Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Files with .exe as extension getting created within folders


  • Please log in to reply

#1
Bashyam

Bashyam

    New Member

  • Member
  • Pip
  • 1 posts
Hi there,

I am having trouble in getting rid some sort of virus plaguing my office computer network. I have ensured good protection using Symantec Endpoint Protection solution to keep my server and clients safe form getting hit by viruses. But still something sneeked into the LAN.

Both the server and one of the client pcs are getting infected by many files with .exe extensions within the folders. Eg. New Folder .exe, XYZ .exe inside a folder called XYZ and so on. Only a certain part of the harddisk is getting affected like this. Symantec acts whenever such risks starts multiplying by identifying them as W32.Imaut virus and says the action Cleaned By Deletion has been performed on it. Some 100s of files are cleaned like this twice daily once in the morning and once in the evening by both the Server and Client's symantec package.

I have tried to find help from many sources but never found any so far. Hope this could be the right place to find some solution to this menace. My daily routine is going on well without any interruption by these files, still everyday i feel my network should not go down with these infections.

Server - Windows Server 2008
Clients - Windows XP SP3



Kindly find a OTL log attached from the infected client. Just before I started writing this post the client pc identified the files again and automatically cleaned it.

OTL logfile created on: 09/09/2012 5:30:59 AM - Run 1
OTL by OldTimer - Version 3.2.61.2 Folder = C:\Documents and Settings\WORKS\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd/MM/yyyy

1.99 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.64% Memory free
3.84 Gb Paging File | 2.70 Gb Available in Paging File | 70.46% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 82.79 Gb Free Space | 84.77% Space Free | Partition Type: NTFS
Drive D: | 368.10 Gb Total Space | 366.76 Gb Free Space | 99.63% Space Free | Partition Type: NTFS
Drive F: | 931.51 Gb Total Space | 858.09 Gb Free Space | 92.12% Space Free | Partition Type: NTFS

Computer Name: WORKS | User Name: WORKS | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/09 05:30:11 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
PRC - [2012/08/03 15:52:00 | 015,900,672 | ---- | M] (Adobe Systems, Incorporated) -- C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
PRC - [2011/06/17 16:31:10 | 001,664,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
PRC - [2011/06/17 16:31:08 | 000,137,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
PRC - [2009/07/16 09:05:10 | 000,114,688 | ---- | M] (JME) -- C:\Program Files\jmesoft\hotkey.exe
PRC - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2009/07/16 09:20:38 | 000,032,768 | ---- | M] () -- C:\Program Files\jmesoft\KeyHook.dll
MOD - [2001/06/29 18:38:20 | 000,712,751 | ---- | M] () -- C:\Program Files\Adobe\Photoshop 7.0\Asn.er.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2011/06/17 16:31:10 | 001,664,744 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe -- (SmcService)
SRV - [2011/06/17 16:31:10 | 000,280,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe -- (SNAC)
SRV - [2011/06/17 16:31:08 | 000,137,224 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe -- (SepMasterService)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC)
SRV - [2008/04/14 05:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/09/04 22:00:12 | 000,373,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120907.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/08/28 22:02:29 | 000,821,920 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120823.013\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/08/21 21:56:31 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120908.009\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/08/21 21:56:31 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120908.009\NAVENG.SYS -- (NAVENG)
DRV - [2012/08/09 10:15:59 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/09 10:15:59 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/08/06 18:47:03 | 000,127,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2012/08/06 18:46:02 | 000,092,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SysPlant.sys -- (SysPlant)
DRV - [2011/06/17 16:31:12 | 000,756,856 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys -- (SymEFA)
DRV - [2011/06/17 16:31:12 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtsp.sys -- (SRTSP)
DRV - [2011/06/17 16:31:12 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\symtdi.sys -- (SYMTDI)
DRV - [2011/06/17 16:31:12 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys -- (SymDS)
DRV - [2011/06/17 16:31:12 | 000,136,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys -- (SymIRON)
DRV - [2011/06/17 16:31:12 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SEP\0C01029F\136B.105\x86\srtspx.sys -- (SRTSPX)
DRV - [2011/06/17 16:31:10 | 000,118,960 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\teefer.sys -- (Teefer2)
DRV - [2011/06/17 16:31:10 | 000,023,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\SyDvCtrl32.sys -- (SyDvCtrl)
DRV - [2010/09/28 21:20:08 | 006,150,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2009/11/18 07:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 07:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/11/06 21:55:08 | 001,590,528 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2009/10/14 12:29:54 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
DRV - [2009/10/02 07:24:10 | 000,158,408 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fei5132.sys -- (FEIExpress)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://securityrespo...r/fix_homepage/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec...._sep_V12_1_MR_0
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\IPSFFPlgn\ [2012/09/08 21:44:25 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2001/08/23 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\IPS\IPSBHO.dll (Symantec Corporation)
O4 - HKLM..\Run: [jmekey] C:\Program Files\jmesoft\hotkey.exe (JME)
O4 - HKLM..\Run: [Yahoo Messenger] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3FDB8253-FDAF-49B7-B34C-D969FCBB237D}: NameServer = 192.168.1.100
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SEP: DllName - (C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll) - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/08/03 15:38:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell - "" = AutoRun
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0340450e-ddcb-11e1-90c0-b57d158713c0}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/09 05:30:06 | 000,599,552 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
[2012/09/09 04:13:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\do
[2012/09/08 04:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\SARASHWATHI
[2012/09/02 04:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Desktop\New Folder (2)
[2012/08/12 05:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Local Settings\Application Data\PCHealth
[2012/08/12 05:24:46 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/08/12 05:17:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office
[2012/08/12 05:15:59 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Works
[2012/08/12 05:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2012/08/12 05:15:44 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2012/08/12 05:13:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2012/08/12 05:12:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WORKS\Local Settings\Application Data\Microsoft Help
[2012/08/12 05:12:36 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/08/12 05:12:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2012/08/12 05:12:05 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2012/08/11 23:21:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RICOH
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/09 05:30:11 | 000,599,552 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WORKS\Desktop\OTL.exe
[2012/09/09 05:29:30 | 001,071,730 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\cpstud.psd
[2012/09/09 04:39:23 | 000,129,386 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\002.jpg
[2012/09/09 04:39:07 | 000,113,777 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\001.jpg
[2012/09/09 03:53:25 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\iMac Public.lnk
[2012/09/09 03:01:36 | 000,360,320 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/09/09 03:01:36 | 000,056,818 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/09/09 02:06:59 | 000,000,469 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\Mailing Labels.lnk
[2012/09/09 00:36:29 | 015,371,235 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\ANS Blue 20x20.pdf
[2012/09/08 21:44:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/08 06:41:01 | 000,128,181 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\nv ring side vive.jpg
[2012/09/06 08:09:20 | 000,061,297 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\CP Stud.jpg
[2012/09/06 06:11:03 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\WORKS\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/09/04 21:49:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/03 05:34:03 | 000,066,695 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\antique stud.jpg
[2012/08/31 22:02:38 | 001,133,812 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\Attachments_2012_08_31.zip
[2012/08/30 06:07:33 | 011,936,304 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\without address.tif
[2012/08/30 04:42:58 | 000,002,457 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Document Manager.lnk
[2012/08/25 21:48:23 | 000,006,656 | ---- | M] () -- C:\Documents and Settings\WORKS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/22 05:15:47 | 001,450,900 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\ANS.jpg
[2012/08/21 23:55:09 | 000,358,740 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\WINMAN CHALLAN.jpg
[2012/08/12 22:14:37 | 001,248,610 | ---- | M] () -- C:\Documents and Settings\WORKS\Desktop\RapaportMarketReport_080912_Weekly.pdf
[2012/08/12 05:28:32 | 000,138,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/12 05:25:32 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/08/11 23:21:47 | 000,000,158 | ---- | M] () -- C:\WINDOWS\ricdb.ini
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/09 04:39:22 | 000,129,386 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\002.jpg
[2012/09/09 04:39:04 | 000,113,777 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\001.jpg
[2012/09/09 00:36:28 | 015,371,235 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\ANS Blue 20x20.pdf
[2012/09/08 06:41:00 | 000,128,181 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\nv ring side vive.jpg
[2012/09/06 08:09:30 | 001,071,730 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\cpstud.psd
[2012/09/06 08:09:19 | 000,061,297 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\CP Stud.jpg
[2012/09/06 00:56:51 | 000,066,695 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\antique stud.jpg
[2012/08/31 22:02:37 | 001,133,812 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\Attachments_2012_08_31.zip
[2012/08/30 06:07:25 | 011,936,304 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\without address.tif
[2012/08/22 05:15:39 | 001,450,900 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\ANS.jpg
[2012/08/21 23:55:06 | 000,358,740 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\WINMAN CHALLAN.jpg
[2012/08/12 22:14:36 | 001,248,610 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\RapaportMarketReport_080912_Weekly.pdf
[2012/08/12 05:00:53 | 000,000,469 | ---- | C] () -- C:\Documents and Settings\WORKS\Desktop\Mailing Labels.lnk
[2012/08/11 23:21:47 | 000,000,158 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2012/08/04 13:33:35 | 000,010,547 | R--- | C] () -- C:\WINDOWS\hpwscr19.dat
[2012/08/04 13:31:36 | 000,176,643 | ---- | C] () -- C:\WINDOWS\hpwins19.dat
[2012/08/04 13:31:35 | 000,000,997 | R--- | C] () -- C:\WINDOWS\hpwmdl19.dat
[2012/08/04 13:19:28 | 000,182,026 | ---- | C] () -- C:\WINDOWS\hpwins21.dat
[2012/08/04 13:19:28 | 000,000,575 | ---- | C] () -- C:\WINDOWS\hpwmdl21.dat
[2012/08/03 20:13:14 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\WORKS\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/08/03 16:01:20 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2012/08/03 16:01:20 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2012/08/03 16:01:01 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2012/08/03 16:01:01 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2012/08/03 16:00:59 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2012/08/03 15:57:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/08/03 15:40:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/08/03 15:27:40 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/08/03 08:20:21 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/08/03 08:18:54 | 000,138,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2012/08/11 23:21:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RICOH

