Everything posted by Rhys

  1. Log Files for the server

     When I run GMER it says the system cannot find the path specified

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:57:27 AM, on 3/23/2010
     Platform: Windows Vista SP2 (WinNT 6.00.1906)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
     C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
     C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.maristpagewood.catholic.edu.au
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maristpagewood.catholic.edu.au
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.marist.pagewood.syd.catholic.edu.au
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Marist College Pagewood
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,
     O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office12\GRA8E1~1.DLL
     O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
     O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 7.0] "C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
     O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
     O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
     O10 - Broken Internet access because of LSP provider 'c:\users\administrator.mcp\windows\system32\nlaapi.dll' missing
     O13 - Gopher Prefix:
     O15 - ESC Trusted Zone: http://www.maristpagewood.catholic.edu.au
     O15 - ESC Trusted Zone: http://clients1.google.com.au
     O15 - ESC Trusted Zone: http://www.google.com.au
     O15 - ESC Trusted Zone: *.internet%20explorer%20enchanced%20security
     O15 - ESC Trusted Zone: http://www.wise.com
     O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
     O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mcp.nsw.edu.au
     O17 - HKLM\System\CCS\Services\Tcpip\..\{1EC6EB39-2E5E-48BD-A71F-FD7F439C88F5}: NameServer = 10.82.96.50,10.82.96.52
     O17 - HKLM\System\CCS\Services\Tcpip\..\{3B06FB6D-E63A-4192-AE78-899691364642}: NameServer = 113.29.215.26
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mcp.nsw.edu.au
     O17 - HKLM\System\CS1\Services\Tcpip\..\{1EC6EB39-2E5E-48BD-A71F-FD7F439C88F5}: NameServer = 10.82.96.50,10.82.96.52
     O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GR99D3~1.DLL
     O20 - AppInit_DLLs: HookDLL.DLL
     O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
     O23 - Service: Altiris Deployment Server Console Manager - - C:\Program Files (x86)\Altiris\eXpress\Deployment Web Console\ConsoleManager.exe
     O23 - Service: Altiris Deployment Server Data Manager - - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\DataManager.exe
     O23 - Service: Altiris Deployment Server DB Management - Altiris, Inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\dbmanager.exe
     O23 - Service: Altiris eXpress Server - Altiris, Inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\\axengine.exe
     O23 - Service: Altiris PXE Config Helper - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeCfgService.exe
     O23 - Service: Altiris PXE Manager - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PxeMgr.exe
     O23 - Service: Altiris PXE MTFTP Server - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\Pxemtftp.exe
     O23 - Service: Altiris PXE Server - Altiris, inc. - C:\Program Files (x86)\Altiris\eXpress\Deployment Server\PXE\PXEService.exe
     O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files (x86)\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
     O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
     O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Unknown owner - C:\Windows\system32\cpqrcmc.exe (file missing)
     O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
     O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing)
     O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing)
     O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing)
     O23 - Service: Web Help Desk Embedded Database (FrontBaseServicewhd) - Unknown owner - C:\Program Files (x86)\WebHelpDesk\FrontBase4\bin\FrontBase.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
     O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
     O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing)
     O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
     O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
     O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
     O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
     O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
     O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30005 (MSFTPSVC) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
     O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
     O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
     O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Windows\system32\ntfrs.exe (file missing)
     O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
     O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
     O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
     O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
     O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
     O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
     O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
     O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Unknown owner - C:\Windows\system32\sysdown.exe (file missing)
     O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
     O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
     O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
     O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
     O23 - Service: Web Help Desk (webhelpdesk) - Unknown owner - C:\Program Files (x86)\WebHelpDesk\bin\wrapper\bin\wrapper.exe
     O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
     O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

     --
     End of file - 9651 bytes

     Malwarebytes' Anti-Malware 1.44
     Database version: 3510
     Windows 6.0.6002 Service Pack 2
     Internet Explorer 8.0.6001.18702

     3/23/2010 11:56:52 AM
     mbam-log-2010-03-23 (11-56-39).txt

     Scan type: Quick Scan
     Objects scanned: 2138376
     Time elapsed: 52 minute(s), 7 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 5
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  2. Hi, sorry I didn't reply to this sooner, but a few urgent tasks have kept me rather busy. The same virus has shown up on our Windows 2008 server (x64), and since that is a lot more important to operations than a single laptop, I was hoping I could sort that out first. I haven't put a USB in the server ever, so I am not sure how it has managed to infect it, but I assume someone has put something on one of the network drives (unfortunately I inherited the current setup and it's a bit of a mess security-wise, and I am not allowed to change a lot of it without the roof falling in). Should I run combo-fix on our server?
  3. Title says it all really; see the MBAM and GMER logs below. I will note that while MBAM says it will clear the 5 infections after a reboot, it does not. I would appreciate any advice I can get on how to fix this.

     Cheers
     Rhys

     Malwarebytes' Anti-Malware 1.44
     Database version: 3510
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 6.0.2900.2180

     3/17/2010 4:31:19 PM
     mbam-log-2010-03-17 (16-31-19).txt

     Scan type: Quick Scan
     Objects scanned: 102635
     Time elapsed: 2 minute(s), 46 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 5
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     GMER 1.0.15.15281 - http://www.gmer.net
     Rootkit scan 2010-03-17 16:43:56
     Windows 5.1.2600 Service Pack 2
     Running: epssli1j.exe; Driver: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugriqpow.sys

     ---- Devices - GMER 1.0.15 ----

     AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
     AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
     AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

     ---- Services - GMER 1.0.15 ----

     Service D:\WINDOWS\system32\drivers\mbamswissarmy.sys (*** hidden *** ) [MANUAL] MBAMSwissArmy <-- ROOTKIT !!!

     ---- Files - GMER 1.0.15 ----

     File D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (size mismatch) 1394000/1471824 bytes executable

     ---- EOF - GMER 1.0.15 ----