Virii problems on our W2K and XP pc's today


crp


We had a few pc's hit today with virii. The pc's are running different vendors' AV and different firewalls (plus we have a hardware firewall). The names we captured are: wuampr.exe (which wants to talk to 210.22.107.213), exe82.exe, whSurvey.exe, mmxgamesexe.exe. In addition we have something which pops up a warning that the pc is going to reboot in 30 seconds and then does so, with no way to abort the shutdown. Our PC-Cillins won't connect to the server; our Nortons say no new definitions since last week. We dl'ed new clamav and avg to try to stem the tide and stop them from spreading. Looking for any hints about this situation. So far we have been trying to delete files using a BartPE boot disk.


I ran into exe82.exe a couple of weeks ago. I think I used HiJackThis to prevent a program from starting that kept reinstalling it. Does it bring up a window for WinTools when booting?


I ran into exe82.exe a couple of weeks ago. I think I used HiJackThis to prevent a program from starting that kept reinstalling it. Does it bring up a window for WinTools when booting?
I'll check out HiJack. No window for WinTools comes up that I can see.

More information: X-soft was disappointing :D , could not print out or save the scan results. There is yet another file involved, sometimes. A file called simply "i", and it attempts to open an ftp session to the local DNS server.


Run HJT log, post it all here, or all we can do is guess, which just wastes our time and, more importantly, yours. With a log we get a bigger picture and we can offer specific help, if need be. It's apparent you have more than one bit of malware, so with a log we can address everything at once. ewido is a good app; if you don't get everything first pass, depending on what it is, run it in safe mode too.


Give this a try - free download - trial: EWIDO :hmm:
A bit of synchronicity here, the comptroller found that last night. It did a very good job and we are much better off. We also used several online scans to id the files and a process lister, then used BartPE to delete some more files. Then we installed SpyBot 1.4 which helped a lot in stopping things. B) I am hugely disappointed in Symantec, Panda and pc-Cillin. They did next to nothing in preventing the virii from reinfecting the pc's - they simply did nothing about the Registry. Xoft id'ed Registry issues and claimed to remove them, yet on reboot some of them came right back when rescanning with Xoft. These do not seem to have been new virii, etc. Some of them were over a year old. So why the big 3 could not handle the protection of the pc's is really inexcusable. :hmm:

Download Trend SysClean from here: http://www.trendmicro.com/download/dcs.asp and the pattern file here: http://www.trendmicro.com/download/pattern.asp Boot from BartPE and run it.
B) How do I set this up? We have a plain vanilla BartPE (no networking). Does this need to be on a pc that already has a TrendMicro product on it, or will Sysclean do the same thing?

I am hugely disappointed in Symantec, Panda and pc-Cillin. They did next to nothing in preventing the virii from reinfecting the pc's - they simply did nothing about the Registry. Xoft id'ed Registry issues and claimed to remove them, yet on reboot some of them came right back when rescanning with Xoft. These do not seem to have been new virii, etc. Some of them were over a year old. So why the big 3 could not handle the protection of the pc's is really inexcusable. :angry:
That's because antivirus software protects the machine from virii. What you had was scumware (adware/spyware/malware), which is why the antispyware tools like Spybot helped. "we installed SpyBot1.4 which helped a lot in stopping things." The newer versions of some of the main antivirus softwares are in suites which include firewalls and antispyware functions also. I use PC-cillin 2005 and it has the added functions, though I have them disabled. Check your PC-cillin machines and see if the antispyware function is available and if it has been enabled. A couple of good antispyware tools that I recommend for live protection are MS's Antispyware for XP machines and SpywareBlaster for all Windows machines. For periodic scans I recommend Adaware and Spybot.
Xoft id'ed Registry issues and claimed to remove them, yet on reboot some of them came right back when rescanning with Xoft.
That's because some of the more sophisticated malware has sleepers that check when their payload has been removed and reinfect the machine. They are amazingly clever. Xoft found the payload but not the sleeper. It could be of the type that changes its name every boot. As I said, amazingly clever. If only the talent could be redirected to good...
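The "came right back on reboot" symptom discussed above is easiest to pin down by comparing autorun listings across the reboot. What follows is an added example, not code from anyone in the thread: it diffs two reg query listings of a Run key taken before and after a reboot. The listings are constructed; the ExampleAV entry and all paths are made up, and the other value names reuse file names from the first post.

```python
# Diff two `reg query` listings of an autorun key taken before and after a
# reboot, to catch persistence a cleaner reported removed but a "sleeper"
# restored. The listings are constructed for this example; "ExampleAV" is a
# made-up benign entry, the other value names reuse file names from the
# thread. Not code from anyone in the thread.
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# constructed: listing taken after the cleaning pass (one entry it missed)
BEFORE_REBOOT = RUN_KEY + r"""
    ExampleAV    REG_SZ    C:\Program Files\ExampleAV\guard.exe
    whSurvey    REG_SZ    C:\WINDOWS\system32\whSurvey.exe
"""
# constructed: the same key after one reboot
AFTER_REBOOT = RUN_KEY + r"""
    ExampleAV    REG_SZ    C:\Program Files\ExampleAV\guard.exe
    wuampr    REG_SZ    C:\WINDOWS\system32\wuampr.exe
    whSurvey    REG_SZ    C:\WINDOWS\system32\exe82.exe
"""

# value lines are indented: <name>  <REG_type>  <data>, fields split by 2+ spaces
_VALUE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_reg_query(text):
    """Map (key path, value name) -> data. Key lines start in column 0."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = _VALUE.match(line)
        if m and key:
            entries[(key, m.group(1))] = m.group(3).strip()
    return entries

def diff_autoruns(before, after):
    """Return (added, removed, changed) between two listings."""
    b, a = parse_reg_query(before), parse_reg_query(after)
    added = {k: a[k] for k in a.keys() - b.keys()}
    removed = {k: b[k] for k in b.keys() - a.keys()}
    changed = {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return added, removed, changed

if __name__ == "__main__":
    added, removed, changed = diff_autoruns(BEFORE_REBOOT, AFTER_REBOOT)
    for (_, name), data in added.items():
        print("REAPPEARED ", name, "->", data)
    for (_, name), (old, new) in changed.items():
        print("RETARGETED ", name, ":", old, "->", new)
```

An entry that shows up as added or retargeted after a reboot points at a second component (the "sleeper") that the scanner did not find.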

:angry: How do I set this up? We have a plain vanilla BartPE (no networking). Does this need to be on a pc that already has a TrendMicro product on it, or will Sysclean do the same thing?
The Sysclean Package is a standalone product for non-Trend Micro customers, i.e. it does NOT require a prior version of PC-cillin be installed. As for the BartPE setup, set up a plugin using files something like this:

Sysclean.inf
; **************************************************************************
; *                  Sysclean Plug-In for BartPE                           *
; *                         by Ed Paquette                                 *
; *                         Version 1.0.0                                  *
; **************************************************************************

[Version]
Signature= "$Windows NT$"

[PEBuilder]
Name="TrendMicro Sysclean"
Help="sysclean.htm"
Version=1.0.0
Enable=1

[WinntDirectories]
a="Programs\TrendMicro",2

[SourceDisksFiles]
files\sysclean.com=a,,1
files\readme.txt=a,,1
files\lpt*.zip=a,,1
files\sysclean.cmd=a,,1

[Append]
nu2menu.xml, sysclean_nu2menu.xml

Sysclean_nu2menu.xml

<!-- Nu2Menu entry for TrendMicro Sysclean -->
<NU2MENU>
	<MENU ID="Programs">
		<MITEM TYPE="POPUP" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\TrendMicro\*.*))" MENUID="TrendMicro">TrendMicro Sysclean</MITEM>
	</MENU>
	<MENU ID="TrendMicro">
		<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\TrendMicro\sysclean.com))" CMD="RUN" FUNC="@GetProgramDrive()\Programs\TrendMicro\sysclean.cmd">TrendMicro Sysclean</MITEM>
		<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\TrendMicro\sysclean.com))" CMD="RUN" FUNC="@GetProgramDrive()\Programs\TrendMicro\sysclean.cmd /?">TrendMicro Sysclean help</MITEM>
		<MITEM TYPE="ITEM" DISABLED="@Not(@FileExists(@GetProgramDrive()\Programs\TrendMicro\sysclean.com))" CMD="RUN" FUNC="notepad.exe @GetProgramDrive()\Programs\TrendMicro\Readme.txt">TrendMicro Sysclean Readme.txt</MITEM>
	</MENU>
</NU2MENU>

Sysclean.htm

<html>
<head><title>TrendMicro Sysclean</title></head>
<body bgcolor=white>
<i>PE Builder v3 plugin</i>
<hr>
<h1>TrendMicro Sysclean</h1>
<br>
<pre>
I. Description
	This self-extracting archive is a stand-alone fix package that
	incorporates the Damage Cleanup Engine and Template. It replaces the
	traditional fix tool by addressing a wide variety of system infections
	rather than a specific malware infection.

	This tool supports the following features:
	o   Terminate all malware instances in memory
	o   Remove malware registry entries
	o   Remove malware entries from system files
	o   Scan for and delete all malware copies in all local hard drives

II. File List
	o   sysclean.com - the main executable module
	o   readme.txt   - this file
	o   lpt$vpn.XXX  - downloadable component (see Requirements)

III. Requirements
	1.  Download the latest pattern file lpt$vpn.XXX in ZIP format as
		lptXXX.ZIP from the following location:
		http://www.trendmicro.com/download/pattern.asp

		This file must be saved in the same folder where you run
		this fix package.
	2.  This tool is designed to run under Windows 9x/ME/NT/2000/XP.
	For users running Windows NT 4.0, you need to copy the file, PSAPI.DLL,
	to the Windows system directory, which is usually C:\WINNT\system32.
	You can find the file in the Windows NT 4.0 Setup CD at the
	following locations:
		\Support\Debug\i386\PSAPI.DLL
	3.  This tool needs approximately 48MB of free space in which to run.
</pre>
<b>Sysclean Package:</b> <A HREF="http://www.trendmicro.com/download/dcs.asp">http://www.trendmicro.com/download/dcs.asp</A><br>
<b>Sysclean Readme:</b> <A HREF="http://www.trendmicro.com/ftp/products/tsc/readme.txt">http://www.trendmicro.com/ftp/products/tsc/readme.txt</A><br>
<b>TrendMicro Patterns:</b> <A HREF="http://www.trendmicro.com/download/pattern.asp">http://www.trendmicro.com/download/pattern.asp</A><br>
<br>
<i>TrendMicro Sysclean Plug-In by Ed Paquette </i><br>
<hr>
<i>PE Builder Copyright (c) 2002-2004 Bart Lagerweij. All rights reserved.</i><br>
</body>
</html>

Sysclean.cmd

Title=TrendMicro Sysclean
color 17
MODE CON lines=12 cols=63
cls
echo **************************************************************
echo *             Sysclean Plug-In for BartPE                    *
echo *                    by Ed Paquette                          *
echo *                    Version 1.3.1                           *
echo **************************************************************
echo.
if exist %ramdrv%\TrendMicro\Sysclean.com goto start
mkdir %ramdrv%\TrendMicro
copy "%SystemDrive%\Programs\TrendMicro\sysclean.com" %ramdrv%\TrendMicro
if exist "%SystemDrive%\Programs\TrendMicro\lpt$VPN.*" copy "%SystemDrive%\Programs\TrendMicro\lpt$VPN.*" %ramdrv%\TrendMicro
%ramdrv%
cd \TrendMicro
if exist "%SystemDrive%\Programs\TrendMicro\lpt*.zip" "%SystemDrive%\Programs\7-zip\7z.exe" e "%SystemDrive%\Programs\TrendMicro\lpt*.zip"
:start
%ramdrv%
cd \TrendMicro
%ramdrv%\TrendMicro\Sysclean.com %1

I like this idea but haven't tested these plugin files as yet. I will later tonight. I'll let you know how well they work. :) And if you test them before me, you can tell me how they work.
----------------------
Well, so far, the sysclean.cmd needed fixing and got enhanced. b2cm, I agree that the program doesn't have to be on the menu, but it's darn more convenient to find there. :) The CMD file can be changed to load the files to a folder on the hard drive if that's your desire, and a good option for pcs with low amounts of RAM.
-----------------------
Ok, these have been proven on my system. The main thing that I found is the RAM drive needs to be greater than 32MB to run Sysclean. Even with a fresh boot Sysclean would not run with a 32MB RAM drive, which is the default with BartPE 3.1.3. It runs fine with a 48MB one. One must either change the default or use a plugin to dynamically change the size of the RAM drive. The script I use to change my BartPE RAM drive is:

RAMdrive.cmd

@ECHO OFF
:: solara  http://www.911cd.net/forums//index.php?showtopic=13442&view=findpost&p=85615
:: mod'ed by Ed_P
Title=[RamDrive] Clear-Resize
color 17
setlocal
:: (solara: the line below has a [TAB] and a [SPACE] following delims=)
FOR /F "tokens=2* delims=	 " %%A IN ('REG QUERY "HKLM\System\CurrentControlSet\Services\Ramdriv\Parameters" /v DiskSize') DO SET DiskSize=%%B
Set RamDrive=Unknown
IF %DiskSize% == 0x200000 Set RamDrive=2 MB
IF %DiskSize% == 0x400000 Set RamDrive=4 MB
IF %DiskSize% == 0x800000 Set RamDrive=8 MB
IF %DiskSize% == 0x1000000 Set RamDrive=16 MB
IF %DiskSize% == 0x2000000 Set RamDrive=32 MB
IF %DiskSize% == 0x3000000 Set RamDrive=48 MB
IF %DiskSize% == 0x4000000 Set RamDrive=64 MB
IF %DiskSize% == 0x8000000 Set RamDrive=128 MB
:_Start
cls
ECHO.
ECHO   WARNING!! - Everything on the RamDrive will be lost!
ECHO   Make sure no programs are currently accessing the RamDrive.
ECHO.
ECHO   Current Size of Ramdrive %Temp%= %RamDrive%
ECHO.
ECHO   1. Clear only
ECHO   2. Resize to 2 MB
ECHO   3. Resize to 4 MB
ECHO   4. Resize to 8 MB
ECHO   5. Resize to 16 MB
ECHO   6. Resize to 32 MB
ECHO   7. Resize to 48 MB
ECHO   8. Resize to 64 MB
ECHO   9. Resize to 128 MB
ECHO   0. Exit
ECHO.
SET Choice=
SET /P Choice=  Enter Choice:
IF /I '%CHOICE%' GEQ 'a' GOTO _Start
IF /I '%Choice%'==''  GOTO _Start
IF /I '%Choice%'=='1' GOTO _Clear
IF /I '%Choice%'=='2' Set DiskSize=0x0200000
IF /I '%Choice%'=='3' Set DiskSize=0x0400000
IF /I '%Choice%'=='4' Set DiskSize=0x0800000
IF /I '%Choice%'=='5' Set DiskSize=0x1000000
IF /I '%Choice%'=='6' Set DiskSize=0x2000000
IF /I '%Choice%'=='7' Set DiskSize=0x3000000
IF /I '%Choice%'=='8' Set DiskSize=0x4000000
IF /I '%Choice%'=='9' Set DiskSize=0x8000000
IF /I '%Choice%'=='0' exit
GOTO _Begin
:_Clear
@Echo Off
echo.
echo BEFORE
dir %ramdrv%\
for /D %%f in (%ramdrv%\*) do ( if /i not "%%f" == "%ramdrv%\Documents And Settings" rmdir /s /q "%%f" )
del %ramdrv%\* /q 2>nul 1>nul
echo.
echo AFTER
dir %ramdrv%\
GOTO End
:_Begin
@Echo Off
ECHO.
rem Test for Sherpya's Firefox plugin
set XFireFox=N
if exist "%ramdrv%\Documents And Settings\Default User\Application Data\Mozilla\Firefox\profiles.ini" set XFireFox=Y
%SystemRoot%\system32\devcon disable ramdriv
if errorlevel = 1 goto _ERROR
Reg Add HKLM\System\CurrentControlSet\Services\RamDriv\Parameters /v DiskSize /t REG_DWORD /d %DiskSize% /f
ECHO.
ECHO Re-enabling RAM drive
%SystemRoot%\system32\devcon enable ramdriv
rem If Sherpya Firefox plugin used reload the Documents and Settings folder
if "%XFireFox%" == "N" GOTO End
echo Firefox Firestarter reinitiated.
start /wait %SystemDrive%\Programs\Firefox\FireStarter.exe
echo.
echo RAM drive change complete.
echo.
dir %ramdrv%
GOTO END
:_ERROR
echo.
Echo Unable to change size of RAM drive.
Echo Something is accessing the %ramdrv% drive.
pause
Exit
:End
echo.
echo Press any key to exit.
pause > nul
Exit

Edited by EdP
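A plugin like the one above only works if the paths the .cmd copies from %SystemDrive% match what the .inf actually installs into the PE image. The following is an added example, not Ed Paquette's or PE Builder's code: it resolves each [SourceDisksFiles] entry through [WinntDirectories] and lists every %SystemDrive% path the .cmd references that the plugin does not ship. Both fragments are constructed, modelled on the layout in the post above.

```python
# Cross-check a BartPE plugin: resolve each [SourceDisksFiles] entry of the .inf
# through [WinntDirectories] to its path inside the PE image, then list every
# %SystemDrive% path the plugin's .cmd uses that the .inf does not ship.
# Both fragments are constructed for this example (modelled on the Sysclean
# plugin layout in the thread; not Ed Paquette's actual files).
import configparser
import fnmatch
import re

PLUGIN_INF = r"""
[WinntDirectories]
a="Programs\TrendMicro",2
[SourceDisksFiles]
files\sysclean.com=a,,1
files\readme.txt=a,,1
files\lpt*.zip=a,,1
files\sysclean.cmd=a,,1
"""

# constructed .cmd fragment; 7z.exe is expected from a separate 7-zip plugin
PLUGIN_CMD = r"""
copy "%SystemDrive%\Programs\TrendMicro\sysclean.com" %ramdrv%\TrendMicro
if exist "%SystemDrive%\Programs\TrendMicro\lpt*.zip" "%SystemDrive%\Programs\7-zip\7z.exe" e "%SystemDrive%\Programs\TrendMicro\lpt*.zip"
"""

def shipped_paths(inf_text):
    """Image-relative paths (wildcards allowed) that the .inf installs."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep file-name case
    cp.read_string(inf_text)
    # [WinntDirectories] lines look like  a="Programs\TrendMicro",2
    dirs = {k: v.split(",")[0].strip().strip('"')
            for k, v in cp["WinntDirectories"].items()}
    paths = []
    for src, spec in cp["SourceDisksFiles"].items():
        letter = spec.split(",")[0].strip()   # destination directory letter
        name = src.rsplit("\\", 1)[-1]        # drop the files\ source prefix
        paths.append(dirs[letter] + "\\" + name)
    return paths

_REF = re.compile(r'%SystemDrive%\\([^\s"]+)')

def unshipped_references(cmd_text, shipped):
    """Paths the .cmd reads from the image that no .inf entry provides."""
    refs = sorted(set(_REF.findall(cmd_text)))
    return [r for r in refs
            if not any(fnmatch.fnmatchcase(r.lower(), p.lower()) for p in shipped)]
```

With the constructed input the only unshipped reference is the 7-zip extractor, which is exactly the cross-plugin dependency the .cmd relies on to unpack lpt*.zip.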

Thanks Ed. Unless you want Sysclean on the menu, you can just copy Sysclean and the latest definition file to anywhere on the BartPE CD. Once BartPE is loaded, copy it to anywhere on the hard drive and run it from there. The lpt$vpn file must be where the sysclean executable is.
