MSIWA32.exe virus/trojan problem

fmsd91
Posts: 1
Joined: 23 Apr 2007, 17:39


Post by fmsd91 » 23 Apr 2007, 17:40

Hello all!
I recently have a problem with a virus in a domain. The domain controllers run Windows 2000 Advanced Server, one with SP4 and one with SP1. On the one with SP1 we had the Sasser virus; I could 'more or less' remove it. The problem is that now the other domain controller is also infected, with another virus: a virus/trojan, MSIWA32.exe, found by Trend Micro OfficeScan. The anti-virus could not quarantine or even remove the virus.
Now in our office we have a lot of problems with domain login, and the people who can log in to the network have a really slow connection!

I have tried a lot of fixes and antivirus/antispyware tools, but nothing has worked so far.
I ran HijackThis and here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 15:04:18, on 23/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:


C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
C:\Program Files\CA\BrightStor ARCserve Backup\RDS.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\casmrtbk.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CA\BrightStor ARCserve Backup\Mediasvr.exe
C:\Program Files\CA\iGateway\iGateway.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe
C:\Program Files\Software602\602LAN SUITE\lansuits.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\CA\BrightStor ARCserve Backup\caauthd.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LDBServer.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\CA\BrightStor ARCserve Backup\LQServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\TEMP\CYD19F.EXE
C:\Program Files\CA\BrightStor ARCserve Backup\asalert.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
G:\Tools\virus\FIXtool\SysClean.exe
G:\Tools\virus\aswclnr.exe
G:\Tools\virus\aswclnr.tmp
C:\Program Files\Internet Explorer\iexplore.exe
G:\Tools\virus\FxSasser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Tools\virus\FIXtool\VSCANTM.BIN
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - C:\Program Files\Compass\CmpsIE.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = etcte.uab.es
O17 - HKLM\System\CCS\Services\Tcpip\..\{303F4B36-8203-44B4-8C39-EB72C5420DC0}: NameServer = 158.109.55.60,158.109.55.51
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = etcte.uab.es
O17 - HKLM\System\CS1\Services\Tcpip\..\{303F4B36-8203-44B4-8C39-EB72C5420DC0}: NameServer = 158.109.55.60,158.109.55.51
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = etcte.uab.es
O17 - HKLM\System\CS2\Services\Tcpip\..\{303F4B36-8203-44B4-8C39-EB72C5420DC0}: NameServer = 158.109.55.60,158.109.0.1
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: BrightStor AB Database Engine (CASDBEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\DBENG.exe
O23 - Service: BrightStor Discovery Service (CASDiscoverySvc) - Computer Associates - C:\Program Files\Common Files\CA\BrightStor\CADS\casdscsvc.exe
O23 - Service: BrightStor AB Job Engine (CASJobEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\jobeng.exe
O23 - Service: BrightStor AB Message Engine (CASMsgEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\msgeng.exe
O23 - Service: BrightStor AB Service Controller (CASSvcControlSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\caserved.exe
O23 - Service: BrightStor AB Tape Engine (CASTapeEngine) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\tapeeng.exe
O23 - Service: BrightStor AB Domain Server (CASUnivDomainSvr) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\cadiscovd.exe
O23 - Service: CA Remote Procedure Call Server (CATIRPC) - Computer Associates - C:\Program Files\CA\BrightStor ARCserve Backup\Catirpc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe (file missing)
O23 - Service: 602LAN SUITE (lansuits) - Software602 - C:\Program Files\Software602\602LAN SUITE\lansuits.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Exploración en tiempo real de OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Cortafuegos de OfficeScanNT (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Stateless Packet Filtering (PktFilter) - Unknown owner - C:\PktFilter\pktfltsrv\pktfltsrv.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\os2\_root_\tmp\crss.exe" /service (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: stunnel - Unknown owner - C:\stunnel\stunnel-4.11.exe" -service -install (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Zope instance at C:\Program Files\Plone 2\Data (Zope_1884525689) - Unknown owner - C:\Program Files\Plone 2\Zope\bin\PythonService.exe

Can someone help me clean this worm?
Thanks in advance!
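A practitioner reading a log like the one above triages the O23 (service) entries and the running-process list before anything else. The signals worth combining are visible in the post itself: services whose vendor is "Unknown owner", services still registered while their binary is "(file missing)", image paths under a temp or hidden directory (`\TEMP\`, `\tmp\`, `_root_`), stray quoting or arguments left in an ImagePath (`crss.exe" /service`), and executable names one character away from a core Windows process (`crss.exe` versus `csrss.exe`). "Unknown owner" on its own is not enough; legitimate third-party services such as iGateway and the Zope instance show it too. The script below is an added example and not part of the original thread or of HijackThis; the heuristics, the list of core process names to compare against, and the two-signal threshold for services are my own assumptions. The sample lines are a subset copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Lines copied verbatim from the HijackThis log posted above (a subset;
# only the selection is mine, the content is not constructed).
SAMPLE_LOG = r"""
C:\WINNT\system32\lsass.exe
C:\WINNT\TEMP\CYD19F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
O23 - Service: iGateway - Unknown owner - C:\Program Files\CA\iGateway\iGateway.exe
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Program Files\Common Files\System\MSIWA32.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\os2\_root_\tmp\crss.exe" /service (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# Assumed list of core NT-family process names that malware likes to imitate.
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# HJT O23 layout: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A bare drive-rooted path, as printed in the "Running processes" section.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|bin|tmp|dll)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "service" or "process"
    name: str        # service display name or executable basename
    path: str        # image path exactly as printed in the log
    reasons: list


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path: str) -> str:
    """Executable name with HJT's '(file missing)' note and any arguments removed."""
    p = path.replace("(file missing)", "").strip()
    p = p.split('"')[0].strip()          # drop '" /service'-style tails
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def path_reasons(path: str) -> list:
    """Heuristics that apply to any image path, whether a service or a process."""
    low = path.lower()
    reasons = []
    if "\\temp\\" in low or "\\tmp\\" in low or "\\_root_\\" in low:
        reasons.append("image lives in a temp/hidden directory")
    base = basename(path)
    if base not in CORE_NAMES:
        for legit in sorted(CORE_NAMES):
            if edit_distance(base, legit) == 1:
                reasons.append(f"name mimics core process {legit}")
                break
    return reasons


def triage(lines) -> list:
    """Return the log entries a responder should look at first, with reasons."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.group("name", "owner", "path")
            reasons = path_reasons(path)
            if owner == "Unknown owner":
                reasons.append("no vendor/owner recorded")
            if path.endswith("(file missing)"):
                reasons.append("service still registered but binary gone")
            if '"' in path:
                reasons.append("ImagePath carries stray quoting/arguments")
            # Two independent signals are required for services: "Unknown
            # owner" alone is common for legitimate third-party software.
            if len(reasons) >= 2:
                findings.append(Finding("service", name, path, reasons))
        elif PATH_RE.match(line):
            reasons = path_reasons(line)
            if reasons:
                findings.append(Finding("process", basename(line), line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.kind}] {f.name}\n    {f.path}\n    -> " + "; ".join(f.reasons))
```

Run against the sample, this flags the process running from `C:\WINNT\TEMP`, the three orphaned "Unknown owner / file missing" services (MSIWA32.exe, ssl.exe and the r_server entry, which also mimics csrss.exe and sits under an `os2\_root_\tmp` path), and leaves iGateway and tmlisten alone. An orphaned O23 entry means the service registration outlived its binary, so the registry key still needs removing even if the file is already gone; and because the affected host is a domain controller, clean-up of a log like this is a triage step, not a substitute for deciding whether the DC should be rebuilt.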

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 23 Apr 2007, 18:04

See

viewtopic.php?f=13&t=5148

Note: if you wish, you can send the MSIWA32.exe file for analysis following the instructions at: viewtopic.php?f=5&t=45334

regards
ms, 23-04-2007
