 0 ----a-w- c:\winnt\system32\13.tmp
2009-11-03 07:45:04 0 ----a-w- c:\winnt\system32\RGB75D84
2009-11-03 07:10:24 0 ----a-w- c:\winnt\system32\D6.tmp
2009-11-03 07:10:18 31744 ----a-w- c:\winnt\system32\D4.tmp
2009-11-03 07:10:14 696 ----a-w- c:\winnt\system32\D3.tmp
2009-11-03 07:10:09 236 ----a-w- c:\winnt\system32\D1.tmp
2009-11-02 07:47:47 34652160 ----a-w- c:\winnt\system32\RGB1E82A
2009-11-01 00:43:20 0 ----a-w- c:\winnt\system32\RGBFACCC
2009-10-30 08:52:20 0 ----a-w- c:\winnt\system32\RGBAEE6A
2009-10-29 07:46:46 0 ----a-w- c:\winnt\system32\RGB38388
2009-10-28 07:50:25 0 ----a-w- c:\winnt\system32\RGBB38EA
2009-10-27 07:37:48 0 ----a-w- c:\winnt\system32\RGBF9C8C
2009-10-26 07:45:39 34574336 ----a-w- c:\winnt\system32\RGBB2634
2009-10-23 10:00:07 34553856 ----a-w- c:\winnt\system32\RGB8A898
2009-10-22 09:07:00 20768 ----a-w- c:\winnt\system32\MFEOtlk.dll
2009-10-22 07:39:28 34553856 ----a-w- c:\winnt\system32\RGB02440
2009-10-20 07:39:09 0 ----a-w- c:\winnt\system32\RGB24ECE
2009-10-19 07:46:40 34562048 ----a-w- c:\winnt\system32\RGBCF630
2009-10-15 07:55:09 34570240 ----a-w- c:\winnt\system32\RGBC8088
2009-10-12 05:11:34 0 d-----w- c:\docume~1\alluse~1.win\applic~1\RICOH

==================== Find3M ====================

2009-11-06 10:12:30 102664 ----a-w- c:\winnt\system32\drivers\tmcomm.sys
2009-11-03 23:21:04 184320 ----a-w- c:\winnt\system32\wbem\wbemtest.exe
2009-11-03 23:21:01 180224 ----a-w- c:\winnt\system32\wbem\ScrCons.exe
2009-11-03 23:21:00 49152 ----a-w- c:\winnt\system32\wbem\mofcomp.exe
2009-11-03 23:16:59 29696 ----a-w- c:\winnt\system32\print.exe
2009-11-03 23:15:59 97280 ----a-w- c:\winnt\system32\gpresult.exe
2009-11-03 23:06:01 290304 ----a-w- c:\winnt\winhlp32.exe
2009-11-03 23:06:01 212992 ----a-w- c:\winnt\winrep.exe
2009-11-03 23:06:00 34816 ----a-w- c:\winnt\upwizun.exe
2009-11-03 23:05:59 46080 ----a-w- c:\winnt\twunk_32.exe
2009-11-03 23:05:58 55296 ----a-w- c:\winnt\TASKMAN.EXE
2009-11-03 23:05:56 93184 ----a-w- c:\winnt\regedit.exe
2009-11-03 23:05:56 46080 ----a-w- c:\winnt\setdebug.exe
2009-11-03 23:05:55 136704 ----a-w- c:\winnt\poledit.exe
2009-11-03 23:05:54 70656 ----a-w- c:\winnt\NOTEPAD.EXE
2009-11-03 23:05:45 1122304 ----a-w- c:\winnt\hpzshl01.exe
2009-11-03 23:05:44 30720 ----a-w- c:\winnt\hh.exe
2009-11-03 23:05:44 1122304 ----a-w- c:\winnt\hpzmsi01.exe
2009-11-03 23:05:43 25088 ----a-w- c:\winnt\delttsul.exe
2009-11-03 23:05:43 243200 ----a-w- c:\winnt\explorer.exe
2009-11-03 22:48:18 53248 ----a-w- c:\winnt\system32\wbem\unsecapp.exe
2009-11-03 22:48:15 110592 ----a-w- c:\winnt\system32\dfssvc.exe
2009-11-03 22:48:14 26624 ----a-w- c:\winnt\system32\msdtc.exe
2009-11-03 22:48:07 217088 ----a-w- c:\winnt\system32\wbem\WinMgmt.exe
2009-11-03 22:48:06 28672 ----a-w- c:\winnt\system32\sysdown.exe
2009-11-03 22:48:05 50176 ----a-w- c:\winnt\system32\SNMP.EXE
2009-11-03 22:48:05 141824 ----a-w- c:\winnt\system32\mstask.exe
2009-11-03 22:17:33 471040 ----a-w- C:\pathscan.exe
2009-11-03 22:13:37 29696 ------w- c:\winnt\system32\rundll32.exe
2009-08-18 12:01:43 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_62c.dat
2009-08-18 12:01:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5d8.dat
2007-02-27 09:01:40 271 ---h--w- c:\program files\desktop.ini
2007-02-27 09:01:40 21952 ---h--w- c:\program files\folder.htt
2002-07-24 12:00:00 32528 ------w- c:\winnt\inf\wbfirdma.sys

