BleepingComputer.com: Virus Infection, High Network Utilization Port 445


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.



Virus Infection, High Network Utilization Port 445
Virus modifies EXEs and scans for others on port 445

#1 Idea Solutions (New Member, Group: Members, Posts: 1, Joined: 09-March 10)

Posted 04 March 2011 - 12:06 PM

I have a situation where a virus is propagating by using shares. The network utilization on the workstation jumps to about 90% and port 445 or port 139 is being used to look for more EXE files on the network. I can see the EXEs on the local computers have been modified and the size is about 100k larger.

I have run Malwarebytes, Spybot Search and Destroy, ComboFix, Avira, RKill, McAfee VirusScan and TDSSKiller. Only Avira finds some of the files as infected with the TR/crypt.zpack.gen or TR/cryptxpack.gen3 virus, but not all the corrupted EXEs are found. I have to keep monitoring each running application to see if the network utilization jumps and then track down the offending process using Process Monitor. Once that process is located, I have to rename the EXE and either remove and reinstall the software or find a clean copy of that file somewhere.

I have two of the infected files in my Dropbox that can be downloaded and reviewed.
hxxp://dl.dropbox.com/u/21974438/QBDBMgrN.exeinfected
hxxp://dl.dropbox.com/u/21974438/winvnc.exeinfected

I need to find a tool that can find this virus located in the EXE's and be able to clean it. Any recommendations?

This post has been edited by Blade Zephon: 09 March 2011 - 01:56 PM
Reason for edit: Disabled Links
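The poster's observation that infected executables come back about 100 KB larger than the originals suggests a mechanical way to find every modified EXE on a share instead of waiting for each one to light up the network. The script below is an added example, not code from the thread or from any of the tools named in it: it records the size and SHA-256 of every .exe under a root into a JSON baseline, then compares a later scan against that baseline and reports modified, new and missing files with the size delta. The file names and sizes in demo() are constructed (two of the names echo the poster's samples); the 100 KB growth is only a triage hint, the hash is what decides. The baseline must be taken from a known-clean state (install media, or a backup from before the outbreak), otherwise you baseline the infection itself.

```python
"""Integrity baseline for executables on a share (added example, not from the thread)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large executables do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=(".exe",)):
    """Return {relative_path: {"size": bytes, "sha256": hex}} for every matching file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted (relative_path, status, size_delta) tuples.

    status is "modified" (hash differs), "new" (absent from baseline) or "missing".
    The hash decides; the delta is reported because a consistent growth of roughly
    100 KB was the pattern the poster saw, which helps pick the infector's hits out
    of legitimate updates.
    """
    findings = []
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "new", cur["size"]))
        elif old["sha256"] != cur["sha256"]:
            findings.append((rel, "modified", cur["size"] - old["size"]))
    for rel, old in baseline.items():
        if rel not in current:
            findings.append((rel, "missing", -old["size"]))
    return sorted(findings)


def demo():
    """Constructed scenario: three clean EXEs, then one grows by 100 KB and a new one is dropped."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "apps"))
    for rel, size in [("apps/QBDBMgrN.exe", 300_000), ("apps/winvnc.exe", 150_000), ("tool.exe", 50_000)]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"MZ" + bytes(size - 2))  # stand-in for a PE image, not a real executable
    baseline_path = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Simulate the infection: a payload appended to one EXE, plus a dropped executable.
    with open(os.path.join(root, "apps", "winvnc.exe"), "ab") as f:
        f.write(b"\x90" * 102_400)
    with open(os.path.join(root, "apps", "dropped.exe"), "wb") as f:
        f.write(b"MZ" + bytes(4094))

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for rel, status, delta in demo():
        print(f"{status:9} {delta:+9d}  {rel}")
```

In practice you would run build_baseline() against the clean source once, save it, and then run compare() against each share (mapped drive or UNC root) after the machines have been taken off the network; anything reported as "modified" or "new" is a candidate for replacement from the clean copy rather than for cleaning in place.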


#2 Blade (Strong in the Bleepforce, Group: Site Admin, Posts: 10,238, Joined: 20-January 09, Location: US)

Posted 09 March 2011 - 01:59 PM

Hello.

First of all... you need to isolate infected machines from each other and from the rest of the network. You'll never stop an infection like this while the machines are connected.

Second of all... since you've run ComboFix it will be necessary for you to seek help from the Malware Removal Team.

Please follow the instructions in This Guide starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues and what you have done to try to resolve them. You should also post your ComboFix log.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
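Blade's first step is to isolate the infected machines, which means knowing which hosts are the ones spreading and, on each of them, which process is doing it. The poster found both by watching network utilization and then digging with Process Monitor. The script below is an added example, not code from the thread or from Process Monitor, that makes both checks mechanical over two constructed inputs: the text of `netstat -ano` from a suspect workstation, and a CSV export from Process Monitor with its default columns. The netstat pass lists PIDs holding connections to port 445 or 139 on many distinct hosts, which is the "utilization jumps" symptom in concrete form. One caveat that matters here: connections opened through the Windows SMB redirector (anything that touches a share by UNC path) are owned by the System process, PID 4, so netstat identifies the infected host but not the infecting program; that is what the Procmon pass is for, attributing write-access opens of remote .exe files to the process that issued them. Hosts, PIDs, process names and the events themselves are made up for the demo (the file names echo the poster's), and min_hosts is an assumed threshold.

```python
"""Spot the SMB scanner: first the host, then the process (added example, not from the thread)."""
import csv
import io
from collections import Counter, defaultdict

SMB_PORTS = {445, 139}

# Constructed `netstat -ano` output: one workstation fanning out across its subnet on 445/139.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:3389         10.0.0.2:51022         ESTABLISHED     1172
  TCP    10.0.0.15:49701        10.0.0.3:445           ESTABLISHED     4
  TCP    10.0.0.15:49702        10.0.0.4:445           SYN_SENT        4
  TCP    10.0.0.15:49703        10.0.0.5:445           SYN_SENT        4
  TCP    10.0.0.15:49704        10.0.0.6:445           SYN_SENT        4
  TCP    10.0.0.15:49705        10.0.0.7:445           SYN_SENT        4
  TCP    10.0.0.15:49706        10.0.0.8:139           SYN_SENT        4
  TCP    10.0.0.15:49707        10.0.0.9:445           SYN_SENT        4
  TCP    10.0.0.15:49708        10.0.0.10:445          SYN_SENT        4
  TCP    10.0.0.15:49710        10.0.0.50:80           ESTABLISHED     2468
  UDP    0.0.0.0:137            *:*                                    4
"""


def smb_fanout(netstat_text, min_hosts=5):
    """Return {pid: sorted distinct remote hosts} for PIDs with SMB connections to >= min_hosts hosts.

    SYN_SENT counts as well as ESTABLISHED: a worm sweeping a subnet spends most of
    its time in half-open connections to hosts that never answer.
    """
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # banner/header lines, and UDP rows (no State column)
        _proto, _local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) in SMB_PORTS and state in ("SYN_SENT", "ESTABLISHED"):
            by_pid[int(pid)].add(host)
    return {pid: sorted(hosts) for pid, hosts in by_pid.items() if len(hosts) >= min_hosts}


# Constructed Process Monitor CSV export (File > Save as CSV) with the default columns.
SAMPLE_PROCMON = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:06:01.0000001","winvnc.exe","3120","CreateFile","\\10.0.0.4\C$\Program Files\Intuit\QBDBMgrN.exe","SUCCESS","Desired Access: Generic Write, Disposition: Open"
"12:06:01.0000002","winvnc.exe","3120","WriteFile","\\10.0.0.4\C$\Program Files\Intuit\QBDBMgrN.exe","SUCCESS","Offset: 0, Length: 102,400"
"12:06:01.0000003","winvnc.exe","3120","CreateFile","\\10.0.0.5\ADMIN$\notepad.exe","SUCCESS","Desired Access: Generic Write, Disposition: Open"
"12:06:01.0000004","winvnc.exe","3120","CreateFile","\\10.0.0.6\C$\Windows\regedit.exe","ACCESS DENIED","Desired Access: Generic Write, Disposition: Open"
"12:06:02.0000000","explorer.exe","1888","CreateFile","\\fileserver\docs\report.docx","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"12:06:02.5000000","backupsvc.exe","2200","CreateFile","\\10.0.0.7\C$\Program Files\App\app.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''


def unc_exe_writers(procmon_csv):
    """Count, per (process name, PID), write-access opens of remote .exe files plus WriteFile on them.

    Only UNC paths (starting with two backslashes) ending in .exe are considered. Denied
    attempts are counted too: a process probing shares it cannot write to is still the
    thing you are looking for. The "Write" substring test on the Detail column is a
    heuristic for Procmon's access strings such as "Generic Write".
    """
    hits = Counter()
    for row in csv.DictReader(io.StringIO(procmon_csv.lstrip())):
        path = row["Path"]
        if not (path.startswith("\\\\") and path.lower().endswith(".exe")):
            continue
        op = row["Operation"]
        if op == "WriteFile" or (op == "CreateFile" and "Write" in row["Detail"]):
            hits[(row["Process Name"], int(row["PID"]))] += 1
    return hits


if __name__ == "__main__":
    for pid, hosts in smb_fanout(SAMPLE_NETSTAT).items():
        print(f"PID {pid} has SMB connections to {len(hosts)} hosts: {', '.join(hosts)}")
    for (name, pid), n in unc_exe_writers(SAMPLE_PROCMON).most_common():
        print(f"{name} (PID {pid}) opened remote .exe files for writing {n} times")
```

On a real workstation, save `netstat -ano` to a file and feed it to smb_fanout(); a user process with fan-out to many hosts is suspect in its own right, while fan-out under PID 4 tells you only that this host is one to pull off the network. For the Procmon side, set a filter of "Path begins with \\" before capturing so the export stays small, then feed the CSV to unc_exe_writers(); the process it names is the one whose image to rename and replace from a clean copy, as the poster was doing by hand.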
