
Thread: Monitoring several laptops for infections and Acrobat reader, MS excel corrupt


  1. #1 shark74 (Join Date: Sep 2007, Location: South Africa, Posts: 9)

    Monitoring several laptops for infections and Acrobat reader, MS excel corrupt

    Dear Forum experts.
    I have a number of issues I am struggling with, which I hope the forum experts could perhaps shed some light on.

    I work on a foreign study programme in Africa. The students come from various countries and they bring their laptops, and of course a wide spectrum of viruses, worms etc. and general PC- and Mac-related issues. As we are a field-based course we have little access to the internet, which limits my ability to assess and fix infections.

    As we are all using flash drives, pen drives and portable hard drives to get documents and other information to and from the students, the spread of viruses, malware, worms etc. is a real issue. During the previous course I had to re-install XP on two laptops that died on us. I am not sure whether it was due to the course's infections or just general misuse of the two laptops, and I had reports of numerous infections on most of the students' laptops.

    The latest course started last week. I was rather careful and checked that all students had up-to-date antivirus, and found only two laptops that were seriously infected with diskknight, brontok and ntde1ect.com. These two laptops of course had NO antivirus of any sort... I have downloaded the recommended programmes from IANAG and will use these to try and clean these two laptops in the next few days.

    This brings me to my first question:
    Are there any recommendations from the experts on how I should be handling the influx of 20 laptops, checking them and cleaning them? We do not have a LAN, as we are constantly on the move to different field sites. In general the laptop users are not really aware of the infections they have and do not really keep their laptops clean. Are there any recommendations for controlling the spread of viruses and worms for the next three months, other than personally monitoring 20+ laptops daily or having to install 20+ antivirus programmes? We do not really have the internet facilities to be downloading the big update files that e.g. Trend Micro and other antivirus programs require upon installing the programme. In addition I cannot do online scans for these laptops either...

    Any ideas?

    Then my second problem.
    We have a main core computer that we use as the central computer for giving presentations, storing the deliverables etc. This poor machine is therefore constantly exposed to infections and other issues. I am running Trend Micro PC-cillin (up to date etc.). It fortunately detected some of the infected flash drives from the students, and these infections were cleaned. However, the laptop recently started behaving mysteriously. Acrobat Reader and Excel stopped working yesterday, Acrobat saying the files it was accessing were corrupt, and Excel keeps crashing. Explorer also terminates randomly. The machine has slowed down to a crawl, even when there is no CPU usage... I have done a Trend scan, and this morning got access to the Panda online scan, and it reports the machine to be clean. On occasion the Trend Micro processes (PCCVScan.exe and PCScansrv.exe) are running using 60%+ CPU resources...

    HJT file:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:06:28 AM, on 1/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\HP UT\bin\hppusg.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\X1\X1FileMonitor.exe
    C:\Program Files\X1\X1Systray.exe
    C:\Program Files\X1\X1.exe
    C:\Program Files\X1\X1Service.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccHCMS.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\HJT\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.wits.ac.za:80
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\system32\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
    O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\HP UT\bin\hppusg.exe" "C:\Program Files\Hewlett-Packard\hp LaserJet 1160_1320 series\HP UT\"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [X1FileMonitor.exe] C:\Program Files\X1\X1FileMonitor.exe
    O4 - Startup: X1 System Tray.lnk = C:\Program Files\X1\X1Systray.exe
    O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    I am not sure what I am missing or doing wrong. Any help will be appreciated.
    Shark

  2. #2 PhilliePhan (Join Date: Aug 2006, Posts: 578)

    Hi shark74,
    Sounds like you have your hands full! Best of luck to you!

    Quote Originally Posted by shark74:
    In general the laptop users are not really aware of the infections they have and do not really keep their laptops clean. Are there any recommendations for controlling the spread of viruses and worms for the next three months, other than personally monitoring 20+ laptops daily or having to install 20+ antivirus programmes?
    Any ideas?
    Outside of educating the students in how to keep their machines clean, I am not sure any other suggestions would have an effect....
    And getting students to keep compys clean can be next to impossible. I can't tell you how many times I've heard "My son/daughter came home for vacation and now my computer is really slow..." - and these are college students!
    -- Do these computers belong to the students themselves? If your organization owns them, then I would imagine you could dictate what software was installed, etc. If this is the case, I would suggest a product such as
    http://www.acronis.com/
    http://www.acronis.com/homecomputing...cts/trueimage/
    Acronis True Image includes our patented disk imaging backup technology. You can copy your entire PC, including the operating system, applications, user settings, and all data. In the event of a system or disk crash, virus attack or other fatal failures you can restore the entire disk contents in minutes — no reinstallations required!
    There are a number of freeware programs that do this as well... But, I still recommend Acronis.

    Even if this is not viable for the students' computers, this might be the way to go for the main core computer?



    Quote Originally Posted by shark74:
    Then my second problem.
    We have a main core computer that we use as the central computer for giving presentations, storing the deliverables etc. This poor machine is therefore constantly exposed to infections and other issues.....
    I am not sure what I am missing or doing wrong. Any help will be appreciated.
    Shark
    I will probably not be here enough this week to assist you in a timely manner - no worries, Judy should be able to help - but, if you can, please do the following:

    • Download combofix.exe by sUBs to the infested computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.


    When it finishes, it ought to
    • Produce a log for you. ( C:\Combofix.txt)
    • Restore your Internet connection.


    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.


    Please post the log for us and we'll go from there.

    Judy or I will try to check back as time permits - I don't work with malware too often these days due to other commitments.

    Cheers
    PP

  3. #3 shark74 (Join Date: Sep 2007, Location: South Africa, Posts: 9)
    Dear PP.
    Thanks for the help so far.
    Yes, the issue is that 15 of the 20 laptops are student-owned, and only 5 are under my control. Will explore Acronis.
    For ComboFix, please find attached the .txt file. Trend Micro picked up a malware(?) in the ComboFix setup, so I am not sure if ComboFix ran properly,
    but any help would be appreciated.
    Otherwise, thanks for your time.
    Shark74
    Attached Files

  4. #4 jholland1964 (Join Date: Aug 2006, Location: The Middle, Age: 80, Posts: 4,079)
    Can you turn on System Restore? Uninstall ComboFix. Then download and run it again and post the new log.

  5. #5 PhilliePhan (Join Date: Aug 2006, Posts: 578)

    Quote Originally Posted by jholland1964:
    Can you turn on System Restore? Uninstall ComboFix. Then download and run it again and post the new log.
    Actually, hold off on this for a bit until I can put together a CFScript to run with it since we're going to need to run it again anyway...

  6. #6 PhilliePhan (Join Date: Aug 2006, Posts: 578)

    Hi Shark74,

    -- I do think a tool such as Acronis would be beneficial. Obviously, if you were to use it on a student's compy, there would be privacy issues that would come into play.
    Of course, if you are the one tasked with cleaning their computers, then I think that would override any privacy concerns....


    -- Your ComboFix log shows a lot of malware autorunning via external drives, as you suspected.

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}]
    \Shell\AutoRun\command - ntde1ect.com
    \Shell\explore\Command - ntde1ect.com
    \Shell\open\Command - ntde1ect.com
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c57f052a-ca63-11dc-ab0c-0016d457db95}]
    \Shell\Auto\command - F:\Pictures.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Pictures.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eee99ee9-9a63-11dc-aae3-0016d457db95}]
    \Shell\AutoRun\command - asfsadfasddfasfsd.exe
    etc.....


    I am going to remove all those registry keys, but that is only a temporary measure until the next time an infected drive is accessed...
    A tool such as Flash-Disinfector by sUBs
    http://www.techsupportforum.com/sect...isinfector.exe may help when you have the drives in your possession.

    -- Do you know what this is? --> C:\WINDOWS\system32\PolicyBU.reg
    I imagine it tweaks Explorer Policy registry values. Probably nothing to worry about.
    What about this one? --->C:\toolkit_widget.gif

    Anyhoo, let's do this:



    -- Please delete your copy of ComboFix and download a fresh one to your Desktop
    -- Download the attached file CFScript.txt to your Desktop as well
    -- Close ALL browser windows and then drag and drop CFScript.txt into/over ComboFix.exe to start ComboFix

    -- Let Combofix run as before and post us that log and we'll go from there.

    Cheers
    PP
    Attached Files
    Last edited by PhilliePhan; 01-29-2008 at 04:03 PM.
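
An added worked example of what the MountPoints2 entries in the post above encode; this is not code from the thread, from ComboFix or from Flash-Disinfector. Explorer keeps one key per removable drive under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, and the default value of Shell\<verb>\command under it is what runs when the drive is double-clicked or opened. The script below reads a .reg export of that key (the format regedit's Export or `reg export` writes), lists every such command, and applies a few heuristics a cleaner would use: a bare file name with no drive letter (the worm sits in the drive root), a .com executable, the RunDLL32 Shell32.DLL,ShellExec_RunDLL launcher, and a name one character away from a Windows system file (ntde1ect.com vs. ntdetect.com). The same classifier is applied to the drive-side autorun.inf that plants those keys. Both the .reg export and the autorun.inf are constructed samples modelled on the entries quoted in the post (the third GUID is made up to show a drive with no command), and the look-alike list is an assumed short list, not something from the thread.

```python
"""Flag USB-autorun persistence in a .reg export of MountPoints2 and in autorun.inf."""
import re

# ...\MountPoints2\{drive GUID}\Shell\<verb>\command : its default value runs on open.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    r"\\MountPoints2\\(\{[0-9A-Fa-f-]{36}\})\\Shell\\([^\\\]]+)\\command\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Assumed short list of system file names that worms imitate with a one-character change.
LOOKALIKE_TARGETS = ("ntdetect.com", "svchost.exe", "explorer.exe", "lsass.exe")


def _first_token(command):
    """Program part of a command line, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify(command):
    """Heuristic reasons why an autorun command looks like a USB worm (empty if none)."""
    reasons = []
    cmd = command.lower()
    target = _first_token(cmd)
    if "shellexec_rundll" in cmd:
        # RunDLL32 Shell32.DLL,ShellExec_RunDLL <file> hands <file> to ShellExecute,
        # so the payload is the last argument, not rundll32 itself.
        reasons.append("ShellExec_RunDLL launcher")
        target = cmd.split()[-1]
    name = target.rsplit("\\", 1)[-1]
    if "\\" not in target and ":" not in target:
        reasons.append("relative path (file lives in the drive root)")
    if name.endswith(".com"):
        reasons.append(".com executable")
    for legit in LOOKALIKE_TARGETS:
        if name != legit and len(name) == len(legit) \
                and sum(a != b for a, b in zip(name, legit)) == 1:
            reasons.append(f"look-alike of {legit}")
    return reasons


def parse_mountpoint_commands(reg_text):
    """Return every Shell\\<verb>\\command value under MountPoints2 in a .reg export."""
    findings = []
    current = None  # (guid, verb) while inside a ...\Shell\<verb>\command key
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1).lower(), m.group(2)) if m else None
            continue
        m = DEFAULT_VALUE_RE.match(line) if current else None
        if m:
            # .reg files escape backslashes and quotes; undo that.
            command = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            guid, verb = current
            findings.append({"guid": guid, "verb": verb, "command": command,
                             "reasons": classify(command)})
            current = None
    return findings


def parse_autorun_inf(inf_text):
    """Commands an autorun.inf would run: open=, shellexecute=, shell\\<verb>\\command=."""
    findings = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            findings.append({"key": key, "command": value, "reasons": classify(value)})
    return findings


# Constructed sample export: two GUIDs from the thread plus one made-up clean drive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}\Shell\AutoRun\command]
@="ntde1ect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{439bddb1-a2b3-11dc-aaf1-0016d457db95}\Shell\open\Command]
@="ntde1ect.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c57f052a-ca63-11dc-ab0c-0016d457db95}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Pictures.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}]
"BaseClass"="Drive"
'''

# Constructed autorun.inf of the kind such a worm drops in a drive root.
SAMPLE_AUTORUN_INF = r'''[autorun]
open=ntde1ect.com
shell\open\Command=ntde1ect.com
shell\explore\Command=ntde1ect.com
icon=ntde1ect.com,1
'''

if __name__ == "__main__":
    for f in parse_mountpoint_commands(SAMPLE_REG):
        print(f"{f['guid']} {f['verb']:8} {f['command']!r:72} {', '.join(f['reasons'])}")
    for f in parse_autorun_inf(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf {f['key']:22} {f['command']!r:14} {', '.join(f['reasons'])}")
```

On a real machine the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg` and from the autorun.inf in each drive root (open it in a text editor, never by double-clicking the drive). Any Shell\<verb>\command entry under a removable-drive GUID is worth a look regardless of the heuristics, since legitimate USB keys rarely register one; the reasons just rank which to open first.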

  7. #7 shark74 (Join Date: Sep 2007, Location: South Africa, Posts: 9)
    Dear PP.
    Thanks for the prompt response.
    I do not know what the two items you pointed out are.
    C:\WINDOWS\system32\PolicyBU.reg
    C:\toolkit_widget.gif
    Will clean them....
    Yes... that ntde1ect.com infection you are pointing out... turned me old before my time last year; it was bad.


    I also followed your instructions and here is the ComboFix log 3 you requested.
    Thanks for your time...

    Shark74
    Attached Files

  8. #8 PhilliePhan (Join Date: Aug 2006, Posts: 578)

    Quote Originally Posted by shark74:
    Dear PP.
    Thanks for the prompt response.
    I do not know what the two items you pointed out are.
    C:\WINDOWS\system32\PolicyBU.reg
    C:\toolkit_widget.gif
    Will clean them....
    Yes... that ntde1ect.com infection you are pointing out... turned me old before my time last year; it was bad.


    I also followed your instructions and here is the ComboFix log 3 you requested.
    Thanks for your time...

    Shark74
    Happy to help

    -- Actually, if you could zip and attach
    C:\WINDOWS\system32\PolicyBU.reg
    C:\toolkit_widget.gif
    C:\f8caf2971233e80203
    for me, that would be great.

    I doubt that they are anything to worry about, but I'd like to see them before sounding the "all clear."

    -- Combofix looks OK - It did not find any of the files I was looking for (those referenced by the reg keys), so I doubt they are on your compy.


    -- I am not sure what could be causing the Wi-Fi connection problems you mentioned in your previous post - could it have to do with the new addition of the MTN F@stLink data card?



    I would like to see the following:
    -- Kaspersky Online Scanlog (from the Read Me First Sticky post)
    -- Update AVG Anti-spyware definitions and get me that scanlog as well, please. (also in Read Me)
    -- And a fresh HijackThis log

    And we'll see what remains to be done.

    Best
    PP
    Last edited by PhilliePhan; 01-29-2008 at 04:49 PM.

  9. #9 shark74 (Join Date: Sep 2007, Location: South Africa, Posts: 9)
    Dear JHolland and PP.
    I did check; System Restore was on according to the System Restore check box, but I ran ComboFix twice and it said in each scan that no System Restore was there... I even checked in Safe Mode: the check box was ticked and ComboFix is not picking it up...
    My Trend Micro is also running at triple the RAM usage compared to other times, 120+....
    CPU constantly up at 40-50%.

    Will wait for PP's feedback...
    Thanks for your time...
    Shark

  10. #10 shark74 (Join Date: Sep 2007, Location: South Africa, Posts: 9)
    Dear PP.
    Thanks,
    Well, I found out that my Wi-Fi error was not related to laptop issues, but with all the downloads I went over my gig limit.
    Anyhow, so I am using a cellphone modem, that being the MTN data card.
    So this is making all internet much slower. Will attempt Kaspersky in a moment, but am attaching the zipped files you requested.
    Regarding ntde1ect.com... when I installed Trend Micro earlier in January I think that took care of the ntde1ect issue, which might have left some reference in the registry to the worm/malware. ????

    Will post kaspersky and avg -as soon...

    Thanks
    S
    Attached Files