============= FINISH: 14:01:59.18 ===============

Unfortunately, virut is most often a game over scenario. If your antivirus hasn't cleaned it, then it can't be disinfected...must be one of the newer variants. You can read more Here, and Here.

Hi 1972vet,

First of all, thanks very much for your quick reply. I have reviewed the linked advice you included in your post and acknowledge that the ultimate solution will be a system rebuild, which we intend to do as soon as we are able to source the new hardware.

Having said that, at this point the server has been connected to the internet for almost 24 hours, and not reinfected itself with W32/Virut. Our firewall logs show that the server has not attempted any sneaky uploads, and our McAfee & Housecall scans are returning no detections (except for one dirty cookie), so we believe that W32/Virut (at least), has been cleaned.

Because we will have to reintroduce this server into the production environment, we have applied much tighter settings for McAfee VSE & Spyware, as well as closely monitoring all network traffic and blocking many ports.

Could we obtain help to just remove the existing Adware, Spyware, and Malware ?

Marty

Quote

We can certainly give it a run. Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall

Thanks and sorry for the delay, a workmate had executed an MBAM scan which just finished.

I am now going to follow the steps for the combofix utility, but I'd just like to make sure you will be able to instruct me if there's a problem and I need to rely on the Recovery Console.

Cheers

Marty

Indeed I'll be available.

Hi 1972Vet, I finally got the chance to execute the ComboFix utility!

Unfortunately it seems as though the ComboFix has turned out to be a bit of a fizzer...

It only runs on workstation Operating Systems W2000 & WXP. I am attaching the error I receive.

(we're running Windows Server 2000)

Standing by for your advice..

Marty

Aye...indeed an oversight on my part. My apologies. I remember from one of the earlier logs, "Windows 2000" but I see now my error.

I do know Kaspersky antivirus products have support for Windows Servers and is an excellent software choice...let's try an online scan Here.

• At the main page click on "Accept" (after reading the agreement).
  
• The necessary files will be downloaded...wait for the Database to finish updating.

Note: If prompted to run or update your Java, follow the prompts to do so. (Kaspersky requires Java to run and I did notice your log showed a couple of java installations, both out of date and exploited. You should in fact uninstall those and keep only the most up to date Java components on board).

• Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
  
• Select Scan Report.
  
• If any threats were found they will appear in the report
  
• Select "Save error report as"

Then in the file name just type in kaspersky Under "save as type" select text .txt Save it to your Desktop.

Copy and post the results of the Kaspersky Online scan. If no threats were found then report that as well.

Sorry 1972Vet ! I messed up and didn't see the "Save to Text" option in Kaspersky, so I only have it in HTML format now. There were 14 detections and I am about to write a strongly-worded letter to our McAfee rep asking for an explanation, as McAfee is still reporting a clean bill of health.

We have uninstalled and deleted the infected files manually and since rebooting, are running another scan now. I will paste the Kaspersky HTML log anyway, and hopefully you can read it.

Thanks again..

