
Malware cannot be cleaned, Super tough malware keeps disabling service.

Discussion in 'Malware and Virus Removal Archive' started by beyonds, 2008/09/19.

  1. 2008/09/19
    beyonds

    beyonds Inactive Thread Starter

    Joined:
    2008/09/19
    Messages:
    1
    Likes Received:
    0
    Dear All,

    I have been facing this problem for the past 2 weeks, and this malware is simply getting on my nerves and affecting server uptime. As per the instructions for posting, here is the complete information.

    System Information:
    Windows Server 2003 R2, Standard x64 Edition, Service Pack 1.
    Intel Xeon CPU 2.0Ghz, 7.99GB RAM.

    Malware problems:
    It keeps disabling the firewall and ICS service, adding new user accounts, downloading files and creating backdoors on the server. Symantec keeps detecting and quarantining between 5 and 20 files each day. I have tried doing a scan using Symantec AV, Spybot Search & Destroy and also Malwarebytes Anti-Malware.

    Here is the log file from the HijackThis scan. Hope someone could help me out.


    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:21:56 PM, on 9/19/2008
    Platform: Windows 2003 SP1 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\SysWOW64\svchost.exe
    C:\Program Files (x86)\Registry Mechanic\RegMech.exe
    C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
    C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\vbexpress.exe
    C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\VSShell\Common7\IDE\SqlWb.exe
    C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE\VWDExpress.exe
    C:\Program Files (x86)\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RegMech.exe /H
    O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_080830a.dll xccd16
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O15 - ESC Trusted Zone: http://episteme.arstechnica.com
    O15 - ESC Trusted Zone: http://*.askbobrankin.com
    O15 - ESC Trusted Zone: http://*.asp.net
    O15 - ESC Trusted Zone: http://www.atribune.org
    O15 - ESC Trusted Zone: http://forum.aumha.org
    O15 - ESC Trusted Zone: http://www.codeplex.com
    O15 - ESC Trusted Zone: http://www.google.com.my
    O15 - ESC Trusted Zone: http://www.delphifaq.com
    O15 - ESC Trusted Zone: http://bwp.download.com
    O15 - ESC Trusted Zone: http://www.download.com
    O15 - ESC Trusted Zone: http://*.download.com
    O15 - ESC Trusted Zone: http://www.eggheadcafe.com
    O15 - ESC Trusted Zone: http://bulk.forest-interactive.com
    O15 - ESC Trusted Zone: http://www.fotovallescrivia.it
    O15 - ESC Trusted Zone: http://www.howtonetworking.com
    O15 - ESC Trusted Zone: http://www.itnewsgroups.net
    O15 - ESC Trusted Zone: http://sms.langkah.com
    O15 - ESC Trusted Zone: http://www.mydigitallife.info
    O15 - ESC Trusted Zone: http://www.neuber.com
    O15 - ESC Trusted Zone: http://www.pandasecurity.com
    O15 - ESC Trusted Zone: http://downloads.paretologic.com
    O15 - ESC Trusted Zone: http://www.pctools.com
    O15 - ESC Trusted Zone: http://www.safer-networking.org
    O15 - ESC Trusted Zone: http://www.simplytech.it
    O15 - ESC Trusted Zone: http://www.smallbizserver.net
    O15 - ESC Trusted Zone: http://*.smallvoid.com
    O15 - ESC Trusted Zone: http://forums.spybot.info
    O15 - ESC Trusted Zone: http://www.spybotupdates.com
    O15 - ESC Trusted Zone: http://www.spywareinfoforum.com
    O15 - ESC Trusted Zone: http://download.sysinternals.com
    O15 - ESC Trusted Zone: http://www.tech-archive.net
    O15 - ESC Trusted Zone: http://forums.techguy.org
    O15 - ESC Trusted Zone: http://www.theeldergeek.com
    O15 - ESC Trusted Zone: http://support.theplanet.com
    O15 - ESC Trusted Zone: http://hjt-data.trend-braintree.com
    O15 - ESC Trusted Zone: http://www.trendsecure.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com
    O15 - ESC Trusted Zone: http://www.ylcomputing.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA64DDC-75D8-48B6-A9B1-B8FD1128909E}: NameServer = 203.223.128.151
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
    O23 - Service: DNS Server (DNS) - Unknown owner - C:\WINDOWS\System32\dns.exe (file missing)
    O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
    O23 - Service: FTP Publishing Service (MSFtpsvc) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
    O23 - Service: Message Queuing (MSMQ) - Unknown owner - C:\WINDOWS\system32\mqsvc.exe (file missing)
    O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
    O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
    O23 - Service: Remote Access Quarantine Agent (rqs) - Unknown owner - C:\WINDOWS\system32\rqs.exe (file missing)
    O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
    O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
    O23 - Service: Windows Internet Name Service (WINS) (WINS) - Unknown owner - C:\WINDOWS\System32\wins.exe (file missing)
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

    --
    End of file - 7615 bytes
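
    The symptoms described in the post (autorun entries that keep coming back, a changed DNS server, services whose binaries the scanner reports as missing) are the kind of thing a small triage script can pull out of a HijackThis log before anyone decides between cleaning and reinstalling. The following is an added example, not part of the post and not HijackThis's own code: it parses O4, O17 and O23 lines and applies a few heuristics. The embedded sample lines are a constructed subset modelled on the log above, `EXPECTED_NAMESERVERS` is an assumed allow-list the administrator would fill in, and the Policies\Explorer\Run and near-miss heuristics flag entries for human review; they do not identify any particular malware family.

```python
"""Triage a HijackThis v2 log for common persistence and tampering indicators.

Added example, not part of the forum post: heuristics only, findings are for
an administrator to review rather than verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section name detail")

# Windows binaries whose names malware commonly imitates with a one-character change.
CORE_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "explorer.exe", "winlogon.exe", "csrss.exe", "spoolsv.exe"}

# Assumption: the resolver(s) the administrator actually configured on this host.
EXPECTED_NAMESERVERS = {"10.0.0.53"}

# Constructed sample lines in HijackThis v2 format (a subset modelled on the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe "
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_080830a.dll xccd16
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA64DDC-75D8-48B6-A9B1-B8FD1128909E}: NameServer = 203.223.128.151
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
""".strip()

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def levenshtein(a, b):
    """Plain edit distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd):
    """Best-effort extraction of the executable from a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)  # unquoted path with spaces: cut at .exe
    if m:
        return cmd[:m.end()]
    return cmd.split()[0] if cmd else ""


def triage(log_text, expected_nameservers):
    """Return a list of Finding for every line that trips one of the heuristics."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
            exe = image_path(cmd)
            base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if re.search(r"\\policies\\explorer\\run", key, re.IGNORECASE):
                findings.append(Finding("high", "O4", name,
                    "autorun under Policies\\Explorer\\Run, rarely used by legitimate "
                    "software and a common persistence location: " + cmd))
            if base not in CORE_BINARIES:
                for known in CORE_BINARIES:       # rundll33.exe vs rundll32.exe and similar
                    if levenshtein(base, known) == 1:
                        findings.append(Finding("high", "O4", name,
                            f"executable {base} is one edit away from {known}: {exe}"))
            continue
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                if server and server not in expected_nameservers:
                    findings.append(Finding("medium", "O17", server,
                        "DNS server not in the allow-list; confirm it is the intended "
                        "resolver, since a changed NameServer redirects every lookup"))
            continue
        m = O23_RE.match(line)
        if m:
            path, missing = m.group("path"), bool(m.group("missing"))
            unknown = m.group("owner").lower() == "unknown owner"
            if missing and re.search(r"\\system32\\", path, re.IGNORECASE):
                # 32-bit scanner on x64: WoW64 redirects system32 to SysWOW64, so native
                # 64-bit service binaries look missing. Low confidence, verify with a 64-bit tool.
                findings.append(Finding("info", "O23", m.group("svc"),
                    "'file missing' under system32 is usually WoW64 redirection on x64: " + path))
            elif missing or unknown:
                findings.append(Finding("medium", "O23", m.group("svc"),
                    "service image missing or owner unknown: " + path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_NAMESERVERS):
        print(f"[{f.severity:<6}] {f.section:<3} {f.name:<16} {f.detail}")
```

    Run against the sample, the script raises two high findings for the `xccinit` entry (the Policies\Explorer\Run location and the `rundll33.exe` name one character off `rundll32.exe`), asks for review of the NameServer because it is not on the allow-list, and downgrades the Netlogon "file missing" line to informational. That last point is the practical side of the reply below: a 32-bit scanner on an x64 host cannot see the real system32, so its service list should not be trusted as evidence either way.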
     
  2. 2008/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS beyonds. :)

    That system being 64 bit could be a bit of a problem here. None of the tools currently available to us will give accurate reports on a 64 bit system. If this system is being used in a business environment, the best advice I could offer is to nuke and pave. It's generally just not worth the risk of missing something to avoid a fresh install.

    If you do however want to try cleaning, I'll lend what guidance I can, but only if you are unable to resolve the issue in the ongoing topic you started here.
     
