Virus on win 2003

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by taula, Oct 20, 2011.

  1. taula

    taula Private E-2

    Ah, the Brother is a network printer attached to the router. And now the logs
    :) Thanks
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Any idea what these ports are being used for?

    I think they might be for flash but you already have the latest version.

    Source: http://www.zdnet.com/blog/security/...connect-enterprise-server-vulnerabilities/881
     
    Last edited: Nov 26, 2011
  3. taula

    taula Private E-2

    I added a patch from Adobe to my Flash server version 2 ;)
     
  4. thisisu

    thisisu Malware Consultant

    Just out of curiosity, which patch?

    Are you able to close those ports for testing purposes? You may have those ports forwarded in the router settings. Do you know how to close these ports for the time being before we proceed with removing the malware on your PC again?

    I do not know too much about network printers, but does each computer that makes use of the Brother 410 printer HAVE to connect to the network to obtain the printer driver? Or is the printer driver simply installed on each machine (doesn't have to connect to network to gather the driver)?
     
  5. taula

    taula Private E-2

    The patch is to replace my server Flash v2.0 with the other one, which is v2.05, to protect against those open ports. Yes, I know how to close ports on the router. And each PC on the network has its own drivers installed... they just connect with the printer and send the job to it. I'll even stop that server too. But when I do whatever disinfection or run logs, I disable the network on this machine, so no internet connection or printer is possible.
     
  6. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    NetSvcs: xm1prov -  File not found
    DRV - (ultra) --  File not found
    DRV - (TosIde) --  File not found
    DRV - (symmpi) --  File not found
    DRV - (symc8xx) --  File not found
    DRV - (symc810) --  File not found
    DRV - (sym_u3) --  File not found
    DRV - (sym_hi) --  File not found
    DRV - (Simbad) --  File not found
    DRV - (ql2300) --  File not found
    DRV - (ql2200) --  File not found
    DRV - (ql2100) --  File not found
    DRV - (ql1280) --  File not found
    DRV - (ql1240) --  File not found
    DRV - (ql12160) --  File not found
    DRV - (Ql10wnt) --  File not found
    DRV - (ql1080) --  File not found
    DRV - (perc2hib) --  File not found
    DRV - (perc2) --  File not found
    DRV - (PDRFRAME) --  File not found
    DRV - (PDRELI) --  File not found
    DRV - (PDFRAME) --  File not found
    DRV - (PDCOMP) --  File not found
    DRV - (nfrd960) --  File not found
    DRV - (mraid35x) --  File not found
    DRV - (lp6nds35) --  File not found
    DRV - (ipsraidn) --  File not found
    DRV - (IpInIp) --  File not found
    DRV - (IntelIde) --  File not found
    DRV - (iirsp) --  File not found
    DRV - (i2omp) --  File not found
    DRV - (i2omgmt) --  File not found
    DRV - (hpt3xx) --  File not found
    DRV - (hpn) --  File not found
    DRV - (esgiguard) --  File not found
    DRV - (elxstor) --  File not found
    DRV - (dpti2o) --  File not found
    DRV - (dellcerc) --  File not found
    DRV - (dac960nt) --  File not found
    DRV - (cpqfcalm) --  File not found
    DRV - (cpqcissm) --  File not found
    DRV - (cpqarry2) --  File not found
    DRV - (Cpqarray) --  File not found
    DRV - (CmdIde) --  File not found
    DRV - (Changer) --  File not found
    DRV - (cd20xrnt) --  File not found
    DRV - (BTWUSB) --  File not found
    DRV - (BTWDNDIS) --  File not found
    DRV - (BTDriver) --  File not found
    DRV - (BtAudio) --  File not found
    DRV - (Atdisk) --  File not found
    DRV - (AliIde) --  File not found
    DRV - (aic78xx) --  File not found
    DRV - (aic78u2) --  File not found
    DRV - (afcnt) --  File not found
    DRV - (adpu320) --  File not found
    DRV - (adpu160m) --  File not found
    DRV - (Abiosdsk) --  File not found
    :services
    xm1prov
    :files
    C:\Documents and Settings\onf1.dat
    C:\Documents and Settings\onf2016.dat
    C:\Documents and Settings\onf2020.dat
    C:\Documents and Settings\sh1.exe
    C:\Documents and Settings\sh2016.exe
    C:\Documents and Settings\sh2020.exe
    C:\Documents and Settings\Administrador\Escritorio\988uzglz.exe
    C:\WINDOWS\system32\onf1.dat
    C:\WINDOWS\system32\onf2016.dat
    C:\WINDOWS\system32\onf2020.dat
    C:\WINDOWS\system32\sh1.exe
    C:\WINDOWS\system32\sh2016.exe
    C:\WINDOWS\system32\sh2020.exe
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @thisisu,

    What I would suggest doing while the PC is disconnected from the network and after removing the infected files, is creating folders with the below paths and setting the folder attributes to Read-Only, Hidden, and System to see if it can block the infection.

    C:\Documents and Settings\onf1.dat
    C:\Documents and Settings\onf2016.dat
    C:\Documents and Settings\onf2020.dat
    C:\Documents and Settings\sh1.exe
    C:\Documents and Settings\sh2016.exe
    C:\Documents and Settings\sh2020.exe
    C:\WINDOWS\system32\onf1.dat
    C:\WINDOWS\system32\onf2016.dat
    C:\WINDOWS\system32\onf2020.dat
    C:\WINDOWS\system32\sh1.exe
    C:\WINDOWS\system32\sh2016.exe
    C:\WINDOWS\system32\sh2020.exe

    Also since the server is getting reinfected as soon as it is connected to the network, it is highly possible that other PCs on the network are the source of the problem. Either that, or the server is connecting to bad websites and getting reinfected.

    Also a good firewall needs to be installed and the above files should be added to the blocked list.

    If this is a PC used by a company and not an individual, all illegal software should be suspected of being a potential cause of reinfection (like the illegal NOD that was in use previously) and needs to be removed. Also the PORN should be deleted. Most of what is in the ROOT folder should not be there.
     
    Last edited: Nov 27, 2011
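The placeholder-folder trick chaslang describes above, written out as an added example (this is not code from the thread or from any MajorGeeks tool). The idea is that a directory occupying the name the dropper wants to write as a file makes the dropper's file-create call fail. The twelve paths are the ones listed in the thread; the `root` parameter is an assumption added so the script can be pointed at a scratch folder instead of the real `C:\` while you try it. The Read-Only/Hidden/System attributes are set through the Win32 `SetFileAttributesW` call only when running on Windows and are skipped elsewhere, but the "directory blocks the file name" part of the defence is checked on every platform.

```python
"""Placeholder-directory "immunization" for known dropper paths.

Added example, not code from the thread. It implements the trick chaslang
describes: create a DIRECTORY at each path the malware writes as a FILE, so
a later CreateFile/open of that name fails. The paths are the ones listed in
the thread; `root` is an assumed prefix so the example can be run against a
scratch folder instead of the real C:\ drive.
"""
import ctypes
import os
import sys

# Dropper paths from the thread, relative to the drive root.
DROPPER_PATHS = [
    r"Documents and Settings\onf1.dat",
    r"Documents and Settings\onf2016.dat",
    r"Documents and Settings\onf2020.dat",
    r"Documents and Settings\sh1.exe",
    r"Documents and Settings\sh2016.exe",
    r"Documents and Settings\sh2020.exe",
    r"WINDOWS\system32\onf1.dat",
    r"WINDOWS\system32\onf2016.dat",
    r"WINDOWS\system32\onf2020.dat",
    r"WINDOWS\system32\sh1.exe",
    r"WINDOWS\system32\sh2016.exe",
    r"WINDOWS\system32\sh2020.exe",
]

# Win32 file attribute flags (winnt.h): Read-Only, Hidden, System.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
IMMUNIZE_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def _to_native(root, rel_path):
    # The thread's paths are backslash-separated; split them so the example
    # also works on a POSIX scratch directory when tested.
    return os.path.join(root, *rel_path.split("\\"))


def immunize(root, rel_paths=DROPPER_PATHS):
    """Create a placeholder directory at each path. Returns (created, skipped).

    A path is skipped (left untouched) if something that is not a directory
    already exists there, so a live dropped file is never silently hidden
    behind the placeholder: remove it first, then re-run.
    """
    created, skipped = [], []
    for rel in rel_paths:
        target = _to_native(root, rel)
        if os.path.exists(target) and not os.path.isdir(target):
            skipped.append(target)
            continue
        os.makedirs(target, exist_ok=True)
        if os.name == "nt":
            # SetFileAttributesW returns 0 on failure (assumed Windows-only step).
            if not ctypes.windll.kernel32.SetFileAttributesW(target, IMMUNIZE_ATTRS):
                raise ctypes.WinError()
        created.append(target)
    return created, skipped


def is_blocked(path):
    """True if a directory occupies `path` and an attempt to open a FILE of
    that name for writing fails, which is exactly what the dropper would hit.
    A real file at `path` is reported as not blocked and is never touched."""
    if not os.path.isdir(path):
        return False
    try:
        with open(path, "wb"):
            pass
    except (IsADirectoryError, PermissionError):  # POSIX / Windows errno
        return True
    return False


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    done, left = immunize(root)
    for p in done:
        print("placeholder:", p, "blocked" if is_blocked(p) else "NOT blocked")
    for p in left:
        print("skipped (a real file is there, remove it first):", p)
```

Run it as `python immunize.py` on the infected box (after OTL has removed the live files), or with a scratch path as the first argument to see what it does before trusting it. Note that this is a stop-gap against this one dropper's hard-coded names, not a fix for the exposed service that delivered it.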
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also the below file is likely just the randomly named GMER

    C:\Documents and Settings\Administrador\Escritorio\988uzglz.exe
     
  9. thisisu

    thisisu Malware Consultant

    Thanks chas :)
     
  10. taula

    taula Private E-2

    As a new data point, I blocked port 1935 on the router and no more infections come. So do you consider it a lack of security using Flash Media Server 2.0, as Adobe suggests?
     
  11. thisisu

    thisisu Malware Consultant

    Sorry but what do you mean?
    Ok good. Was the server online or offline when you found this out?
    I'm not sure what you mean here either.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. taula

    taula Private E-2

    I blocked the redirection (NAT) of port 1935 to this server. And yes, the Flash server was not used for a while (some years in fact), and yes, it was out of date. This port is still blocked on the router (it has no redirection to any internal IP). So my question is: may I consider this circumstance as the origin of the infection?
    Thanks for being patient and for my English, and here comes your OTL action (the one suggested by THISISU). Do you want me to proceed with the rest of the MGTools logs?
     
  14. taula

    taula Private E-2

    sorry, I didn't attach my logs after the clean :(
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Last edited: Nov 28, 2011
  16. taula

    taula Private E-2

    here they are, thanks
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    Code:
    Active connections
    
      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1027         127.0.0.1:19350        ESTABLISHED
      TCP    127.0.0.1:19350        127.0.0.1:1027         ESTABLISHED
    It should be 19350. According to your logs it is still open.

    You already downloaded this update correct? >> Flash Media Server 2.0.5

    Hard to tell from your logs since it isn't very specific on the version.
     
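The check thisisu is doing by eye above (reading `netstat -an` output for the 19350 connection), as an added example that is not part of the thread or of any MajorGeeks tool. It parses the rows of `netstat -an` as Windows prints them, regardless of the localized title and header (the posted output was from a Spanish-locale machine), and flags anything on a watch list of ports. The watch list uses the numbers from the thread: 1935 (the RTMP port Flash Media Server listens on), 19350 and 1027 (the two ends of the loopback connection in the posted output). The sample output is constructed: the two rows thisisu quoted plus an assumed listener and an assumed UDP row, so the parser is exercised on all the row shapes netstat produces.

```python
"""Flag connections on suspect ports in `netstat -an` output.

Added example, not from the thread. The SAMPLE text is constructed: the two
rows quoted in the thread plus an assumed 0.0.0.0:1935 listener and a UDP row.
Nothing here talks to the network; `live_netstat()` only runs netstat locally.
"""
import re
import subprocess

# Ports from the thread: 1935 = Flash Media Server RTMP; 19350 and 1027 were
# the two ends of the loopback connection in the posted netstat output.
WATCH_PORTS = {1935, 19350, 1027}

# One netstat -an row: proto, local endpoint, remote endpoint, optional state.
# Title and header lines ("Active connections" / "Conexiones activas",
# "Proto Local Address ...") are skipped because they do not start with TCP/UDP.
_ROW = re.compile(r"^\s*(TCP|UDP)\S*\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(ep):
    """'127.0.0.1:19350' -> ('127.0.0.1', 19350); '[::]:135' -> ('::', 135);
    '*:*' (UDP remote) -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row in the given netstat -an text."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": state or ""})
    return conns


def suspect(conns, ports=WATCH_PORTS):
    """Rows whose local or remote port is on the watch list."""
    return [c for c in conns if c["lport"] in ports or c["rport"] in ports]


def exposed_listeners(conns, ports=WATCH_PORTS):
    """Watched TCP ports LISTENING on a non-loopback address: these are the
    ones a router port-forward would actually expose to the outside."""
    return sorted({c["lport"] for c in conns
                   if c["proto"] == "TCP" and c["state"] == "LISTENING"
                   and c["lport"] in ports
                   and c["lhost"] not in ("127.0.0.1", "::1")})


# Constructed sample: the two quoted rows plus an assumed listener and UDP row.
SAMPLE = """
Active connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1935           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         127.0.0.1:19350        ESTABLISHED
  TCP    127.0.0.1:19350        127.0.0.1:1027         ESTABLISHED
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
"""


def live_netstat():
    """Run `netstat -an` on this host and return its output text."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    for c in suspect(conns):
        print(f"{c['proto']} {c['lhost']}:{c['lport']} -> "
              f"{c['rhost']}:{c['rport']} {c['state']}")
    print("watched ports listening on a non-loopback address:",
          exposed_listeners(conns))
```

Replace `SAMPLE` with `live_netstat()` to run it against the real box. The distinction `exposed_listeners` draws matters for this thread: a 127.0.0.1-to-127.0.0.1 pair on 19350 is the server talking to itself and only becomes reachable from outside if the router forwards the port or the service also binds 0.0.0.0.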
  18. thisisu

    thisisu Malware Consultant

    After you have completed the above, please run this OTL fix.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O29 - HKLM SecurityProviders - (credssp.dll) - File not found
    [2011/11/28 11:16:10 | 000,000,090 | ---- | M] () -- C:\WINDOWS\System32\shsyn.exe
    [2011/11/28 11:15:50 | 000,000,055 | ---- | M] () -- C:\WINDOWS\System32\onfsyn.dat
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\drivers\Cat.DB:SummaryInformation
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\cmd.exe:SummaryInformation
    @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Datos de programa\TEMP:430C6D84
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Datos de programa\TEMP:DFC5A2B2
    :files
    C:\Documents and Settings\onfsyn.dat
    C:\Documents and Settings\shsyn.exe
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    The above script should not reboot your PC. If it does, go ahead and let it reboot.
    If the script does not reboot your PC. I would prefer if you did not reboot it yourself.

    Let me know how things are running afterwards.
     
  19. taula

    taula Private E-2

    OK, done. Actually I have closed all redirections from the router to this computer from 1000 to 1935 (except a hole I need for some applications, but it is not 1027 or 1935). So it is impossible to access this computer from outside on ports 1027 or 1935. These are the results of the last action taken. Thanks
     

    Attached Files:

  20. thisisu

    thisisu Malware Consultant

    You mean 19350? You keep saying 1935 which is not the exploitable port.

    This log looks good. I want to make sure you close port 19350 before we proceed.

    Let me know when you have done so.
     
  21. taula

    taula Private E-2

    Almost 48 hours without attack. All my ports from 1000 to 1935 are now closed, with only one exception in this range because we need it for a program. I guess it was port 1027 that was the origin of that infection attacking the Flash Media Server? Port 19350 has always been closed on the ROUTER. I have been looking in the Firewall exceptions, and it doesn't appear explicitly. But there are lots of "vshost.exe" exceptions and one: execute a DLL as an application (rundll.exe). Why should that be allowed to be activated through the Firewall??
     
  22. thisisu

    thisisu Malware Consultant

    Yes it appears that way if port 19350 was indeed closed. According to some of your logs that port was being accessed / established.

    That's a part of Visual Studio 2005 Tools for Office Second Edition Runtime
    Source: http://msdn.microsoft.com/en-us/library/ms185331(v=vs.80).aspx (and your logs)
    I'm doubting this is a problem but I could be wrong.

    You're right according to your logs that Firewall port isn't open.

    Ok so things are running well? Please run C:\MGtools\GetLogs.bat and attach the latest MGlogs.zip.
     