Marty


***********

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, November 08, 2009 23:44:13
Records in database: 3179055


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics
Objects scanned 269961
Threats found 2
Infected objects found 14
Suspicious objects found 0
Scan duration 02:53:51

File name Threat Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

C:\RECYCLER\S-1-5-21-2062711326-864884203-903097961-500\Dc11.COR\LOCALS~1\Temp\V27\checksym64.exe Infected: Virus.Win32.Virut.ce 1

C:\RECYCLER\S-1-5-21-2062711326-864884203-903097961-500\Dc11.COR\LOCALS~1\Temp\V27\checksymamd.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\EMCReports\bin\checksym64.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\EMCReports\bin\checksymamd.exe Infected: Virus.Win32.Virut.ce 1

C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

E:\HP Print Driver\HP7410\setup\hponiprint64.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZdui40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZmsi40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZpnp40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZprl40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZscr40.exe Infected: Virus.Win32.Virut.ce 1

E:\HP Print Driver\HP7410\setup\HPZshl40.exe Infected: Virus.Win32.Virut.ce 1

Selected area has been scanned.

Hi 1972Vet,

We have rebooted and run another scan on the server (this time only "Critical Areas"). I am pasting the log here and I will now run a Full System Scan.

Thanks for your advice.

Marty

******

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, November 9, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 09:39:32
Records in database: 3180422
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Critical areas:
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
C:\Documents and Settings\appadmin\Start Menu\Programs\Startup
C:\Documents and Settings\appadmin\WINDOWS
C:\Program Files

Scan statistics:
Objects scanned: 9026
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 00:13:32


File name / Threat / Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

Selected area has been scanned.

I still see virut...even your Microsoft Platform Support Reporting utility is infected with it along with your HP print driver package. Is there any point in continuing? I don't think so.

I know, I was surprised to see it too, because MBAM, McAfee & Housecall all failed to detect those Virut infections.

After manually deleting them, rebooting, and conducting another Kaspersky scan, the result is below. It shows the threat that we are really keen to get rid of : kbdnet.dll : Backdoor.Win32.Agent.amos

Can you help with this one? (only)

Cheers,

Marty

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 10, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, November 09, 2009 18:22:25
Records in database: 3181750
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics:
Objects scanned: 265893
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:46:56


File name / Threat / Threats count
IEXPLORE.EXE\kbdnet.dll/IEXPLORE.EXE\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll/C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1
C:\WINNT\system32\kbdnet.dll Infected: Backdoor.Win32.Agent.amos 1

Selected area has been scanned.

As I've stated, virut is a game over scenario. I won't waste anymore of my time beyond this:

Please download the KILLBOX. Save it to your desktop.

Open killbox.exe...First click on Tools-->Delete Temp Files.
A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well...next, click on the Button titled Delete Selected Temp Files.
Exit by clicking the Button titled Exit(Save Settings).

Once back into the main killbox program, check the box Delete on Reboot. Now, highlight all the entries below in Bold text and then copy them.

C:\WINNT\system32\kbdnet.dll

Then in killbox click File-->Paste from Clipboard...Now, Click the All Files button.

Next, click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? you will need to click Yes to allow the reboot.
When the system comes back up, you can run your scan again and you'll see that virut still exists. You really should save your effort.

Thanks for all your help.

We ran the Killbox utility and it did in fact get rid of the kbdnet.dll file, but the latest Kaspersky scan shows three new infections related to another DLL file.

This issue can be closed now, as we are discontinuing our troubleshooting with this server.

Regards,

Marty

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, November 12, 2009
Operating system: Microsoft Windows 2000 Advanced Server Service Pack 4 (build 2195)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 11, 2009 12:04:54
Records in database: 3191245
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
I:\
M:\
Z:\

Scan statistics:
Objects scanned: 264997
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:48:56


File name / Threat / Threats count
IEXPLORE.EXE\rdolib.dll/IEXPLORE.EXE\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll/C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1
C:\WINNT\system32\rdolib.dll Infected: Backdoor.Win32.Agent.amqy 1

Selected area has been scanned.

As this member has resolved to discontinue troubleshooting on the virut infected server, this thread will be closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.