
Virus on 2003 SBS. Tanatos.m ..Wood for the trees!


Mintsauceuk

IS-IT--Management
Jun 30, 2008
Hi There,

I hope somebody could put a second set of eyes over this. Taken on a new client; a site visit resulted in me finding a very out-of-date Symantec installation and lots of problems: about 10 / 20 machines had win32/tanatos.m and win32/heur.

Using a combination of ComboFix and the AVG removal tool I've managed to clean the machines and install a new copy of AVG Network Edition.

But the virus is still running on the SBS box; I have spent hours looking at it! Obviously restoring a backup isn't an option, and rebuilding the whole domain isn't high on my wish list!

I have used Spybot, Malwarebytes etc. on the server to try and clear it but with no luck. ComboFix doesn't work on Server 2003 but seemed to do the trick of getting it out of memory on the workstations so the AVG clean tool can do its job.

The AVG tool says the virus is in memory and it will scan after reboot, but it doesn't seem to scan and just says "scan complete" and you press any key to load Windows.

My only hope, I feel, is to find how it's loading manually, disable it, then run the scan, or find the process. This virus is either very clever or I'm being very thick!

Current HijackThis log.

I've seen the disable regedit key; the virus redoes this every time I fix it.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\Plugins\clamav\clamd.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\SpamAssassin\SGSpamD.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nxax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\gocc.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wodal.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wincuprcx.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\mohgvt.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nvgpm.exe
C:\Documents and Settings\Administrator\Desktop\CleanupTools\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\besadmin\LOCALS~1\Temp\uwsd.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ynakkb.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bgss-fs1:8080
O4 - HKLM\..\Run: [Avg8AdminServerMonitor] "C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\Software\..\Telephony: DomainName = BGSS.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E6AF44-9279-421C-B4F3-BD4169EB618B}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Advantage Database Server (Advantage) - Extended Systems, Inc. - C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: AVG8 Admin Server (AVG8AdminServer) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: SecurityGateway - Alt-N Technologies, Ltd. - C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe


Dan Cunliffe, General MCSE Jack of all trades!
 
These have to go:

C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nxax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\gocc.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wodal.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wincuprcx.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\mohgvt.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nvgpm.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\uwsd.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ynakkb.exe

anything running from the TEMP folder is a NO GO...


Fix this, as it is a shame that an admin cannot edit the REGISTRY:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

then run HJT again with the LOG option and repaste...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Thanks for the response!

If I end the random EXEs and delete them, they are recreated after a few minutes.

Same with the Regedit registry key. :-(

The damn bugger changes a few other things in the registry too, including hidden files and access to Task Manager!




Dan Cunliffe, General MCSE Jack of all trades!
 
Here it is with those out; the virus is still in memory somewhere though!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:01:00, on 16/02/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\Plugins\clamav\clamd.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\SpamAssassin\SGSpamD.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\Administrator\Desktop\CleanupTools\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bgss-fs1:8080
O4 - HKLM\..\Run: [Avg8AdminServerMonitor] "C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2109627142-2701635856-3367251959-1128\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SBS Backup User')
O4 - HKUS\S-1-5-21-2109627142-2701635856-3367251959-1128\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SBS Backup User')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone: *.trendmicro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\Software\..\Telephony: DomainName = BGSS.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E6AF44-9279-421C-B4F3-BD4169EB618B}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Advantage Database Server (Advantage) - Extended Systems, Inc. - C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: AVG8 Admin Server (AVG8AdminServer) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: SecurityGateway - Alt-N Technologies, Ltd. - C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

--
End of file - 8523 bytes


Dan Cunliffe, General MCSE Jack of all trades!
 
Download MalwareBytes AntiMalware:
rename it to TOOL.exe before you save it, then install it and run it using Quick Scan (first) then Full Scan; it will take some time. Delete all that it finds... reboot if necessary...

download Super AntiSpyware:
run it after MBAM...

DL GMER:
run it and post log...

HJT LOG is clean, this bugger hides pretty well...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Thanks for your help Ben,

I've already run those two tools (after renaming the exe); they just find the registry changes, fix them, then obviously they're back on the next scan.

Tried Spybot S&D too.

