Need help removing hard to kill Malware.



beyonds
2008-09-15, 04:38
Hi there everyone,

I'm a system administrator who is maintaining a few Windows 2003 64-bit servers. For the past 2 months, one of my servers has constantly been attacked by an unknown Malware/Virus. I have already reformatted the HD and installed a new system, complete with Symantec A/V 2008 and also Spybot Search & Destroy. However, it seems this Malware/Virus is really smart enough to penetrate inside the system and do funny things.
I've tried so many things, from disabling unwanted services to enabling the firewall, but it seems that it has somehow planted something inside the system. Regular activities of this Malware/Virus:

- Disabling the Firewall
- Creating a user account
- Downloading items to the system.
- Disables PC Anywhere and VNC.
- Our Antivirus would constantly be detecting around 5 - 15 files per day, which will be quarantined. Some of these files are affected with Trojan.Horse, Backdoor.Trojan, Downloader, Trojan.Dropper, W32.Hitapop, Trojan.Packed.16, Infostealer.Gampass.


Sometimes after a reboot or system restart, we encounter a funny Pop-Up Window Message with funny characters. We're just going nuts figuring out what's affecting the system, as all our Antivirus and Malware scans don't detect any trend during safe mode. I've attached a scan from the HijackThis software, and hope someone could assist us on this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:47 AM, on 9/15/2008
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files (x86)\Registry Mechanic\RegMech.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
F2 - REG:system.ini: UserInit=userinit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080824a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_080830a.dll xccd16
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://*.asp.net
O15 - ESC Trusted Zone: http://www.atribune.org
O15 - ESC Trusted Zone: http://forum.aumha.org
O15 - ESC Trusted Zone: http://www.codeplex.com
O15 - ESC Trusted Zone: http://www.google.com.my
O15 - ESC Trusted Zone: http://bwp.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://*.download.com
O15 - ESC Trusted Zone: http://www.eggheadcafe.com
O15 - ESC Trusted Zone: http://bulk.forest-interactive.com
O15 - ESC Trusted Zone: http://www.fotovallescrivia.it
O15 - ESC Trusted Zone: http://sms.langkah.com
O15 - ESC Trusted Zone: http://www.neuber.com
O15 - ESC Trusted Zone: http://downloads.paretologic.com
O15 - ESC Trusted Zone: http://www.pctools.com
O15 - ESC Trusted Zone: http://www.safer-networking.org
O15 - ESC Trusted Zone: http://www.simplytech.it
O15 - ESC Trusted Zone: http://www.smallbizserver.net
O15 - ESC Trusted Zone: http://*.smallvoid.com
O15 - ESC Trusted Zone: http://www.spybotupdates.com
O15 - ESC Trusted Zone: http://download.sysinternals.com
O15 - ESC Trusted Zone: http://www.tech-archive.net
O15 - ESC Trusted Zone: http://www.theeldergeek.com
O15 - ESC Trusted Zone: http://hjt-data.trend-braintree.com
O15 - ESC Trusted Zone: http://www.trendsecure.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.ylcomputing.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FA64DDC-75D8-48B6-A9B1-B8FD1128909E}: NameServer = 203.223.128.151,203.223.128.152
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: FTP Publishing Service (MSFtpsvc) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Message Queuing (MSMQ) - Unknown owner - C:\WINDOWS\system32\mqsvc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 6543 bytes


Looking forward to all the help and advice we can get!
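A defender-side triage of the O4 autorun entries in a HijackThis log like the one above, as an added example in Python that is not part of the original thread or of HijackThis itself. The heuristics (a one-letter look-alike of a Windows system binary, an executable launched from system32\inf, the Policies\Explorer\Run key, a DLL sitting directly in the Windows directory) are my own assumptions about what merits a closer look, and the sample lines are constructed from entries quoted in the post.

```python
import re
# Constructed sample in HijackThis O4 format: the two Policies\Explorer\Run entries
# mirror the ones in the log above; the Symantec ccApp entry is a known-good autorun.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080824a.dll tanlt88
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_080830a.dll xccd16
"""
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Windows binaries whose names malware often imitates with a one-letter change.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "services.exe", "csrss.exe"}

def lookalike(filename):
    """Return the system binary that differs from filename by exactly one character."""
    f = filename.lower()
    for real in SYSTEM_BINARIES:
        if len(real) == len(f) and sum(a != b for a, b in zip(real, f)) == 1:
            return real
    return None

def parse_o4(line):
    """Split one O4 line into hive, key, entry name, executable and arguments."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry, cmd = m.groupdict(), m.group("cmd")
    quoted = cmd.startswith('"')  # paths with spaces are quoted in the log
    entry["exe"] = cmd[1:cmd.index('"', 1)] if quoted else cmd.split(" ", 1)[0]
    entry["args"] = cmd[len(entry["exe"]) + (2 if quoted else 0):].split()
    return entry

def assess(entry):
    """Return the reasons an autorun entry deserves a closer look (empty means none)."""
    reasons = []
    exe_dir, _, exe_name = entry["exe"].rpartition("\\")
    real = lookalike(exe_name)
    if real:
        reasons.append(f"{exe_name} is one character away from {real}")
    if exe_dir.lower().endswith(r"\system32\inf"):
        reasons.append("runs from system32\\inf, which holds .inf setup files, not programs")
    if entry["key"].lower() == r"policies\explorer\run":
        reasons.append("registered under Policies\\Explorer\\Run, a less visible autorun key")
    for arg in entry["args"]:
        if re.fullmatch(r"(?i)c:\\windows\\[^\\]+\.dll", arg):
            reasons.append(f"loads {arg.rpartition(chr(92))[2]} dropped in the Windows root")
    return reasons

def triage(log_text):
    return {e["name"]: assess(e) for e in map(parse_o4, log_text.splitlines()) if e}
```

Running `triage(SAMPLE_LOG)` leaves ccApp with no indicators and lists four for each of the two Policies\Explorer\Run entries; the output is a prioritisation aid for a human, not a verdict.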

tashi
2008-09-29, 23:40
Already archived, added note.

Multi forum poster.

http://www.techsupportforum.com/security-center/hijackthis-log-help/292335-backdoor-trojan-keeps-disabling-service.html

http://www.spywareinfoforum.com/index.php?showtopic=119859&st=0&p=658346&#entry658346

No follow up to helper who assisted.

http://www.windowsbbs.com/malware-virus-removal/77052-malware-cannot-cleaned-super-tough-malware-keeps-disabling-service.html

No response to expert.