Author Topic: Another SDBot passing Avast  (Read 18348 times)


an0nymous

Another SDBot passing Avast
« on: July 27, 2007, 08:26:56 AM »
It's a trojan/worm/virus that overwrites sfc.dll, which is a legitimate file. Then Avast detects sfc.dll as a virus, but it must not be deleted; otherwise Windows will not load on the next boot. It installs itself as a service named "Windows Bluetooth blah blah" something. How do I trace how this file (bttray.exe) infiltrated our network?

Infected File: http://rapidshare.com/files/45302814/bttray.rar

Eddy

Re: Another SDBot passing Avast
« Reply #1 on: July 27, 2007, 12:57:43 PM »
Ask the admin to scan the network.

mauserme

Re: Another SDBot passing Avast
« Reply #2 on: July 27, 2007, 02:14:35 PM »
You should have a copy of sfc.dll in c:\windows\system32\dllcache\ that, if not also infected, could be used to fix this. But you should upload the file detected as malware to Virus Total first to make sure this isn't a false positive.

http://www.virustotal.com/


BTW, there is a valid Bluetooth service that uses a file named bttray.exe to put an icon in your system tray.

an0nymous

Re: Another SDBot passing Avast
« Reply #3 on: July 28, 2007, 02:39:25 AM »
The infected unit cannot have a Bluetooth service; it's a NetVista server without a USB port. SDBot has already infiltrated our network; who knows where it came from and where it comes into our network. We have already reinstalled our PDC and BDCs, rescanned all clients, disabled USB access and tightened internet access. For a week there was no sign of activity, then it pops out in the open again.

mauserme

Re: Another SDBot passing Avast
« Reply #4 on: July 28, 2007, 06:18:12 AM »
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


After posting the ComboFix log, click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

an0nymous

Re: Another SDBot passing Avast
« Reply #5 on: July 31, 2007, 04:47:21 AM »
ComboFix 07-07-30.2 - "xxxxxxx" 07/31/2007 10:30:04.1 [GMT 8:00] - NTFS
Microsoft Windows 2000 Advanced Server  5.0.2195.4.1252.1.1033.18.True


(((((((((((((((((((((((((   Files Created from 2007-06-28 to 2007-07-31  )))))))))))))))))))))))))))))))


2007-07-31 10:29   51,200   --a------   C:\WINNT\nircmd.exe
2007-07-31 09:25   1,376,079   --a------   C:\ComboFix.exe
2007-07-30 09:38   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_378.dat
2007-07-28 12:53   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_470.dat
2007-07-25 09:19   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_504.dat
2007-07-25 09:19   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_464.dat
2007-07-25 09:19   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_38c.dat
2007-07-24 13:16   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_43c.dat
2007-07-24 13:15   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_37c.dat
2007-07-24 10:08   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_430.dat
2007-07-24 10:08   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_384.dat
2007-07-18 17:22   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_434.dat
2007-07-18 13:48   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_438.dat
2007-07-18 13:47   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_5e4.dat
2007-07-18 13:47   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_39c.dat
2007-07-18 13:38   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_424.dat
2007-07-18 13:37   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_5e8.dat
2007-07-18 13:37   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_350.dat
2007-07-10 09:30   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_440.dat
2007-07-10 09:08   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_1e8.dat
2007-07-10 08:58   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-07-10 08:43   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_638.dat
2007-07-09 17:22   617,840   --a------   C:\Windows2000-KB935966-x86-ENU.EXE
2007-07-07 03:03   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_618.dat
2007-07-07 03:03   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_448.dat
2007-07-05 13:15   <DIR>   d--h-----   C:\WINNT\msdownld.tmp
2007-07-03 13:31   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_5f4.dat
2007-07-03 13:27   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3f4.dat
2007-07-03 13:23   311,296   --ah-----   C:\DOCUME~1\ITDSetup\NTUSER.DAT
2007-07-03 13:23   <DIR>   d--------   C:\DOCUME~1\ITDSetup\FrontPageTempDir
2007-06-30 08:46   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_614.dat
2007-06-30 07:42   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_808.dat
2007-06-29 15:23   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_630.dat
2007-06-29 15:23   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_44c.dat
2007-06-29 11:00   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_a20.dat
2007-06-29 08:23   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_698.dat
2007-06-28 16:17   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4e0.dat
2007-06-28 16:15   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_6c0.dat
2007-06-28 16:15   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3c0.dat
2007-06-28 16:12   <DIR>   d--h-c---   C:\WINNT\$SQLUninstallMDAC27SP1-KB927779-x86-ENU$
2007-06-28 16:11   <DIR>   d--------   C:\Program Files\MSXML 4.0
2007-06-28 13:35   <DIR>   d--------   C:\WINNT\system32\SoftwareDistribution
2007-06-27 13:04   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4c8.dat
2007-06-27 10:52   <DIR>   d--------   C:\WINNT\DWRCS Uploads
2007-06-14 03:03   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4f4.dat
2007-06-14 03:02   16,384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_68c.dat
2007-06-13 13:01   54,032   --a------   C:\WINNT\system32\mpr.dll

an0nymous

Re: Another SDBot passing Avast
« Reply #6 on: July 31, 2007, 04:48:17 AM »
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

06/21/05 01:28p   271   ---h-----   C:\Program Files\desktop.ini
06/21/05 01:28p   21952   ---h-----   C:\Program Files\folder.htt
06/01/07 08:41a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_6a8.dat
06/01/07 08:41a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_51c.dat
05/28/07 08:57a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4d4.dat
05/28/07 08:56a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_6b4.dat
05/26/07 03:06a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_674.dat
05/25/07 09:59a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_154.dat
05/25/07 08:30a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4fc.dat
05/24/07 02:43p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_518.dat
05/23/07 04:25a   8459224   --a------   C:\owc10.exe
05/22/07 10:59a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_688.dat
05/22/07 10:59a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_510.dat
05/22/07 10:10a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_1ec.dat
05/22/07 08:34a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_544.dat
05/22/07 08:34a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_48c.dat
05/22/07 08:33a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_380.dat
05/22/07 01:23p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_6b0.dat
05/21/07 11:15a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4d8.dat
05/21/07 11:06a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_948.dat
05/21/07 10:58a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3b4.dat
05/21/07 10:44a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_52c.dat
05/17/07 08:00a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_694.dat
05/17/07 08:00a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3b0.dat
05/16/07 03:40p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_5bc.dat
05/16/07 03:39p   15872   ---------   C:\WINNT\system32\sophosboottasks.exe
05/15/07 10:00p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_684.dat
05/15/07 08:11a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_520.dat
05/15/07 03:59p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3a4.dat
05/15/07 03:27p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_690.dat
05/15/07 02:06p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_4b8.dat
05/15/07 02:06p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_3a8.dat
05/11/07 08:10a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_394.dat
05/11/07 08:10a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_24c.dat
05/11/07 05:46p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_868.dat
05/11/07 05:43p   82432   --a------   C:\WINNT\system32\msxml4r.dll
05/11/07 05:20p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_2fc.dat
05/11/07 03:32p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_388.dat
05/11/07 03:32p   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_250.dat
05/10/07 11:08a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_248.dat
05/10/07 08:15a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_398.dat
05/10/07 08:15a   16384   --a----t-   C:\WINNT\system32\Perflib_Perfdata_254.dat


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [11/18/03 02:33a C:\WINNT\system32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [2007-02-23 09:19:56]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-06-22 09:31:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)
"disallowrun"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"=command
"2"=command.com
"3"=winpatch.exe
"4"=x.exe
"5"=msnull32.exe
"6"=irn.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

an0nymous

Re: Another SDBot passing Avast
« Reply #7 on: July 31, 2007, 04:48:45 AM »
R0 aar1210;aar1210;C:\WINNT\system32\drivers\aar1210.sys
R0 DfsDriver;DfsDriver;C:\WINNT\system32\drivers\Dfs.sys
R1 NHostNT1;NetOp Driver 1 ver. 7.65 (2004058);C:\WINNT\system32\Drivers\NHOSTNT1.SYS
R1 SAVOnAccess Control;SAVOnAccess Control;\??\C:\WINNT\system32\Drivers\savonaccesscontrol.sys
R1 SAVOnAccess Filter;SAVOnAccess Filter;\??\C:\WINNT\system32\Drivers\savonaccessfilter.sys
R2 Dfs;Distributed File System;C:\WINNT\system32\Dfssvc.exe
R2 DWMRCS;DameWare Mini Remote Control;C:\WINNT\SYSTEM32\DWRCS.EXE -service
R2 IISADMIN;IIS Admin Service;C:\WINNT\system32\inetsrv\inetinfo.exe
R2 MSFTPSVC;FTP Publishing Service;C:\WINNT\system32\inetsrv\inetinfo.exe
R2 MSSEARCH;Microsoft Search;"C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe"
R2 NetOp Host for NT Service;NetOp Helper ver. 7.65 (2004058);"C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE"
R2 SMTPSVC;Simple Mail Transport Protocol (SMTP);C:\WINNT\system32\inetsrv\inetinfo.exe
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys
R3 NHOSTNT3;NetOp Driver 3 ver. 7.65 (2004058) (NHOSTNT3);C:\WINNT\system32\Drivers\NHOSTNT3.SYS
R3 RT2400;RT2400 Wireless Driver;C:\WINNT\system32\DRIVERS\RT2400.sys
R3 spud;Special Purpose Utility Driver;C:\WINNT\system32\drivers\spud.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
R3 yukonw2k;NDIS5 Miniport Driver for Marvell Yukon Ethernet Controller;C:\WINNT\system32\DRIVERS\yk50x86.sys
S3 NtFrs;File Replication;C:\WINNT\system32\ntfrs.exe
S3 TDASYNC;TDASYNC;C:\WINNT\system32\drivers\TDASYNC.sys
S3 TDIPX;TDIPX;C:\WINNT\system32\drivers\TDIPX.sys
S3 TDNETB;TDNETB;C:\WINNT\system32\drivers\TDNETB.sys
S3 TDSPX;TDSPX;C:\WINNT\system32\drivers\TDSPX.sys
S3 TrkSvr;Distributed Link Tracking Server;C:\WINNT\system32\services.exe
S4 IsmServ;Intersite Messaging;C:\WINNT\System32\ismserv.exe
S4 kdc;Kerberos Key Distribution Center;C:\WINNT\System32\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv   Tapisrv


Contents of the 'Scheduled Tasks' folder
2007-07-30 22:00:00 C:\WINNT\Tasks\Daily.job - C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 10:30:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\25FB6C90ABD679A499936B2CE47483FB\Usage]
"SAVService"=dword:36ff93d8

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

Completion time: 07/31/2007 10:31:00

   --- E O F ---

mauserme

Re: Another SDBot passing Avast
« Reply #8 on: July 31, 2007, 06:06:09 AM »
There's nothing obvious in the ComboFix log.

In addition to the HijackThis log mentioned above, please also post a Virus Total scan of sfc.dll.

Since the link to bttray.rar scans clean with Dr. Web, you might want to submit the exe to Virus Total too.

mauserme

Re: Another SDBot passing Avast
« Reply #9 on: July 31, 2007, 06:29:19 AM »
Here are the Virus Total results for bttray.rar:

Antivirus Version Last Update Result
AhnLab-V3 2007.7.31.1 2007.07.31 -
AntiVir 7.4.0.54 2007.07.30 Worm/Sdbot.635904
Authentium 4.93.8 2007.07.30 W32/Backdoor.BKPG
Avast 4.7.997.0 2007.07.30 Win32:Sdbot-4879
AVG 7.5.0.476 2007.07.30 SHeur.CUK
BitDefender 7.2 2007.07.31 Backdoor.SDBot.DEUQ
CAT-QuickHeal 9.00 2007.07.30 Backdoor.SdBot.bhk
ClamAV 0.91 2007.07.31 Trojan.SdBot-6622
DrWeb 4.33 2007.07.31 -
eSafe 7.0.15.0 2007.07.29 Win32.SdBot.bhk
eTrust-Vet 31.1.5018 2007.07.31 -
Ewido 4.0 2007.07.30 Backdoor.SdBot.bhk
FileAdvisor 1 2007.07.31 -
Fortinet 2.91.0.0 2007.07.31 -
F-Prot 4.3.2.48 2007.07.30 W32/Backdoor.BKPG
F-Secure 6.70.13030.0 2007.07.31 Backdoor.Win32.SdBot.bhk
Ikarus T3.1.1.8 2007.07.30 Backdoor.VB.EV
Kaspersky 4.0.2.24 2007.07.31 Backdoor.Win32.SdBot.bhk
McAfee 5086 2007.07.30 W32/Nirbot.worm
Microsoft 1.2704 2007.07.30 -
NOD32v2 2429 2007.07.30 IRC/SdBot
Norman 5.80.02 2007.07.30 -
Panda 9.0.0.4 2007.07.31 Bck/IRCBot.BAN
Rising 19.34.10.00 2007.07.31 -
Prevx1 V2 2007.07.31 Generic.Malware
Sophos 4.19.0 2007.07.26 -
Sunbelt 2.2.907.0 2007.07.31 Backdoor.Win32.SdBot.bhk
Symantec 10 2007.07.31 W32.Spybot.Worm
TheHacker 6.1.7.159 2007.07.31 Backdoor/SdBot.bhk
VBA32 3.12.2.2 2007.07.30 Backdoor.Win32.SdBot.bhk
VirusBuster 4.3.26:9 2007.07.30 Worm.Rbot.OGL
Webwasher-Gateway 6.0.1 2007.07.31 Worm.Sdbot.635904


Additional information
File size: 628141 bytes
MD5: 7a163915a4a36edfc1d788a2311e46e6
SHA1: 6e5826205ae8648bde2ec42a12a7092109d5ce9c
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=CCCC7B5E00ADAC29B412099E1FCC3600FDBBC8CF



Please get me Virus Total scans for

C:\WINNT\system32\sfc.dll

and

C:\WINNT\system32\dllcache\sfc.dll


How many computers are in your network? Will you be in a position to isolate them during the cleaning process to prevent reinfection? And just to confirm, what is the OS?
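Reply #2 suggests restoring sfc.dll from the dllcache copy if that copy is not also infected, and Reply #9 gives the MD5 and SHA1 of the submitted sample. The following Python script is an added example, not code from the thread, from Avast or from VirusTotal: it hashes the live file and its dllcache copy, reports whether they are identical, and checks each digest against the hashes published above. The file contents written by demo() are constructed, and its temp-directory layout only imitates system32 and system32\dllcache.

```python
import hashlib
import os
import shutil
import tempfile

# Hashes published in this thread (Reply #9, VirusTotal report for bttray.rar).
KNOWN_BAD = {
    "md5": {"7a163915a4a36edfc1d788a2311e46e6"},
    "sha1": {"6e5826205ae8648bde2ec42a12a7092109d5ce9c"},
}


def hash_file(path):
    """Return (md5, sha1) hex digests of a file, streamed in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def is_known_bad(digests, known_bad):
    """True if either digest of the (md5, sha1) pair is on the known-bad list."""
    md5, sha1 = digests
    return md5 in known_bad["md5"] or sha1 in known_bad["sha1"]


def compare_with_cache(live_path, cache_path, known_bad=KNOWN_BAD):
    """Hash the live file and its dllcache copy and report how they relate."""
    live, cache = hash_file(live_path), hash_file(cache_path)
    return {
        "live": {"md5": live[0], "sha1": live[1]},
        "cache": {"md5": cache[0], "sha1": cache[1]},
        "identical": live == cache,
        "live_known_bad": is_known_bad(live, known_bad),
        "cache_known_bad": is_known_bad(cache, known_bad),
    }


def verdict(result):
    """One-line triage decision from a compare_with_cache() result."""
    if result["cache_known_bad"]:
        return "cache copy matches a known-bad hash: do not restore from it"
    if result["live_known_bad"]:
        return "live copy matches a known-bad hash; cache copy does not"
    if result["identical"]:
        return "live and cache copies are identical"
    return "live and cache copies differ; get a second opinion on both hashes"


def demo():
    """Constructed scenario (not data from the thread): two fake sfc.dll copies
    in a temp directory laid out like system32 and system32\\dllcache."""
    tmp = tempfile.mkdtemp(prefix="sfc_check_")
    live_dir = os.path.join(tmp, "system32")
    cache_dir = os.path.join(live_dir, "dllcache")
    os.makedirs(cache_dir)
    live = os.path.join(live_dir, "sfc.dll")
    cache = os.path.join(cache_dir, "sfc.dll")
    clean = b"MZ" + b"\x00" * 64 + b"constructed clean sfc.dll"
    tampered = b"MZ" + b"\x00" * 64 + b"constructed overwritten sfc.dll"
    with open(cache, "wb") as fh:
        fh.write(clean)
    with open(live, "wb") as fh:
        fh.write(tampered)
    results = {}
    # 1. live copy differs from the cache copy, neither hash is on the list
    results["differ"] = compare_with_cache(live, cache)
    # 2. same files, but the live copy's MD5 is treated as a known-bad hash
    bad = {"md5": {hash_file(live)[0]}, "sha1": set()}
    results["live_bad"] = compare_with_cache(live, cache, known_bad=bad)
    # 3. live copy restored from the cache copy: identical
    with open(live, "wb") as fh:
        fh.write(clean)
    results["identical"] = compare_with_cache(live, cache)
    # reference vector so the hashing itself can be checked
    abc = os.path.join(tmp, "abc.bin")
    with open(abc, "wb") as fh:
        fh.write(b"abc")
    results["abc"] = hash_file(abc)
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        if name != "abc":
            print(name, "->", verdict(res))
```

On a real box the two paths would be C:\WINNT\system32\sfc.dll and C:\WINNT\system32\dllcache\sfc.dll; comparing both digests against the list, rather than only the MD5, guards against a sample whose MD5 was published but whose SHA1 was not.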

KenNashua

Re: Another SDBot passing Avast
« Reply #10 on: July 31, 2007, 09:29:16 PM »
Got another one that my company was hit with. Avast was one of the few that didn't catch it as of 7/31 from VirusTotal.com. Sophos (which had the best details on it) detects it as W32/Sdbot-DGJ. Google for all the info.

Checked it on jotti as well:

A-Squared     Found Backdoor.Win32.SdBot.bku
AntiVir    Found TR/Agent.648704
ArcaVir    Found Trojan.Sdbot.Bku
Avast    Found nothing
AVG Antivirus    Found SHeur.BEF
BitDefender    Found Backdoor.Agent.YTM
ClamAV    Found Trojan.SdBot-6612
CPsecure    Found BackDoor.W32.SdBot.bku
Dr.Web    Found BackDoor.IRC.Sdbot.1705
F-Prot Antivirus    Found W32/Backdoor.BJHE
F-Secure Anti-Virus    Found Backdoor:W32/SdBot.BLA, Backdoor.Win32.SdBot.bku
...

« Last Edit: July 31, 2007, 09:32:55 PM by KenNashua »

mauserme

Re: Another SDBot passing Avast
« Reply #11 on: August 01, 2007, 05:27:36 AM »
Hi Ken,

What is the file name/path of your detection?

If you need help with this, please start a new thread with a ComboFix and HijackThis log. Is your sfc.dll also infected?

an0nymous

Re: Another SDBot passing Avast
« Reply #12 on: August 02, 2007, 05:01:42 AM »
We have 300+ computers. So far the virus has not been active for weeks, but using ComboFix I found other worms/viruses that are unknown to Avast. Remove the .jpg extension from the attached file so it can be added to the Avast virus database.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:45:45 AM, on 8/2/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\explorer.exe
C:\ProcessExplorer\procexp.exe
C:\WINNT\system32\msiexec.exe
C:\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;<local>
O1 - Hosts: 172.16.30.48 DATASRV
O1 - Hosts: 172.16.30.20 manila-nt
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-21-960170764-1050178008-1734353810-2650\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SQLService')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183016585287
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: NetOp Helper ver. 7.65 (2004058) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Program Files\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe

--
End of file - 4640 bytes

mauserme

Re: Another SDBot passing Avast
« Reply #13 on: August 02, 2007, 06:51:17 AM »
We have 300+ computers, so far virus is not active for weeks, but using combofix, i found other worms/virus that is unknown to Avast.
Apparently unknown to Sophos as well ...  :)

The ComboFix log you posted earlier doesn't show any detections. Were the detected files newly found on the same computer or a different computer?

From what I've seen so far this has worm capability, so it's likely you will find it on many of the computers in your network. With 300 boxes you may need to decide which to clean and which to reformat. I mean, it's entirely possible to clean them all, but you may face insurmountable time constraints.

This reminds me very much of a situation I recently worked on in which there was a mix of Windows 2000 and XP Pro boxes. The XP Pro boxes carried the infection without showing symptoms. Could this be the case for your network?

I would still like to see Virus Total scans for

C:\WINNT\system32\sfc.dll

because I would like to know what infection is there, and

C:\WINNT\system32\dllcache\sfc.dll

because we need to find a clean copy of the file either on this computer or elsewhere.


EDIT: I can't download the file you attached. It would be better if you email it to virus(at)avast.com anyway.

Do you recognize the addresses in these lines?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;<local>
O1 - Hosts: 172.16.30.48 DATASRV
O1 - Hosts: 172.16.30.20 manila-nt
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24

It looks like your own network but do you handle your own DNS?
« Last Edit: August 02, 2007, 01:40:43 PM by mauserme »
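Reply #13 pulls the proxy, hosts-file and DNS lines out of the HijackThis log and asks whether the addresses are recognised. The Python script below is an added example, not part of the thread or of HijackThis: it parses R1/O1/O17 lines, extracts the IPv4 addresses and flags any that fall outside the ranges the administrator expects, plus hosts entries that override a public domain name. The five sample lines are copied from the log in Reply #12; the last hosts line (203.0.113.7) and the expected range 172.16.0.0/12 are constructed assumptions.

```python
import ipaddress
import re

# Lines copied from the HijackThis log in Reply #12, plus one constructed line
# (203.0.113.7 is a documentation address) to show what a flagged entry looks like.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.31.96:11125",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*;<local>",
    r"O1 - Hosts: 172.16.30.48 DATASRV",
    r"O1 - Hosts: 172.16.30.20 manila-nt",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{EA2B7189-A0A2-4175-AA8F-8A5F5DF3E312}: NameServer = 172.16.30.24",
    r"O1 - Hosts: 203.0.113.7 update.example.com",  # constructed, not from the thread
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HJT_LINE = re.compile(r"^(R\d+|O\d+) - (.*)$")


def extract_indicators(lines):
    """Return (section, kind, ip, detail) tuples for HJT lines that carry an IPv4 address.

    kind is 'proxy' (R1 ProxyServer), 'hosts' (O1) or 'dns' (O17 NameServer).
    """
    found = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O1" and body.startswith("Hosts:"):
            kind, detail = "hosts", body[len("Hosts:"):].strip()
        elif section == "R1" and "ProxyServer" in body:
            kind, detail = "proxy", body.split("=", 1)[1].strip()
        elif section == "O17" and "NameServer" in body:
            kind, detail = "dns", body.split("NameServer =", 1)[1].strip()
        else:
            continue
        for text in IPV4.findall(detail):
            try:
                found.append((section, kind, ipaddress.ip_address(text), detail))
            except ValueError:  # e.g. an octet above 255
                continue
    return found


def review(lines, expected_nets):
    """Flag indicators outside expected_nets, and hosts entries that map a
    dotted (public-looking) name; short NetBIOS names as in the log are left alone."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = []
    for section, kind, ip, detail in extract_indicators(lines):
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("address outside expected ranges")
        if kind == "hosts":
            parts = detail.split(None, 1)
            name = parts[1] if len(parts) > 1 else ""
            if "." in name:
                reasons.append("hosts entry overrides a public domain name")
        if reasons:
            findings.append({"section": section, "kind": kind, "ip": str(ip),
                             "detail": detail, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_HJT_LINES, ["172.16.0.0/12"]):
        print(f["section"], f["kind"], f["ip"], "-", "; ".join(f["reasons"]))
```

With the site range set to 172.16.0.0/12 only the constructed line is reported; the four addresses from the real log are inside that range, which matches the reply's conclusion that they look like the poster's own network.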

an0nymous

Re: Another SDBot passing Avast
« Reply #14 on: August 03, 2007, 05:21:58 AM »
Yes, we have our own DNS server. They're valid addresses. The worms detected came from other units. sfc.dll was copied from a different, clean unit.

SFC Dll: http://rapidshare.com/files/46654406/sfc.zip
Worms passing Avast: http://rapidshare.com/files/46654424/variants.zip