I did deploy Avast with my very own two hands and ten fingers…
In our country, computer science teachers do everything; as you probably noticed, I’m just an “amateur”. I have a tiny education in Computer Science. I studied Chemistry at the university; in the late 70’s, when the computers were just an idea…
Your Distributed Network Manager look like a great software. I didn’t see the prices.
We have no Windows Server (just Samba Linux PDC) and Win2k/XP workstations. Should it work?
Autorun.exe analysis by Virustotal:
Complete scanning result of "Autorun.exe", received in VirusTotal at 04.06.2007, 14:49:14 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.5.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.06.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.05.2007 no virus found
AVG 7.5.0.447 04.05.2007 no virus found
BitDefender 7.2 04.06.2007 no virus found
CAT-QuickHeal 9.00 04.05.2007 no virus found
ClamAV devel-20070312 04.06.2007 no virus found
DrWeb 4.33 04.06.2007 no virus found
eSafe 7.0.15.0 04.06.2007 no virus found
eTrust-Vet 30.7.3546 04.06.2007 no virus found
Ewido 4.0 04.06.2007 no virus found
FileAdvisor 1 04.06.2007 No threat detected
Fortinet 2.85.0.0 04.06.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.06.2007 no virus found
Ikarus T3.1.1.3 04.06.2007 Trojan-PWS.Legmir
Kaspersky 4.0.2.24 04.06.2007 no virus found
McAfee 5002 04.05.2007 no virus found
Microsoft 1.2405 04.06.2007 no virus found
NOD32v2 2171 04.06.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.06.2007 no virus found
Prevx1 V2 04.06.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.03.2007 no virus found
Symantec 10 04.06.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.04.2007 Trojan.PWS.Legmir
VirusBuster 4.3.7:9 04.05.2007 no virus found
Webwasher-Gateway 6.0.1 04.06.2007 no virus found
But… 90 Professional versions bought?
The ADNM has the necessary tools to deploy avast installation in a network of workstations without server.
I’m sorry this is taking so long, ymai. If this was a single computer or two we would be done already.
I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card. Do you know if either of these are present?
There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates. This will also do on more check for malware.
Download ComboFix from Here or Here to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.
After this scan we should be able to proceed with cleaning.
Please don’t. I have been at work the whole afternoon. The Internet connexion was really awful. It was not possible to come back here.
I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card. Do you know if either of these are present?You hit it!! This is my only workstation with a Soltek motherboard. The original motherboard has gone out of use two years ago. It was then replaced. I didn't find any other autorun.exe file on any other computer.
There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates. This will also do on more check for malware.
I’m afraid my wife won’t let me go to school during the easter weekend. You’ll have a rest.
I have good news. It seems that the infection is rather recent as computers that have not been used during the week between march 19 and march 23 are out of problem. That’s a huge number: around 35-40 workstations.
HijackThis find the mpn.exe in the register on most other computers. No real difficulty to get rid of it. Then, reboot the computer and rename the mpn.exe to mpn.exe.bak
I had one really resistant computer that freezed when I tried to launch any program. Fortunately, I have a Ghost image dating from February! I used it. I’ll just have to look twice for the Windows and Avast updates.
I didn’t have time enough to perform an Avast boot scan on all the “cured” PC’s.
The only question, for the moment, seems to be: where does that mpn.exe come from? Is the source still somewhere on the LAN. Is an Avast scan able to find it?
I have three days to think and search for the answer.
Many, many thanks again for your work.
Certainly not. The Linux workstations are protected with ClamAv.
The windows workstations that are not connected to the Internet are protected with ClamWin.
Some others use another commercial antivirus. But Avast is our favorite.
The ADNM has the necessary tools to deploy avast installation in a network of workstations without server.
[/quote]
Good to know that.
Good for her. Easter should be a time of rest.
This is something of a guess but it seems logical to me. The entry point was the old version of VNC - this allowed a hacker into the LAN. The u.exe file (or m.exe in some cases) was downloaded and, as you saw on your own computer, u.exe acted as either an installer or downloader for mpn.exe. I suspect if you had not caught this when you did additional files would have been downloaded as well.
Is the source still on your computer(s)? If you have updated VNC on all the computers and removed u.exe (or possibly other single-letter.exe files) I think not.
I will give you two fixes that you can choose from. I tend to favor automatic (program based) fixes over manual but, as you said, with the number of computers you’re working with the manual option may be the way to go.
Option 1
Schedule an avast! boot scan, including archives. Reboot and let the scan run, putting in quarantine anything found.
When done make sure your folder options are set to Show Hidden Files and Folders. Then check your root directory for u.exe and m.exe. Delete these if present.
If there are any other unusual files in the root upload to Virus Total to determine if they too should be deleted.
