Has anyone seen this? I need HELP!

Discussion in 'Malware Help (A Specialist Will Reply)' started by cbotwin, Mar 13, 2008.

  1. cbotwin

    cbotwin Private E-2

    Hi,

My name is Chuck and my business and home network have been attacked by some kind of Trojan. I have scanned my computers with various virus and spyware products and have found nothing. I am pasting below the actual events, in order, of this attack. I am desperate!!!

    Thanks in advance!

    Chuck.
    ______________________________________

I have a virus on my network. It has spread to every computer on my business network, from my house. I have Windows 2003 SBS with 3 clients at my office, and 2 computers at home which I log in to remotely using the remote web services on Windows Server 2003 SBS.

    I will describe the events in order so you can help figure it out with me.

1) My home workstation popped up yesterday with a message from its anti-virus software (ESET) and says Outlook is trying to send malicious code (file name Outlook.exe) to Exchange at my office. I don't believe it, only had this antivirus one day. So, I select to send it anyway.

2) I remote into my workstation at work and open that Outlook. I get a message "Outlook is trying to act as a server" from my CA anti-virus. Like a moron, I say run it anyway and then Outlook starts downloading 600mb from my Exchange server (2003 SBS). I stopped the download immediately.

    3) Ran CA anti-virus, found nothing.

    4) Downloaded Wireshark, a Network Sniffer to watch what was happening on my network.

5) Let Outlook do the 600mb download. There was an Outlook update from Microsoft that morning so I decided that it might have something to do with that. (MORON)!

6) I monitored the packets on Wireshark (saved the file if you want it) and watched a lot of packets get transferred from Exchange to my office workstation. I did see emap and shivadiscovery in the packets. Looked those up on Google and found out that shiva looks for routers and emap maps everything on your computer.

7) All above was done yesterday. This morning I remotely log onto my office workstation and it is SLOW! I open the Task Manager and see 4 instances of icdeamon running, using 50% of CPU. This is never running.

8) Open Wireshark and start sniffing. Whatever is running on my office workstation is now sending packets of data, nonstop, out of one of my routers. The interesting part of this is, the gateway on that computer is 192.168.17.2, yet this virus found a router 192.168.17.253 on the network and is sending data out constantly. I assume it is sending either my email addresses or personal data somewhere. I turn off that computer and start up my laptop.

9) Start Outlook on my laptop, which also runs CA, and CA pops up and says, "Outlook is trying to act as a server". This time I didn't say OK, I denied it and this laptop is running fine.

10) HELP ME!!! I do not want to reformat and load all my workstations at home and work, and redo my server. It will take me a week and I have a business to run!!!!
     
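The most useful thing in the post above, from a detection standpoint, is the observation that the workstation's configured gateway is 192.168.17.2 yet its outbound traffic is leaving through 192.168.17.253. That is cheap to check mechanically in a capture: for any packet addressed off-subnet, the Ethernet destination MAC is the next hop, so a next hop whose MAC does not belong to the configured gateway is worth a look, and a single host pushing a large, steady byte count through that hop is worth looking at first. The script below is an added example written for this thread, not code from the poster or from MajorGeeks. It reads the five fields Wireshark's `tshark -T fields` can export (`frame.time_relative`, `ip.src`, `ip.dst`, `eth.dst`, `frame.len`) and reports off-subnet traffic by source and next hop. The MAC addresses, the ARP table, the host IPs other than the two routers named in the post, and the sample packet lines are all constructed placeholders.

```python
"""Flag off-subnet traffic that leaves via a router other than the configured
default gateway, then rank senders by bytes pushed through each next hop.

Added example for this thread; the packet records below are constructed.
Export real fields with:
  tshark -r capture.pcap -T fields -E separator=, \
         -e frame.time_relative -e ip.src -e ip.dst -e eth.dst -e frame.len
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.17.0/24")
GATEWAY_IP = "192.168.17.2"        # gateway configured on the workstation (from the post)

# Constructed ARP table (MAC -> IP on the segment). The .253 router is the
# one the post describes; both MACs are placeholders.
ARP_TABLE = {
    "00:00:5e:00:01:02": "192.168.17.2",
    "00:00:5e:00:01:fd": "192.168.17.253",
}


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_ip: str
    dst_ip: str
    dst_mac: str    # Ethernet destination: the next hop for off-subnet traffic
    length: int


# Constructed tshark-style export: 192.168.17.50 talks to the local Exchange
# box, sends one small packet via the real gateway, then streams to an
# external host through the .253 router. 192.168.17.51 is a quiet peer.
SAMPLE_EXPORT = """\
0.000,192.168.17.50,192.168.17.10,00:16:3e:aa:bb:10,120
0.500,192.168.17.50,203.0.113.7,00:00:5e:00:01:02,90
1.000,192.168.17.50,198.51.100.20,00:00:5e:00:01:fd,1400
1.100,192.168.17.50,198.51.100.20,00:00:5e:00:01:fd,1400
1.200,192.168.17.50,198.51.100.20,00:00:5e:00:01:fd,1400
2.000,192.168.17.51,192.168.17.10,00:16:3e:aa:bb:10,300
"""


def parse_tshark_fields(text):
    """Parse comma-separated tshark field lines; skip non-IP frames (blank ip fields)."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, mac, length = line.split(",")
        if not src or not dst:
            continue
        packets.append(Packet(float(ts), src, dst, mac.lower(), int(length)))
    return packets


def rogue_next_hop_packets(packets, gateway_ip=GATEWAY_IP, arp=ARP_TABLE, net=LOCAL_NET):
    """Off-subnet packets whose next hop is not the configured gateway.

    Returns (packet, next_hop_ip) pairs; an unknown MAC is reported as 'unknown'.
    """
    flagged = []
    for p in packets:
        if ip_address(p.dst_ip) in net:
            continue                      # delivered locally, no router involved
        hop_ip = arp.get(p.dst_mac, "unknown")
        if hop_ip != gateway_ip:
            flagged.append((p, hop_ip))
    return flagged


def bytes_by_source_and_hop(packets, arp=ARP_TABLE, net=LOCAL_NET):
    """Total off-subnet bytes per (source IP, next-hop IP), so a host streaming
    nonstop through one router stands out from normal gateway traffic."""
    totals = defaultdict(int)
    for p in packets:
        if ip_address(p.dst_ip) in net:
            continue
        totals[(p.src_ip, arp.get(p.dst_mac, "unknown"))] += p.length
    return dict(totals)


def report(text):
    """Human-readable summary; returns the lines so callers can log or assert on them."""
    packets = parse_tshark_fields(text)
    lines = []
    for (src, hop), total in sorted(bytes_by_source_and_hop(packets).items(),
                                    key=lambda kv: -kv[1]):
        tag = "" if hop == GATEWAY_IP else "  <-- not the configured gateway"
        lines.append(f"{src} -> next hop {hop}: {total} bytes{tag}")
    lines.append(f"{len(rogue_next_hop_packets(packets))} packet(s) left via an unexpected router")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

On a real capture the ARP table should come from the same pcap (`arp` and `arp.src.hw_mac` / `arp.src.proto_ipv4` fields) or from the workstation's `arp -a` at the time, since a router that was never the configured gateway will not appear in any static list you wrote beforehand; an "unknown" next hop in the output is itself the finding.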
  2. Lev

    Lev MajorGeek
