Need Help on win32/ heur and win32 / tanatos.M removal [Closed], Help to remove virus
mithpat
post Apr 24 2009, 03:53 AM
Post #1
New Member
Posts: 8
OS: XP

Hi,

My system is infected with the win32/heur and win32/tanatos.M virus. Please help me remove this virus.
I am running a Windows 2003 server and have a mail server (MDaemon) and a proxy server (WinProxy) running on it. It is also the domain server for the network users, so I cannot afford to format and reinstall the server.
I have scanned the PC over the network with AVG 8.5 and it shows me the infected files; all of them are .exe files. I cannot heal them as they may get deleted and crash the system.
Please help me clean it.

Below is the HijackThis log; please have a look at it.

===========================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:57:05 PM, on 4/24/2009
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\ismserv.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\stunnel\stunnel.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\MDaemon\WebAdmin\WebAdmin.exe
C:\Program Files\Blue Coat Systems\WinProxy 6\WPService.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\MDaemon\APP\CFEngine.exe
C:\MDaemon\WorldClient\WorldClient.exe
C:\MDaemon\SpamAssassin\MDSpamD.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\TEMP\winsgusbw.exe
C:\WINDOWS\TEMP\winciqr.exe
C:\PROGRA~1\BLUECO~1\WINPRO~1\WinProxy.exe
C:\Program Files\stunnel\stunnel.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://192.168.0.82:4343
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.1;localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: LPVideoPlugin - {BC4753E7-B823-449E-8B2B-6A04645467C0} - C:\WINDOWS\system32\LPVideo.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SeePassword] C:\Program Files\SeePassword\SeePassword.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://192.168.0.139:4343/officescan/conso...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.0.139:4343/officescan/conso...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.0.139:4343/officescan/conso...stall/setup.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://192.168.0.1:8080/officescan/console/html/AtxEnc.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.0.139:4343/officescan/conso.../RemoveCtrl.cab
O16 - DPF: {8990AFAD-D352-42AC-A72F-A660BBF6E209} (OfficeScan Management Console) - http://192.168.0.1:8080/officescan/console.../AtxConsole.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - http://192.168.0.1:8080/officescan/console/html/AtxPie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.wiantech.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F2A8E01-2EE5-41B7-AE0F-26766F5444E4}: NameServer = 59.144.127.16,59.144.127.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87AFCFF-47AB-436D-95F7-9CD95F16A830}: NameServer = 59.144.127.16,59.144.127.17
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F2A8E01-2EE5-41B7-AE0F-26766F5444E4}: NameServer = 59.144.127.16,59.144.127.17
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{8F2A8E01-2EE5-41B7-AE0F-26766F5444E4}: NameServer = 59.144.127.16,59.144.127.17
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domain.wiantech.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F2A8E01-2EE5-41B7-AE0F-26766F5444E4}: NameServer = 59.144.127.16,59.144.127.17
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\apache.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\winvnc.exe
O23 - Service: WebAdmin - Alt-N Technologies, Ltd. - C:\MDaemon\WebAdmin\WebAdmin.exe
O23 - Service: WinProxy - Blue Coat Systems, Inc. - C:\Program Files\Blue Coat Systems\WinProxy 6\WPService.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 6518 bytes
==================================================================

Mitesh



This post has been edited by mithpat: Apr 24 2009, 06:29 AM
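A small triage script for a HijackThis log like the one posted above. This is an added example, not a tool from the forum or from the poster; the embedded excerpt is constructed from entries in that log, and the checks (executables running from a temp directory, O7 policy lines that disable admin tools, O23 services with an unknown owner) are the items a helper would look at first, not a verdict on any of them.

```python
import re

# Constructed excerpt of the HijackThis log posted above (entries copied from it, trimmed).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\MDaemon\APP\MDAEMON.EXE
C:\WINDOWS\TEMP\winsgusbw.exe
C:\WINDOWS\TEMP\winciqr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SeePassword] C:\Program Files\SeePassword\SeePassword.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe
"""

# Executables launched from a temp directory rarely belong to installed software.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Policy values that lock the admin out of their own tools; worth asking who set them.
POLICY_RESTRICTIONS = ("DisableRegedit", "DisableTaskMgr")

def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its R/O/F entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False        # a blank line ends the process list
        elif line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif re.match(r"^[ROF]\d+ - ", line):
            entries.append(line)
    return processes, entries

def triage(text):
    """Return (category, line) pairs to look at first; heuristics, not verdicts."""
    processes, entries = parse_hjt(text)
    findings = [("process-in-temp", p) for p in processes if TEMP_DIR.search(p)]
    for e in entries:
        if e.startswith("O7 - ") and any(k in e for k in POLICY_RESTRICTIONS):
            findings.append(("policy-restriction", e))
        elif e.startswith("O23 - ") and "Unknown owner" in e:
            findings.append(("service-unknown-owner", e))   # service binary with no vendor info
    return findings
```

Calling `triage(SAMPLE_LOG)` on the excerpt returns the two TEMP processes, the DisableRegedit policy line and the stunnel service; a helper still has to judge each one (stunnel, for instance, is a known tool the poster runs on purpose).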
mithpat
post Apr 26 2009, 10:27 PM
Post #2
New Member
Posts: 8
OS: XP

I am awaiting your reply here. Any quick help would be much appreciated.

Thanks
Mitesh
fenzodahl512
post Apr 27 2009, 11:47 PM
Post #3
Trusted Helper
Posts: 9,675
OS: Windows XP

Hello and welcome to Geekstogo. For your information, tanatos.M = Sality, a very nasty polymorphic virus infection. It will infect each and every .exe and .scr file. Very few computers survive this kind of infection, and mostly the best course is to back up and reformat the whole computer.

I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.zip/.rar/.iso files.

Make sure you back up everything ONLY via CD or DVD (non-rewritable). If you need to back up onto an external hard drive or thumb drive, make sure it is EMPTY, meaning NO FILE inside it. Format the external drive first before attaching it to the infected computer. A single .exe file inside the external drive may infect other computers as well.

I won't guarantee that we will clean this infection; however, we will try our best. If we fail, then perhaps you will have to reformat the whole computer (all partitions). Let's do this first.


Download avz4.zip from HERE
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.



  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply

fenzodahl512
post May 3 2009, 04:40 PM
Post #4
Trusted Helper
Posts: 9,675
OS: Windows XP

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.