[mmiller1970]

Original problem was that we couldn't get to certain websites, although others were somewhat OK (ie: could get to some, could get to front page of some but not subpages, couldn't get to others at all).

Tried rebuilding DNS, rebuilding TCP/IP stack, updating NIC driver, no change in results. Started looking for virus or malware explanation.

This is a Windows 2000 Server, SP4, all applicable updates from Microsoft and others installed (we use PatchLink Update to ensure they're up-to-date). Double-checked with MSUpdate.

System is running Symantec AV/CE version 9, scan engine 1.4.1.12, most recent defs updates, update has been run multiple times to ensure we're up-to-date. Full system scan shows no infections, auto-protection is enabled.

Ran AdAware w/ current updates, found a few tracking traces, no malware.
CWShredder found one item on first run, fixed, no change in status, nothing found on subequent runs.
Spybot similarly found tracking traces, but no malware. (removed, of course)
TDS found nothing
Hijack this finds several Run and RunService entries that concern me because I don't recognize them nor can I find any info on them with google (except a couple pages in a foreign language for veyegu that look like G2G forum discussion, even more worrying): aromedy.exe, veyegu.exe, simenu.exe, gotemuqu.exe, ondosica.exe

Currently, after rebuilding dns and tcp/ip and clearing all dns caches, can't get to any websites, all nslookups are timing out, but I can ping and ftp. Really weird!

ANY help appreciated! Thanks. -- Matthew.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:19 PM, on 05/11/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\FlushServ.exe
C:\WINNT\system32\CBA\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\Megaserv.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\veyegu.exe
C:\WINNT\system32\gotemuqu.exe
C:\WINNT\system32\veyegu.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\SYSTEM32\onudosica.exe
C:\WINNT\system32\aromedy.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\downloads\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ameritel...hange/logon.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Audiocast] C:\WINNT\SYSTEM32\onudosica.exe
O4 - HKLM\..\Run: [nibufe] aromedy.exe
O4 - HKLM\..\RunServices: [ipidi] veyegu.exe
O4 - HKLM\..\RunServices: [nibufe] aromedy.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [apyginapygin] simenu.exe
O4 - HKCU\..\Run: [ipidi] veyegu.exe
O4 - HKCU\..\Run: [nibufe] aromedy.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.patchmgr.kolkidos.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB8DAA14-225D-46EB-B3C2-336A1FF81057}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Synchronize Cache Utility (FlushService) - American Megatrends Inc. - C:\WINNT\system32\FlushServ.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.exe
O23 - Service: NetRAID - Unknown owner - C:\WINNT\system32\Megaserv.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: HP TopTools Services (RViewSCM) - Hewlett-Packard Co. - C:\Program Files\Hptt\Bin\RVIEWSCM.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Advertisements]

First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, backup it up or move it to a permanent folder prior to running Cleanup!

Please download ewido security suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:

• Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.

[Michelle]

First, download, install, and run CleanUp! (so the scan won't take as long because cleanup will clear temporary files) *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, backup it up or move it to a permanent folder prior to running Cleanup!

Please download ewido security suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:

• Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run Ewido.
• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

Reboot into normal mode.

Then, please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from Ewido, the log from ActiveScan and a new HiJackThis log.

[mmiller1970]

Thank you for your rapid response. I have followed your instructions and here are the resulting logs:

EWIDO
-----
---------------------------------------------------------
? ????? ???????? ????? ? ???? ????????
---------------------------------------------------------
???
+ Created on: 1:41:51 AM, 05/12/05
? ? ??????????????????? ????????

? ? ???? ?? ??????????? ????? ???
+ Version of scan engine: v3.0
???
+ Duration: 23 min
? ? ??????? ??????????? ???
+ Speed: 34.64 Files/Second
? ? ???????? ?????????????
+ Removed files: 22
? ? ????? ??? ?? ?????????????????
+ Files that could not be opened: 0
? ? ????? ???? ????? ??? ?? ????????? ??

? ? ??????????????
+ Crypter: Yes
? ? ????????????????

? ? ??????? ????????
C:\
???
+ Scan result:
???????????? ???????????????????????????????? ???? ?? ??????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\apyginaz.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
?????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\aromedy.exe -> Backdoor.SdBot.xx -> Cleaned with backup
??????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\fetuqy.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
???????????????????????????????? ?? ????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\gotemuqu.exe -> Backdoor.SdBot.xx -> Cleaned with backup
??????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\rahananis.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
????????????????????????????????? ?? ????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\uhibep.exe/rahananis.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
????????????????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\uhili.exe -> Backdoor.SdBot.xx -> Cleaned with backup
???????????????????????????????????????? ?? ????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\venole.exe/fetuqy.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
?????????????????????????????? ?? ????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\veyegubi.exe/fotehulo.exe -> Backdoor.SdBot.xx -> Cleaned with backup
???????????????????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\wikix.exe/ebozipy.exe -> TrojanProxy.Ranky.be -> Cleaned with backup
?????????????????????????????????????????? ?? ???????????????????? ?? ??????? ???? ????????
C:\WINNT\system32\xuvu.exe/rynexykip.exe -> Backdoor.SdBot.xx -> Cleaned with backup
???

????????? ???


ACTIVESCAN
----------

Incident Status Location

Spyware:Spyware/Aveo-Attune No disinfected C:\Program Files\U.S. Robotics\ControlCenter\atmdlusr.exe


HIJACKTHIS
----------
Logfile of HijackThis v1.99.1
Scan saved at 2:35:38 AM, on 05/12/05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\FlushServ.exe
C:\WINNT\system32\CBA\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\Megaserv.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\SYSTEM32\onudosica.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Innfinity\LL2Com.exe
L:\LL2Posting.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\FTP.EXE
C:\downloads\TempFiles\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ameritel...hange/logon.asp
O1 - Hosts: 69.20.153.247 www.pandasoftware.com
O1 - Hosts: 70.84.70.84 www.geekstogo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Audiocast] C:\WINNT\SYSTEM32\onudosica.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [apyginapygin] simenu.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.patchmgr.kolkidos.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB8DAA14-225D-46EB-B3C2-336A1FF81057}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ameritelinns.loc
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Synchronize Cache Utility (FlushService) - American Megatrends Inc. - C:\WINNT\system32\FlushServ.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\CBA\pds.exe
O23 - Service: NetRAID - Unknown owner - C:\WINNT\system32\Megaserv.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: HP TopTools Services (RViewSCM) - Hewlett-Packard Co. - C:\Program Files\Hptt\Bin\RVIEWSCM.EXE
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[Michelle]

Did you know you're missing this file:
VNC Server Version 4 (WinVNC4) "C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Do you know what these are?

C:\Program Files\Innfinity\LL2Com.exe
L:\LL2Posting.exe

Then, Go to Start > Control Panel Add/Remove Programs and remove the following if found:

Alset (or HelpExpress)
Rebate_Nation
CouponsAndOffers

Exit Add/Remove Programs.

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis and place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [Audiocast] C:\WINNT\SYSTEM32\onudosica.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [apyginapygin] simenu.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm

O15 - Trusted Zone: *.patchmgr.kolkidos.com (HKLM) <-if you know what it is and put it there, then don't fix it

Close HiJackThis. Reboot into Safe Mode. Delete these files/folders if found:

C:\WINNT\SYSTEM32\onudosica.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\simenu.exe
C:\WINNT\simenu.exe
C:\Program Files\Alset
C:\Program Files\couponsandoffers
C:\Program Files\Rebate_Nation

Reboot into normal mode and post a new HiJackThis log.

[Michelle]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.