
Some help with w32.rontokbro@mm please... 1


petrosky

Technical User
Aug 1, 2001
512
AU
Hi,

We are running Symantec Corporate 8.0 anti virus.

I have a workstation (Windows 2K server) infected with this virus. To be fair to Symantec the machine was infected before I loaded A/V onto it (it came from outside our company.)

Booting to safe mode and running a full scan detects the virus but I get the "Left Alone succeeded" message.

The virus reboots the computer when I attempt a manual fix, i.e. regedit.

The HOSTS file has been overwritten.

Short of a format, does anyone have any idea what I can do?

I should mention that it masquerades as important Windows services like winlogon & lsass which is why I can't stop the malignant processes to delete the files manually.

TIA for any ideas or help.

Peter.


Remember- It's nice to be important,
but it's important to be nice :)
 
where does it say the virus is located? Do this!


Download HijackThis from the link below. Please do this. Click here:


to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.




Download the Hoster from: UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.




Download DelDomains.inf from here:


Rightclick DelDomains.inf and choose install.





* Download the trial version of Ewido Security Suite here



* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


*Download Cleanup from Here




* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET



* Click here for info on how to boot to safe mode if you don't already know
how.




* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:




* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop


* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.




reboot to normal mode and run a few online scans!



Run an online antivirus check from


choose extended database for the scan!



Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido and active scan logs
 
Hi pechenegs,

Many thanks for your prompt and thorough reply.

I have solved this problem (at least for now.)

I managed to join a spare machine I had here to the infected comp's workgroup and then connected to the registry remotely.
Never done that before!
Hence I stopped the virus from running at boot, and also removed the restriction on REGEDIT and the command prompt.

Norton's real-time scan very quickly quarantined the offending exes, which were located in %UserProfile%\Local Settings\Application Data

They were named winlogon.exe, lsass.exe & services.exe.

I will still follow your step-by-step guide in a couple of hours when the computer stops making the company money!

A star for you & thanks.

Peter

Remember- It's nice to be important,
but it's important to be nice :)
 
you're welcome!

you would be advised to post a HijackThis log, as these things can install themselves as a service. This shows up in a HijackThis log as O23 entries; you would need to stop them in Services if you have XP or W2k and then use HijackThis to remove them!
 
Hi again,

As advised...here is the latest hijack this log. The machine has been rebooted this morning.

Logfile of HijackThis v1.99.1
Scan saved at 9:44:38 AM, on 2/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\F-DIA\FDIAChanger.exe
C:\ceon\DCM.exe
C:\FE\FEOUT\FE_OUT.exe
C:\FE\Server\FDIAServerStatus.exe
C:\WINNT\system32\wuauclt.exe
C:\f-dia\CnvServer1\FDiaConvServer.exe
C:\WINNT\System32\svchost.exe
C:\f-dia\DelServer\FDiaDelServer.exe
C:\fe\Multi\MultiReg.exe
C:\FE\Product\PRODUCT_LOG.exe
C:\Variety\Variety_Laun.exe
C:\Fe\Fein\FrontEnd.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINNT\eksplorasi.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: FUJIFILM DIGITAL IMAGING.lnk = C:\F-DIA\FDIAChanger.exe
O4 - Startup: Shortcut to DCM.lnk = C:\ceon\DCM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Drag-to-Disc.lnk = C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{33EACA5B-92C4-4FE8-85AC-2DC3DCFD75C7}: NameServer = 202.92.65.254,202.92.65.252
O17 - HKLM\System\CS1\Services\Tcpip\..\{33EACA5B-92C4-4FE8-85AC-2DC3DCFD75C7}: NameServer = 202.92.65.254,202.92.65.252
O17 - HKLM\System\CS2\Services\Tcpip\..\{33EACA5B-92C4-4FE8-85AC-2DC3DCFD75C7}: NameServer = 202.92.65.254,202.92.65.252
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

I have also been to and analysed it there.

I have fixed the F2 entry relating to eksplorasi.exe as this was introduced with the virus.

Thanks again,

Peter.

Remember- It's nice to be important,
but it's important to be nice :)
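The two tells that settled this thread are the F2 Shell= hook and system-binary names (winlogon.exe, lsass.exe, services.exe) running from a user profile instead of %SystemRoot%\system32. As an added example that is not part of the thread, the checker below applies those checks, plus pechenegs' O23 service review, to a HijackThis-style log; the sample log is constructed from lines above plus one invented pre-cleanup process line (the user name is a placeholder).

```python
import re

# Names the worm in this thread borrowed; genuine copies live under %SystemRoot%\system32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

# Constructed sample: lines from the log above plus one process line modelled on the
# pre-cleanup state Peter describes (worm copy in the user profile). Not a real capture.
SAMPLE_LOG = """Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\winlogon.exe
C:\\Documents and Settings\\user\\Local Settings\\Application Data\\winlogon.exe
C:\\WINNT\\Explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe "C:\\WINNT\\eksplorasi.exe"
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\DefWatch.exe
"""

def parse_hjt(log):
    """Split a HijackThis log into the process list and the typed entries (F2, O4, O23, ...)."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
        elif re.match(r"^[FNOR]\d+ - ", line):  # HijackThis entry types: F0-F3, N1-N4, O1-O24, R0-R3
            in_procs = False
            entries.append(line)
        elif in_procs:
            procs.append(line)
    return procs, entries

def flag_masquerading(procs, system_root="C:\\WINNT"):
    """A system-binary name running from anywhere but %SystemRoot%\\system32 is suspicious."""
    allowed = (system_root + "\\system32\\").lower()
    return [p for p in procs
            if p.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES
            and not p.lower().startswith(allowed)]

def flag_shell_hijack(entries):
    """F2 Shell= should name Explorer.exe alone; anything appended runs at every logon."""
    pat = re.compile(r"F2 - REG:system\.ini: Shell=(.*)", re.IGNORECASE)
    return [e for e in entries
            if (m := pat.match(e)) and m.group(1).strip().strip('"').lower() != "explorer.exe"]

def list_services(entries):
    """O23 entries: the services pechenegs says to review, since the worm can persist there."""
    return [e for e in entries if e.startswith("O23 - ")]
```

On a real log, treat a masquerading hit as a quarantine candidate for the AV rather than something to delete by hand while the process is still running, which is exactly the lock-out Peter hit.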
 
do you know what all these entries are?


C:\F-DIA\FDIAChanger.exe
C:\ceon\DCM.exe
C:\FE\FEOUT\FE_OUT.exe
C:\FE\Server\FDIAServerStatus.exe
C:\f-dia\CnvServer1\FDiaConvServer.exe
C:\f-dia\DelServer\FDiaDelServer.exe
C:\fe\Multi\MultiReg.exe
C:\FE\Product\PRODUCT_LOG.exe
C:\Variety\Variety_Laun.exe
C:\Fe\Fein\FrontEnd.exe



Download the pocket killbox



F2 - REG:system.ini: Shell=Explorer.exe "C:\WINNT\eksplorasi.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm



Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.



C:\WINNT\eksplorasi.exe
 