MS and other sites inaccessible

Dell / DL360
January 26, 2009 at 22:54:09
Specs: Windows 2k Server, 512k RAM
My Exchange server has been timing out when receiving mail from certain domains. Upon further inspection, the same server is unable to access Microsoft sites, MSN, and numerous other sites. I cannot access the web sites of the domains that are unable to send us e-mail.

I have run Malwarebytes Anti-Malware (another inaccessible site) and Norton. Norton found Netsky and Sober.X, both of which were removed. Anti-Malware found numerous malware programs and removed them.

I have since run both several times and the server still does not function properly.

I have installed HijackThis and am prepared to post logs if necessary.

I also checked the hosts file and it only has the 127.0.0.1 address.

Any info on what virus or malware could be causing this would be greatly appreciated. We are missing a lot of e-mail as a result of this.

Thanks!


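The hosts-file check described in the post above, written out as a small audit script. This is an added example, not code from the thread; on a Windows 2000 server the file lives at C:\WINNT\system32\drivers\etc\hosts, and the sample content embedded below is constructed to show what a tampered file looks like, not the contents of the poster's server.

```python
from __future__ import annotations

# Addresses that make a name unreachable when placed in the hosts file.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback in a stock Windows hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample. A stock Windows 2000 hosts file carries only the localhost line,
# which is what the original poster reports finding; the three extra entries are made up
# to show the two ways a tampered file interferes with name resolution.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.malwarebytes.org
10.0.0.5        www.google.com
"""


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to resolve
        ip, *names = fields
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def audit_hosts(text: str) -> list[tuple[str, str, str]]:
    """Flag every mapping that is not the stock loopback entry.

    Returns (hostname, ip, verdict) where verdict is
      'blocked'    - name sent to loopback/0.0.0.0, so the site becomes unreachable
      'redirected' - name pinned to some other address, bypassing DNS entirely
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            if name not in LOCAL_NAMES:
                findings.append((name, ip, "blocked"))
        else:
            findings.append((name, ip, "redirected"))
    return findings


def is_stock(text: str) -> bool:
    """True when the file does nothing beyond mapping localhost to loopback."""
    return not audit_hosts(text)


if __name__ == "__main__":
    # To audit the real file, replace SAMPLE_HOSTS with
    # open(r"C:\WINNT\system32\drivers\etc\hosts").read()
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name} -> {ip}")
    print("stock file:", is_stock(SAMPLE_HOSTS))
```

A clean result from this script only rules out one redirection mechanism. Name resolution can also be diverted through the configured DNS servers (the O17 NameServer lines in a HijackThis log) or a Winsock LSP, so a stock hosts file alongside unreachable vendor sites is a reason to keep looking, not a clean bill of health.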


#1
January 27, 2009 at 17:32:16
Please post your Hijack This log.


#2
January 27, 2009 at 19:19:11
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:35 PM, on 1/27/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
D:\Program Files\Trend\Smex\InstMon.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
D:\Program Files\Trend\Smex\RMonitor.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
D:\Program Files\Exchsrvr\bin\exmgmt.exe
D:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\Program Files\Trend\Smex\InstRTS.exe
D:\Program Files\Trend\Smex\SmexVS.exe
D:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
D:\Program Files\Trend\Smex\WebRoot\SmexHS.exe
D:\Program Files\Exchsrvr\bin\store.exe
D:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
D:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] D:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Update Services] wcsnfty.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [Microsoft Update Services] wcsnfty.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MVRHA.ORG
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B920C9A-E8DA-4AF9-812F-08AB3CF136FE}: NameServer = 192.168.1.10,192.168.1.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MVRHA.ORG
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = MVRHA.ORG
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = MVRHA.ORG
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Microsoft Internet Information Services kernel mode driver (msiisdrv) - Unknown owner - C:\WINNT\SYSTEM32\msiisdrv.exe (file missing)
O23 - Service: Microsoft IIS helper (msiishlp) - Unknown owner - C:\WINNT\System32\msiishlp.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: ScanMail_Monitor - Trend Micro Inc. - D:\Program Files\Trend\Smex\InstMon.exe
O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - D:\Program Files\Trend\Smex\InstRTS.exe
O23 - Service: ScanMail_Web - Trend Micro Inc. - D:\Program Files\Trend\Smex\WebRoot\InstWeb.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system\system32\service.exe (file missing)

--
End of file - 6919 bytes



#3
January 27, 2009 at 19:36:44
Go to start> control panel> administrative tools> services> scroll down to "Microsoft IIS helper (msiishlp)" and double-click it. Click the blue drop-down arrow to the far right of "startup type"> click disable> apply> ok.

Do the same for this service:

Microsoft Internet Information Services kernel mode driver (msiisdrv)

Exit administrative tools.

Your Java is out of date and may have been exploited.
Download the latest version of Java from this link: Java
Click on the JRE 6 Update 11 download button.
Check the box that says "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, change combofix.exe to toolb.exe in the filename box and click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix and remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your Norton antivirus, Trend Micro and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window or move the mouse while the program is running; it will cause your system to hang.)
Please post the log it produces.


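The reasoning in this reply (services registered with "Unknown owner" or a missing binary, an autorun entry that does not belong) can be applied mechanically to a HijackThis log. The script below is an added example, not part of the thread and not HijackThis's own code; it assumes the O4 and O23 line formats seen in the log in #2. The sample lines it embeds are copied from that log, except the WinMgr service entry, which is constructed from the R4 service line that ComboFix reports later in the thread.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Windows binaries that malware commonly imitates by name, mapped to the directory
# (under the Windows directory, e.g. C:\WINNT) where the genuine copy lives.
CORE_BINARIES = {
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "winlogon.exe": "system32",
    "csrss.exe": "system32",
    "explorer.exe": "",  # genuine copy sits directly in the Windows directory
}

# Assumed line shapes, taken from the O4 and O23 entries of the HijackThis log in #2.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample in HijackThis format: lines copied from the log in #2 plus one
# made-up O23 entry for the WinMgr service ComboFix lists as an R4 service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Update Services] wcsnfty.exe
O4 - HKLM\..\RunServices: [Microsoft Update Services] wcsnfty.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: WinMgr URL Update (WinMgr) - Unknown owner - C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Microsoft IIS helper (msiishlp) - Unknown owner - C:\WINNT\System32\msiishlp.exe (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system\system32\service.exe (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high" = strong indicator, "review" = needs a human look
    entry: str
    reason: str


def split_command(target: str) -> tuple[str, str]:
    """Return (directory, basename) of the executable in an autorun or service command,
    lower-cased, with surrounding quotes and trailing arguments or notes removed."""
    text = target.strip().strip('"')
    match = re.match(r"^(.*?\.exe)", text, re.IGNORECASE)
    if match:
        text = match.group(1)
    directory, _, base = text.rpartition("\\")
    return directory.lower(), base.lower()


def in_genuine_location(directory: str, expected_subdir: str) -> bool:
    """True if directory is the Windows directory (WINNT or Windows on any drive)
    plus the expected subdirectory, e.g. c:\\winnt\\system32."""
    pattern = r"[a-z]:\\(winnt|windows)" + (r"\\" + expected_subdir if expected_subdir else "")
    return re.fullmatch(pattern, directory) is not None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_keys: dict[str, set[str]] = {}  # autorun entry name -> registry keys it appears under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            directory, base = split_command(m.group("target"))
            run_keys.setdefault(m.group("name"), set()).add(m.group("key"))
            if not directory:
                findings.append(Finding("review", line, f"'{base}' given without a path; resolved by PATH search at logon"))
            elif base in CORE_BINARIES and not in_genuine_location(directory, CORE_BINARIES[base]):
                findings.append(Finding("high", line, f"{base} started from non-standard directory {directory}"))
            continue
        m = O23_RE.match(line)
        if m:
            directory, base = split_command(m.group("path"))
            if "(file missing)" in m.group("path"):
                findings.append(Finding("review", line, "service still registered but its binary is gone (leftover of a removal)"))
            if m.group("owner").lower() == "unknown owner":
                findings.append(Finding("review", line, "service binary carries no publisher information"))
            if base in CORE_BINARIES and not in_genuine_location(directory, CORE_BINARIES[base]):
                findings.append(Finding("high", line, f"{base} registered from non-standard directory {directory}"))
    for name, keys in run_keys.items():
        if {"Run", "RunServices"} <= keys:
            findings.append(Finding("high", name, "same entry under Run and RunServices (a Windows 9x key); a common worm persistence pattern"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```

Findings marked review are prompts for a human, not verdicts: ctfmon.exe is listed without a path on a stock Windows 2000 install and is flagged for the same reason as wcsnfty.exe. The two high findings are the patterns this reply and the later Kaspersky report bear out: a core binary name (svchost.exe) living under the print spooler's driver directory, and an autorun entry duplicated into the Windows 9x RunServices key.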


#4
January 27, 2009 at 20:40:01
I have a question about the following in regards to the ComboFix :

----

1. Go offline turn off your Norton antivirus, Trend Micro and any other antispyware that you may have.

----

When you say "offline", do you mean disable the NIC? If so, I will have to wait a while for that part as I am working on the machine remotely and that would cut me off from it. If not, please explain what you mean by "offline".

Thanks



#5
January 28, 2009 at 03:44:34
Yes, disconnect from the internet.


#6
January 28, 2009 at 17:01:40
ComboFix 09-01-21.04 - administrator 01/28/2009 17:37:11.1 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.511.175 [GMT -7:00]
Running from: c:\documents and settings\Administrator.MVRHA\Desktop\Toolb.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\Cache
c:\winnt\system32\dns.exe
c:\winnt\system32\mdm.exe
c:\winnt\system32\winntsystem.dll
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KDC
-------\Legacy_SERV-U
-------\Legacy_TRKSVR
-------\Service_kdc
-------\Service_Serv-U
-------\Service_TrkSvr
-------\Legacy_DNS
-------\Service_DNS


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 17:45 . 09-01-28 17:45 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_428.dat
2009-01-28 17:45 . 09-01-28 17:45 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_3f4.dat
2009-01-27 21:46 . 09-01-27 21:46 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-01-27 21:46 . 09-01-27 21:46 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-01-27 21:45 . 09-01-27 21:45 <DIR> d-------- c:\program files\Java
2009-01-27 21:22 . 09-01-27 21:23 <DIR> d-------- C:\Downloads
2009-01-27 21:21 . 09-01-27 21:25 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\.SunDownloadManager
2009-01-27 17:53 . 09-01-27 17:48 268,052 --a------ C:\rooter.exe
2009-01-27 17:49 . 09-01-27 17:53 <DIR> d-------- C:\Rooter$
2009-01-27 15:14 . 09-01-27 17:56 <DIR> d-------- C:\Logs
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\SUPERAntiSpyware.com
2009-01-27 14:57 . 09-01-27 14:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-25 21:34 . 09-01-25 21:34 <DIR> d-------- C:\badmail
2009-01-25 21:01 . 09-01-25 21:01 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\Malwarebytes
2009-01-25 21:01 . 09-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-25 21:01 . 09-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-25 21:00 . 09-01-25 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 15:11 . 08-10-16 14:09 31,768 --a------ c:\winnt\system32\wucltui.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuaucpl.cpl.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuapi.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 18,456 --a------ c:\winnt\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 06:34 --------- d-----w c:\program files\Google
2008-12-11 12:09 239,472 ------w c:\winnt\system32\drivers\SRV.SYS
2002-02-05 02:41 271 ---h--w c:\program files\desktop.ini
2002-02-05 02:41 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ------w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 12:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [09-01-15 16:17 1830128]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VxTaskbarMgr"="d:\program files\VERITAS\VxUpdate\VxTaskbarMgr.exe" [03-10-07 00:26 131040]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 00:21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-01-27 21:46 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 09:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\[u]0[/u]DfsInit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2001-05-08 74448]
R0 mraid2k;mraid2k;c:\winnt\system32\drivers\mraid2k.sys [2001-09-04 17065]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-04-17 24784]
R3 QntmX32;QntmX32;c:\winnt\system32\drivers\QntmX32.sys [2006-06-15 10752]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-02-07 12336]
R4 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [2001-05-08 25360]
R4 EXIFS;EXIFS;c:\winnt\system32\drivers\EXIFS.SYS [2002-06-17 208960]
R4 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2005-06-23 25872]
R4 MSADC;Microsoft Active Directory Connector;c:\program files\MSADC\adc.exe [2002-02-07 1114384]
R4 MSExchangeMGMT;Microsoft Exchange Management;d:\program files\Exchsrvr\BIN\EXMGMT.EXE [2002-06-24 1867776]
R4 MSSEARCH;Microsoft Search;c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe [2002-02-07 69632]
R4 MSSQL$BKUPEXEC;MSSQL$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC [?]
R4 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2005-06-23 745232]
R4 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 ScanMail_Monitor;ScanMail_Monitor;d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor --> d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor [?]
R4 ScanMail_RealTimeScan;ScanMail_RealTimeScan;d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan --> d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan [?]
R4 ScanMail_Web;ScanMail_Web;d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web --> d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web [?]
R4 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2005-06-23 330512]
R4 WinMgr;WinMgr URL Update;c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe [2005-07-08 825856]
S1 SCSIChanger;SCSIChanger;c:\winnt\system32\drivers\SCSICHNG.SYS [2000-07-12 15360]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [2000-07-25 6961]
S3 MSExchangeES;Microsoft Exchange Event;d:\program files\Exchsrvr\BIN\EVENTS.EXE [2002-06-18 106496]
S3 SQLAgent$BKUPEXEC;SQLAgent$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC [?]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-02-04 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-02-04 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-02-04 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-02-04 18264]
S4 MSExchangeIS;Microsoft Exchange Information Store;d:\program files\Exchsrvr\BIN\STORE.EXE [2002-07-15 4558848]
S4 MSExchangeMTA;Microsoft Exchange MTA Stacks;d:\program files\Exchsrvr\BIN\EMSMTA.EXE [2002-06-20 1798144]
S4 MSExchangeSA;Microsoft Exchange System Attendant;d:\program files\Exchsrvr\BIN\MAD.EXE [2002-06-24 2965504]
S4 MSExchangeSRS;Microsoft Exchange Site Replication Service;d:\program files\Exchsrvr\BIN\srsmain.exe [2002-06-18 401408]
S4 msiisdrv;Microsoft Internet Information Services kernel mode driver;c:\winnt\SYSTEM32\msiisdrv.exe --> c:\winnt\SYSTEM32\msiisdrv.exe [?]
S4 msiishlp;Microsoft IIS helper;c:\winnt\System32\msiishlp.exe --> c:\winnt\System32\msiishlp.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\winnt\Tasks\Theft Loss Protection.job
- c:\program files\Wireless Sync\Client\ClientSys.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Update Services - wcsnfty.exe
HKLM-RunServices-Microsoft Update Services - wcsnfty.exe


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {1B920C9A-E8DA-4AF9-812F-08AB3CF136FE} = 192.168.1.10,192.168.1.10
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 17:48:17
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(224)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(264)
c:\winnt\system32\sp3res.dll
.
Completion time: 2009-01-28 17:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 00:50:22

Pre-Run: 1,337,036,800 bytes free
Post-Run: 1,293,303,808 bytes free

178 --- E O F --- 2009-01-26 03:11:27



#7
January 28, 2009 at 19:38:31
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\winnt\SYSTEM32\msiisdrv.exe
c:\winnt\System32\msiishlp.exe

Driver::
msiishlp
msiisdrv

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#8
January 29, 2009 at 16:54:09
I ran the ComboFix as directed. It looks like it did the exact same thing it did last time. I do not know if it executed the file that I dropped on it.

I had run ATF Cleaner prior to posting, but ran it again. It did not find any new files to delete.

I ran Kaspersky and terminated it when it started scanning network shares. It found thousands of files that were quarantined. I will only post one of each unique quarantined item and anything not quarantined:


Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
M:\
P:\
R:\
Z:\

Scan statistics:
Files scanned: 89082
Threat name: 16
Infected objects: 6384
Suspicious objects: 0
Duration of the scan: 03:06:52


File name / Threat name / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe/C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
C:\Documents and Settings\Administrator.MVRHA\Desktop\VNC.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A040000.VBN Infected: Email-Worm.Win32.Sober.y 1

Sober.y THOUSANDS of times.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A0400CC.VBN Infected: Backdoor.Win32.Small.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED00000.VBN Infected: not-a-virus:Server-FTP.Win32.Serv-U.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED80000.VBN Infected: not-a-virus:RiskTool.Win32.HideRun 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED80000.VBN Infected: not-a-virus:RiskTool.Win32.Hideout 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0ED80000.VBN Infected: not-a-virus:RiskTool.Win32.PsKill.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10680000.VBN Infected: Trojan-Downloader.SWF.Gida.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\10680001.VBN Infected: Trojan-Downloader.SWF.Gida.b 1
C:\Inetpub\AdminScripts\ServUDaemon.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\iissamples\sdk\asp\components\SCHOST.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\Inetpub\iissamples\sdk\asp\simple\Data\system1\Serv-U32.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\Inetpub\iissamples\sdk\asp\simple\ServUDaemon.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3016 1
C:\Inetpub\mailroot\Queue\serv-u32.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.o 1
C:\Inetpub\Scripts\sys\explorer.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP1832 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP1840 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP2868 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP4020 Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\Inetpub\Scripts\TFTP4176 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP4484 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\WINNT\system\system32\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.101 1
C:\WINNT\system32\spool\drivers\w32x86\win32\shell32\msshell32.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.jd 1
C:\WINNT\system32\spool\drivers\w32x86\win32\WinMgr\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
D:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
D:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

------
Let me know what to do from here.

Thanks!



#9
January 29, 2009 at 20:04:39
Use Norton and delete quarantined files.

Go to start> control panel> administrative tools> services> scroll down to "Serv-U FTP Server (Serv-U)" and double-click it. Click the blue drop-down arrow to the far right of "startup type"> click disable> apply> ok.

Exit administrative tools.

Navigate to and delete these files (do not empty the recycle bin yet):

C:\Inetpub\iissamples\sdk\asp\simple\Data\system1\Serv-U32.exe

C:\Inetpub\iissamples\sdk\asp\components\SCHOST.EXE

C:\Inetpub\iissamples\sdk\asp\simple\ServUDaemon.exe

C:\Inetpub\mailroot\Queue\serv-u32.exe

C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe

C:\Inetpub\AdminScripts\ServUDaemon.exe

Run Kaspersky again and post its log.



#10
January 30, 2009 at 14:51:46
First off, I could not find the 5th file for deletion.

I have attached the newest Kaspersky log:

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 30, 2009
Operating System: Microsoft Windows 2000 Server Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 30, 2009 19:20:00
Records in database: 1729150
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
M:\
Z:\

Scan statistics:
Files scanned: 65212
Threat name: 9
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 03:08:20


File name / Threat name / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe/C:\WINNT\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
C:\Documents and Settings\Administrator.MVRHA\Desktop\VNC.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Inetpub\Scripts\sys\explorer.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP1832 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP1840 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP2868 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP4020 Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\Inetpub\Scripts\TFTP4176 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP4484 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\RECYCLER\S-1-5-21-1957994488-1563985344-839522115-500\Dc1.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\RECYCLER\S-1-5-21-1957994488-1563985344-839522115-500\Dc2.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\RECYCLER\S-1-5-21-1957994488-1563985344-839522115-500\Dc3.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3016 1
C:\RECYCLER\S-1-5-21-1957994488-1563985344-839522115-500\Dc4.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.o 1
C:\RECYCLER\S-1-5-21-1957994488-1563985344-839522115-500\Dc5.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\WINNT\system\system32\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.101 1
C:\WINNT\system32\spool\drivers\w32x86\win32\shell32\msshell32.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.jd 1
C:\WINNT\system32\spool\drivers\w32x86\win32\WinMgr\svchost.exe Infected: Backdoor.Win32.ServU-based.af 1
D:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
D:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

The selected area was scanned.



#11
February 2, 2009 at 07:02:40
jabuck, are you still there, or do you take weekends off?

Please help, I think we are close to clearing this server up.

Thanks!



#12
February 3, 2009 at 19:18:11
Please post a new Combofix log following the previous directions.


#13
February 5, 2009 at 08:26:53
ComboFix 09-01-21.04 - administrator 2009-02-04 17:19:42.3 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.511.191 [GMT -7:00]
Running from: c:\documents and settings\Administrator.MVRHA\Desktop\Toolb.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-04 17:19 . 09-02-04 17:19 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_608.dat
2009-01-29 10:10 . 09-01-29 10:10 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_45c.dat
2009-01-29 10:10 . 09-01-29 10:10 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_410.dat
2009-01-27 21:46 . 09-01-27 21:46 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-01-27 21:46 . 09-01-27 21:46 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-01-27 21:45 . 09-01-27 21:45 <DIR> d-------- c:\program files\Java
2009-01-27 21:22 . 09-01-27 21:23 <DIR> d-------- C:\Downloads
2009-01-27 21:21 . 09-01-27 21:25 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\.SunDownloadManager
2009-01-27 17:53 . 09-01-27 17:48 268,052 --a------ C:\rooter.exe
2009-01-27 17:49 . 09-01-27 17:53 <DIR> d-------- C:\Rooter$
2009-01-27 15:14 . 09-01-30 15:45 <DIR> d-------- C:\Logs
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\SUPERAntiSpyware.com
2009-01-27 14:57 . 09-01-27 14:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-25 21:34 . 09-01-25 21:34 <DIR> d-------- C:\badmail
2009-01-25 21:01 . 09-01-25 21:01 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\Malwarebytes
2009-01-25 21:01 . 09-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-25 21:01 . 09-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-25 21:00 . 09-01-25 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 15:11 . 08-10-16 14:09 31,768 --a------ c:\winnt\system32\wucltui.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuaucpl.cpl.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuapi.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 18,456 --a------ c:\winnt\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 06:34 --------- d-----w c:\program files\Google
2008-12-11 12:09 239,472 ------w c:\winnt\system32\drivers\SRV.SYS
2002-02-05 02:41 271 ---h--w c:\program files\desktop.ini
2002-02-05 02:41 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ------w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 12:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Wed 2009-01-28_17.49.16.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-29 00:48:06 330,142 ----a-w c:\winnt\system32\inetsrv\MetaBase.bin
+ 2009-02-05 00:06:15 330,147 ----a-w c:\winnt\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [09-01-15 16:17 1830128]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VxTaskbarMgr"="d:\program files\VERITAS\VxUpdate\VxTaskbarMgr.exe" [03-10-07 00:26 131040]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 00:21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-01-27 21:46 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 09:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0DfsInit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2001-05-08 74448]
R0 mraid2k;mraid2k;c:\winnt\system32\drivers\mraid2k.sys [2001-09-04 17065]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-04-17 24784]
R3 QntmX32;QntmX32;c:\winnt\system32\drivers\QntmX32.sys [2006-06-15 10752]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-02-07 12336]
R4 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [2001-05-08 25360]
R4 EXIFS;EXIFS;c:\winnt\system32\drivers\EXIFS.SYS [2002-06-17 208960]
R4 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2005-06-23 25872]
R4 MSADC;Microsoft Active Directory Connector;c:\program files\MSADC\adc.exe [2002-02-07 1114384]
R4 MSExchangeIS;Microsoft Exchange Information Store;d:\program files\Exchsrvr\BIN\STORE.EXE [2002-07-15 4558848]
R4 MSExchangeMGMT;Microsoft Exchange Management;d:\program files\Exchsrvr\BIN\EXMGMT.EXE [2002-06-24 1867776]
R4 MSExchangeMTA;Microsoft Exchange MTA Stacks;d:\program files\Exchsrvr\BIN\EMSMTA.EXE [2002-06-20 1798144]
R4 MSExchangeSA;Microsoft Exchange System Attendant;d:\program files\Exchsrvr\BIN\MAD.EXE [2002-06-24 2965504]
R4 MSSEARCH;Microsoft Search;c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe [2002-02-07 69632]
R4 MSSQL$BKUPEXEC;MSSQL$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC [?]
R4 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2005-06-23 745232]
R4 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2005-06-23 330512]
S1 SCSIChanger;SCSIChanger;c:\winnt\system32\drivers\SCSICHNG.SYS [2000-07-12 15360]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [2000-07-25 6961]
S3 MSExchangeES;Microsoft Exchange Event;d:\program files\Exchsrvr\BIN\EVENTS.EXE [2002-06-18 106496]
S3 SQLAgent$BKUPEXEC;SQLAgent$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC [?]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-02-04 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-02-04 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-02-04 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-02-04 18264]
S4 MSExchangeSRS;Microsoft Exchange Site Replication Service;d:\program files\Exchsrvr\BIN\srsmain.exe [2002-06-18 401408]
S4 ScanMail_Monitor;ScanMail_Monitor;d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor --> d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor [?]
S4 ScanMail_RealTimeScan;ScanMail_RealTimeScan;d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan --> d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan [?]
S4 ScanMail_Web;ScanMail_Web;d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web --> d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web [?]
S4 WinMgr;WinMgr URL Update;c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe [2005-07-08 825856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\winnt\Tasks\Theft Loss Protection.job
- c:\program files\Wireless Sync\Client\ClientSys.exe []
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {1B920C9A-E8DA-4AF9-812F-08AB3CF136FE} = 192.168.1.10,192.168.1.10
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 17:20:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(272)
c:\winnt\system32\sp3res.dll
.
Completion time: 2009-02-04 17:21:59
ComboFix-quarantined-files.txt 2009-02-05 00:21:56
ComboFix2.txt 2009-01-29 17:15:13
ComboFix3.txt 2009-01-29 00:50:31

Pre-Run: 2,647,597,056 bytes free
Post-Run: 2,638,094,336 bytes free

161 --- E O F --- 2009-01-26 03:11:27


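The one line in that log that matters is the WinMgr service (S4) launching svchost.exe from under spool\drivers instead of system32. The script below is an added example, not part of this thread or of ComboFix: it parses ComboFix's R/S service lines and flags a core Windows file name running from the wrong directory, plus any entry ComboFix printed with "[?]" instead of a date and size. The sample lines are constructed from the log above.

```python
"""Flag masquerading system binaries in ComboFix service/driver lines.

Added example, not part of the forum thread and not ComboFix's own code. It
parses the 'R0..R4 / S0..S4 name;display;path [date size]' lines that
ComboFix prints after the Reg Loading Points section and flags two things a
reviewer otherwise checks by eye: an executable that borrows a core Windows
file name (svchost.exe, lsass.exe, ...) but is not in the directory Windows
keeps it in, and an entry where ComboFix recorded '[?]' instead of a date and
size, so the binary on disk still has to be verified by hand.
"""
import re
from dataclasses import dataclass

# Constructed sample: four lines copied in shape from the log posted above.
SAMPLE_LOG = r"""
R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2001-05-08 74448]
R4 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2005-06-23 745232]
R4 MSSQL$BKUPEXEC;MSSQL$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC [?]
S4 WinMgr;WinMgr URL Update;c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe [2005-07-08 825856]
"""

SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$")
EXE_RE = re.compile(r"\s*(.+?\.(?:exe|sys|dll|cpl))", re.IGNORECASE)

_SYS32 = re.compile(r"^[a-z]:\\(winnt|windows)\\system32$")
_ROOT = re.compile(r"^[a-z]:\\(winnt|windows)$")
# Core Windows binaries and the only directory each legitimately runs from.
SYSTEM_BINARIES = {
    "svchost.exe": _SYS32, "lsass.exe": _SYS32, "csrss.exe": _SYS32,
    "winlogon.exe": _SYS32, "services.exe": _SYS32, "smss.exe": _SYS32,
    "spoolsv.exe": _SYS32, "explorer.exe": _ROOT,
}


@dataclass
class ServiceEntry:
    start: str       # ComboFix start-type code, e.g. R4 (running) or S4 (stopped)
    name: str
    display: str
    path: str        # executable only, arguments stripped
    verified: bool   # False when ComboFix printed '[?]' instead of a date and size


@dataclass
class Finding:
    service: str
    path: str
    reason: str


def parse_service_line(line):
    """Return a ServiceEntry for one R/S line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, rest = m.groups()
    # ComboFix appends ' --> <resolved path>' when the ImagePath carries
    # arguments; the text before the arrow is what the service manager launches.
    command = rest.split(" --> ", 1)[0]
    exe = EXE_RE.match(command)
    path = exe.group(1) if exe else command
    return ServiceEntry(start, name, display, path, not rest.rstrip().endswith("[?]"))


def check_entry(entry):
    """Apply the two checks to one entry and return the findings (possibly none)."""
    findings = []
    directory, _, base = entry.path.lower().rpartition("\\")
    home = SYSTEM_BINARIES.get(base)
    if home and not home.match(directory):
        findings.append(Finding(entry.name, entry.path,
                                f"{base} outside its Windows home directory"))
    if not entry.verified:
        findings.append(Finding(entry.name, entry.path,
                                "no date/size recorded ([?]); verify the file on disk"))
    return findings


def triage(log_text):
    """Run the checks over every service line in a ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry:
            findings.extend(check_entry(entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.service:16} {f.reason}: {f.path}")
```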

#14
February 5, 2009 at 17:15:37
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe

Driver::
WinMgr

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.



#15
February 9, 2009 at 09:03:05
Newest ComboFix Log: (BTW, my system hangs every time I run ComboFix)

ComboFix 09-01-21.04 - administrator 2009-02-09 1:44:13.4 - NTFSx86
Microsoft Windows 2000 Server 5.0.2195.4.1252.1.1033.18.511.143 [GMT -7:00]
Running from: c:\documents and settings\Administrator.MVRHA\Desktop\Toolb.exe
Command switches used :: c:\documents and settings\Administrator.MVRHA\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-09 09:49 . 09-02-09 09:49 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_440.dat
2009-02-09 09:49 . 09-02-09 09:49 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_404.dat
2009-01-27 21:46 . 09-01-27 21:46 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-01-27 21:46 . 09-01-27 21:46 73,728 --a------ c:\winnt\system32\javacpl.cpl
2009-01-27 21:45 . 09-01-27 21:45 <DIR> d-------- c:\program files\Java
2009-01-27 21:22 . 09-01-27 21:23 <DIR> d-------- C:\Downloads
2009-01-27 21:21 . 09-01-27 21:25 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\.SunDownloadManager
2009-01-27 17:53 . 09-01-27 17:48 268,052 --a------ C:\rooter.exe
2009-01-27 17:49 . 09-01-27 17:53 <DIR> d-------- C:\Rooter$
2009-01-27 15:14 . 09-02-04 17:22 <DIR> d-------- C:\Logs
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-27 14:58 . 09-01-27 14:58 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\SUPERAntiSpyware.com
2009-01-27 14:57 . 09-01-27 14:57 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-25 21:34 . 09-01-25 21:34 <DIR> d-------- C:\badmail
2009-01-25 21:01 . 09-01-25 21:01 <DIR> d-------- c:\documents and settings\Administrator.MVRHA\Application Data\Malwarebytes
2009-01-25 21:01 . 09-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-01-25 21:01 . 09-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-25 21:00 . 09-01-25 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 15:11 . 08-10-16 14:09 31,768 --a------ c:\winnt\system32\wucltui.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuaucpl.cpl.mui
2009-01-24 15:11 . 08-10-16 14:07 23,576 --a------ c:\winnt\system32\wuapi.dll.mui
2009-01-24 15:11 . 08-10-16 14:07 18,456 --a------ c:\winnt\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 06:34 --------- d-----w c:\program files\Google
2008-12-11 12:09 239,472 ------w c:\winnt\system32\drivers\SRV.SYS
2002-02-05 02:41 271 ---h--w c:\program files\desktop.ini
2002-02-05 02:41 21,952 ---h--w c:\program files\folder.htt
2001-05-08 12:00 32,528 ------w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

01-02-20 12:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((( snapshot@Wed 2009-01-28_17.49.16.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-29 00:48:06 330,142 ----a-w c:\winnt\system32\inetsrv\MetaBase.bin
+ 2009-02-09 16:50:49 330,142 ----a-w c:\winnt\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [09-01-15 16:17 1830128]
"ctfmon.exe"="ctfmon.exe" [01-02-20 12:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VxTaskbarMgr"="d:\program files\VERITAS\VxUpdate\VxTaskbarMgr.exe" [03-10-07 00:26 131040]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [03-05-21 00:21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-01-27 21:46 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [08-05-13 09:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
08-12-22 11:05 356352 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.MSNAUDIO"= msnaudio.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0DfsInit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, pwdssp.dll

R0 DfsDriver;DfsDriver;c:\winnt\system32\drivers\dfs.sys [2001-05-08 74448]
R0 mraid2k;mraid2k;c:\winnt\system32\drivers\mraid2k.sys [2001-09-04 17065]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-04-17 24784]
R3 QntmX32;QntmX32;c:\winnt\system32\drivers\QntmX32.sys [2006-06-15 10752]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 spud;Special Purpose Utility Driver;c:\winnt\system32\drivers\spud.sys [2002-02-07 12336]
R4 DHCPServer;DHCP Server;c:\winnt\system32\tcpsvcs.exe [2001-05-08 25360]
R4 EXIFS;EXIFS;c:\winnt\system32\drivers\EXIFS.SYS [2002-06-17 208960]
R4 IMAP4Svc;Microsoft Exchange IMAP4;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 IsmServ;Intersite Messaging;c:\winnt\system32\ismserv.exe [2005-06-23 25872]
R4 MSADC;Microsoft Active Directory Connector;c:\program files\MSADC\adc.exe [2002-02-07 1114384]
R4 MSExchangeIS;Microsoft Exchange Information Store;d:\program files\Exchsrvr\BIN\STORE.EXE [2002-07-15 4558848]
R4 MSExchangeMGMT;Microsoft Exchange Management;d:\program files\Exchsrvr\BIN\EXMGMT.EXE [2002-06-24 1867776]
R4 MSExchangeMTA;Microsoft Exchange MTA Stacks;d:\program files\Exchsrvr\BIN\EMSMTA.EXE [2002-06-20 1798144]
R4 MSExchangeSA;Microsoft Exchange System Attendant;d:\program files\Exchsrvr\BIN\MAD.EXE [2002-06-24 2965504]
R4 MSSEARCH;Microsoft Search;c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe [2002-02-07 69632]
R4 MSSQL$BKUPEXEC;MSSQL$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe -sBKUPEXEC [?]
R4 NntpSvc;Network News Transport Protocol (NNTP);c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 NtFrs;File Replication Service;c:\winnt\system32\ntfrs.exe [2005-06-23 745232]
R4 POP3Svc;Microsoft Exchange POP3;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 RESvc;Microsoft Exchange Routing Engine;c:\winnt\system32\inetsrv\inetinfo.exe [2005-06-23 14608]
R4 ScanMail_Monitor;ScanMail_Monitor;d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor --> d:\program files\Trend\Smex\InstMon.exe ScanMail_Monitor [?]
R4 ScanMail_RealTimeScan;ScanMail_RealTimeScan;d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan --> d:\program files\Trend\Smex\InstRTS.exe ScanMail_RealTimeScan [?]
R4 ScanMail_Web;ScanMail_Web;d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web --> d:\program files\Trend\Smex\WebRoot\InstWeb.exe ScanMail_Web [?]
R4 TermServLicensing;Terminal Services Licensing;c:\winnt\system32\lserver.exe [2005-06-23 330512]
S1 SCSIChanger;SCSIChanger;c:\winnt\system32\drivers\SCSICHNG.SYS [2000-07-12 15360]
S3 bnchtape;bnchtape;c:\winnt\system32\drivers\bnchtape.sys [2000-07-25 6961]
S3 MSExchangeES;Microsoft Exchange Event;d:\program files\Exchsrvr\BIN\EVENTS.EXE [2002-06-18 106496]
S3 SQLAgent$BKUPEXEC;SQLAgent$BKUPEXEC;c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC --> c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlagent.EXE -i BKUPEXEC [?]
S3 TDASYNC;TDASYNC;c:\winnt\system32\drivers\tdasync.sys [2002-02-04 12664]
S3 TDIPX;TDIPX;c:\winnt\system32\drivers\tdipx.sys [2002-02-04 20760]
S3 TDNETB;TDNETB;c:\winnt\system32\drivers\tdnetb.sys [2002-02-04 18392]
S3 TDSPX;TDSPX;c:\winnt\system32\drivers\tdspx.sys [2002-02-04 18264]
S4 MSExchangeSRS;Microsoft Exchange Site Replication Service;d:\program files\Exchsrvr\BIN\srsmain.exe [2002-06-18 401408]
S4 WinMgr;WinMgr URL Update;c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe --> c:\winnt\system32\spool\drivers\w32x86\win32\winmgr\svchost.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\winnt\Tasks\Theft Loss Protection.job
- c:\program files\Wireless Sync\Client\ClientSys.exe []
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {1B920C9A-E8DA-4AF9-812F-08AB3CF136FE} = 192.168.1.10,192.168.1.10
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 09:55:54
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
d:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'winlogon.exe'(3856)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'lsass.exe'(272)
c:\winnt\system32\sp3res.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [180]
??\c:\winnt\system32\csrss.exe [208]
??\c:\winnt\system32\winlogon.exe [232]
c:\winnt\system32\services.exe [260]
c:\winnt\system32\lsass.exe [272]
c:\winnt\System32\termsrv.exe [372]
c:\winnt\system32\svchost.exe [488]
c:\winnt\System32\svchost.exe [548]
c:\winnt\system32\spoolsv.exe [592]
c:\program files\VERITAS\Backup Exec\NT\beremote.exe [860]
c:\program files\VERITAS\Backup Exec\NT\benetns.exe [888]
c:\program files\VERITAS\Backup Exec\NT\benser.exe [912]
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe [952]
c:\winnt\system32\Dfssvc.exe [964]
c:\winnt\System32\inetsrv\inetinfo.exe [1008]
c:\program files\Java\jre6\bin\jqs.exe [1028]
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1060]
c:\program files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe [1088]
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe [1120]
c:\winnt\system32\ntfrs.exe [1244]
c:\winnt\system32\regsvc.exe [1272]
c:\winnt\System32\locator.exe [1300]
d:\program files\Trend\Smex\InstMon.exe [1324]
c:\winnt\System32\svchost.exe [1356]
c:\winnt\System32\lserver.exe [1380]
d:\program files\Trend\Smex\RMonitor.exe [1500]
c:\winnt\System32\WBEM\WinMgmt.exe [1516]
c:\winnt\system32\mspmspsv.exe [1564]
c:\winnt\system32\svchost.exe [1584]
c:\program files\VERITAS\Backup Exec\NT\pvlsvr.exe [1596]
c:\winnt\System32\tcpsvcs.exe [1680]
c:\winnt\System32\ismserv.exe [1716]
c:\program files\MSADC\adc.exe [1728]
c:\winnt\System32\msdtc.exe [1828]
d:\program files\Exchsrvr\bin\exmgmt.exe [1896]
d:\program files\Exchsrvr\bin\mad.exe [1980]
c:\program files\Common Files\System\MSSearch\Bin\mssearch.exe [2184]
d:\program files\Trend\Smex\InstRTS.exe [2192]
d:\program files\Trend\Smex\SmexVS.exe [2404]
d:\program files\Trend\Smex\WebRoot\InstWeb.exe [2412]
c:\program files\VERITAS\Backup Exec\NT\beserver.exe [2452]
d:\program files\Trend\Smex\WebRoot\SmexHS.exe [2468]
d:\program files\Exchsrvr\bin\store.exe [2752]
d:\program files\Exchsrvr\bin\emsmta.exe [2804]
c:\program files\VERITAS\Backup Exec\NT\bengine.exe [3376]
??\c:\winnt\system32\csrss.exe [836]
??\c:\winnt\system32\winlogon.exe [3856]
c:\winnt\system32\rdpclip.exe [808]
c:\winnt\system32\CF9105.exe [3548]
d:\program files\VERITAS\VxUpdate\VxTaskbarMgr.exe [4060]
c:\program files\Java\jre6\bin\jusched.exe [4016]
c:\winnt\system32\ctfmon.exe [4112]
d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4124]
c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [4136]
c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [4020]
c:\winnt\explorer.exe [4076]
c:\toolb\catchme.cfexe [4172]
.
**************************************************************************
.
Completion time: 2009-02-09 9:58:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-09 16:58:01
ComboFix2.txt 2009-02-05 00:22:00
ComboFix3.txt 2009-01-29 17:15:13
ComboFix4.txt 2009-01-29 00:50:31

Pre-Run: 2,848,317,440 bytes free
Post-Run: 2,839,851,008 bytes free

232 --- E O F --- 2009-01-26 03:11:27



#16
February 9, 2009 at 14:17:52
Go to start> run> copy/paste this command into the provided space:

sc delete WinMgr

then press ok.

Run the Kaspersky scan again, the items with "not a virus" are most likely false positives. Is the server operating better?



#17
February 10, 2009 at 15:13:42
The server still does not access certain websites, which prevents us from receiving some e-mail. The server also hangs when ComboFix forces a reboot.

New Kaspersky Log Attached:

----

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
M:\
Z:\

Scan statistics:
Files scanned: 64740
Threat name: 7
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 02:57:52


File name / Threat name / Threats count
C:\Documents and Settings\Administrator.MVRHA\Desktop\VNC.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Inetpub\Scripts\sys\explorer.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP1832 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP1840 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP2868 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Inetpub\Scripts\TFTP4020 Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.i 1
C:\Inetpub\Scripts\TFTP4176 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Inetpub\Scripts\TFTP4484 Infected: not-a-virus:Server-FTP.Win32.Serv-U.3017 1
C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\win32\WinMgr\svchost.exe.vir Infected: Backdoor.Win32.ServU-based.af 1
C:\WINNT\system\system32\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.101 1
C:\WINNT\system32\spool\drivers\w32x86\win32\shell32\msshell32.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.jd 1
D:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
D:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1


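Reading these two Kaspersky reports side by side, the useful split is not just the threat name but where each file sits: the Backdoor hit is now under C:\Qoobox\Quarantine (ComboFix's quarantine), while the "not-a-virus" tool detections are spread between Program Files, the desktop, C:\Inetpub\Scripts and the spool\drivers tree. The script below is an added example, not part of this thread or of Kaspersky's tooling; it parses the report's "path Infected: threat count" lines and ranks each hit by class and location. The sample lines are constructed from the report above.

```python
"""Sort a Kaspersky Online Scanner report by detection class and file location.

Added example; it is not part of the forum thread and not Kaspersky's own
tooling. It parses the 'path Infected: threat count' lines the scanner prints,
separates detections whose name carries a malware class (Backdoor.*) from the
'not-a-virus:' riskware class Kaspersky uses for legitimate tools (remote
admin, FTP servers, PsTools), and then ranks each hit by where the file sits:
a tool dropped into a web root or the print-spooler tree needs a different
answer than the same tool under Program Files or already in a quarantine folder.
"""
import re
from dataclasses import dataclass

# Constructed from lines in the report posted above (paths and names as shown there).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Administrator.MVRHA\Desktop\VNC.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2
C:\Inetpub\Scripts\TFTP1832 Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 1
C:\Qoobox\Quarantine\C\WINNT\system32\spool\drivers\w32x86\win32\WinMgr\svchost.exe.vir Infected: Backdoor.Win32.ServU-based.af 1
C:\WINNT\system\system32\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsShutdown.101 1
C:\WINNT\system32\spool\drivers\w32x86\win32\shell32\msshell32.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat.jd 1
D:\Program Files\RealVNC\WinVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1

The selected area was scanned.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-abusable tools with 'not-a-virus:'.
        return self.threat.startswith("not-a-virus:")


def parse_report(text):
    """Extract every detection line; header and footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def location(path):
    """Coarse bucket for where on disk a detected file lives."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or "\\recycler\\" in p:
        return "quarantine"     # ComboFix quarantine or recycle bin: already removed
    if "\\inetpub\\" in p:
        return "web-root"       # served by IIS; no admin-installed tool belongs here
    if "\\program files\\" in p:
        return "program-files"  # where an installed tool is expected to live
    if "\\winnt\\" in p or "\\windows\\" in p:
        return "system"         # system tree, e.g. hidden under spool\drivers
    return "other"              # user profile, desktop, data drives


def priority(d):
    """0 = look at first, 3 = already dealt with."""
    loc = location(d.path)
    if loc == "quarantine":
        return 3
    if not d.riskware:
        return 0  # named malware class (Backdoor.*) still live on disk
    if loc in ("web-root", "system"):
        return 1  # riskware dropped where no administrator installs it
    return 2      # riskware under Program Files or a profile: check the install record


def summarize(dets):
    """Totals matching the scanner's own statistics, plus the ranked buckets."""
    ranked = sorted(dets, key=lambda d: (priority(d), d.path.lower()))
    return {
        "infected_objects": sum(d.count for d in dets),
        "threat_names": len({d.threat for d in dets}),
        "live_malware": [d.path for d in ranked if priority(d) == 0],
        "dropped_tools": [d.path for d in ranked if priority(d) == 1],
        "installed_tools": [d.path for d in ranked if priority(d) == 2],
        "quarantined": [d.path for d in ranked if priority(d) == 3],
    }


if __name__ == "__main__":
    for bucket, paths in summarize(parse_report(SAMPLE_REPORT)).items():
        print(bucket, paths)
```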

#18
February 10, 2009 at 15:57:41
This is the extent of any help I have to offer, sorry I could not be of more help.

I'm not too familiar with Inetpub and RealVNC, but if it is possible you might try to uninstall them and then reinstall. That may help.

I don't see anything else that might cause a problem with entering web sites. If you are getting 404 errors, your domain settings in the registry are most likely corrupt. I do not have a copy of them for Windows 2000.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.



#19
February 11, 2009 at 08:37:17
As far as my domain settings in the registry being corrupt, I have other Windows 2000 Servers at my disposal. Would I be able to get the files that I need from those machines?

Thanks for all of your help. You helped me find a lot of problems with this server. Unfortunately, it may be beyond repair.



#20
February 11, 2009 at 15:20:46
This is the procedure for replacing the registry domain keys in XP; it would be really similar in Windows 2000. As you can see, you remove the old keys and install the exact same thing.

Launch Notepad, and copy/paste all the instructions between the X’s below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

