Another SDBot passing Avast

It's a trojan/worm/virus that overwrites sfc.dll, which is a legitimate file. Then Avast detects sfc.dll as a virus, but it must not be deleted, otherwise Windows will not load on the next boot. It installs itself as a service named "Windows Bluetooth blah blah" something. How do I trace how this file (bttray.exe) infiltrated our network?

Infected File: http://rapidshare.com/files/45302814/bttray.rar

Ask the admin to scan the network.

You should have a copy of sfc.dll in c:\windows\system32\dllcache\ that, if not also infected, could be used to fix this. But you should upload the file detected as malware to Virus Total first to make sure this isn't a false positive.

http://www.virustotal.com/

BTW, there is a valid bluetooth service that uses a file named bttray.exe to put an icon in your system tray.

The infected unit cannot have a Bluetooth service; it's a NetVista server without a USB port. SDBot has already infiltrated our network; who knows where it came from and where it comes into our network. We have already reinstalled our PDC and BDCs, rescanned all clients, disabled USB access and tightened internet access. For a week there was no sign of activity, then it pops out in the open again.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

After posting the ComboFix log Click here to download HJTsetup.exe

1. Save HJTsetup.exe to your desktop.
2. Double-click on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
9. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this thread and paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

ComboFix 07-07-30.2 - "xxxxxxx" 07/31/2007 10:30:04.1 [GMT 8:00] - NTFS
Microsoft Windows 2000 Advanced Server 5.0.2195.4.1252.1.1033.18.True

((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))

2007-07-31 10:29 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-31 09:25 1,376,079 --a------ C:\ComboFix.exe
2007-07-30 09:38 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_378.dat
2007-07-28 12:53 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_470.dat
2007-07-25 09:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_504.dat
2007-07-25 09:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_464.dat
2007-07-25 09:19 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_38c.dat
2007-07-24 13:16 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_43c.dat
2007-07-24 13:15 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_37c.dat
2007-07-24 10:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_430.dat
2007-07-24 10:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_384.dat
2007-07-18 17:22 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-07-18 13:48 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_438.dat
2007-07-18 13:47 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5e4.dat
2007-07-18 13:47 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_39c.dat
2007-07-18 13:38 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_424.dat
2007-07-18 13:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5e8.dat
2007-07-18 13:37 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_350.dat
2007-07-10 09:30 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_440.dat
2007-07-10 09:08 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1e8.dat
2007-07-10 08:58 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-07-10 08:43 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_638.dat
2007-07-09 17:22 617,840 --a------ C:\Windows2000-KB935966-x86-ENU.EXE
2007-07-07 03:03 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_618.dat
2007-07-07 03:03 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_448.dat
2007-07-05 13:15 d--h----- C:\WINNT\msdownld.tmp
2007-07-03 13:31 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5f4.dat
2007-07-03 13:27 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3f4.dat
2007-07-03 13:23 311,296 --ah----- C:\DOCUME~1\ITDSetup\NTUSER.DAT
2007-07-03 13:23 d-------- C:\DOCUME~1\ITDSetup\FrontPageTempDir
2007-06-30 08:46 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_614.dat
2007-06-30 07:42 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_808.dat
2007-06-29 15:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_630.dat
2007-06-29 15:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_44c.dat
2007-06-29 11:00 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_a20.dat
2007-06-29 08:23 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_698.dat
2007-06-28 16:17 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4e0.dat
2007-06-28 16:15 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6c0.dat
2007-06-28 16:15 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3c0.dat
2007-06-28 16:12 d--h-c--- C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-06-28 16:11 d-------- C:\Program Files\MSXML 4.0
2007-06-28 13:35 d-------- C:\WINNT\system32\SoftwareDistribution
2007-06-27 13:04 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4c8.dat
2007-06-27 10:52 d-------- C:\WINNT\DWRCS Uploads
2007-06-14 03:03 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4f4.dat
2007-06-14 03:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_68c.dat
2007-06-13 13:01 54,032 --a------ C:\WINNT\system32\mpr.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

06/21/05 01:28p 271 ---h----- C:\Program Files\desktop.ini
06/21/05 01:28p 21952 ---h----- C:\Program Files\folder.htt
06/01/07 08:41a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6a8.dat
06/01/07 08:41a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_51c.dat
05/28/07 08:57a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4d4.dat
05/28/07 08:56a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6b4.dat
05/26/07 03:06a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_674.dat
05/25/07 09:59a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_154.dat
05/25/07 08:30a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4fc.dat
05/24/07 02:43p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_518.dat
05/23/07 04:25a 8459224 --a------ C:\owc10.exe
05/22/07 10:59a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_688.dat
05/22/07 10:59a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_510.dat
05/22/07 10:10a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_1ec.dat
05/22/07 08:34a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_544.dat
05/22/07 08:34a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_48c.dat
05/22/07 08:33a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_380.dat
05/22/07 01:23p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6b0.dat
05/21/07 11:15a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4d8.dat
05/21/07 11:06a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_948.dat
05/21/07 10:58a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3b4.dat
05/21/07 10:44a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_52c.dat
05/17/07 08:00a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_694.dat
05/17/07 08:00a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3b0.dat
05/16/07 03:40p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_5bc.dat
05/16/07 03:39p 15872 --------- C:\WINNT\system32\sophosboottasks.exe
05/15/07 10:00p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_684.dat
05/15/07 08:11a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_520.dat
05/15/07 03:59p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3a4.dat
05/15/07 03:27p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_690.dat
05/15/07 02:06p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4b8.dat
05/15/07 02:06p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3a8.dat
05/11/07 08:10a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_394.dat
05/11/07 08:10a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_24c.dat
05/11/07 05:46p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_868.dat
05/11/07 05:43p 82432 --a------ C:\WINNT\system32\msxml4r.dll
05/11/07 05:20p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2fc.dat
05/11/07 03:32p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_388.dat
05/11/07 03:32p 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_250.dat
05/10/07 11:08a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_248.dat
05/10/07 08:15a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_398.dat
05/10/07 08:15a 16384 --a----t- C:\WINNT\system32\Perflib_Perfdata_254.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [11/18/03 02:33a C:\WINNT\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-02-23 09:19:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-06-22 09:31:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"disallowrun"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"=command
"2"=command.com
"3"=winpatch.exe
"4"=x.exe
"5"=msnull32.exe
"6"=irn.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 aar1210;aar1210;C:\WINNT\system32\drivers\aar1210.sys
R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004058);C:\WINNT\system32\Drivers\NHOSTNT1.SYS
R1 SAVOnAccess Control;SAVOnAccess Control;\??\C:\WINNT\system32\Drivers\savonaccesscontrol.sys
R1 SAVOnAccess Filter;SAVOnAccess Filter;\??\C:\WINNT\system32\Drivers\savonaccessfilter.sys
R2 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
R2 DWMRCS;DameWare Mini Remote Control;C:\WINNT\SYSTEM32\DWRCS.EXE -service
R2 IISADMIN;IIS Admin Service;C:\WINNT\system32\inetsrv\inetinfo.exe
R2 MSFTPSVC;FTP Publishing Service;C:\WINNT\system32\inetsrv\inetinfo.exe
R2 MSSEARCH;Microsoft Search;"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"
R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004058);"C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE"
R2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINNT\system32\inetsrv\inetinfo.exe
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004058) (NHOSTNT3);C:\WINNT\system32\Drivers\NHOSTNT3.SYS
R3 RT2400;RT2400 Wireless Driver;C:\WINNT\system32\DRIVERS\RT2400.sys
R3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;C:\WINNT\system32\DRIVERS\yk50x86.sys
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv

Contents of the 'Scheduled Tasks' folder
2007-07-30 22:00:00 C:\WINNT\Tasks\Daily.job - C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 10:30:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\25FB6C90ABD679A499936B2CE47483FB\Usage]
"SAVService"=dword:36ff93d8

scanning hidden files ...

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

Completion time: 07/31/2007 10:31:00

--- E O F ---

There's nothing obvious in the ComboFix log.

In addition to the HijackThis log mentioned above, please also post a Virus Total scan of sfc.dll.

Since the link to bttray.rar scans clean with Dr. Web, you might want to submit the exe to Virus Total too.

Here are the Virus Total results for bttray.rar:

Antivirus Version Last Update Result
AhnLab-V3 2007.7.31.1 2007.07.31 -
AntiVir 7.4.0.54 2007.07.30 Worm/Sdbot.635904
Authentium 4.93.8 2007.07.30 W32/Backdoor.BKPG
Avast 4.7.997.0 2007.07.30 Win32:Sdbot-4879
AVG 7.5.0.476 2007.07.30 SHeur.CUK
BitDefender 7.2 2007.07.31 Backdoor.SDBot.DEUQ
CAT-QuickHeal 9.00 2007.07.30 Backdoor.SdBot.bhk
ClamAV 0.91 2007.07.31 Trojan.SdBot-6622
DrWeb 4.33 2007.07.31 -
eSafe 7.0.15.0 2007.07.29 Win32.SdBot.bhk
eTrust-Vet 31.1.5018 2007.07.31 -
Ewido 4.0 2007.07.30 Backdoor.SdBot.bhk
FileAdvisor 1 2007.07.31 -
Fortinet 2.91.0.0 2007.07.31 -
F-Prot 4.3.2.48 2007.07.30 W32/Backdoor.BKPG
F-Secure 6.70.13030.0 2007.07.31 Backdoor.Win32.SdBot.bhk
Ikarus T3.1.1.8 2007.07.30 Backdoor.VB.EV
Kaspersky 4.0.2.24 2007.07.31 Backdoor.Win32.SdBot.bhk
McAfee 5086 2007.07.30 W32/Nirbot.worm
Microsoft 1.2704 2007.07.30 -
NOD32v2 2429 2007.07.30 IRC/SdBot
Norman 5.80.02 2007.07.30 -
Panda 9.0.0.4 2007.07.31 Bck/IRCBot.BAN
Rising 19.34.10.00 2007.07.31 -
Prevx1 V2 2007.07.31 Generic.Malware
Sophos 4.19.0 2007.07.26 -
Sunbelt 2.2.907.0 2007.07.31 Backdoor.Win32.SdBot.bhk
Symantec 10 2007.07.31 W32.Spybot.Worm
TheHacker 6.1.7.159 2007.07.31 Backdoor/SdBot.bhk
VBA32 3.12.2.2 2007.07.30 Backdoor.Win32.SdBot.bhk
VirusBuster 4.3.26:9 2007.07.30 Worm.Rbot.OGL
Webwasher-Gateway 6.0.1 2007.07.31 Worm.Sdbot.635904

Additional information
File size: 628141 bytes
MD5: 7a163915a4a36edfc1d788a2311e46e6
SHA1: 6e5826205ae8648bde2ec42a12a7092109d5ce9c
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=CCCC7B5E00ADAC29B412099E1FCC3600FDBBC8CF

Please get me Virus Total scans for

C:\WINNT\system32\sfc.dll

and

C:\WINNT\system32\dllcache\sfc.dll

How many computers are in your network? Will you be in a position to isolate them during the cleaning process to prevent reinfection? And just to confirm, what is the OS?

Got another one that my company was hit with. Avast was one of the few that didn't catch it as of 7/31 from VirusTotal.com. Sophos (which had the best details on it) detects it as W32/Sdbot-DGJ. Google for all the info.

Checked it on jotti as well:

A-Squared Found Backdoor.Win32.SdBot.bku
AntiVir Found TR/Agent.648704
ArcaVir Found Trojan.Sdbot.Bku
Avast Found nothing
AVG Antivirus Found SHeur.BEF
BitDefender Found Backdoor.Agent.YTM
ClamAV Found Trojan.SdBot-6612
CPsecure Found BackDoor.W32.SdBot.bku
Dr.Web Found BackDoor.IRC.Sdbot.1705
F-Prot Antivirus Found W32/Backdoor.BJHE
F-Secure Anti-Virus Found Backdoor:W32/SdBot.BLA, Backdoor.Win32.SdBot.bku

Hi Ken,

What is the file name/path of your detection?

If you need help with this please start a new thread with a Combofix and HijackThis log. Is your sfc.dll also infected?

We have 300+ computers. So far the virus has not been active for weeks, but using ComboFix I found other worms/viruses that are unknown to Avast. Remove the .jpg extension from the attached file so it can be added to the Avast virus database.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:45:45 AM, on 8/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\explorer.exe
C:\ProcessExplorer\procexp.exe
C:\WINNT\system32\msiexec.exe
C:\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;
O1 - Hosts: 172.16.30.48 DATASRV
O1 - Hosts: 172.16.30.20 manila-nt
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-21-960170764-1050178008-1734353810-2650..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SQLService')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183016585287
O17 - HKLM\System\CCS\Services\Tcpip..{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe


End of file - 4640 bytes

Apparently unknown to Sophos as well ... :)

The ComboFix log you posted earlier doesn't show any detections. Were the detected files newly found on the same computer or on a different computer?

From what I've seen so far this has worm capability, so it's likely you will find it on many of the computers in your network. With 300 boxes you may need to decide which to clean and which to reformat. I mean, it's entirely possible to clean them all, but you may face insurmountable time constraints.

This reminds me very much of a situation I recently worked on in which there was a mix of Windows 2000 and XP Pro boxes. The XP Pro boxes carried the infection without showing symptoms. Could this be the case for your network?

I would still like to see Virus Total scans for

C:\WINNT\system32\sfc.dll

because I would like to know what infection is there, and

C:\WINNT\system32\dllcache\sfc.dll

because we need to find a clean copy of the file either on this computer or elsewhere.

EDIT: I can't download the file you attached. It would be better if you email it to virus(at)avast.com anyway.

Do you recognize the addresses in these lines?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;
O1 - Hosts: 172.16.30.48 DATASRV
O1 - Hosts: 172.16.30.20 manila-nt
O17 - HKLM\System\CCS\Services\Tcpip..{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24

It looks like your own network but do you handle your own DNS?
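The check the helper is asking for above ("do you recognize these addresses?") can be done mechanically over the HijackThis log. This is an added example, not code from the thread or from HijackThis: it pulls every IPv4 address out of the R1 (proxy), O1 (hosts file) and O17 (DNS) lines and flags any that fall outside the ranges the organisation owns. The sample log is constructed from the lines quoted in the thread plus one fabricated O1 entry with an outside address; the trusted range 172.16.0.0/16 is an assumption based on the poster's own addresses.

```python
"""Flag HijackThis R1/O1/O17 addresses that are not on the organisation's own networks."""
import ipaddress
import re

# Constructed sample: the five lines quoted in the thread plus one fabricated
# O1 entry (203.0.113.7 is a documentation address, not a real host).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;
O1 - Hosts: 172.16.30.48 DATASRV
O1 - Hosts: 172.16.30.20 manila-nt
O1 - Hosts: 203.0.113.7 intranet-portal
O17 - HKLM\System\CCS\Services\Tcpip..{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24
"""

# HijackThis sections whose values are network addresses worth checking:
# R1 = IE proxy settings, O1 = hosts-file entries, O17 = DNS servers.
ADDRESS_SECTIONS = ("R1 - ", "O1 - ", "O17 - ")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_addresses(log_text, trusted_networks):
    """Return one finding per IPv4 address found in an R1/O1/O17 line.

    trusted_networks: CIDR strings the organisation owns (assumed here to be
    172.16.0.0/16 for the poster).  Loopback is always trusted because a
    hosts entry for 127.0.0.1 is normal.  Wildcards such as "172.16.*" in
    ProxyOverride are not full addresses and are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        if not line.startswith(ADDRESS_SECTIONS):
            continue
        section = line.split(" - ", 1)[0]          # "R1", "O1" or "O17"
        for text in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:                     # e.g. an octet above 255
                continue
            trusted = addr.is_loopback or any(addr in net for net in nets)
            findings.append({
                "section": section,
                "address": text,
                "trusted": trusted,
                "line": line.strip(),
            })
    return findings


def unknown_addresses(log_text, trusted_networks):
    """Addresses that need an explanation from whoever runs the network."""
    return sorted({f["address"]
                   for f in triage_addresses(log_text, trusted_networks)
                   if not f["trusted"]})


if __name__ == "__main__":
    for f in triage_addresses(SAMPLE_HJT_LOG, ["172.16.0.0/16"]):
        flag = "ok     " if f["trusted"] else "UNKNOWN"
        print(f"{flag} {f['section']:<3} {f['address']:<16} {f['line']}")
```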

Yes, we have our own DNS server. They're valid addresses. The worms detected came from other units. sfc.dll was copied from a different clean unit.

SFC Dll: http://rapidshare.com/files/46654406/sfc.zip
Worms passing Avast: http://rapidshare.com/files/46654424/variants.zip

In Windows XP, if c:\windows\system32\sfc.dll goes missing a copy will immediately be retrieved from c:\windows\system32\dllcache. I believe Windows 2000 will do the same, but I do not have a Windows 2000 computer to test this on. So, put a known clean, known compatible copy of sfc.dll in C:\WINNT\system32\dllcache\ and then rename C:\WINNT\system32\sfc.dll to C:\WINNT\system32\sfc.old. If my theory is correct you will now find a clean sfc.dll in the same directory (probably at the bottom of the list); if not, you will have to copy it there after the rename.

We are doing this because I would now like you to run ComboFix and SDFix on the infected machine(s), and post both logs. My concern is that if C:\WINNT\system32\sfc.dll gets re-infected before these programs are run, then deletion by either of these programs without having a clean replacement could give you boot problems. Ideally this deletion will occur and Windows will automatically replace the deleted file with the clean one you put in the dll cache. But check manually before the reboot.

Here’s a link and directions for SDFix:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically C:\SDFix). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Also, keep in mind that the computers must be isolated, the clean ones from the infected ones, in order to prevent reinfection.

EDIT: Corrected some file paths.
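The sfc.dll procedure above hinges on knowing which of the two copies (system32 and dllcache) still matches the clean copy taken from another unit, both before the rename and again before the reboot. This is an added example, not code from the thread or from any of the tools it mentions: it hashes the live copy, the dllcache copy and the clean reference with SHA-1 and maps the outcome to the step the helper describes. The directory names follow the thread's Windows 2000 paths; the Windows File Protection restore behaviour is the helper's assumption, not something this script verifies.

```python
"""Decide the next sfc.dll repair step from SHA-1 hashes of the live, dllcache and clean copies."""
import hashlib
import sys
from pathlib import Path

STATUS_CLEAN, STATUS_MISMATCH, STATUS_MISSING = "clean", "mismatch", "missing"


def sha1_bytes(data):
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path):
    """SHA-1 hex digest of a file, read in chunks; None if the file is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha1()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _status(digest, clean_sha1):
    if digest is None:
        return STATUS_MISSING
    return STATUS_CLEAN if digest.lower() == clean_sha1.lower() else STATUS_MISMATCH


def plan_sfc_repair(live_sha1, dllcache_sha1, clean_sha1):
    """Map the status of both copies to the step the thread prescribes.

    live_sha1 / dllcache_sha1 may be None when that file does not exist.
    """
    live = _status(live_sha1, clean_sha1)
    cache = _status(dllcache_sha1, clean_sha1)
    if live == STATUS_CLEAN and cache == STATUS_CLEAN:
        action = "none"
    elif live == STATUS_CLEAN:
        # The live file is fine, but a later WFP restore would bring back the bad cached copy.
        action = "replace_dllcache_copy"
    elif cache == STATUS_CLEAN:
        # Rename live sfc.dll to sfc.old; WFP should restore the clean cached copy.
        # Re-run this check before rebooting to confirm it actually did.
        action = "rename_live_then_verify"
    else:
        # Neither copy is trustworthy: seed dllcache with the clean copy first.
        action = "seed_dllcache_then_rename_live"
    return {"live": live, "dllcache": cache, "action": action}


def assess_sfc(system32_dir, dllcache_dir, clean_copy):
    """File-system front end: hash both installed copies and the clean reference."""
    clean = sha1_file(clean_copy)
    if clean is None:
        raise FileNotFoundError(f"clean reference copy not found: {clean_copy}")
    return plan_sfc_repair(
        sha1_file(Path(system32_dir) / "sfc.dll"),
        sha1_file(Path(dllcache_dir) / "sfc.dll"),
        clean,
    )


if __name__ == "__main__":
    # Typical invocation on the Windows 2000 paths from the thread:
    #   sfc_check.py C:\WINNT\system32 C:\WINNT\system32\dllcache D:\clean\sfc.dll
    if len(sys.argv) != 4:
        sys.exit("usage: sfc_check.py <system32_dir> <dllcache_dir> <clean_sfc.dll>")
    print(assess_sfc(*sys.argv[1:]))
```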