rohit3312
2008-12-26, 23:36
This is my first query after joining this forum.
So, I need all your valuable advice and suggestions for virus and related severe network connectivity issues.
Issues: Explorer hanging and crashing, CPU usage percentage showing about 90-100% always, IE and MOZILLA also hanging very frequently.
System is also significantly lagging in performance.
**The worst part is that during these times all the settings of the CORPORATE ANTIVIRUS protection and updates are disabled and SET to READ ONLY.
It also severely affects network connectivity, like losing domain and workgroup memberships, internet connections, router page not opening at all, etc.
I am sorry for writing so much, mainly because the issues and symptoms were not restricted to only 1 virus but to different combinations, for which it's been a mess.
It has been a very bad experience with viruses: after some time the network & security admin people had to format and clean install 3 times in the past 1 month, as the OS started giving severe issues and would
in turn affect the network in general. This has really put me into security issues with my company's policies and also wasted a huge amount of my work time. I am really frustrated and I really worry about what would
happen next, as viruses have affected it again. It's really a mess.
I use my company's Dell laptop, which is loaded with WinXP Pro + SP2. This is installed as an image bundled with other customized utilities.
Antivirus: Corporate edition of Trend OfficeScan, latest 8.0, and its entire suite, including Rootkit, etc.
Steps I took: I have been told that Trend Office gives real-time protection and hence I would never face any issues. But, unluckily, I have seen that for some viruses
like PAK_GENERIC, it gives a virus found alert but the quarantine fails.
So, next I go to the virus location and do a SHIFT+DELETE of all items reported. But this does not solve all problems, because I still get security alert mails for
the same virus later on, which means it's still left out.
Next time, I restart and everything is changed. Can't start TREND OFFICE SCAN, nor its related services; all disabled, etc.
Once it even removed my USER profile and so I couldn't log in to any DOMAIN.
I did a Google search of virus removal steps but haven't been very successful. I don't install ANY OTHER ANTIVIRUS PROGRAM BECAUSE, as far as I know, 2 active antivirus programs
would usually conflict, and also, more importantly, we can't un-install/de-activate/remove corporately provided specified SOFTWARE as per our official policies.
Also, I fear that my IP connections have also been HIJACKED, as twice I found different MAC addresses other than my PCs' in the router configuration and I couldn't remove them.
The only option was to do a hard reset and set the router to default settings. (I have both wired and wireless networks at home.)
The WIRELESS NETWORK is properly encrypted with passwords.
(1) I have attached a Word document with images of all the recent settings on my MACHINE for ANTIVIRUS, etc.
(2) I have attached the latest HIJACKTHIS log below.
Still, in addition, I have the full version of Spybot and it does identify certain things, but still it's clear that I am infected.
***************************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:18 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program \Common \Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program \SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program \DellTPad\Apoint.exe
C:\Program \ (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program \Microsoft Office Communicator\Communicator.exe
C:\Program \Messenger\msmsgs.exe
C:\Program \DellTPad\ApMsgFwd.exe
C:\Program \DellTPad\HidFind.exe
C:\Program \DellTPad\Apntex.exe
C:\Program \Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program \Internet Explorer\iexplore.exe
C:\Program \Internet Explorer\iexplore.exe
C:\Program \Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program \Trend Micro\OfficeScan Client\PccNTMon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program \Citrix\ICA Client\pn.exe
C:\Program \Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program \Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\mp010668.\Desktop\RootkitRevealer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program \Trend Micro\OfficeScan Client\pccnt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my..com/my/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my..com/my/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program \Common \Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program \DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program \ (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [Communicator] "c:\Program \Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program \Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program \Common \Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program \Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program \Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program \Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program \Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program \Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://how.you.are//
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http:officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - officescan/console/html/ClientInstall/setupini.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://officescan/console/html/root/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://officescan/console/html/ClientInstall/RemoveCtrl.cab
O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://qualitySpider91.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
O23 - Service: IXJZDFOH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LOCALS~1\Temp\IXJZDFOH.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program \SigmaTel\C-Major Audio\WDM\StacSV.exe
--
End of file - 7533 bytes
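A first triage pass over the HijackThis log above, as an added example that is neither part of the post nor HijackThis's own code. The sample lines are copied from the log; the rules (binaries in a Temp directory, generated-looking service names, malformed O16 download URLs, a non-Microsoft IERESET.INF start page) are heuristics assumed for this example, not HijackThis's logic.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the post's HijackThis log, plus header and process-list lines that a triage pass should skip.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O14 - IERESET.INF: START_PAGE_URL=http://how.you.are//
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - http://qualitySpider91.cab
O23 - Service: IXJZDFOH - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LOCALS~1\Temp\IXJZDFOH.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Temp\... anywhere in a path
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")          # shape of a generated name like IXJZDFOH

def parse_entry(line):
    """Split a log line into its HijackThis type code (R0, O4, O23, ...) and body; non-entry lines give None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("type"), m.group("body")) if m else None

def check_entry(kind, body):
    """Heuristic rules (assumptions of this example) returning reasons to look closer at an entry."""
    reasons = []
    if TEMP_RE.search(body):
        reasons.append("binary runs from a Temp directory")
    if kind == "O23":
        # O23 body format: "Service: <name> - <vendor> - <site> - <path>"
        name = body.split(" - ")[0].split(": ", 1)[-1].strip()
        if RANDOM_NAME_RE.match(name):
            # RootkitRevealer (in the post's process list) runs as a randomly named service copy, so correlate first.
            reasons.append("service name looks generated; rule out a legitimate scanner before calling it malicious")
    if kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path in ("", "/"):
            reasons.append("ActiveX download URL is malformed or is a bare host with no path")
    if kind == "O14":
        host = urlsplit(body.split("START_PAGE_URL=", 1)[-1].strip()).netloc
        if host and not host.endswith(("microsoft.com", "msn.com")):
            reasons.append(f"IE reset start page points at {host}; confirm it matches the corporate image")
    return reasons

def triage(log_text):
    """Apply every rule to every parsable entry; returns (type, reason, line) tuples."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            kind, body = parsed
            findings.extend((kind, reason, line.strip()) for reason in check_entry(kind, body))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the O14 start page, the bare-host O16 loader and the Temp-resident O23 service (twice), and leaves the NVIDIA service, the Run key and the HouseCall control alone.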