Here's the log from the last program you suggested:

GMER 1.0.14.14536 - Rootkit scan 2009-02-16 23:41:11
Windows 5.2.3790 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B9E3116D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B9E30FC2

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\glnmkn.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text E:\Program Files\Exchsrvr\bin\store.exe[5216] kernel32.dll!TerminateProcess 77E42004 5 Bytes JMP 005FDA2F E:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text E:\Program Files\Exchsrvr\bin\store.exe[5216] kernel32.dll!ExitProcess 77E668F1 5 Bytes JMP 005FDA00 E:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 00B15415 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 00CAC3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 00CAC510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 00CAC413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 00CAC4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 00CAC54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 00CAC491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 00CAC44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT E:\Program Files\Exchsrvr\bin\exmgmt.exe[1172] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\exmgmt.exe[1172] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\mad.exe[4236] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\mad.exe[4236] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\store.exe[5216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\store.exe[5216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\emsmta.exe[5288] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT E:\Program Files\Exchsrvr\bin\emsmta.exe[5288] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[6380] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[6380] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** ) [AUTO] SBCore <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Type 16
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ErrorControl 3
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ImagePath %SystemRoot%\System32\sbscrexe.exe
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@DisplayName SBCore Service
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore@Description Provides core server services.
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security
Reg HKLM\SYSTEM\ControlSet003\Services\SBCore\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 24098
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\karna.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.14 ----


Dan Cunliffe, General MCSE Jack of all trades!
 
Follow Ben's advice, after which I would try running each or all of the following, if they work with SBS:




...many times the "home" security software does not like it when an "enterprise" OS tries to run it...all you can do is try.

I'll bet that this nasty bugger came in on/through a BlackBerry. Why do I think this? Because I recently had to install BES, BlackBerry Enterprise Server, which grated against every molecule of my soul security-wise. Why???

You see, to install BES, you need to give it its own user account & password, and this account MUST have full Administrative privileges. On my server. Even my account does not have full admin privileges, yet I was required to give them to the BES account, which I really don't fully control. I don't like that, and I think it's a major flaw in the application.

Best of luck killing that bug.


Tony

Users helping Users...
 
Cheers Tony,

I know, I've been on all the RIM courses and I raised the same issues; I must have installed BES 50 times though and never had a problem.

No luck with the online scans I'm afraid :-( If I install the actual AVG client on the server it just goes mental!

Dan Cunliffe, General MCSE Jack of all trades!
 
Have you run the above tools from Safe Mode?


James P. Cottingham
[sup]I'm number 1,229![/sup]
 
Hi James,

This virus seems to prevent booting in Safe Mode; it causes a blue screen of death on every machine I've tried.

Dan Cunliffe, General MCSE Jack of all trades!
 
At this point it looks like you have to go to bootable CDs like Bart PE, Helix, or Dr. Web LiveCD or a combination.

Helix is great for forensics but light on AV or antispyware (AS). Dr. Web has some great AV and AS tools. Bart PE is good in that you can add the tools you need.

Good luck.


James P. Cottingham
[sup]I'm number 1,229![/sup]
 
Well, the GMER log doesn't reveal much there... unfortunately...

so best bet is the Dr. Web suggestion, as it is a Linux distro with full access to NTFS, and works like a charm... though be ready for a long down time...

some ROOTKIT detectors that may be of value in this situation:

RootkitRevealer 1.71

F-Secure Blacklight (scroll down to download the app or use the online scanner which has it included)...

IceSword 1.22 English Version

RKDetector v2.0 - Security Analyzer & Rootkit Removal

Rootkit Buster



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Cheers for the tips, I think I have found it....

C:\WINDOWS\system32\drivers\glnmkn.sys

This is being hidden by a rootkit and I've still not managed to stop the bugger loading!

Tried UnHackMe, Sophos and McAfee up to now.

Unfortunately I'm having to do this remotely; I had a few hours at site today but it was one thing after another!

Dan Cunliffe, General MCSE Jack of all trades!
 
Just for anyone reading this thread: after about 12 hours I have managed to clean it, after discovering this virus has more than one name.

1) use msconfig to do a diagnostic startup

2) run
3) then reboot

4) run sality_off again and make sure it doesn't find anything.

5) run the avg removal tool from here


That should now run without a problem and clean all files.

6) enable all services

7) UPDATE YOUR AV!!! LOL :-D

Dan Cunliffe, General MCSE Jack of all trades!
 