
Virus Infection, High Network Utilization Port 445


1 reply to this topic

#1 Idea Solutions

  • Members
  • 1 posts

Posted 04 March 2011 - 12:06 PM

I have a situation where a virus is propagating by using shares. The network utilization on the workstation jumps to about 90% and port 445 or port 139 is being used to look for more EXE files on the network. I can see the EXEs on the local computers have been modified and the size is about 100k larger.

I have run MalwareBytes, Spybot Search and Destroy, ComboFix, Avira, RKill, McAfee VirusScan and TDSSKiller. Only Avira finds some of the files as infected with the TR/crypt.zpack.gen or TR/cryptxpack.gen3 virus, but not all the corrupted EXEs are found. I have to keep monitoring each running application to see if the network utilization jumps and then track down the offending process using Process Monitor. Once that process is located, I have to rename the EXE and either remove and reinstall the software or find a clean copy of that file somewhere.

I have two of the infected files in my dropbox that can be downloaded and reviewed.
hxxp://dl.dropbox.com/u/21974438/QBDBMgrN.exeinfected
hxxp://dl.dropbox.com/u/21974438/winvnc.exeinfected

I need to find a tool that can find this virus located in the EXEs and be able to clean it. Any recommendations?

Edited by Blade Zephon, 09 March 2011 - 01:56 PM.
Disabled Links
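The poster is hunting modified binaries by hand, one process at a time. The behaviour described (executables on the workstation silently growing by roughly 100 KB while something sweeps the network for more EXEs over SMB) is exactly what a file-integrity baseline catches. The script below is an added example written for this thread, not a tool from the original post or from BleepingComputer: it records the size and SHA-256 of every PE-like file under a directory, then re-scans and flags files whose hash changed, calling out those that grew by more than a threshold. The demo builds a throwaway tree with constructed placeholder files (the two file names are borrowed from the post; their contents are invented) and simulates one binary gaining 100 KB. The `growth_threshold` value is an assumption chosen to match the ~100k increase the poster observed; tune it for your environment.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as PE files worth baselining (assumption: extend as needed).
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pe_files(root):
    """Yield (relative_posix_path, Path) for every PE-like file under root."""
    root = Path(root)
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in PE_EXTENSIONS:
            yield p.relative_to(root).as_posix(), p


def build_baseline(root):
    """Record size and SHA-256 of every PE-like file; run this on a known-clean machine."""
    return {rel: {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for rel, p in pe_files(root)}


def compare_to_baseline(root, baseline, growth_threshold=50 * 1024):
    """Re-scan root and report files that changed, grew suspiciously, vanished, or appeared.

    A file-infector typically appends or wraps a payload, so a changed hash together
    with a size increase of tens of kilobytes is the signal to prioritise.
    """
    findings = []
    current = dict(pe_files(root))
    for rel, old in baseline.items():
        p = current.get(rel)
        if p is None:
            findings.append({"file": rel, "status": "missing", "delta": None})
            continue
        size = p.stat().st_size
        if sha256_file(p) != old["sha256"]:
            delta = size - old["size"]
            status = "suspicious_growth" if delta >= growth_threshold else "modified"
            findings.append({"file": rel, "status": status, "delta": delta})
    # PE files that were not present when the baseline was taken.
    for rel in current:
        if rel not in baseline:
            findings.append({"file": rel, "status": "new", "delta": None})
    return findings


def demo():
    """Constructed demo: baseline a temporary tree, then simulate a ~100 KB appended payload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed placeholder contents; only the names come from the thread.
        (root / "app" / "QBDBMgrN.exe").write_bytes(b"MZ" + b"\x00" * 4096)
        (root / "app" / "winvnc.exe").write_bytes(b"MZ" + b"\x00" * 8192)
        (root / "app" / "readme.txt").write_bytes(b"not a PE file, ignored")
        baseline = build_baseline(root)
        # Simulate what the poster saw: one binary grows by about 100 KB.
        with open(root / "app" / "winvnc.exe", "ab") as f:
            f.write(b"\x90" * (100 * 1024))
        findings = compare_to_baseline(root, baseline)
        return baseline, findings


if __name__ == "__main__":
    _, results = demo()
    for item in results:
        print(item)
```

In practice you would take the baseline from a clean install or a verified backup, store it off the machine (an infected host can rewrite a local baseline as easily as it rewrites an EXE), and run the comparison against each isolated workstation before deciding which binaries to restore. The threshold only ranks findings; any hash change on a binary you did not update deserves a look.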




#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Location:US

Posted 09 March 2011 - 01:59 PM

Hello.

First of all... you need to isolate infected machines from each other and from the rest of the network. You'll never stop an infection like this while the machines are connected.

Second of all... since you've run ComboFix, it will be necessary for you to seek help from the Malware Removal Team.

Please follow the instructions in This Guide starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues and what you have done to try to resolve them. You should also post your ComboFix log.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

~Blade
