Hidden Folder Virus

Discussion in 'Windows - Virus and spyware problems' started by allancth, May 18, 2009.

  1. allancth

    allancth Member

    Joined:
    Jun 16, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    11
    Hi all,

    Please help. I suspect virus has infected the file server in our network. The virus automatically hide some specific folders. I try unhiding it by using GUI (i.e., uncheck hidden checkbox) and even tried to run the command attrib /d /s -h but it automatically hide the folders after a few seconds. Below is the HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:18:44 PM, on 19/05/2009
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\SAV\DefWatch.exe
    C:\WINDOWS\system32\Dfssvc.exe
    C:\WINDOWS\System32\dns.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\WINDOWS\System32\ismserv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    C:\WINDOWS\system32\ntfrs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\SAV\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Executive Software\Undelete\UdServe.exe
    C:\WINDOWS\System32\wins.exe
    C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\WINDOWS\system32\ams_ii\iao.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\PC Auto Shutdown\AutoShutdown.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SAV\VPTray.exe
    C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\Genie-Soft\GBMServer8\GBM8.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\pas\loadqm.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SAV\VPTray.exe
    C:\Program Files\PC Auto Shutdown\AutoShutdown.exe
    C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.handybackup.net/install/index.5.4.6.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 131.107.1.240:8080
    O1 - Hosts: 131.107.1.40 dns.xxx.com.pg
    O1 - Hosts: 131.107.1.40 mail.xxx.com.pg
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [loadqm] "C:\WINDOWS\system32\pas\loadqm.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
    O4 - HKLM\..\Run: [GBMServer8Agent] C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.apcstart.com
    O15 - ESC Trusted Zone: http://www.apcstart.com
    O15 - ESC Trusted Zone: http://view.atdmt.com
    O15 - ESC Trusted Zone: http://mail.xxx.com.pg
    O15 - ESC Trusted Zone: http://www.xxx.com.pg
    O15 - ESC Trusted Zone: http://h20000.www2.hp.com
    O15 - ESC Trusted Zone: http://welcome.hp.com
    O15 - ESC Trusted Zone: http://runonce.msn.com
    O15 - ESC Trusted Zone: http://www.soft32.com
    O15 - ESC Trusted Zone: http://www.symantec.com
    O15 - ESC Trusted Zone: http://www.windowsmedia.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com
    O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
    O15 - ESC Trusted IP range: http://131.107.1.152
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1229649981437
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1229649967015
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.local
    O17 - HKLM\Software\..\Telephony: DomainName = xxx.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DF338EFA-3A2D-485E-943D-8F773C40A5CE}: NameServer = 131.107.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.local
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
    O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - C:\WINDOWS\system32\ams_ii\iao.exe
    O23 - Service: Intel File Transfer - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\xfr.exe
    O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\cba\pds.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetOp Helper ver. 9.10 (2008197) (NetOp Host for NT Service) - Danware Data A/S - C:\Program Files\Danware Data\NetOp Remote Control\Host\NHOSTSVC.EXE
    O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
    O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
    O23 - Service: Executive Software Undelete (UndeleteService) - Executive Software International - C:\Program Files\Executive Software\Undelete\UdServe.exe

    --
    End of file - 8617 bytes

    Please advice. Your help would be greatly appreciated.
     
    allancth, May 18, 2009
    #1
  2. elliott

    elliott Regular member

    Joined:
    Jan 21, 2004
    Messages:
    791
    Likes Received:
    0
    Trophy Points:
    26
    I'm admit I am not much for reading logs however make sure your protection software is up to date and go into its configuration menu make sure to check any boxes refering to scanning hidden folders and archive folders for more help and other sotware options check out this thread here on afterdawn it is kept updated. http://forums.afterdawn.com/thread_view.cfm/292257
     
    elliott, May 24, 2009
    #2

Share This Page