Tried rebuilding DNS, rebuilding TCP/IP stack, updating NIC driver, no change in results. Started looking for virus or malware explanation.
This is a Windows 2000 Server, SP4, all applicable updates from Microsoft and others installed (we use PatchLink Update to ensure they're up-to-date). Double-checked with MSUpdate.
System is running Symantec AV/CE version 9, scan engine 1.4.1.12, most recent defs updates, update has been run multiple times to ensure we're up-to-date. Full system scan shows no infections, auto-protection is enabled.
Ran AdAware w/ current updates, found a few tracking traces, no malware.
CWShredder found one item on first run, fixed, no change in status, nothing found on subsequent runs.
Spybot similarly found tracking traces, but no malware. (removed, of course)
TDS found nothing
HijackThis finds several Run and RunService entries that concern me because I don't recognize them, nor can I find any info on them with Google (except a couple of pages in a foreign language for veyegu that look like G2G forum discussion, even more worrying): aromedy.exe, veyegu.exe, simenu.exe, gotemuqu.exe, ondosica.exe
Currently, after rebuilding dns and tcp/ip and clearing all dns caches, can't get to any websites, all nslookups are timing out, but I can ping and ftp. Really weird!
ANY help appreciated! Thanks. -- Matthew.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:19 PM, on 05/11/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\FlushServ.exe
C:\WINNT\system32\CBA\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\Megaserv.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\veyegu.exe
C:\WINNT\system32\gotemuqu.exe
C:\WINNT\system32\veyegu.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\SYSTEM32\onudosica.exe
C:\WINNT\system32\aromedy.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\downloads\Util\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ameritel...hange/logon.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Audiocast] C:\WINNT\SYSTEM32\onudosica.exe
O4 - HKLM\..\Run: [nibufe] aromedy.exe
O4 - HKLM\..\RunServices: [ipidi] veyegu.exe
O4 - HKLM\..\RunServices: [nibufe] aromedy.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [apyginapygin] simenu.exe
O4 - HKCU\..\Run: [ipidi] veyegu.exe
O4 - HKCU\..\Run: [nibufe] aromedy.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.patchmgr.kolkidos.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB8DAA14-225D-46EB-B3C2-336A1FF81057}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Synchronize Cache Utility (FlushService) - American Megatrends Inc. - C:\WINNT\system32\FlushServ.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.exe
O23 - Service: NetRAID - Unknown owner - C:\WINNT\system32\Megaserv.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: HP TopTools Services (RViewSCM) - Hewlett-Packard Co. - C:\Program Files\Hptt\Bin\RVIEWSCM.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
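A way to make the "I don't recognize these Run entries" judgement repeatable, as an added example that is not part of the original post and not HijackThis code: the script below parses the O4 (autorun) lines and the "Running processes" list from a HijackThis log and scores each autorun binary on heuristics that are this example's own assumptions (a bare file name with no directory, a binary sitting directly in system32, a Run value name unrelated to the executable's name, and the same binary registered under several autorun keys), then marks which of the flagged binaries are currently running. The sample input is the process list and O4 section pasted above, trimmed to the lines the example needs; the weights and the threshold are arbitrary choices for illustration.

```python
r"""Triage the O4 (autorun) entries of a HijackThis log.

Added example, not part of the original post or of HijackThis. Heuristics
(this example's assumptions about what separates the unrecognised entries
from the vendor ones next to them):
  bare      value is just a file name, resolved via the search path at logon;
            installers almost always write a full path
  system32  binary sits directly in %SystemRoot%\system32
  mismatch  Run value name shares nothing with the executable's name
  multikey  same binary registered under several autorun keys
Binaries that also appear under "Running processes:" are marked live.
"""
import re
from dataclasses import dataclass, field

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
EXE_RE = re.compile(r'"?(?P<path>.+?\.exe)', re.IGNORECASE)   # first .exe token, quoted or not
PROC_RE = re.compile(r"^[A-Za-z]:\\")                          # a process-list path line

# Arbitrary weights for this example: a bare name is the strongest single signal.
WEIGHTS = {"bare": 2, "system32": 1, "mismatch": 1, "multikey": 1}


@dataclass
class Finding:
    binary: str                               # lower-cased base name, e.g. "aromedy.exe"
    live: bool = False                        # present in the running-process list
    keys: list = field(default_factory=list)  # e.g. 'HKLM\RunServices [ipidi]'
    reasons: set = field(default_factory=set)

    @property
    def score(self):
        return sum(WEIGHTS[r] for r in self.reasons)


def running_processes(lines):
    """Lower-cased base names of every path listed under 'Running processes:'."""
    procs, in_section = set(), False
    for line in lines:
        if line.startswith("Running processes:"):
            in_section = True
        elif in_section:
            if not PROC_RE.match(line):
                break                      # first non-path line ends the section
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs


def triage(lines, threshold=2):
    """Return Findings for autorun binaries scoring at or above threshold."""
    live = running_processes(lines)
    findings = {}
    for line in lines:
        m = O4_RE.match(line)
        e = EXE_RE.match(m["cmd"]) if m else None
        if not e:
            continue                       # not an HKLM/HKCU Run* entry
        directory, _, binary = e["path"].lower().rpartition("\\")
        f = findings.setdefault(binary, Finding(binary, live=binary in live))
        f.keys.append(f'{m["hive"]}\\{m["key"]} [{m["name"]}]')
        if not directory:
            f.reasons.add("bare")
        elif directory.endswith("\\system32"):
            f.reasons.add("system32")
        value = m["name"].lower()
        if value.endswith(".exe"):
            value = value[:-4]
        stem = binary[:-4]
        if value not in stem and stem not in value:
            f.reasons.add("mismatch")
    for f in findings.values():
        if len(f.keys) > 1:
            f.reasons.add("multikey")
    return sorted((f for f in findings.values() if f.score >= threshold),
                  key=lambda f: -f.score)


# Sample input: process list and O4 section from the log in the post, trimmed.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\veyegu.exe
C:\WINNT\system32\gotemuqu.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\SYSTEM32\onudosica.exe
C:\WINNT\system32\aromedy.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Audiocast] C:\WINNT\SYSTEM32\onudosica.exe
O4 - HKLM\..\Run: [nibufe] aromedy.exe
O4 - HKLM\..\RunServices: [ipidi] veyegu.exe
O4 - HKLM\..\RunServices: [nibufe] aromedy.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [apyginapygin] simenu.exe
O4 - HKCU\..\Run: [ipidi] veyegu.exe
O4 - HKCU\..\Run: [nibufe] aromedy.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "LIVE" if f.live else "not running"
        print(f"{f.binary:<16} score={f.score} {state}; {', '.join(sorted(f.reasons))}")
        for k in f.keys:
            print("    " + k)
```

Run against the pasted log this flags aromedy.exe, veyegu.exe and simenu.exe (bare names under several keys) and onudosica.exe (system32, value name "Audiocast"), while jusched.exe, whose value name also differs from its file name, stays below the threshold on that signal alone. Note the limit of an autorun-only pass: gotemuqu.exe is in the running-process list but has no O4 line in the pasted log, so only the process-list cross-reference surfaces it; comparing system32 contents against a known-good baseline would be the next step.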