Final Word..What is this?

Discussion in 'NOD32 version 2 Forum' started by jaseinatl, Nov 3, 2007.

Thread Status:
Not open for further replies.
  1. jaseinatl

    jaseinatl Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    12
    I have read so many virus reports that I am about to explode. Could someone please help me to plot the best path out of this mess:

    About two weeks ago I started having services randomly fail on my SBS2003. Then about 5 days ago I noticed the server was restarting itself randomly.

    Next I started receiving errors that my server didn't have any idle time and that was potentially hazardous.

    Next, I get all kinds of messages: I need to install Chinese Language Pack for page to view properly--out of nowhere. Plus the server is trying to load a series of webpages that I keep telling it to block. Also, it changed the system time (in my bios as well) to read December 31, 1999. I can reset it, but then either the year will be reset to 2000 or the month, AM sometimes, PM sometimes, all of it sometimes.

    Plus, when I startup I get the message 0SVCHOST: 03-NOV-07 is not a valid date and Task Manager is disabled.

    Nod32 recognizes SYSMON.exe and supposedly deletes it. But it is not only still there, it keeps getting worse. There is also another file OS something that NOD32 finds, deletes but is still there. In all, I have 40 different events that NOD32 thinks it is handling and still nothing. It has infected all of my PCs and I am desperate for help.

    The biggest problem is trying to sift through all of the misinformation about viruses out there to determine the best path to take. Please help.

    Jason
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You have a real mess. Do you have clean images? If not, format and start over disconnected from the net.
     
  3. jaseinatl

    jaseinatl Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    12
    My users don't have many special needs. They basically use Office 2003, Outlook, Adobe Acrobat and that's about it. I could create a master image (with the NOD32 client installed) and replicate using ACRONIS Snap Deploy.

    I have installed a clean image on one PC, but when I connect the infected drives, even with NOD32 running, it is just a matter of time before I find the same infection on the new drive. How do I get the data off the infected drives without re-infecting my new drives?

    I thought by isolating each PC and installing a clean image, I could control the virus, but alas I cannot.

    Please help.
    P.S. Thanks for the quick reply.

    Jason
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Get them out of the case, plug them into an isolated PC, boot from a PE/LiveCD environment and scan them with several AVs.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should contact ESET Customer Care; they will probably request a log from Autoruns with all registry entries listed.
     
  6. jaseinatl

    jaseinatl Registered Member

    Joined:
    Nov 3, 2007
    Posts:
    12
    Okay, this is rich!

    I removed Infected Drive A from one workstation.

    I replaced Infected Drive B in another workstation with a shiny new 500 GB Clean Drive.

    On the 500 GB Clean Drive, I partitioned the drive using the Windows XP install disk and installed Windows XP SP2.

    On the 500 GB Clean Drive, I installed NOD32 and scanned the 500 GB Clean Drive for viruses---it was clean.

    I applied all necessary updates for Windows XP SP2 on the 500 GB Clean Drive.

    Next I installed Infected Drive A as a second drive.

    When Windows was completely loaded, I ran NOD32 in Application mode and scanned Infected Drive A to find about 5 viruses.

    I deleted all of the infected files and opened an Explorer window to "My Computer"

    I clicked on Infected Drive A and was given the option to pick which application I should launch and/or associate with that action (doubleclicking a hard drive icon).

    Nod32 Springs into action with a big red Virus Alert! Deletes the file and everything seems fine.

    I reboot

    On a hunch, I open an Explorer window to My Computer and double click a different drive. Same response. Same Virus (SOS).

    I remove Infected Drive A and sure enough I still have the SOS virus...only now it's on my 500 GB Clean Drive.

    What is up? I didn't even open an Explorer window on the infected drive....

    How is this virus getting around?

    Please help?

    Jase
     
  7. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi Jase,

    Please follow the suggestion Marcos offered in post #5 above and contact ESET Customer Care with a link to this thread.

    Cheers :)
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    My suggestion from your second thread:
    It's also a good idea to follow Marcos' suggestion. A forensic analysis should bring more details.
    It seems that this virus (probably a Virut variant or something with similar behaviour) is using an autorun.inf or attaching itself to Explorer, changing file associations.
    I wish you luck. Virut and its buddies are really nasty.
     
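The autorun.inf mechanism lucas1985 describes fits what Jase saw in post #6: double-clicking a drive in My Computer runs whatever the drive's autorun.inf points at, and once the target file is deleted Windows falls back to asking which application to open the drive with. The script below is an added example (not code from this thread, from ESET, or from any tool mentioned here) of how to triage autorun.inf files pulled from suspect drives in a clean boot environment. It parses the [autorun] section leniently, the way the Windows shell does (junk lines without "=" are skipped rather than treated as errors), and reports every entry that would make the shell launch a program on open or double-click: "open=", "shellexecute=", any "shell\<verb>\command=" entry, and the "shell=" key that changes which verb double-click runs. The sample autorun.inf contents and the program names in them are constructed for the example; "assess", "parse_autorun", "program_of" and "scan_root" are names chosen here, not Windows or ESET APIs.

```python
"""Triage autorun.inf files found on the root of a drive.

Added example, not code from the thread or from ESET. Run it against
drives mounted read-only from a clean boot environment, e.g.
    scan_root("E:\\\\")
and treat any result with "suspicious": True as a drive that will run
code the moment someone double-clicks it in Explorer.
"""
import os
import re

# Keys whose value is a program Windows may run for the drive.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... defines a context-menu verb that runs a program;
# "shell=<verb>" makes that verb the default double-click action.
COMMAND_KEY = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, in file order.

    Deliberately lenient, like the Windows parser: lines without '=' and
    unknown keys are ignored rather than rejected, so padding inserted to
    confuse naive tools does not hide the real keys. Keys are lower-cased
    because the shell treats them case-insensitively.
    """
    pairs = []
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def program_of(value):
    """Extract the program from a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess(text):
    """Summarise what this autorun.inf would make the shell execute."""
    launches = []      # (key, program) pairs that run a file on open/double-click
    verbs = {}         # context-menu verb -> program it runs
    default_verb = "open"
    for key, value in parse_autorun(text):
        if key in EXEC_KEYS:
            launches.append((key, program_of(value)))
            continue
        m = COMMAND_KEY.match(key)
        if m:
            verbs[m.group(1).lower()] = program_of(value)
        elif key == "shell":
            default_verb = value.lower()
    # The default verb is what a double-click on the drive icon runs.
    if default_verb in verbs:
        launches.append(("shell\\%s\\command" % default_verb, verbs[default_verb]))
    return {
        "launches": launches,
        "verbs": verbs,
        "default_verb": default_verb,
        "suspicious": bool(launches) or bool(verbs),
    }


def scan_root(root):
    """Assess <root>\\autorun.inf if one exists; return None when there is none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return assess(fh.read())


# Constructed samples (not taken from the thread); program names are placeholders.
SAMPLE_MALICIOUS = (
    "\ufeff[AutoRun]\n"
    "; padding lines like the next one are ignored, as Windows ignores them\n"
    "xK29sdf\n"
    "OPEN = RECYCLER\\dropper.exe\n"
    "shell\\Open\\Command=\"RECYCLER\\dropper.exe\" -q\n"
    "shell\\explore\\command=RECYCLER\\dropper.exe\n"
    "shell=Open\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,8\n"
)
SAMPLE_BENIGN = "[autorun]\nicon=drive.ico\nlabel=Backup drive\n"

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

Two caveats for anyone using this on pulled drives. First, the file only tells you what the shell would run; the program it names must still be examined, and deleting it without also deleting autorun.inf is what produces the "which application do you want to use" prompt Jase saw. Second, autorun.inf covers only one of the two mechanisms lucas1985 lists: a hijacked "Drive" or "exefile" association lives in the registry of the host you plug the drive into, which is why a clean host can be reinfected from a single double-click and why a hive check (or the Autoruns log Marcos asked for) belongs next to this file check.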