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Documents and Settings\WORKS\Desktop\antique stud.jpg:AFP_AfpInfo
@Alternate Data Stream - 49219 bytes -> C:\Documents and Settings\WORKS\Desktop\antique stud.jpg:AFP_Resource

< End of report >



Look forward to your help......Thanks in advance..... Bashyam.
  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
The symantec writeup is sort of useless.

My guess is that this is your bug:

http://www.microsoft...:Win32/Nuqel.AY

I think I would turn off the Task Scheduler service on all clients as the "at" job is one of its methods. You can do this from the command line:

sc  config  Schedule  start=  disabled


It looks like you have already removed your IM clients (or Symantec ate it) but if other clients have IM, uninstall it.

Check any desktop.ini files (in notepad) to see what they do. There should not be any trying to call a .exe or .dll file). Remove any that are not on the desktop (after looking to see what they do. Creating a folder called desktop.ini every where you remove a desktop.ini file that doesn't belong (except the desktop). If you find one that calls a .exe or .dll then hunt the file down and delete it. Check for autorun.ini files (folders are OK and are a protection created by Flash Disinfector see below.)

You should install Flash_Disinfector.exe by sUBs on each client.
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Also install AutoRun Eater v2.5 on each client.
http://download.cnet...4-10752777.html
It will stay resident and prevent USB drives from infecting your PC.

Could I see an OTL log from your server? Let's make it a custom log:

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
subst.exe
bi mat.exe
bimat.exe
autorun.ini
desktop.ini
iexplorer.exe
word.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares /rs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /rs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /rs
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} 
hklm\software\clients\startmenuinternet|command /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job 
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Also I suppose Symantec must keep logs of the files it has removed. Could you find one and post it? If nothing else a screen shot of their quarantine are might help. Or an OTL log of a system before disinfection.

Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP