
NT AUTHORITY\SYSTEM bringing systems down


13 replies to this topic

#1 Randy G. (Members, 15 posts)

Posted 16 April 2012 - 04:18 PM

I have two sites and about ten machines experiencing this problem: They are working, and then suddenly a dialog box pops up with, for example, the following information:

Dialog Box Title = "System Shutdown." Text: "This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown = 00:00:53." The Message window at the bottom states: "Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly."

When I look at the eventvwr, there are typically (though not always) three events that happen under Applications:
1. Source = MsiInstaller, EventID = 10005; User = NT AUTHORITY\SYSTEM; Description: "Product Microsoft .NET Framework 1.1 - Internal Error 2705 Directory"

2. Source = MsiInstaller, EventID = 1023; User = NT AUTHORITY\SYSTEM; Description: "Product: Microsoft .NET Framework 1.1 - Update '{0213C6AF-5562-4D09-884C-2ADCFC8C2F35}' could not be installed. Error code 1603. Additional information is available in the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2656353-X86\NDP1.1sp1-KB2656353-X86-msi.0.log."

3. Source = NativeWrapper; Event ID = 5000; User = N/A; Description: "The description for Event ID ( 5000 ) in Source ( NativeWrapper ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: visualstudio7x80update, msiexec.exe, 1.0.1701.5039, kb2656353, 1033, 643, f, install, x86, 5.1.2600.2.3.0.256, 0."

Then the forced reboot.

I have tried many antivirus tools, including: Malwarebytes, Combofix, SuperAntispyware, and Emsisoft. Nothing. AND, when I tried to update .NET components from the Microsoft web site, the installs fail. I even tried to download the two .NET 1.1 KBs, and install them by hand, and that failed.

Users are pulling their hair out. Thanks in advance for your help!

###########################################
Here is the DDS.txt log:


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by itsadmin at 22:42:27 on 2012-04-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\SAAZOD\zRealTime\SAAZappr.exe
C:\PROGRA~1\SAAZOD\zRealTime\SAAZapsc.exe
C:\PROGRA~1\SAAZOD\SAAZDPMACTL.exe
C:\PROGRA~1\SAAZOD\SAAZRemoteSupport.exe
C:\PROGRA~1\SAAZOD\SAAZScheduler.exe
C:\PROGRA~1\SAAZOD\zRealTime\rtdrHlpDk.exe
C:\PROGRA~1\SAAZOD\zRealTime\rtHlpDk.exe
C:\PROGRA~1\SAAZOD\SAAZServerPlus.exe
C:\PROGRA~1\SAAZOD\SAAZWatchDog.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
C:\PROGRA~1\SAAZOD\RMHLPDSK.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Citrix\ICA Client\redirector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Citrix\ICA Client\Receiver\Receiver.exe
C:\Program Files\Citrix\SelfServicePlugin\SelfServicePlugin.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-uninstallation-feedback-app?lic=OEEtQUhDWjYtVDYwS1ctQkUyRlItUU1DTEYtUEhNTUU&inst=NzgtNjM1MjI4NTc&prod=51&ver=8.0.199
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CtxIEInterceptorBHO Class: {2c4631ff-5cc8-4ebc-a0df-34c92291759e} - c:\program files\citrix\ica client\IEInterceptor.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
uPolicies-explorer: NoHardwareTab = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189700866079
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1333323334140
DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} - hxxps://athenanet.athenahealth.com/static_20041001_abarbaro/iemenu.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {A8561647-E93C-11D3-AC3B-CE6078F7B616} - hxxps://login.pchinet.com/phsutils/lib/,DanaInfo=ppd.partners.org+vsprint7.cab
DPF: {B723F1B4-7132-45CA-A538-E90FBB690F3E} - hxxps://athenanet.athenahealth.com/static/AthenanetRegistry.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.111.201 68.87.71.230 68.87.71.226
TCP: Interfaces\{63CA2A14-8310-4089-A6AB-A68BDD111159} : DhcpNameServer = 192.168.111.201 68.87.71.230 68.87.71.226
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\citrix\icacli~1\RSHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 65.175.133.3 av.thenetworkmanagers.com
Hosts: 65.175.133.3 tnm-web
Hosts: 65.175.133.3 support
Hosts: 65.175.133.3 av
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 66776]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-12-20 21496]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-12-20 212568]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-11-22 47640]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-12-21 74104]
R4 SAAZappr;SAAZ RMM Agent Presence-PR;c:\progra~1\saazod\zrealtime\SAAZappr.exe [2011-7-15 82760]
R4 SAAZapsc;SAAZ RMM Agent Presence-SC;c:\progra~1\saazod\zrealtime\SAAZapsc.exe [2011-7-15 82760]
R4 SAAZDPMACTL;SAAZDPMACTL;c:\progra~1\saazod\SAAZDPMACTL.exe [2011-7-15 81920]
R4 SAAZRemoteSupport;SAAZRemoteSupport;c:\progra~1\saazod\SAAZRemoteSupport.exe [2011-7-15 73728]
R4 SAAZScheduler;SAAZScheduler;c:\progra~1\saazod\SAAZScheduler.exe [2011-7-15 77824]
R4 SAAZServerPlus;SAAZServerPlus;c:\progra~1\saazod\SAAZServerPlus.exe [2011-7-15 77824]
R4 SAAZWatchDog;SAAZWatchDog;c:\progra~1\saazod\SAAZWatchDog.exe [2011-7-15 81920]
R4 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\sbeagent\SBPIMSvc.exe [2011-10-12 181616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-8-30 101624]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253088]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 SBAMSvc;VIPRE Business;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2011-10-12 2804312]
.
=============== Created Last 30 ================
.
2012-04-02 00:03:01 -------- d-----w- c:\program files\common files\Citrix
2012-04-02 00:02:22 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 00:00:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-02 00:00:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-01 23:25:42 -------- d-----w- c:\documents and settings\itsadmin\local settings\application data\Identities
2012-04-01 23:25:36 -------- d-----w- c:\documents and settings\itsadmin\application data\Windows Desktop Search
2012-03-29 13:58:20 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2012-03-29 13:58:20 45568 ----a-w- c:\windows\system32\SET310.tmp
2012-03-29 13:58:19 245248 ----a-w- c:\windows\system32\SET30F.tmp
2012-03-29 13:52:12 -------- d-----w- c:\windows\system32\winrm
2012-03-29 13:52:03 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-03-29 13:48:28 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2012-03-29 13:45:01 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2012-03-29 13:43:03 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2012-03-29 13:41:49 -------- d-----w- c:\program files\Windows Desktop Search
2012-03-29 13:39:22 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2012-03-29 13:39:21 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2012-03-29 13:39:21 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2012-03-17 13:12:58 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-17 13:12:58 3072 ------w- c:\windows\system32\iacenc.dll
.
==================== Find3M ====================
.
2012-04-14 15:49:13 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
2012-02-08 12:18:21 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-02-08 12:18:20 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-02-08 12:18:20 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-02-08 12:18:20 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:43:07.17 ===============
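An added example (editor's code, not anything posted in the thread) that does the correlation a responder would want over the three Application-log entries quoted above. It assumes a simple pipe-separated export (Source|EventID|User|Description); the event text itself is transcribed from the post. Two standard facts it leans on: Windows Installer result 1603 means "Fatal error during installation", and on Windows XP the RPC service's failure-recovery action is to restart the computer after a delay, which is why an RPC crash surfaces as a shutdown initiated by NT AUTHORITY\SYSTEM with a countdown. The rule itself (a 1023 event carrying 1603, corroborated by a NativeWrapper 5000 payload naming the same KB, is a failed update install to be chased in the MSI log the event names, not a malware indicator on its own) is this script's, not Microsoft's.

```python
"""Correlate the three Application-log entries from the first post.

Added example, not code from the thread. The input layout
(Source|EventID|User|Description, one event per line) is an assumption
made for this script; the event text is transcribed from the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three entries quoted in the post, one per line.
SAMPLE_EVENTS = r"""
MsiInstaller|10005|NT AUTHORITY\SYSTEM|Product Microsoft .NET Framework 1.1 - Internal Error 2705 Directory
MsiInstaller|1023|NT AUTHORITY\SYSTEM|Product: Microsoft .NET Framework 1.1 - Update '{0213C6AF-5562-4D09-884C-2ADCFC8C2F35}' could not be installed. Error code 1603. Additional information is available in the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2656353-X86\NDP1.1sp1-KB2656353-X86-msi.0.log.
NativeWrapper|5000|N/A|visualstudio7x80update, msiexec.exe, 1.0.1701.5039, kb2656353, 1033, 643, f, install, x86, 5.1.2600.2.3.0.256, 0
"""


@dataclass
class Event:
    source: str
    event_id: int
    user: str
    description: str


def parse_events(text):
    """Parse the pipe-separated sample into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, event_id, user, description = line.split("|", 3)
        events.append(Event(source, int(event_id), user, description))
    return events


PRODUCT_RE = re.compile(r"Product:?\s+(.+?)\s+-\s")
INTERNAL_ERR_RE = re.compile(r"Internal Error (\d+)")
ERROR_CODE_RE = re.compile(r"Error code (\d+)")
LOG_PATH_RE = re.compile(r"log file (\S+?\.log)")
KB_RE = re.compile(r"KB(\d{6,7})", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Windows Installer result code carried by event 1023: "Fatal error during installation".
FATAL_INSTALL_ERROR = 1603


def triage(events):
    """Return the update-failure chain the events describe, if any.

    Rule (this script's own): an MsiInstaller 1023 event carrying 1603 is a
    failed update install. KB, update GUID and MSI log path are lifted from
    that event for follow-up; a NativeWrapper 5000 payload naming the same
    KB corroborates that both events belong to the same install attempt.
    """
    result = {
        "verdict": "no-msi-failure",
        "product": None,
        "kb": None,
        "update_guid": None,
        "error_code": None,
        "internal_errors": [],
        "msi_log": None,
        "corroborated_by_5000": False,
    }
    for e in events:
        if e.source != "MsiInstaller":
            continue
        if result["product"] is None and (m := PRODUCT_RE.search(e.description)):
            result["product"] = m.group(1)
        if e.event_id == 10005 and (m := INTERNAL_ERR_RE.search(e.description)):
            result["internal_errors"].append(int(m.group(1)))
        if e.event_id == 1023:
            if (m := ERROR_CODE_RE.search(e.description)):
                result["error_code"] = int(m.group(1))
            if (m := LOG_PATH_RE.search(e.description)):
                result["msi_log"] = m.group(1)
            if (m := KB_RE.search(e.description)):
                result["kb"] = m.group(1)
            if (m := GUID_RE.search(e.description)):
                result["update_guid"] = m.group(0)
            if result["error_code"] == FATAL_INSTALL_ERROR:
                result["verdict"] = "failed-update-install"
    # The 5000 payload is comma separated; a kbNNNNNNN token ties it to event 1023.
    if result["kb"]:
        for e in events:
            if e.source == "NativeWrapper" and e.event_id == 5000:
                tokens = {t.strip().lower() for t in e.description.split(",")}
                if f"kb{result['kb']}" in tokens:
                    result["corroborated_by_5000"] = True
    return result


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key:22} {value}")
```

The output names the product, the KB, the update GUID and the exact log file to open next; the MSI log, not a malware scanner, is where a 1603 gets explained.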


#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 19 April 2012 - 07:27 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Randy G. (Topic Starter)

Posted 19 April 2012 - 09:32 PM

I'm here and ready to go!

#4 Randy G. (Topic Starter)

Posted 20 April 2012 - 04:39 PM

Additional information: The message in the dialog box that is popping up can change. Today, several users got this message:
"Third Party critical application updates have been installed. Rebooting Computer." And then: "Shutdown initiated by NT Authority\SYSTEM."

#5 Randy G. (Topic Starter)

Posted 20 April 2012 - 05:03 PM

And another variant: "Windows cannot determine the user or computer name. (The RPC server is unavailable). Group Policy processing aborted."

#6 m0le (Malware Response Team)

Posted 20 April 2012 - 05:53 PM

Is it possible that these system problems are not related to malware?

What makes you think that there has been an attack on the network?

#7 Randy G. (Topic Starter)

Posted 20 April 2012 - 06:26 PM

I don't know if it's so much an attack on the network as it is a virus moving around between machines.

I believe this for several reasons:
1. I have never seen this behavior before in Win XP SP3 machines
2. It is happening to multiple people at the same time of day
3. It is now happening at more than one customer site
4. In scanning these systems with several tools, including Malwarebytes, Combofix and Emsisoft, Emsisoft returned the exact same Trojans almost repeatedly across most of the systems: Dropper, and another related one (I can't remember the name). I'm assuming there was one or more it couldn't find
5. If I rebuild a system (which I did) and put it back in the same environment, and keep the firewall up, and run WinPatrol, and run VIPRE, it does NOT exhibit this behavior.
6. Finally, there is a lot of chatter on the web about this situation being related to a virus or trojan or rootkit. Now, I know better than to believe the chatter, but the very fact that lots of other people are experiencing this, and cannot stop it, makes me think it's more than just coincidence that these machines happen to exhibit this behaviour simply from the Operating System.

#8 m0le (Malware Response Team)

Posted 20 April 2012 - 06:43 PM

I've not seen this sort of behaviour before in malware. Emsisoft is the only one to find any evidence of malware though, is that right?

Please run the following tools on one of the machines.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


And

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#9 Randy G. (Topic Starter)

Posted 20 April 2012 - 10:53 PM

OK, aswMBR and Farbar analyses as requested. As an aside, I ran the Dropper and ATRAPS infected files through Virus Total, and they all came back with 6 or 7 hits.

######################## aswMBR ####################################
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-20 23:29:15
-----------------------------
23:29:15.412 OS Version: Windows 5.1.2600 Service Pack 3
23:29:15.412 Number of processors: 1 586 0x304
23:29:15.412 ComputerName: DESK-4535 UserName: itsadmin
23:29:16.157 Initialize success
23:29:29.166 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
23:29:29.166 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
23:29:29.182 Disk 0 MBR read successfully
23:29:29.182 Disk 0 MBR scan
23:29:29.182 Disk 0 Windows XP default MBR code
23:29:29.182 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38138 MB offset 63
23:29:29.182 Disk 0 scanning sectors +78108030
23:29:29.288 Disk 0 scanning C:\WINDOWS\system32\drivers
23:29:44.137 Service scanning
23:30:06.311 Modules scanning
23:30:20.840 Disk 0 trace - called modules:
23:30:20.855 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
23:30:20.855 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bdaab8]
23:30:20.870 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89c05b00]
23:30:20.870 Scan finished successfully
23:30:32.892 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\itsadmin\Desktop\MBR.dat"
23:30:32.892 The log file has been saved successfully to "C:\Documents and Settings\itsadmin\Desktop\aswMBR.txt"


########################## FSS ################################
Farbar Service Scanner Version: 16-04-2012
Ran by itsadmin (administrator) on 20-04-2012 at 23:30:56
Running from "C:\Documents and Settings\itsadmin\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) SbTis(87) Tcpip(4)
0x0A00000005000000010000000200000003000000040000005600000007000000080000005700000006000000
IpSec Tag value is correct.

**** End of log ****
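An added example (editor's code, not from the thread or from the Farbar tool) that reads the FSS log above into something a responder can act on. FSS_SAMPLE is an excerpt of the log as posted; the line patterns are this script's own reading of the format, not a documented FSS schema. What is worth pulling out of this particular log: every service FSS checked has the expected start type, image path and DLL, and every file hash matched, but the sr driver is set to Disabled (default Boot) and the SystemRestore policy key carries DisableSR=1, so System Restore was switched off by policy. The log cannot say who set that (an administrator, the RMM agent, or malware); that is a question for the site admin, not something a parser can answer.

```python
"""Structured read of a Farbar Service Scanner (FSS) log.

Added example, not code from the thread. FSS_SAMPLE is an excerpt of the
log posted in reply #9. The regexes are this script's assumptions about
FSS's line formats, not taken from any FSS documentation.
"""
import re

FSS_SAMPLE = r"""
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.

sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".


System Restore Disabled Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=DWORD:1


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


File Check:
========
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
"""

NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\."
)
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_CHECK_RE = re.compile(r"^(\S.*?) => (.+)$")


def parse_fss(text):
    """Return stopped services, start-type mismatches, policy DWORDs and file checks."""
    report = {"stopped": [], "misconfigured": [], "policies": {}, "file_checks": {}}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := NOT_RUNNING_RE.match(line)):
            report["stopped"].append(m.group(1))
        elif (m := START_TYPE_RE.match(line)):
            report["misconfigured"].append((m.group(1), m.group(2), m.group(3)))
        elif (m := REG_KEY_RE.match(line)):
            current_key = m.group(1)
        elif (m := REG_VALUE_RE.match(line)) and current_key:
            report["policies"][m.group(1)] = (current_key, int(m.group(2)))
        elif (m := FILE_CHECK_RE.match(line)):
            report["file_checks"][m.group(1)] = (m.group(2) == "MD5 is legit")
    return report


def findings(report):
    """Turn the parsed report into short triage lines, most significant first."""
    out = []
    for svc, actual, default in report["misconfigured"]:
        out.append(f"service {svc}: start type {actual}, default {default}")
    for name, (key, value) in report["policies"].items():
        if name.startswith("Disable") and value:
            out.append(f"policy {name}={value} under {key}")
    for path, ok in report["file_checks"].items():
        if not ok:
            out.append(f"file check failed: {path}")
    flagged = {m[0] for m in report["misconfigured"]}
    quiet = [s for s in report["stopped"] if s not in flagged]
    if quiet:
        out.append("stopped but configured as expected: " + ", ".join(quiet))
    return out


if __name__ == "__main__":
    for line in findings(parse_fss(FSS_SAMPLE)):
        print(line)
```

A stopped service whose configuration checks out (Srservice, wscsvc here) is low signal on its own; the start-type mismatch and the DisableSR policy are the two lines that need an owner.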

#10 m0le (Malware Response Team)

Posted 21 April 2012 - 05:03 PM

There's no malware showing on these two logs. Please scan with ESET's online scanner and see if anything shows up.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.

#11 Randy G. (Topic Starter)

Posted 23 April 2012 - 08:41 AM

ESET found one thing:

**** log from ESET Online Scan *****
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=8ded048e164bcd4495144cd8b21050bf
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-22 07:38:43
# local_time=2012-04-22 03:38:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72699
# found=1
# cleaned=1
# scan_time=10154
C:\Program Files\SAAZOD\TempFiles\_ir_sf7_temp_0\zServiceImagePath.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=8ded048e164bcd4495144cd8b21050bf
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-23 05:32:37
# local_time=2012-04-23 01:32:37 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=73762
# found=0
# cleaned=0
# scan_time=3819

***************************************************

#12 m0le (Malware Response Team)

Posted 23 April 2012 - 06:14 PM

Even that result is in the balance, calling it Probably and detecting through heuristic means.

I'm not seeing any problems at this stage. I'm assuming that the symptoms remain at this point?

#13 Randy G. (Topic Starter)

Posted 23 April 2012 - 09:12 PM

The problem has been solved! Tricky, because similar experiences at several sites were occurring.

It turns out that the systems were forcing a shutdown because they could not install two security updates for .NET 1.1 SP1. I couldn't install the two updates by hand either. Bizarre that it would bring down the systems, but there it was.

I reinstalled .NET 1.1 SP1, and then installed the two security updates, and we have a solution.

Thank you so much for working with me, and pushing me to look at a problem other than a nasty virus.

This issue can be closed...
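An added example (editor's code, not from the thread) of the log check that would have pointed at the root cause before any malware scan: event 1023 in the first post names a verbose MSI log under C:\WINDOWS\TEMP, and in such a log the first "Return value 3" marks the action that failed, with the lines just above it giving the reason. The thread never posts that file, so MSI_SAMPLE is constructed in the usual msiexec verbose format and reproduces only the two codes the events do show: internal error 2705 on the Directory table and the final 1603. The text for those codes comes from the Windows Installer error table. That a damaged cached .NET 1.1 package would explain why reinstalling .NET 1.1 SP1 and then reapplying the two updates worked is a plausible reading, not something the thread confirms.

```python
"""Locate the failing action in a verbose Windows Installer (MSI) log.

Added example, not code from the thread. MSI_SAMPLE is constructed (the
real log named in event 1023 was never posted); it follows the standard
msiexec verbose layout and reproduces only the codes the events show.
"""
import re

MSI_SAMPLE = r"""
MSI (s) (A0:B4) [22:40:01:000]: Doing action: CostInitialize
Action start 22:40:01: CostInitialize.
Action ended 22:40:01: CostInitialize. Return value 1.
MSI (s) (A0:B4) [22:40:01:015]: Doing action: FileCost
Action start 22:40:01: FileCost.
Action ended 22:40:01: FileCost. Return value 1.
MSI (s) (A0:B4) [22:40:01:031]: Doing action: CostFinalize
Action start 22:40:01: CostFinalize.
MSI (s) (A0:B4) [22:40:01:046]: Note: 1: 2705 2: Directory
Internal Error 2705. Directory
Action ended 22:40:01: CostFinalize. Return value 3.
Action ended 22:40:02: INSTALL. Return value 3.
MSI (s) (A0:B4) [22:40:02:062]: Product: Microsoft .NET Framework 1.1 -- Installation failed.
MSI (s) (A0:B4) [22:40:02:062]: MainEngineThread is returning 1603
"""

ACTION_END_RE = re.compile(r"^Action ended (\d\d:\d\d:\d\d): (\S+?)\. Return value (\d)\.$")
NOTE_RE = re.compile(r"Note: 1: (\d+)(?: 2: (\S+))?")
INTERNAL_RE = re.compile(r"^Internal Error (\d+)\.?\s*(.*)$")
ENGINE_RE = re.compile(r"MainEngineThread is returning (\d+)")

# Windows Installer action return values.
RETURN_VALUES = {0: "function not called", 1: "success", 2: "user cancelled", 3: "fatal error"}
# The two codes the thread's events show, with their Installer error-table text.
ERROR_TEXT = {
    1603: "Fatal error during installation",
    2705: "Invalid table: Directory; could not be linked as tree",
}


def analyze_msi_log(text):
    """Return the first action that ended with return value 3 and its cause."""
    result = {"failing_action": None, "failed_at": None, "cause": None,
              "final_code": None, "actions": []}
    context = []  # error codes seen since the last "Action start"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Action start "):
            context = []
        if (m := NOTE_RE.search(line)):
            context.append((int(m.group(1)), m.group(2) or ""))
        if (m := INTERNAL_RE.match(line)):
            context.append((int(m.group(1)), m.group(2)))
        if (m := ACTION_END_RE.match(line)):
            when, action, rv = m.group(1), m.group(2), int(m.group(3))
            result["actions"].append((action, rv))
            if rv == 3 and result["failing_action"] is None:
                result["failing_action"] = action
                result["failed_at"] = when
                if context:
                    code, arg = context[-1]
                    result["cause"] = {"code": code, "argument": arg,
                                       "text": ERROR_TEXT.get(code, "unknown")}
        if (m := ENGINE_RE.search(line)):
            result["final_code"] = int(m.group(1))
    return result


def describe(result):
    """One-line summary suitable for a ticket."""
    if result["failing_action"] is None:
        return "no failing action found"
    s = f"{result['failing_action']} ended with return value 3 ({RETURN_VALUES[3]}) at {result['failed_at']}"
    if result["cause"]:
        c = result["cause"]
        s += f", cause {c['code']} {c['argument']} ({c['text']})"
    if result["final_code"] is not None:
        s += f"; installer returned {result['final_code']} ({ERROR_TEXT.get(result['final_code'], 'unknown')})"
    return s


if __name__ == "__main__":
    print(describe(analyze_msi_log(MSI_SAMPLE)))
```

Note that the later "INSTALL. Return value 3." is only the top-level action reporting the failure upward; the first return value 3 (CostFinalize here) is the one that carries the diagnostic.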

#14 m0le (Malware Response Team)

Posted 24 April 2012 - 06:24 PM

Glad I could help (indirectly). :thumbup2:

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.