The AV engine found these:
Hacktool.Rootkit
Infostealer
Trojan Horse
Trojan.Dropper
W32.Aimdes.C@mm
I should note the AV engine was not Avast.
Afterwards I could not load Avast or any other AV, or tools such as regedt32, Sysinternals Process Explorer, HijackThis, etc. No policies were written. I could run regedt32 remotely and found nothing in the Run entries and such.
I found the problem in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. This had all the files you could think of connected to AV, spyware tools and other utilities, each linked to "Debugger"="ntsd -d". This is a Win2k debugger file.
I also had a folder I386 on the system drive which is not in the images we use. It was 1.1 GB in size and half an uncompressed WinXP install, with a slew of .mof files such as 2AA23BB86A5EBD8BC2D820944E55B233.mof.
I exported a clean copy of the "HKLM\...\Windows NT\CurrentVersion\Image File Execution Options" key from a good PC and imported the good one remotely. Once this was done I regained control of the infected PC. I should mention I had hand-cleaned the PC of infected files that were left over after the AV scan beforehand.
My first step is to use Process Explorer to see what is going on in the background and see if I can shut down the active files causing the problems by getting a handle on the system. Only this time I couldn't open it. I haven't tried renaming it to see if it will open. I will import the bad reg back in and see if this works. I assume it will.
I am alarmed that an infected PC appears to have downloaded over 1 GB of files across our network. This XP install copy came from an OEM Dell disk with most of the OEM stuff stripped out.
If anyone is interested I have the registry entries and info backed up, including a text file listing of the folder and the entire I386 folder, minus viruses of course.
If we had used Avast none of this would have been a problem. It seems to me that over the last several months the payloads have been changing. This particular one allowed the PC to operate normally for the user, but it killed SAP and ACAD, thereby alerting the user to a problem.
Roger Berning
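The blocking technique Roger describes (malware planting a "Debugger" value under each tool's Image File Execution Options subkey so that launching the tool runs the debugger instead) can be checked offline against an exported copy of that key, the same kind of .reg export he pulled from the good and bad machines. The script below is an added example and is not code from Roger's post or from any product mentioned on the page: it parses a .reg export, lists every IFEO subkey carrying a Debugger value, and generates a .reg file that deletes just those values. The sample export embedded in it is constructed for the example, and the image names in it (procexp.exe, ashAvast.exe, regedt32.exe) are assumptions chosen to mirror the tools mentioned above, not values taken from the infected machine. Any Debugger entry it lists still needs a human decision, because developers legitimately use this key to attach a real debugger to their own programs.

```python
"""Find IFEO "Debugger" hijacks in an exported .reg file and build a cleanup .reg.

Usage: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
       then feed the file's text to find_debugger_hijacks(). Exports are UTF-16; decode before parsing.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Constructed sample export (assumed image names) mimicking what reg.exe writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="value" with .reg escaping (\\ for backslash, \" for quote)
STRING_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo .reg string escaping in a single pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a regedit/reg.exe export into {key_path: {value_name: value}}.

    REG_SZ values are decoded; other types (dword:, hex:) are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = STRING_VALUE_RE.match(line)
        if m:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("value"))
        elif "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def find_debugger_hijacks(text):
    """Return sorted (image_name, debugger) pairs for direct IFEO subkeys with a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:  # nested subkeys are not per-image entries
            continue
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((image, value))
    return sorted(hits, key=lambda h: h[0].lower())


def cleanup_reg(hijacks):
    """Build a .reg file that removes only the Debugger value from each listed image subkey.

    "Debugger"=- is regedit's syntax for deleting a value while keeping the key,
    so legitimate settings under the same subkey survive the import.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacks:
        lines += [f"[{IFEO_KEY}\\{image}]", '"Debugger"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_debugger_hijacks(SAMPLE_REG)
    for image, debugger in found:
        print(f"{image}: Debugger = {debugger!r}")
    print(cleanup_reg(found))
```

Run it against a real export by reading the file with `encoding="utf-16"` and passing the text to `find_debugger_hijacks`; review the list, drop any entry you know to be a developer's own debugger setting, and import the generated cleanup file (or the clean export from a known-good machine, as Roger did) before expecting Process Explorer or the AV installer to launch again.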