Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Hi There,

I hope somebody could put a second set of eyes over this. I've taken on a new client; a site visit resulted in me finding a very out-of-date Symantec installation and lots of problems. About 10 / 20 machines had Win32/Tanatos.m and Win32/Heur.

Using a combination of ComboFix and the AVG removal tool I've managed to clean the machines and install a new copy of AVG Network Edition.

But the virus is still running on the SBS box; I have spent hours looking at it! Obviously restoring a backup isn't an option, and rebuilding the whole domain isn't high on my wish list!

I have used Spybot, Malwarebytes etc. on the server to try and clear it, but with no luck. ComboFix doesn't work on Server 2003, but it seemed to do the trick of getting it out of memory on the workstations so the AVG clean tool could do its job.

The AVG tool says the virus is in memory and it will scan after reboot, but it doesn't seem to scan; it just says "scan complete" and you press any key to load Windows.

My only hope, I feel, is to find how it's loading manually, disable it, then run the scan, or find the process. This virus is either very clever or I'm being very thick!

Current HijackThis log.

I've seen the DisableRegedit key; the virus redoes this every time I fix it.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\Plugins\clamav\clamd.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\SpamAssassin\SGSpamD.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nxax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\gocc.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wodal.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wincuprcx.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\mohgvt.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nvgpm.exe
C:\Documents and Settings\Administrator\Desktop\CleanupTools\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\besadmin\LOCALS~1\Temp\uwsd.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ynakkb.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bgss-fs1:8080
O4 - HKLM\..\Run: [Avg8AdminServerMonitor] "C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210806174765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\Software\..\Telephony: DomainName = BGSS.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E6AF44-9279-421C-B4F3-BD4169EB618B}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Advantage Database Server (Advantage) - Extended Systems, Inc. - C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: AVG8 Admin Server (AVG8AdminServer) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: SecurityGateway - Alt-N Technologies, Ltd. - C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
 

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

These have to go:

C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nxax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\gocc.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wodal.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\wincuprcx.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\mohgvt.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\nvgpm.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\uwsd.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ynakkb.exe

Anything running from the TEMP folder is a NO GO...


Fix this, as it is a shame that an admin cannot edit the REGISTRY:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Then run HJT again with the LOG option and repaste...

 

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
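The two rules in the reply above (nothing should be running from a Temp directory, and a Policies\System value that locks the admin out of regedit is itself a symptom) can be applied mechanically to a HijackThis log. The script below is an added example written for this thread, not HijackThis code and not something the poster ran; its sample log is a trimmed copy of the lines posted earlier in the thread, and the list of lockout values and autostart sections it checks are the editor's own assumptions. Besides the two rules it also asks the question the thread keeps circling: does any autostart entry HijackThis enumerates (O4 Run/RunOnce, O20 Winlogon Notify, O23 services) actually point into Temp?

```python
"""Triage a HijackThis log the way the reply above does by hand: list every
running process whose image lives in a Temp directory, flag O7 policy
entries that lock the admin out of regedit / Task Manager, and check
whether any autostart entry HijackThis knows about points into Temp.

Added example for this thread; not HijackThis code. SAMPLE_LOG is a
trimmed copy of the log posted earlier in the thread."""
import re

# Constructed from the posted log: a subset of the process list plus the
# R1/O4/O7/O20 entries that matter for this check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\ocax.exe
C:\DOCUME~1\besadmin\LOCALS~1\Temp\winnylcie.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bgss-fs1:8080
O4 - HKLM\..\Run: [Avg8AdminServerMonitor] "C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe" /startup
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Any path segment named Temp (\Temp\, \LOCALS~1\Temp\, %TEMP%): a binary
# launched from there has no business on a domain controller.
TEMP_DIR_RE = re.compile(r"(\\temp\\|%temp%)", re.I)
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# Policies\System values that take admin tooling away; 1 means enforced.
# Assumed list, not from the thread.
LOCKOUT_VALUES = ("DisableRegedit", "DisableTaskMgr", "DisableCMD")
# HJT sections that describe how something is launched, not what is running.
AUTOSTART_CODES = ("O4", "O20", "O21", "O23")


def parse_hjt(text):
    """Return (running_processes, [(code, rest), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the process list ends at the first blank line
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def temp_processes(processes):
    """Running images that live under a Temp directory."""
    return [p for p in processes if TEMP_DIR_RE.search(p)]


def lockout_policies(entries):
    """O7 entries that set one of LOCKOUT_VALUES to 1."""
    hits = []
    for code, rest in entries:
        if code != "O7":
            continue
        for name in LOCKOUT_VALUES:
            if re.search(rf"\b{name}\s*=\s*1\b", rest, re.I):
                hits.append((name, rest))
    return hits


def temp_autostarts(entries):
    """Autostart entries whose launched image lives under Temp."""
    return [(c, r) for c, r in entries if c in AUTOSTART_CODES and TEMP_DIR_RE.search(r)]


def triage(text):
    procs, entries = parse_hjt(text)
    return {
        "temp_processes": temp_processes(procs),
        "lockout_policies": lockout_policies(entries),
        "temp_autostarts": temp_autostarts(entries),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the full log posted above, the result is ten processes in Temp, one O7 DisableRegedit, and no autostart entry pointing at any of them. That negative result is the useful part: whatever respawns the Temp EXEs is not in a location HijackThis enumerates, so the next tool has to look at hidden services, loaded modules and AppInit_DLLs rather than at the Run keys again.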

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Thanks for the response!

If I end the random EXEs and delete them, they are recreated after a few minutes.

Same with the Regedit registry key.

The damn bugger changes a few other things in the registry too, including hidden files and access to Task Manager!


 

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Here it is with those out; the virus is still in memory somewhere, though!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:01:00, on 16/02/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\Plugins\clamav\clamd.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Microsoft ISA Server\wspsrv.exe
C:\Program Files\Microsoft ISA Server\w3proxy.exe
C:\Program Files\Microsoft ISA Server\W3Prefch.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Alt-N Technologies\SecurityGateway\SpamAssassin\SGSpamD.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe
C:\WINDOWS\system32\mmc.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Documents and Settings\Administrator\Desktop\CleanupTools\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Windows Small Business Server\Backup\bkprunner.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\System32\vssvc.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = bgss-fs1:8080
O4 - HKLM\..\Run: [Avg8AdminServerMonitor] "C:\Program Files\AVG\AVG8 Admin\Server\AVG8AdminServerMonitor.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2109627142-2701635856-3367251959-1128\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SBS Backup User')
O4 - HKUS\S-1-5-21-2109627142-2701635856-3367251959-1128\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SBS Backup User')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Server Management.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://housecall65.trendmicro.com
O15 - Trusted Zone: *.trendmicro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210806174765
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\Software\..\Telephony: DomainName = BGSS.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1E6AF44-9279-421C-B4F3-BD4169EB618B}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BGSS.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A4C3AB7-B912-44FF-9CCA-B65C07AD9789}: NameServer = 192.168.1.5
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Advantage Database Server (Advantage) - Extended Systems, Inc. - C:\Program Files\Extended Systems\Advantage\Server\ADS.EXE
O23 - Service: Array Configuration Utility - Hewlett-Packard Company - C:\Program Files\Compaq\Cpqacuxe\Bin\hpacubin.exe
O23 - Service: AVG8 Admin Server (AVG8AdminServer) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8AD~1\Server\avgadmsv.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - c:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: SecurityGateway - Alt-N Technologies, Ltd. - C:\Program Files\Alt-N Technologies\SecurityGateway\App\SecurityGateway.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

--
End of file - 8523 bytes
 

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

Download MalwareBytes AntiMalware: www.malwarebytes.org/mbam.php

Rename it to TOOL.exe before you save it, then install it and run it using Quick Scan (first) then Full Scan; it will take some time. Delete all that it finds... reboot if necessary...

Download SUPERAntiSpyware: www.superantispyware.com

Run it after MBAM...

Download GMER: www.gmer.net/index.php

Run it and post the log...

The HJT LOG is clean; this bugger hides pretty well...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Thanks for your help, Ben.

I've already run those two tools (after renaming the exe); they just find the registry changes and fix them, then obviously they're back on the next scan.

Tried Spybot S&D too.

Here's the log from the last program you suggested:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-16 23:41:11
Windows 5.2.3790 Service Pack 2


---- System - GMER 1.0.14 ----

INT 0x06        \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)     B9E3116D
INT 0x0E        \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)     B9E30FC2

---- Kernel code sections - GMER 1.0.14 ----

?               C:\WINDOWS\system32\drivers\glnmkn.sys                                                                              The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text           E:\Program Files\Exchsrvr\bin\store.exe[5216] kernel32.dll!TerminateProcess                                         77E42004 5 Bytes  JMP 005FDA2F E:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text           E:\Program Files\Exchsrvr\bin\store.exe[5216] kernel32.dll!ExitProcess                                              77E668F1 5 Bytes  JMP 005FDA00 E:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxParamW                                    773896A9 5 Bytes  JMP 00B15415 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxExW                                      7739EE4A 5 Bytes  JMP 00CAC3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxIndirectParamW                            773A6296 5 Bytes  JMP 00CAC510 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxExA                                      773C42AD 5 Bytes  JMP 00CAC413 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxParamA                                    773CA0AF 5 Bytes  JMP 00CAC4D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!DialogBoxIndirectParamA                            773CA172 5 Bytes  JMP 00CAC54B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxIndirectA                                773D7D40 5 Bytes  JMP 00CAC491 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxIndirectW                                773D7E30 5 Bytes  JMP 00CAC44D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT             E:\Program Files\Exchsrvr\bin\exmgmt.exe[1172] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]    [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\exmgmt.exe[1172] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\mad.exe[4236] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]       [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\mad.exe[4236] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]     [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\store.exe[5216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]     [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\store.exe[5216] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]   [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\emsmta.exe[5288] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]    [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             E:\Program Files\Exchsrvr\bin\emsmta.exe[5288] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             C:\WINDOWS\system32\wbem\wmiprvse.exe[6380] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]       [4B761B7E] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT             C:\WINDOWS\system32\wbem\wmiprvse.exe[6380] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]     [4B761AC7] E:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                            fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service         C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** )                                                                  AUTO SBCore                                                                                                        <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type                                                                  16
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start                                                                 2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl                                                          3
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath                                                             %SystemRoot%\System32\sbscrexe.exe
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName                                                           SBCore Service
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName                                                            LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description                                                           Provides core server services.
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security                                                     0x01 0x00 0x14 0x80 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@Type                                                                      16
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@Start                                                                     2
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@ErrorControl                                                              3
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@ImagePath                                                                 %SystemRoot%\System32\sbscrexe.exe
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@DisplayName                                                               SBCore Service
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@ObjectName                                                                LocalSystem
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore@Description                                                               Provides core server services.
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore\Security                                                                  
Reg             HKLM\SYSTEM\ControlSet003\Services\SBCore\Security@Security                                                         0x01 0x00 0x14 0x80 ...
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime                                          24098
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                  15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                     10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                   yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                  
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                  90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                    10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging                                        1
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs                                              C:\WINDOWS\system32\karna.dat
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs                                          1

---- EOF - GMER 1.0.14 ----
 

Dan Cunliffe, General MCSE Jack of all trades!
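Three lines in the GMER log above deserve more attention than the big "ROOTKIT !!!" banner. The kernel code section names a driver, glnmkn.sys, that the kernel references but "cannot find": a file that is hidden or has been deleted out from under a loaded module. AppInit_DLLs is set to a .dat file in system32 with LoadAppInit_DLLs = 1; AppInit_DLLs is loaded into every process that maps user32.dll, which matches the poster's experience of the code being "in memory" no matter which EXE is killed. The flagged hidden service, SBCore (sbscrexe.exe), is the SBS 2003 licensing service and is reported as hidden by GMER on clean SBS installs too, so compare it with a known-good SBS box before acting on it. The inline hooks (Exchange's store.exe patching TerminateProcess in itself, IEFRAME.dll patching dialog functions inside IEXPLORE.EXE) are a process hooking its own image or Microsoft's own module and are the noise to sort out. The script below is an added example written for this thread, not GMER tooling; its sample is a trimmed copy of the posted log plus one constructed hook line (Explorer.EXE to example_constructed.dll) that exists only to exercise the "review" branch and is not from the log.

```python
"""Triage a GMER log: pull out the findings that matter on this server and
sort the inline hooks so the expected ones do not bury the rest.

Added example for this thread, not GMER tooling. SAMPLE_GMER is a trimmed
copy of the log posted above plus ONE constructed line (the Explorer.EXE ->
example_constructed.dll hook), added only to exercise the 'review' branch."""
import re

SAMPLE_GMER = r"""---- Kernel code sections - GMER 1.0.14 ----

?               C:\WINDOWS\system32\drivers\glnmkn.sys                The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text           E:\Program Files\Exchsrvr\bin\store.exe[5216] kernel32.dll!TerminateProcess   77E42004 5 Bytes  JMP 005FDA2F E:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text           C:\Program Files\Internet Explorer\IEXPLORE.EXE[8520] USER32.dll!MessageBoxExW   7739EE4A 5 Bytes  JMP 00CAC3D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text           C:\WINDOWS\Explorer.EXE[1234] kernel32.dll!CreateProcessW   7C800000 5 Bytes  JMP 10001000 C:\WINDOWS\system32\example_constructed.dll (Example Module/Example Vendor)

---- Services - GMER 1.0.14 ----

Service         C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** )              AUTO SBCore        <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs      C:\WINDOWS\system32\karna.dat
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs  1

---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER .*----\s*$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>.+?)\s+The system cannot find the file specified")
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[\d+\]\s+(?P<api>\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+"
    r"(?:JMP|CALL)\s+[0-9A-Fa-f]+\s+(?P<target>.+?)\s+\((?P<desc>[^)]*)\)\s*$")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<start>\S+)\s+(?P<name>\S+)")
# GMER pads columns with runs of spaces; keys like "Windows NT" contain one space.
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)(?:\s{2,}(?P<data>.*))?$")


def split_sections(text):
    """Map each '---- Name - GMER ... ----' section to its non-blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def classify_hook(proc, target, desc):
    """'expected' when a process hooks its own image or the target's version
    info names Microsoft; otherwise 'review'. Version info is plain text in
    the file and can be faked, so this sorts the list; it clears nothing."""
    if target.lower() == proc.lower() or desc.endswith("/Microsoft Corporation"):
        return "expected"
    return "review"


def triage(text):
    s = split_sections(text)
    out = {"missing_kernel_modules": [], "hooks": [], "hidden_services": [],
           "appinit": {"dlls": [], "enabled": False}}
    for line in s.get("Kernel code sections", []):
        m = MISSING_RE.match(line)
        if m:  # a driver the kernel references but nobody can open: hidden or deleted
            out["missing_kernel_modules"].append(m.group("path"))
    for line in s.get("User code sections", []):
        m = HOOK_RE.match(line)
        if m:
            out["hooks"].append({"process": m.group("proc"), "api": m.group("api"),
                                 "target": m.group("target"),
                                 "verdict": classify_hook(m.group("proc"), m.group("target"),
                                                          m.group("desc"))})
    for line in s.get("Services", []):
        m = HIDDEN_SVC_RE.match(line)
        if m:
            out["hidden_services"].append((m.group("name"), m.group("image"), m.group("start")))
    for line in s.get("Registry", []):
        m = REG_RE.match(line)
        if not m:
            continue
        key, data = m.group("key").strip(), (m.group("data") or "").strip()
        value = key.rpartition("@")[2] if "@" in key else ""
        if value == "AppInit_DLLs" and data:
            # Loaded into every process that maps user32.dll: killing the
            # Temp EXEs never gets this code out of memory.
            out["appinit"]["dlls"] = [d for d in re.split(r"[ ,;]+", data) if d]
        elif value == "LoadAppInit_DLLs":
            # Switch newer Windows checks; 2003 honours a non-empty AppInit_DLLs anyway.
            out["appinit"]["enabled"] = data == "1"
    return out


def review_items(report):
    """Hooks not explained by the process itself or by a Microsoft module."""
    return [h for h in report["hooks"] if h["verdict"] == "review"]


if __name__ == "__main__":
    r = triage(SAMPLE_GMER)
    for k in ("missing_kernel_modules", "hidden_services", "appinit"):
        print(k, r[k])
    for h in review_items(r):
        print("review:", h["process"], h["api"], "->", h["target"])
```

The point of the sort is what it leaves: on the real log every hook is "expected", so the actionable findings are the unreachable driver and the AppInit_DLLs entry, not the hidden SBS service. The hidden-service check is still worth keeping; it just needs a baseline from a clean SBS 2003 box to be meaningful.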

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

Follow Ben's advice, after which I would try running each or all of the following, if they work with SBS:

http://housecall.trendmicro.com/

http://security.symantec.com/sscv6/WelcomePage.asp

http://www.pandasecurity.com/activescan/index/

...many times the "home" security software does not like it when an "enterprise" OS tries to run it...all you can do is try.

I'll bet that this nasty bugger came in on/through a BlackBerry.  Why do I think this?  Because I recently had to install BES, BlackBerry Enterprise Server, which grated against every molecule of my soul security-wise.  Why???

You see, to install BES, you need to give it its own user account & password, and this account MUST have full Administrative privileges.  On my server.  Even my account does not have full admin privileges, yet I was required to give them to the BES account, which I really don't fully control.  I don't like that, and I think it's a major flaw in the application.

Best of luck killing that bug.  
 

Tony

Users helping Users...

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Cheers Tony,

I know, I've been on all the RIM courses and I raised the same issues; I must have installed BES 50 times though and never had a problem.

No luck with the online scans, I'm afraid. If I install the actual AVG client on the server it just goes mental!

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

Have you run the above tools from Safe Mode?
 

James P. Cottingham
I'm number 1,229!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Hi James,

This virus seems to prevent booting in Safe Mode; it causes a blue screen of death on every machine I've tried.

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

At this point it looks like you have to go to bootable CDs like Bart PE, Helix, or Dr. Web LiveCD or a combination.

Helix is great for forensics but light on AV or antispyware (AS). Dr. Web has some great AV and AS tools. Bart PE is good in that you can add the tools you need.

Good luck.
 

James P. Cottingham
I'm number 1,229!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

Well, the GMER log doesn't reveal much there... unfortunately...

So the best bet is the Dr. Web suggestion, as it is a Linux distro with full access to NTFS, and works like a charm... though be ready for a long downtime...

Some ROOTKIT detectors that may be of value in this situation:

RootkitRevealer 1.71
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

F-Secure Blacklight (scroll down to download the app or use the online scanner which has it included)...
http://www.f-secure.com/security_center/

IceSword 1.22 English Version
http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip

RKDetector v2.0 - Security Analyzer & Rootkit Removal
http://www.rkdetector.com/

Rootkit Buster
http://www.trendmicro.com/download/rbuster.asp

 

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Cheers for the tips, I think I have found it....

C:\WINDOWS\system32\drivers\glnmkn.sys

This is being hidden by a rootkit and I've still not managed to stop the bugger loading!

Tried UnhackME, Sophos and McAfee up to now.

Unfortunately I'm having to do this remotely; I had a few hours at site today but it was one thing after another!

Dan Cunliffe, General MCSE Jack of all trades!

RE: Virus on 2003 SBS. Tanatos.m ..Wood for the trees!

(OP)
Just for anyone reading this thread: after about 12 hours I have managed to clean it, after discovering this virus has more than one name.

1) Use msconfig to do a diagnostic startup.

2) Run http://support.kaspersky.com/downloads/utils/sality_off.rar

3) Then reboot.

4) Run sality_off again and make sure it doesn't find anything.

5) Run the AVG removal tool from here:

http://www.avg.com/uk.virus-removal.ndi-90825

That should now run without a problem and clean all files.

6) Enable all services.

7) UPDATE YOUR AV!!! LOL

Dan Cunliffe, General MCSE Jack of all trades!
