Dear All,
I have been facing these problems for the past 2 weeks, and this malware is simply getting on my nerves and affecting server uptime. As per the instructions for posting, here is the complete information.
System Information:
Windows Server 2003 R2, Standard x64 Edition, Service Pack 1.
Intel Xeon CPU 2.0Ghz, 7.99GB RAM.
Malware problems:
It keeps disabling the firewall and ICS service, adding new user accounts, downloading files and creating backdoors on the server. Symantec keeps detecting and quarantining between 5 - 20 files each day. I have tried doing a scan using Symantec AV and Spybot Search & Destroy and also Malwarebytes Anti-Malware.
Here are the log files for MBAM, Panda Active Scan and HijackThis Scan. Hope someone could help me out.
Malwarebytes' Anti-Malware 1.28
Database version: 1170
Windows 5.2.3790 Service Pack 1
9/19/2008 2:12:54 PM
mbam-log-2008-09-19 (14-12-54).txt
Scan type: Full Scan (C:\|)
Objects scanned: 90198
Time elapsed: 13 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mininyust (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Not selected for removal.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\inf\svchoct.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inf\xccefb080830.scr (Trojan.Agent) -> Quarantined and deleted successfully.
Panda Active Scan:
;*******************************************************************************
ANALYSIS: 2008-09-16 01:54:58
PROTECTIONS: 0
MALWARE: 10
SUSPECTS: 3
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00041904 adware/sidesearch Adware No 0 Yes No hkey_local_machine\software\classes\sep.av.scandlgs
00041904 adware/sidesearch Adware No 0 Yes No hkey_classes_root\sep.av.scandlgs
00118172 adware/startpage.ld Adware No 0 Yes No hkey_local_machine\system\currentcontrolset\services\pnpsvc
00136123 Application/FireDaemon.C HackTools No 0 Yes No C:\WINDOWS\system32\perftmp\firedaemon.exe
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\SDFix.exe][SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Administrator\Desktop\malware-fix\SDFix.exe[C:\Documents and Settings\Administrator\Desktop\malware-fix\SDFix.exe][SDFix\apps\Process.exe]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\system32\str236436\4.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes C:\WINDOWS\SysWOW64\State\smss.exe
03649403 Adware/AccesMembre Adware No 0 Yes No C:\WINDOWS\SysWOW64\Andy\smss.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
Yes C:\Documents and Settings\json\Local Settings\Temporary Internet Files\Content.IE5\GDIFKZWJ\update[1].exe
Yes C:\WINDOWS\system\xccef080830.exe
Yes C:\WINDOWS\SysWOW64\inf\xccefb080830.scr
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:56 PM, on 9/19/2008
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\Registry Mechanic\RegMech.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\vbexpress.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe
C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\VWDExpress.exe
C:\Program Files (x86)\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_080830a.dll xccd16
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://episteme.arstechnica.com
O15 - ESC Trusted Zone: http://*.askbobrankin.com
O15 - ESC Trusted Zone: http://*.asp.net
O15 - ESC Trusted Zone: http://www.atribune.org
O15 - ESC Trusted Zone: http://forum.aumha.org
O15 - ESC Trusted Zone: http://www.codeplex.com
O15 - ESC Trusted Zone: http://www.google.com.my
O15 - ESC Trusted Zone: http://www.delphifaq.com
O15 - ESC Trusted Zone: http://bwp.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://*.download.com
O15 - ESC Trusted Zone: http://www.eggheadcafe.com
O15 - ESC Trusted Zone: http://bulk.forest-interactive.com
O15 - ESC Trusted Zone: http://www.fotovallescrivia.it
O15 - ESC Trusted Zone: http://www.howtonetworking.com
O15 - ESC Trusted Zone: http://www.itnewsgroups.net
O15 - ESC Trusted Zone: http://sms.langkah.com
O15 - ESC Trusted Zone: http://www.mydigitallife.info
O15 - ESC Trusted Zone: http://www.neuber.com
O15 - ESC Trusted Zone: http://www.pandasecurity.com
O15 - ESC Trusted Zone: http://downloads.paretologic.com
O15 - ESC Trusted Zone: http://www.pctools.com
O15 - ESC Trusted Zone: http://www.safer-networking.org
O15 - ESC Trusted Zone: http://www.simplytech.it
O15 - ESC Trusted Zone: http://www.smallbizserver.net
O15 - ESC Trusted Zone: http://*.smallvoid.com
O15 - ESC Trusted Zone: http://forums.spybot.info
O15 - ESC Trusted Zone: http://www.spybotupdates.com
O15 - ESC Trusted Zone: http://www.spywareinfoforum.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://www.tech-archive.net
O15 - ESC Trusted Zone: http://forums.techguy.org
O15 - ESC Trusted Zone: http://www.theeldergeek.com
O15 - ESC Trusted Zone: http://support.theplanet.com
O15 - ESC Trusted Zone: http://hjt-data.trend-braintree.com
O15 - ESC Trusted Zone: http://www.trendsecure.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.ylcomputing.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA64DDC-75D8-48B6-A9B1-B8FD1128909E}: NameServer = 203.223.128.151
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: DNS Server (DNS) - Unknown owner - C:\WINDOWS\System32\dns.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: FTP Publishing Service (MSFtpsvc) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Message Queuing (MSMQ) - Unknown owner - C:\WINDOWS\system32\mqsvc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Access Quarantine Agent (rqs) - Unknown owner - C:\WINDOWS\system32\rqs.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Internet Name Service (WINS) (WINS) - Unknown owner - C:\WINDOWS\System32\wins.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
--
End of file - 7615 bytes
#1
Posted 19 September 2008 - 06:33 AM
#2
Posted 19 September 2008 - 07:56 AM
Hi Johan, and welcome to Malwarebytes.
Well, let me just caution you. As I've been a Network Administrator for Windows networks now for many years, I'm assuming that if it's 64-bit Windows Server 2003, this is a business.
1. I'm curious how a server got infected in the first place, since normally one would not be surfing or reading mail from a server unless maybe it was a Terminal Server, and then, if it was in Native Mode, a normal user wouldn't have access to modify common locations.
2. Being a Server, at this point even if we do clean it up it will always be under suspicion that maybe something is still on the box and now serves hundreds or thousands of users with a potentially hidden infection.
So, before I start working on this with you I would still recommend doing a System Restore from backup if at all possible. Let me know if you want to continue and attempt cleaning the system so that neither one of us wastes time on this.
Thanks.
#3
Posted 24 September 2008 - 08:33 PM
Topic closed due to no response in over 5 days.