Some kind of malware that isn't being detected

Discussion in 'ESET Smart Security' started by tiuk, Mar 30, 2010.

Thread Status:
Not open for further replies.
  1. tiuk

    tiuk Registered Member

    Joined:
    Jan 14, 2010
    Posts:
    9
    This has been bothering me for a few days; I have tried everything I can think of and have not been able to figure out what exactly is going on. Here are the symptoms:

    Lots of systems have these in the event log:
    ^^in this case, 192.168.6.* is my network, the address that the updates are being sent to (192.168.1.1) is not supposed to be defined (addresses have been changed from actual values to substitutes in this post for security reasons).

    I ran an nmap scan on 192.168.1.1, some of the results were:
    I have no idea what or where this device is.

    Several systems have messages in their Application event log from "Service1" event ID 0, mostly "Service started successfully." and "Service stopped successfully." The started messages always come immediately after the stopped messages. Sometimes there is a "Service cannot be started. The handle is invalid." message, followed by a stop and then a start. I have no idea what Service1 is. These messages began on each system on the same date as the DNS messages.

    I just formatted a system (unrelated), and while working on it the network drives stopped working. I tried browsing to the UNC paths, which worked, then tried the DFS UNC paths, which didn't. I looked up the error message (network location cannot be reached) which pointed me to this KB article. The "SMBDeviceEnabled" key under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters] was missing. Re-added it, rebooted, and the drives worked again. The article mentions "This may occur when registry entries for NetBT were corrupted, incorrect or missing. Normally, this issue occurs if the system has been compromised."

    Out of the blue several systems have had "c:\program files\Messenger\msmsgs.exe" opening on startup. We do not use Messenger and this has never happened before all this other stuff started happening.

    Not sure if it's related, but I noticed "S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]" loading on startup, not sure if it did before.

    On one of my systems Windows Explorer was taking a long time to open (~1 minute when clicking on a drive letter shortcut). Ran combofix, Malwarebytes' Anti-Malware, and SuperAntiSpyware, none of which appeared to find anything or help. I did a system restore to the day before the strange messages for dnsapi and Service1 appeared in the event log, rebooted, and it seems to be alright now.

    Sorry for the long post. I know it's a strange collection of events, but I really am at my wit's end; I can't help but think there is something very wrong going on here, and I need to get to the bottom of it. Any help or suggestions would be most appreciated.

    Thank you

    [edit] Forgot to mention, I'm running ESS 4.0.474.0 with Virus signature db 4986, scans haven't come up with anything.
     
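An added triage script (written for this page, not tiuk's own and not part of ESET) that checks a single host for the specific indicators listed in the post above. It assumes a Windows XP-era host with PowerShell 2.0 (hence Get-EventLog and Get-WmiObject rather than Get-WinEvent/Get-CimInstance); the Run keys, the expected 192.168.6.* subnet and the match patterns are my assumptions, and the registry path, the Service1 source, msmsgs.exe and the WinRM service name come from the post.

```powershell
# Added triage script, not from the original thread. Assumes PowerShell 2.0 on a
# Windows XP/2003-era host. Run in an elevated prompt; it only reads, never changes.
$findings = @()

# 1. SMBDeviceEnabled under NetBT\Parameters; the KB cited in the post says its absence
#    usually means the NetBT registry entries were tampered with.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$smb = (Get-ItemProperty -Path $netbt -ErrorAction SilentlyContinue).SMBDeviceEnabled
if ($smb -eq $null) { $findings += "SMBDeviceEnabled missing from $netbt" }

# 2. Application log entries from the unknown 'Service1' source, oldest first, so the
#    first start/stop pair dates the onset; also flag the 'handle is invalid' failures.
$svc1 = @(Get-EventLog -LogName Application -Source 'Service1' -ErrorAction SilentlyContinue |
          Sort-Object TimeGenerated)
if ($svc1.Count -gt 0) {
    $findings += "Service1 logged $($svc1.Count) events, first at $($svc1[0].TimeGenerated)"
    $svc1 | Where-Object { $_.Message -match 'handle is invalid' } |
        ForEach-Object { $findings += "Service1 start failure at $($_.TimeGenerated)" }
}

# 3. Anything launching msmsgs.exe at logon (machine and current-user Run keys; assumed locations).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -match 'msmsgs\.exe') { $findings += "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 4. WinRM state and start mode (the post shows it as S3 = demand start; confirm it is not Auto).
$winrm = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
if ($winrm) { $findings += "WinRM: State=$($winrm.State) StartMode=$($winrm.StartMode)" }

# 5. Dynamic DNS updates go to the configured DNS servers; list any outside the expected
#    subnet (192.168.6.* is the substituted value from the post; adjust to your own).
$expected = '^192\.168\.6\.'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
    ForEach-Object { $_.DNSServerSearchOrder } |
    Where-Object { $_ -and ($_ -notmatch $expected) } |
    ForEach-Object { $findings += "DNS server outside expected subnet: $_" }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'None of the indicators from the thread were found on this host.' }
```

Running it on each affected machine gives a per-host list of which of the thread's indicators are present, which is more useful for correlating the onset date than a single full-disk scan.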
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire