Mintsauceuk
IS-IT--Management
Hi There,
I hope somebody could put a second set of eyes over this. I've taken on a new client, and a site visit resulted in me finding a very out-of-date Symantec installation and lots of problems; about 10/20 machines had Win32/Tanatos.M and Win32/Heur.
Using a combination of ComboFix and the AVG removal tool I've managed to clean the machines and install a new copy of AVG Network Edition.
But the virus is still running on the SBS box; I have spent hours looking at it! Obviously restoring a backup isn't an option, and rebuilding the whole domain isn't high on my wish list!
I have used Spybot, Malwarebytes etc. on the server to try and clear it, but with no luck. ComboFix doesn't work on Server 2003, but it seemed to do the trick of getting it out of memory on the workstations so the AVG clean tool could do its job.
The AVG tool says the virus is in memory and it will scan after reboot, but it doesn't seem to scan; it just says "scan complete" and you press any key to load Windows.
My only hope, I feel, is to find how it's loading manually, disable it, then run the scan, or find the process. This virus is either very clever or I'm being very thick!
Current HijackThis log:
I've seen the disable-regedit key; the virus redoes this every time I fix it.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\Plugins\clamav\clamd.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\SpamAssassin\SGSpamD.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nxax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\gocc.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wodal.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wincuprcx.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\mohgvt.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nvgpm.exe
C:\Documents and Settings\Administrator\Desktop\CleanupTools\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\besadmin\LOCALS~1\Temp\uwsd.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ynakkb.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
Dan Cunliffe, General MCSE Jack of all trades!
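A triage script for the loading question in the post above, as an added example that is not part of the original post and not from any tool named in it. It enumerates the places Server 2003 starts programs from (processes, services, scheduled tasks, the machine-wide Run and Winlogon keys, and the Run and Policies keys of every loaded user hive), kills the Temp-resident processes, and only then removes the DisableRegistryTools value, since a surviving loader is what keeps re-creating it. The only thing it takes from the log above is the Temp-path pattern and the besadmin account name; the script name is made up, and it assumes the standard Server 2003 command-line tools (wmic, reg, schtasks, findstr) are present.

```batch
@echo off
rem triage.cmd (name made up) - added example, not part of the original post.
rem Run from an Administrator cmd prompt on the Server 2003 box.
rem The "\Temp\" pattern comes from the HijackThis log above, where every
rem unknown process lives under C:\DOCUME~1\besadmin\LOCALS~1\Temp.
setlocal

echo === 1. Processes whose image lives under a Temp folder, with parent PID ===
rem ParentProcessId shows what spawned them: a service, Explorer, or one of
rem the Temp executables respawning the others.
wmic process where "ExecutablePath like '%%\\Temp\\%%'" get ProcessId,ParentProcessId,ExecutablePath,CommandLine

echo === 2. Services and scheduled tasks that point into a Temp folder ===
wmic service where "PathName like '%%\\Temp\\%%'" get Name,StartMode,State,PathName
schtasks /query /fo list /v | findstr /i /c:"TaskName" /c:"Task To Run"

echo === 3. Autostart registry locations ===
rem Machine-wide keys first.
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
) do (
  echo --- %%~K
  reg query %%K
)
rem HKCU in this prompt is the Administrator's hive. The Temp processes run
rem as besadmin, so its per-user keys are under HKU\<besadmin SID>. Walk every
rem loaded domain/local user hive (SIDs starting S-1-5-21-) instead of HKCU.
for /f "tokens=*" %%S in ('reg query HKU ^| findstr /r "S-1-5-21-[0-9-]*$"') do (
  echo --- %%S
  reg query "%%S\Software\Microsoft\Windows\CurrentVersion\Run"
  reg query "%%S\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  reg query "%%S\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools
)
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools

echo === 4. Kill the Temp-resident processes, then clear the regedit lock ===
rem Order matters: a single surviving Temp process re-creates
rem DisableRegistryTools, which is the symptom described in the post.
wmic /interactive:off process where "ExecutablePath like '%%\\Temp\\%%'" call terminate
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f
for /f "tokens=*" %%S in ('reg query HKU ^| findstr /r "S-1-5-21-[0-9-]*$"') do (
  reg delete "%%S\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f
)

echo === 5. Re-check after a minute: anything back in Temp means a loader is still live ===
ping -n 61 127.0.0.1 >nul
wmic process where "ExecutablePath like '%%\\Temp\\%%'" get ProcessId,ParentProcessId,ExecutablePath
endlocal
```

If step 3 shows nothing under any loaded hive, besadmin's profile may simply not be loaded at that moment; `reg load HKU\bes "C:\Documents and Settings\besadmin\ntuser.dat"` (assuming the default profile location) lets you query and clean `HKU\bes\Software\Microsoft\Windows\CurrentVersion\Run` the same way, followed by `reg unload HKU\bes`. Whatever the parent PIDs in step 1 turn out to be is the real answer to "how is it loading": a service or BES component as the parent points at a service-side persistence, Explorer as the parent points at a per-user Run key or startup item. Because the droppers ran as besadmin on a domain controller, treat that account's password as compromised and reset it once the box is clean, and bear in mind that a process list from inside the machine cannot show a kernel-mode rootkit, so an offline scan of the disk is still worth doing once you can get the server down.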