Author Topic: Scan picked up virus but path does not exist  (Read 10819 times)


csmith

  • Guest
Scan picked up virus but path does not exist
« on: March 12, 2006, 10:40:01 AM »
Just did a scan on my Win 2000 server and it came up with a virus which it said it could not deal with.

The path/file was given as
C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\Active.WebCam.v5.0.Cracked.WinAll-CPHV\cphv1acw.zip\Active.WebCam.v5.0.Cracked.WinAll-CPHV.part1.rar\crack\WebCam.EXE\[ASPack]

But in fact this structure only goes down as far as
C:\WINNT\system32\os2\

If I drop the full path name into windows explorer it says 'error'

I'm using avast! 4 Server Edition, (2 years) since Oct 05

It actually found two others also at the same time which it put in the chest and I then deleted .. they were

C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\River_Past_Screen_Recorder_v5.0.3_Incl_Keygen-UCF\ucfsr503.zip\keygen.exe

and

C:\WINNT\system32\wbem\ser.exe

Any suggestions about this .....

Thanks

Chris



Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Scan picked up virus but path does not exist
« Reply #1 on: March 12, 2006, 03:07:43 PM »
Well, I'm not sure if it's really a virus (what was the exact malware name reported?) - but it seems that your server is being abused for unauthorized software distribution - there may be a lot of illegal software in these folders.

The path uses reserved filenames (con, prn) and it's not possible to manipulate the files in the ordinary way (e.g. using Explorer). Try to use the command line (cmd.exe) and prefix the path with \\?\ - you should be able to access it that way.
You may want to delete the whole folder C:\WINNT\system32\os2, I think?
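The reserved-name trick igor describes, as an added example (this is not code from the thread or from avast): a small Python checker that flags path components the Win32 name parser treats as DOS device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9; the check is made on the name up to the first dot, with trailing spaces ignored, so "con.txt" and "prn." count too, while a plain "com" does not), picks the directory just above the first such component as the thing to delete, and builds the `\\?\`-prefixed `rd /s /q` command for cmd.exe. The sample path is the one reported in the first post, shortened; the device-name rules are Microsoft's documented Win32 behaviour, and the helper names are my own.

```python
"""Find DOS device names used to hide files and build a \\?\ removal command.

Added example for this thread, not avast code.  POST_PATH is the path from
the first post (shortened); the function names are illustration only.
"""
from __future__ import annotations

# Names the Win32 layer reserves in every directory on Windows 2000 and later.
# COM0 / LPT0 are not reserved; COM1-9 and LPT1-9 are.
RESERVED = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

EXTENDED_PREFIX = "\\\\?\\"   # the literal four characters  \\?\

POST_PATH = r"C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730"


def reserved_component(name: str) -> bool:
    """True if a single path component would be parsed as a device name.

    Win32 looks at the text before the first dot and ignores trailing
    spaces, so 'con.txt', 'PRN.' and 'nul ' are all reserved.
    """
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    return stem in RESERVED


def components(path: str) -> list[str]:
    """Split on backslashes by hand so odd names like 'prn.' survive intact."""
    p = path.replace("/", "\\")
    if p.startswith(EXTENDED_PREFIX):
        p = p[len(EXTENDED_PREFIX):]
    return [c for c in p.split("\\") if c]


def hidden_components(path: str) -> list[str]:
    """Every component that Explorer and ordinary Win32 tools cannot open."""
    return [c for c in components(path) if reserved_component(c)]


def removal_target(path: str) -> str | None:
    """Directory to delete: the parent of the first reserved component,
    i.e. the deepest directory normal tools can still reach.  None when
    the path contains no reserved name."""
    comps = components(path)
    for i, c in enumerate(comps):
        if reserved_component(c):
            return "\\".join(comps[:i]) + ("\\" if i == 1 else "")
    return None


def extended_path(path: str) -> str:
    r"""Prefix an absolute drive path with \\?\ so the Win32 layer skips
    device-name parsing.  The prefix also turns off '..' and '/' handling,
    so the path is rebuilt with backslashes first."""
    comps = components(path)
    if not comps or not comps[0].endswith(":"):
        raise ValueError("extended paths must be absolute, e.g. C:\\...")
    if len(comps) == 1:                      # bare drive: keep the root slash
        return EXTENDED_PREFIX + comps[0] + "\\"
    return EXTENDED_PREFIX + "\\".join(comps)


def cleanup_command(path: str) -> str | None:
    """cmd.exe command that removes the hiding directory tree, or None."""
    target = removal_target(path)
    if target is None:
        return None
    return f'rd /s /q "{extended_path(target)}"'


if __name__ == "__main__":
    print("reserved components:", hidden_components(POST_PATH))
    print("delete with:", cleanup_command(POST_PATH))
```

Run the printed `rd` line from cmd.exe on the affected box; `dir "\\?\C:\WINNT\system32\os2\com\con"` works the same way if you want to list the tree before deleting it.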

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Scan picked up virus but path does not exist
« Reply #2 on: March 13, 2006, 06:44:54 PM »
Looks like something fishy is definitely going on there... The "con" in the pathname is a clear indication that someone/something is trying to HIDE some data on your hard drive... I'd recommend also looking at which TCP/IP ports are open - use e.g. tcpview to get a basic overview http://www.sysinternals.com/Utilities/TcpView.html


Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #3 on: March 16, 2006, 07:41:12 AM »
Am having to split my message as too long for forum ... so please see both parts

YES ... I've definitely been hijacked .... hopefully the information below can help you advise me what to do ......

Have used TCPView (Thanks.. I didn't know of this utility)

and the results are

aspnet.exe:584   TCP   iesf:40000   iesf:0   LISTENING   
ctfmon.exe:684   TCP   iesf:3068   iesf:0   LISTENING   
ctfmon.exe:684   TCP   iesf:31909   iesf:0   LISTENING   
dnsadm.exe:788   TCP   iesf:2200   iesf:0   LISTENING   
eventlog.exe:824   TCP   iesf:8899   iesf:0   LISTENING   
IBackground.exe:1832   TCP   iesf:1052   iesf:0   LISTENING   
IBackground.exe:1832   TCP   iesf:1052   ibackup.com:https   CLOSE_WAIT   
inetinfo.exe:1272   TCP   iesf:ftp   iesf:0   LISTENING   
inetinfo.exe:1272   TCP   iesf:smtp   iesf:0   LISTENING   
inetinfo.exe:1272   TCP   iesf:http   iesf:0   LISTENING   
inetinfo.exe:1272   TCP   iesf:https   iesf:0   LISTENING   
inetinfo.exe:1272   TCP   iesf:1043   iesf:0   LISTENING   
inetinfo.exe:1272   TCP   iesf:9149   iesf:0   LISTENING   
inetinfo.exe:1272   UDP   iesf:1044   *:*      
inetinfo.exe:1272   UDP   iesf:3456   *:*      
inetinfo.exe:740   TCP   iesf:1028   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1032   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1036   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:30001   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1027   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1027   localhost:1028   ESTABLISHED   
inetinfo.exe:740   TCP   iesf:1028   localhost:1027   ESTABLISHED   
inetinfo.exe:740   TCP   iesf:1031   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1031   localhost:1032   ESTABLISHED   
inetinfo.exe:740   TCP   iesf:1032   localhost:1031   ESTABLISHED   
inetinfo.exe:740   TCP   iesf:1035   iesf:0   LISTENING   
inetinfo.exe:740   TCP   iesf:1035   localhost:1036   ESTABLISHED   
inetinfo.exe:740   TCP   iesf:1036   localhost:1035   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1026   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1030   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1034   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:30003   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1025   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1025   localhost:1026   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1026   localhost:1025   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1029   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1029   localhost:1030   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1030   localhost:1029   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1033   iesf:0   LISTENING   
inetinfo.exe:768   TCP   iesf:1033   localhost:1034   ESTABLISHED   
inetinfo.exe:768   TCP   iesf:1034   localhost:1033   ESTABLISHED   
inetservice.exe:892   TCP   iesf:3333   iesf:0   LISTENING   
inetservice.exe:892   TCP   iesf:4068   iesf:0   LISTENING   
inetservice.exe:892   TCP   iesf:41909   iesf:0   LISTENING   
LSASS.EXE:268   UDP   iesf:isakmp   *:*      
msdtc.exe:1284   TCP   iesf:1042   iesf:0   LISTENING   
mstask.exe:1064   TCP   iesf:1037   iesf:0   LISTENING   
scvhost.exe:1056   TCP   iesf:8787   iesf:0   LISTENING   
sqlservr.exe:992   TCP   iesf:ms-sql-s   iesf:0   LISTENING   
sqlservr.exe:992   UDP   iesf:ms-sql-m   *:*      
svchost.exe:440   TCP   iesf:epmap   iesf:0   LISTENING   
svchost.exe:440   UDP   iesf:epmap   *:*      
System:8   TCP   iesf:microsoft-ds   iesf:0   LISTENING   
System:8   TCP   iesf:1045   iesf:0   LISTENING   
System:8   TCP   iesf:http   firewall.conserveschool.org:64038   ESTABLISHED   
System:8   TCP   iesf:http   firewall.conserveschool.org:64040   TIME_WAIT   
System:8   TCP   iesf:http   firewall.conserveschool.org:64052   ESTABLISHED   
System:8   TCP   iesf:http   c-24-14-148-204.hsd1.il.comcast.net:59342   TIME_WAIT   
System:8   TCP   iesf:http   c-24-23-4-210.hsd1.ca.comcast.net:4860   ESTABLISHED   
System:8   TCP   iesf:http   px3so.cg.shawcable.net:49816   ESTABLISHED   
System:8   TCP   iesf:http   58-186-9-xxx-dynamic.hcm.fpt.vn:17078   ESTABLISHED   
System:8   TCP   iesf:http   58-186-9-xxx-dynamic.hcm.fpt.vn:17096   ESTABLISHED   
System:8   TCP   iesf:http   pm2-cwco-64-71-208-83.havilandtelco.com:3339   TIME_WAIT   
System:8   TCP   iesf:http   ip68-4-82-226.oc.oc.cox.net:4694   ESTABLISHED   
System:8   TCP   iesf:http   proxy.newingtoncollege.nsw.edu.au:9062   ESTABLISHED   
System:8   TCP   iesf:http   ip70-161-65-125.hr.hr.cox.net:2963   TIME_WAIT   
System:8   TCP   iesf:http   ip70-161-65-125.hr.hr.cox.net:2997   ESTABLISHED   
System:8   TCP   iesf:http   ip70-161-65-125.hr.hr.cox.net:3000   ESTABLISHED   
System:8   TCP   iesf:http   mail.ycis.edu.hk:1164   ESTABLISHED   
System:8   TCP   iesf:http   mtl-a46-041:4914   TIME_WAIT   
System:8   TCP   iesf:http   fj5011.inktomisearch.com:52670   TIME_WAIT   
System:8   TCP   iesf:http   fj5011.inktomisearch.com:54872   TIME_WAIT   
System:8   TCP   iesf:http   bbcache-8.singnet.com.sg:9026   ESTABLISHED   
System:8   TCP   iesf:http   bbcache-9.singnet.com.sg:5862   ESTABLISHED   
System:8   TCP   iesf:http   bbcache-10.singnet.com.sg:53944   TIME_WAIT   
System:8   TCP   iesf:http   bbcache-10.singnet.com.sg:54620   ESTABLISHED   
System:8   TCP   iesf:http   bbcache-11.singnet.com.sg:57310   TIME_WAIT   
System:8   TCP   iesf:http   gw.pool-2.nat.net.kht.ru:4443   ESTABLISHED   
System:8   TCP   iesf:http   gw.pool-2.nat.net.kht.ru:5345   ESTABLISHED   
System:8   TCP   iesf:http   gw.pool-2.nat.net.kht.ru:5948   ESTABLISHED   
System:8   TCP   iesf:http   195.245.109.122:48225   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48294   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48323   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48488   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48708   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48762   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48882   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48907   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48927   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48930   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48936   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48964   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48966   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:48995   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:49001   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:49008   TIME_WAIT   
System:8   TCP   iesf:http   195.245.109.122:49015   TIME_WAIT   
System:8   TCP   iesf:http   202.128.229.45:29675   ESTABLISHED   
System:8   TCP   iesf:http   lj9059.inktomisearch.com:52729   TIME_WAIT   
System:8   TCP   iesf:http   lj9059.inktomisearch.com:52759   TIME_WAIT   
System:8   TCP   iesf:http   lj9115.inktomisearch.com:49744   TIME_WAIT   
System:8   TCP   iesf:http   lj9115.inktomisearch.com:49933   TIME_WAIT   
System:8   TCP   iesf:http   cache-ntc-ac06.proxy.aol.com:44648   TIME_WAIT   
System:8   TCP   iesf:http   202.163.208.30:2363   ESTABLISHED   
System:8   TCP   iesf:http   202.163.208.30:2420   ESTABLISHED   
System:8   TCP   iesf:http   202.163.208.30:2451   ESTABLISHED   
System:8   TCP   iesf:http   proxy5-14.adl2.internode.on.net:18679   ESTABLISHED   
System:8   TCP   iesf:http   proxy5-14.adl2.internode.on.net:19030   ESTABLISHED   
System:8   TCP   iesf:http   proxy6-14.adl2.internode.on.net:18858   ESTABLISHED   
System:8   TCP   iesf:http   proxy7-14.adl2.internode.on.net:23159   ESTABLISHED   
System:8   TCP   iesf:http   203.210.245.216:57945   ESTABLISHED   
System:8   TCP   iesf:http   203.210.245.216:51420   ESTABLISHED   
System:8   TCP   iesf:http   adsl.hnpt.com.vn:48634   ESTABLISHED   
System:8   TCP   iesf:http   adsl.hnpt.com.vn:48040   ESTABLISHED   
System:8   TCP   iesf:http   wttaos01.imsbiz.com:57952   TIME_WAIT   
System:8   TCP   iesf:http   pool-71-252-226-75.dllstx.fios.verizon.net:61405   TIME_WAIT   
System:8   TCP   iesf:http   pool-70-107-168-252.ny325.east.verizon.net:4771   ESTABLISHED   
System:8   TCP   iesf:http   203.210.245.216:40456   ESTABLISHED   
System:8   TCP   iesf:http   adsl.hnpt.com.vn:35946   TIME_WAIT   
System:8   TCP   iesf:netbios-ssn   iesf:0   LISTENING   
System:8   UDP   iesf:microsoft-ds   *:*      
System:8   UDP   iesf:netbios-ns   *:*      
System:8   UDP   iesf:netbios-dgm   *:*      
System:8   TCP   iesf:http   pm2-cwco-64-71-208-83.havilandtelco.com:3405   TIME_WAIT   
System:8   TCP   iesf:http   pool-70-107-168-252.ny325.east.verizon.net:4772   TIME_WAIT   
System:8   TCP   iesf:http   egspd42239.ask.com:41943   TIME_WAIT   
System:8   TCP   iesf:http   adsl.hnpt.com.vn:24114   ESTABLISHED   
System:8   TCP   iesf:http   203.15.122.35:35745   ESTABLISHED   
System:8   TCP   iesf:http   adsl.hnpt.com.vn:11724   ESTABLISHED   
System:8   TCP   iesf:http   203.15.122.35:12649   TIME_WAIT   
System:8   TCP   iesf:http   cache6.syd.ops.aspac.uu.net:11525   TIME_WAIT   
System:8   TCP   iesf:http   cache4.syd.ops.aspac.uu.net:28285   ESTABLISHED   
System:8   TCP   iesf:http   203.15.122.35:52425   ESTABLISHED   
System:8   TCP   iesf:http   203.15.122.35:34562   ESTABLISHED   
System:8   TCP   iesf:http   203.15.122.35:21624   ESTABLISHED   
System:8   TCP   iesf:http   202.138.134.149:49820   TIME_WAIT   
System:8   TCP   iesf:http   pm2-cwco-64-71-208-83.havilandtelco.com:3410   ESTABLISHED   
System:8   TCP   iesf:http   proxy3.utas.edu.au:57172   TIME_WAIT   
System:8   TCP   iesf:http   70.27.166.146:51393   ESTABLISHED   
System:8   TCP   iesf:http   ip-69-33-143-130.nyc.megapath.net:1174   ESTABLISHED   
System:8   TCP   iesf:http   ip-69-33-143-130.nyc.megapath.net:1173   ESTABLISHED   
System:8   TCP   iesf:http   ip-69-33-143-130.nyc.megapath.net:1172   TIME_WAIT   
System:8   TCP   iesf:http   proxy.newingtoncollege.nsw.edu.au:9087   FIN_WAIT1   
Tapii.exe:1092   TCP   iesf:1   iesf:0   LISTENING   
WinVNC.exe:1180   TCP   iesf:5800   iesf:0   LISTENING   
WinVNC.exe:1180   TCP   iesf:5900   iesf:0   LISTENING   
WinVNC.exe:1180   TCP   iesf:5900   p627-adslbkksp13.c.csloxinfo.net:1312   ESTABLISHED   

===================================
My problem  is I do not understand what I'm looking at here.

I do not know how to close/open ports

There is definitely something strange going on with the server as my ISP just sent me a warning

I've posted their warning at

http://www.shambles.net/avast/ispwarningmarch06.txt

which might be helpful to see what the malware? is doing.

In fact my ISP has given me 48 hours to solve this or they are pulling the plug

=====================================
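Reading that TCPView output, as an added example and not part of the thread: a Python triage script that parses lines in the format above and flags (a) listening sockets whose image is not on an assumed baseline of what this server is documented to run (core Windows services, IIS, SQL Server, VNC, iBackup), (b) image names within two edits of a baseline name, which is how scvhost.exe stands out next to svchost.exe, and (c) ESTABLISHED connections from outside the box to management ports such as VNC's 5900. The baseline and port list are assumptions to tune per host, not anything the thread states; the sample lines are copied from the listing posted above.

```python
"""Triage a TCPView listing: baseline listeners, lookalike names, remote sessions.

Added example, not from the thread or avast.  BASELINE and MGMT_PORTS are
assumptions about what this particular server should be running; SAMPLE is
a handful of rows copied from the TCPView output posted above.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed baseline: images expected to own listening sockets on this server.
BASELINE = {"system", "svchost.exe", "lsass.exe", "inetinfo.exe", "sqlservr.exe",
            "msdtc.exe", "mstask.exe", "winvnc.exe", "ibackground.exe"}
# Local ports where an ESTABLISHED connection from outside means someone is logged in.
MGMT_PORTS = {"5900", "5800", "3389", "ftp", "telnet"}
LOCAL_NAMES = {"localhost", "iesf"}        # 'iesf' is the box's own hostname in the listing

SAMPLE = """\
ctfmon.exe:684\tTCP\tiesf:31909\tiesf:0\tLISTENING
inetinfo.exe:1272\tTCP\tiesf:http\tiesf:0\tLISTENING
scvhost.exe:1056\tTCP\tiesf:8787\tiesf:0\tLISTENING
svchost.exe:440\tTCP\tiesf:epmap\tiesf:0\tLISTENING
System:8\tTCP\tiesf:http\tbbcache-8.singnet.com.sg:9026\tESTABLISHED
Tapii.exe:1092\tTCP\tiesf:1\tiesf:0\tLISTENING
WinVNC.exe:1180\tTCP\tiesf:5900\tiesf:0\tLISTENING
WinVNC.exe:1180\tTCP\tiesf:5900\tp627-adslbkksp13.c.csloxinfo.net:1312\tESTABLISHED
"""


@dataclass
class Sock:
    image: str
    pid: int
    proto: str
    lport: str
    rhost: str
    rport: str
    state: str


def parse(text: str) -> list[Sock]:
    """Parse 'image:pid  proto  local  remote  [state]' rows (UDP rows have no state)."""
    socks = []
    for line in text.splitlines():
        f = line.split()                      # columns are runs of spaces or tabs
        if len(f) < 4:
            continue
        image, _, pid = f[0].rpartition(":")
        lport = f[2].rsplit(":", 1)[1]
        rhost, _, rport = f[3].rpartition(":")
        state = f[4] if len(f) > 4 else ""
        socks.append(Sock(image, int(pid), f[1], lport, rhost, rport, state))
    return socks


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(socks: list[Sock]) -> list[str]:
    """One finding string per suspicious row; an empty list means nothing flagged."""
    findings = []
    for s in socks:
        img = s.image.lower()
        if s.state == "LISTENING" or s.proto == "UDP":
            if img in BASELINE:
                continue
            look = sorted((b for b in BASELINE if 0 < edit_distance(img, b) <= 2),
                          key=lambda b: edit_distance(img, b))
            if look:
                findings.append(f"LOOKALIKE {s.image}:{s.pid} mimics {look[0]} "
                                f"(listening on {s.proto}/{s.lport})")
            else:
                findings.append(f"UNEXPECTED {s.image}:{s.pid} listening on {s.proto}/{s.lport}")
        elif s.state == "ESTABLISHED" and s.lport in MGMT_PORTS and s.rhost not in LOCAL_NAMES:
            findings.append(f"REMOTE-SESSION {s.rhost} is connected to "
                            f"{s.image}:{s.pid} on port {s.lport}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE)):
        print(finding)
```

Feed it the whole listing (TCPView's File > Save As output uses the same columns) and walk the findings top to bottom: a listener you cannot account for deserves `tasklist /svc` style inspection of its image path before anything is killed, and a REMOTE-SESSION on the VNC port from an address you do not recognise is the first thing to cut.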


csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #4 on: March 16, 2006, 07:41:59 AM »
PART TWO of post

=====================================
I'm using my server (Win2000 server SP2) as a web server
Win 2000 IIS
I use remote backup to a company iBackup to make backups
I use VNC to remotely manage the machine myself
I use WS_FTP for uploading/downloading files
SQL database is running
Visitor to the website are allowed to use a form to upload suggested website details for me to add
see example form at the bottom of the page
http://www.shambles.net/pages/learning/infolit/startpage/#addalink

The server is dedicated & is in a datahosting centre

Other strange anomalies I've noticed

When I restart the machine .... the prompt window has "log off administrator" rather than "Restart Machine" ... which it has always been at when restarting (remotely) for the last 3 years .... I'm a 1,000 miles away from the server physically.

Also noticed twice that when I've recently shut down the machine remotely (with RESTART) it has prompted me to say that there is another user online ... I've never seen that before ... but it did get the adrenalin flowing. (still is)

Today when I connected I found that although AVAST server was installed all the modules had been switched off !!!!  .... in fact I only use the standard one anyway

===================================================

I've just switched it back on and am now doing another "Thorough Scan"
including archived files
Virus Database 0611-0, 03/14/06

RESULTS ARE (viruses found)
=====================
File Name: C:\WINNT\system32\os2\com\con\prn\iosys\site\0day_0730\Active.WebCam.v5.0.Cracked.WinAll-CPHV\cphv1acw.zip\Active.WebCam.v5.0.Cracked.WinAll-CPHV.part1.rar\crack\WebCam.EXE\[ASPack]
Malware Name: Win32:Crypto
Malware Type: Virus/Worm
VPS version: 0611-0, 03/14/2006

Action .. DELETED Permanently  (except final results say ERROR .. cannot delete)

=====================
File Name: C:\WUTemp\Tool\ser.exe
Malware Name: Win32:Trojan-gen. {Other}
Malware Type: Virus/Worm
VPS version: 0611-0, 03/14/2006

Action .. DELETED Permanently .. seemed successful

====================

FINAL RESULTS OF SCAN
(Drat, I cannot seem to 'right click' to copy & paste)
Quite a number of files are shown as 'cannot scan'

SO copied using Screen Shots
see

http://www.shambles.net/avast/screen1.jpg
and
http://www.shambles.net/avast/screen2.jpg


======================
======================

I've just read about
Win32.Crypto
at
http://www.avp.ch/AVPVE/newexe/win32/crypto.stm
and it sounds all doom and gloom ;-(
but does not tell me how to get rid of it .. or repair what it has done.

=======================

MORE INFO

When I look in the folder
C:\WINNT\system32\os2

(a)
I find a file  oso001.009
with properties
type of file: "009 FILE"
size 105KB


(b)
I find a folder named "dll"
and inside are two files
"doscalls.dll"
type of file: application extension
size 12,646 bytes

and
"netapi.dll"
type of file: application extension
size 247,860 bytes

====================================

Finally

In the TASK Manager

Applications running are
see
http://www.shambles.net/avast/screen3.jpg


Processes are
see
http://www.shambles.net/avast/screen4.jpg
and
http://www.shambles.net/avast/screen5.jpg

=====================================

Sorry this is rather long .... but trying to consider all the information that might help you help me with what to do.

Thanks

Desperately fighting panic ;-(

Chris


Actually I do like your prompt when AVAST finds something wrong ... "No Need to Panic" ;-)

csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #5 on: March 16, 2006, 11:59:37 AM »
Sorry Guys

A third part to this posting .. more info

I had a look at the User Profiles
see screen shot at
http://www.shambles.net/avast/userprofiles16march06.jpg

I don't remember seeing this
TsInternetUser
profile before .... but that might just be because I've not noticed it and it's been there all the time.

Also now when I go to the Control Panel
I cannot find a "Users and Passwords"
icon in the options ... it's not there.

Thanks

Chris

csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #6 on: March 16, 2006, 04:28:43 PM »
I've found a whole bunch of exe files in
C:\WUTemp\Tool
see screenshot at
http://www.shambles.net/avast/WUtemp_screenshot.jpg

Can I just delete all of these?

They may be part of my problem

Chris

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Scan picked up virus but path does not exist
« Reply #7 on: March 16, 2006, 04:35:34 PM »
C:\WUTemp\Tool
Files on this path could be deleted.
They belong to temporary Windows updates. They will be regenerated when you go to the Windows Update site again  ;)
The best things in life are free.

csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #8 on: March 20, 2006, 10:36:25 AM »
Really disappointed with the support this time from the Avast Team

Avast (server edition) seems to have allowed Win32:Crypto virus/worm into my server and doesn't seem to be able to do anything about it now here.

I had higher expectations especially after the initial installation help.

Chris

 ???

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11849
    • AVAST Software
Re: Scan picked up virus but path does not exist
« Reply #9 on: March 20, 2006, 11:03:31 AM »
Well, I really don't think that the virus is your problem.
According to the path, the malware is stored in a RAR archive - so there's no surprise about avast! not detecting it previously (the Standard Shield doesn't scan RAR or similar archives when writing by default - it would slow down your system very badly). It also means that you are not infected - the virus inside of a RAR archive is not dangerous. (Actually, it might not really be a virus at all - these warez releases are usually packed with very strange packers, and it may even be a false alarm on a crack file... but that's not the point here).

You should delete the whole C:\WINNT\system32\os2\com folder, including subfolders (or even C:\WINNT\system32\os2, I'm not sure if this folder belongs to Win2000 system) - it might contain gigabytes of illegal software.

Then, you should secure your system regarding network access. I'm no expert on network stuff, so I don't know how the stuff got uploaded to your server and how it's downloaded from there - could be misconfigured FTP, web server, or even some remote control stuff...

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Scan picked up virus but path does not exist
« Reply #10 on: March 21, 2006, 01:23:42 AM »
Also, is the server fully patched? This might be a warez problem allowed by unpatched IIS...

stevegilmore

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #11 on: March 24, 2006, 08:15:24 PM »
When I did a W2K Server install a few years ago, before I was even finished someone found the server and started uploading their 'downloads' onto it. I had the latest versions of the most popular movies that were just released to the theatres. I just couldn't get to them.

The first W2K Server releases did not have Security set by default, meaning anyone could do anything on it from anywhere. Like you, it was very difficult to find the files and they could not be accessed because of their length.

I fixed it by taking it off of the Network, formatting and reinstalling, installing all Service Packs and Security features and secure firewalls, then plugging it back into the network.  It was much quicker than trying to undo the damage, not knowing the extent of the damage.

csmith

  • Guest
Re: Scan picked up virus but path does not exist
« Reply #12 on: July 24, 2006, 07:21:57 PM »
Better Late Than Never

Just to report back that I did delete everything in the folder
C:\WINNT\system32\os2 ...
and there were no bad effects ... all rubbish files put there by someone.

Did some more scans to check the disk clean.

.. and all has been OK since then .... until the next hacker ;-(

Thanks to those who helped with the suggestions  .......

I have been very pleased with avast! Server Edition but I may well be moving to a managed hosting facility where someone will take over the security role ...