Description of the PC that was infected, the network and infection symptoms, and the ComboFix log as follows:
- PC is on a business network: XP Pro OS, SBS 2003, wired w/ remote access, SonicWALL TZ180 + McAfee Enforced AV
- Server & all other client PCs worked normally.
- Infected PC's use is primarily accounting w/ remote deposit/check scanning & banking; accessed remotely via LogMeIn or SSL VPN via GETMyLAN-BarracudaWebDrive
Initial symptoms were networking issues:
- PC getting disconnected from internet and/or server randomly
- A PC reboot would reset connections to begin with; as it progressed, a reboot did not fix it.
- Investigation discovered services stopping while the PC was running (and not restarting with a reboot as the problem progressed). (PCs remain online 24/7 for remote access.)
- As time passed more and more automatic services were affected.
- Upon investigation & troubleshooting (web search) I saw aggressive browser redirects and knew that was malware.
- McAfee had not identified and quarantined the threat(s).
However, I feel VERY uneasy not knowing what it was, particularly since it was the primary accounting/banking PC that was infected.
After ComboFix I finally got GMER to run and it reported no problems; repeated scans since w/ MBAM and ESET are clean.
ComboFix log:
2010-07-12 00:12:22 . 2010-07-12 00:12:22 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-MVS.reg.dat
2010-07-12 00:12:06 . 2010-07-12 00:12:06 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2010-07-12 00:11:58 . 2010-07-12 00:11:58 194 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sknbvyyy.reg.dat
2010-07-12 00:11:57 . 2010-07-12 00:11:57 189 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-McAfee Managed Services Tray.reg.dat
2010-07-12 00:03:43 . 2010-07-12 00:03:43 5,735 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-11 23:43:38 . 2010-07-11 23:54:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-09 15:37:09 . 2010-07-09 15:37:10 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0052.DLL.vir
2010-07-02 09:12:10 . 2010-07-02 09:12:10 37,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0051.DLL.vir
2010-07-02 09:12:09 . 2010-07-09 15:37:08 44,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wexe.exe.vir
2010-06-27 22:46:00 . 2010-07-11 17:07:07 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wupd.dat.vir
2008-01-21 21:14:07 . 2008-01-21 21:14:07 391 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2008-01-21 00:06:54 . 2010-07-11 23:55:29 57,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir
- Scans on all other desktops and remotes are clean.
- McAfee is reporting the ComboFix quarantine files now; it did not in the few days following ComboFix when I checked it.
- I ran temp file removal, registry backup & MBAM on all LAN & remote PCs; all report no issues (7/12/2010).
- Ran GMER on one other LAN PC (7/12/2010); no issues found, & since it was very difficult to run successfully I opted not to run it on the server and all other PCs.
I have not been able to find, via web search, any definitive information regarding the files quarantined, so I do not understand the nature of the threat.
I have been using (owning/maintaining/supporting) computers in business since 1980. This is my first infection.
I have been pressed into service supporting & learning on the fly SBS, Exchange Server, SonicWALL, and network maintenance & security on a network I did set up, and I want to do my best to ensure that the owner & his business are properly protected.
- For now I have asked them to move to another PC for accounting & to change banking passwords using another PC.
- Do I need to reformat or use F11 recovery to restore the OS on the PC that was infected?
- Do I need to run GMER on all PCs, local & remote?
- I think I got all Java & Adobe updated as I scanned other PCs (I update as I log on; not sure if other users can, due to limited privileges; most programs are set to auto-update).
- I am thinking of moving all PCs to Firefox & uninstalling all IE 8. Firefox is already installed on 2 PCs and I updated them & added NoScript & McAfee SiteAdvisor per your recommendations.
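An added example, not part of the original post and not ComboFix's own code: a small Python parser for the quarantine section of the ComboFix log quoted above. It maps each quarantined file back to the location ComboFix pulled it from (dropping the .vir suffix), lists the HKLM Run autostart values that were backed up, and applies two heuristics that are my own assumptions rather than ComboFix rules: flagging Run value names that look machine-generated (long, lowercase, almost no vowels) and system32 files whose names are only digits. The sample input is the set of log lines from the post; the cutoff values in the heuristics are assumptions.

```python
"""Parse a ComboFix quarantine listing and pull out what a responder wants first:
which files were removed from where, which autostart entries were backed up,
and a creation-time timeline of the quarantined files."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Sample input: the quarantine lines of the ComboFix log quoted in the post above.
SAMPLE_LOG = r"""
2010-07-12 00:12:22 . 2010-07-12 00:12:22 1,130 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-MVS.reg.dat
2010-07-12 00:12:06 . 2010-07-12 00:12:06 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2010-07-12 00:11:58 . 2010-07-12 00:11:58 194 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sknbvyyy.reg.dat
2010-07-12 00:11:57 . 2010-07-12 00:11:57 189 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-McAfee Managed Services Tray.reg.dat
2010-07-12 00:03:43 . 2010-07-12 00:03:43 5,735 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-11 23:43:38 . 2010-07-11 23:54:45 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-07-09 15:37:09 . 2010-07-09 15:37:10 37,888 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0052.DLL.vir
2010-07-02 09:12:10 . 2010-07-02 09:12:10 37,376 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\0051.DLL.vir
2010-07-02 09:12:09 . 2010-07-09 15:37:08 44,544 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wexe.exe.vir
2010-06-27 22:46:00 . 2010-07-11 17:07:07 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\wupd.dat.vir
2008-01-21 21:14:07 . 2008-01-21 21:14:07 391 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2008-01-21 00:06:54 . 2010-07-11 23:55:29 57,600 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# "<created> . <modified> <size> <attrs> <path>"; the path may contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+(\S+)\s+(.+?)\s*$"
)
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine" + "\\"
RUN_BACKUP_RE = re.compile(r"^(HKLM|HKCU)-Run-(.+)\.reg\.dat$", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str  # location inside the quarantine folder

    @property
    def is_registry(self) -> bool:
        return "\\Registry_backups\\" in self.path

    @property
    def original_path(self) -> Optional[str]:
        """Map a quarantined file back to where it lived, dropping the .vir suffix.
        Returns None for registry backups and for ComboFix's own files (catchme.log)."""
        if self.is_registry or not self.path.startswith(QUARANTINE_ROOT):
            return None
        rel = self.path[len(QUARANTINE_ROOT):]  # e.g. C\WINDOWS\system32\wexe.exe.vir
        drive, _, rest = rel.partition("\\")
        if not rest:
            return None
        if rest.lower().endswith(".vir"):
            rest = rest[:-4]
        return f"{drive}:\\{rest}"

    @property
    def run_value(self) -> Optional[str]:
        """For a HKLM-Run-<name>.reg.dat backup, return <name> (the autostart value)."""
        m = RUN_BACKUP_RE.match(self.path.rsplit("\\", 1)[-1])
        return m.group(2) if m else None


def parse_quarantine_log(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers and other non-listing lines are skipped
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(created, TS_FORMAT),
                             datetime.strptime(modified, TS_FORMAT),
                             int(size.replace(",", "")), attrs, path))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic, not a ComboFix rule: six or more lowercase letters
    with under 20% vowels is typical of generated autostart names."""
    if not (len(name) >= 6 and name.isalpha() and name.islower()):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.2


def suspicious_autostarts(entries: List[Entry]) -> List[str]:
    return [e.run_value for e in entries if e.run_value and looks_random(e.run_value)]


def numeric_system32_files(entries: List[Entry]) -> List[str]:
    """Assumed heuristic: files under system32 whose name is only digits (0051.DLL)."""
    hits = []
    for e in entries:
        p = e.original_path
        if p and "\\system32\\" in p.lower():
            stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem.isdigit():
                hits.append(p)
    return hits


def timeline(entries: List[Entry]) -> List[Tuple[datetime, str]]:
    """Quarantined files ordered by creation time, oldest first."""
    files = [(e.created, e.original_path) for e in entries if e.original_path]
    return sorted(files)


if __name__ == "__main__":
    parsed = parse_quarantine_log(SAMPLE_LOG)
    for when, where in timeline(parsed):
        print(when, where)
    print("random-looking Run values:", suspicious_autostarts(parsed))
    print("numeric system32 files:", numeric_system32_files(parsed))
```

Running it on the posted lines orders the files by creation time, which separates files that already existed on the 2008 install from those created in late June and July 2010, and isolates the one Run value name that fails the vowel heuristic. The heuristics are deliberately coarse; they point at what to look up next, not at a verdict.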