Option 2
This method poses some risk if done incorrectly but I’m sure you are capable of using it safely. Keep in mind that this is specific to the exact hijackthis line listed below - if you see lines that differ post a copy so I can look at it.
Open Hijackthis and click the button labled Do a System Scan Only. When the scan is finished place a check mark next to this line
O4 - HKLM..\Run: [MPNet] C:\WINNT\system32\mpn.exe
Then click the button labled Fix Checked. This will remove the start up entry from the registry but the file will still be present.
Next, boot into safe mode and delete this file
C:\WINNT\system32\mpn.exe
Finally, make sure your folder options are set to show Hidden Files and Folders and check your root directory for u.exe and m.exe. Delete these if present.
If there are any other unusual files in the root upload them to Virus Total to determine if they too should be deleted.
If you run into any other unusual circumstances or suspect files please feel free to post again. I would also be very interested in occasional progress reports if you don’t mind.
Also keep in mind the laptops you mentioned may have been compromised as well. They should be checked before they are allowed back on the LAN.
mauserme, you’re really a saver. Thanks to you, the solution arises…
Unfortunately, not for lambs we are used to eat for easter in our tradition.
The entry point was the old version of VNC - this allowed a hacker into the LAN.So, first of all, I'll update VNC. I saw the installed version is 4.1.0 almost everywhere. But I certainly installed several 4.1.1 versions recently, as I found that installation file version on my installation directory.
When done make sure your folder options are set to Show Hidden Files and Folders.It's the default situation.
Then check your root directory for u.exe and m.exe. Delete these if present.Just what I did this afternoon.
O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exeI feel like a 04 - HKLM... killer. That's what i made before deleting u.exe files (no m.exe files found on my LAN; I found it @home)
If you run into any other unusual circumstances or suspect files please feel free to post again.Great! You are great.
I would also be very interested in occasional progress reports if you don't mind.It will be my pleasure. But next week.
Also keep in mind the laptops you mentioned may have been compromised as well. They should be checked before they are allowed back on the LAN.I'll send a mail to all my colleagues, for Merry Easter and Happy Malware Fighting. Merry Easter to you.
Nor for the cooks, but that effort is excusable 
... no m.exe files found on my LAN; I found it @homeThe m.exe file is probably a different situation on your daughter's computer. I hadn't given it much thought since you said you would reformat that one, but if you want to avoid that I would be happy to look at her Hijackthis log.
Merry Easter to you.And to you ymai. See you next week :)
I promised to come back. So, there am I.
Unfortunately, I don’t have good news.
I scratched all the VNC 4.1.0 (yes, 4.1.0) and installed 4.1.2 versions instead.
I tried to update Windows. Some PC’s don’t seem to want updating. Maybe because of a too narrow Internet bandwidth. Not sure because of an hyperactive worm activity: the router doesn’t look too busy.
Nevertheless, I tried to cure each computer with HijackThis for the mpn.exe key. I halted all mpn.exe processes in the taskmanager (sometimes one occurrence, sometimes two). Then, I shift+Deleted the mpn.exe in the System32 directory and any U.exe file.
A few minutes later, they are all back: in the registry, in the taskmanager and in the System32 directory.
I tried to reboot the computers just after the cleaning. They are always back with that #@%!!$@ mpn.exe
There must be some kind of zombie on the LAN waiting for infecting other computers.
Because we must be back to business next monday, I’m afraid I won’t be able to solve the problem by myself, even with your invaluable help. I need a professional with hands on my LAN.
One more time, many, many thanks for your help.
So many computers … So little time …
I think deleting from safe mode might have worked as they wouldn’t have loaded into memory but I understand the constraints you’re under. I will miss the challenge
Mmmmhhhh… You’d better bet on a good horse.
I’ll try, but if the Windows update doesn’t work, I’m afraid the worm will come back at the first boot on the LAN.
I shall come back.
Keep the computers isolated - all turned off except the one you are working on.
For all those who are still interested for this topic…
We found that the
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
subdirectories of the infected computers contains plenty of copies of the mpn.exe file. We just Shift+Deleted them.
We have been working one day and a half with a professional tech to cure about 30 computers. For some of them, it was rather difficult to eliminate the mpn.exe file. Coming back again and again and again.
The advices of Mauserme work (For he’s a jolly good fellow).
At the present moment, the mpn.exe doesn’t seem to come back after:
- kill mpn.exe in the task manager
- shift+delete mpn.exe in the system32 directory
- when present, shift+delete U.exe file in the c:\ directory
- eliminate mpn.exe in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key of the registry
- shift+delete the subdirectories of C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
- reboot
- update Windows
Still superinfection problems (DriveCleaner or other commercial popups) on some computers. But I think this will be rather easy to eliminate.
Thanks for the update ymai. I wish I was able to be there helping
When you have things well under control you may want to try running Rogue Remover against your Drive Cleaner problem. It may help