If you suspect you're infected and have trouble finding what is causing the infection, I'd suggest giving this handy tool a try.
"McAfee GetSusp is intended for users who suspect undetected malware on their system. By using a combination of clever heuristics and querying McAfee's online database of known clean files to gather suspicious files, GetSusp eliminates the user's need for deep technical knowledge of computer systems to isolate undetected malware. McAfee GetSusp is recommended as a tool of first choice when analyzing a suspect machine."
Get it from here:
Once GetSusp identifies and collects the suspect files, post the logs here and we community members can help.
Technical Product Manager, McAfee Labs
Thanks for posting the logs. The network log shows hundreds of DNS connections, a sign that the malware is attempting to resolve numerous domain names - typical of mass mailers.
GetSusp is unable to scan for rootkits currently. You could try Rootkit Detective: http://vil.nai.com/vil/stinger/rkstinger.aspx. If it finds the rootkit, it will provide an option to delete the file on reboot.
Rootkit detective found 1 hidden registry value - for inprocserver32 - data=bot.
The log shows that this file has a value mismatch.
Before I delete this value - can you confirm that this value should be removed?
Thank you for the assistance
The Registry value-data mismatch does not appear to be malware related.
You may want to consider opening a ticket with McAfee support to have a technician locate the malicious file on this system.
Just an update - ended up identifying the source of the infection and cleaning it as of yesterday.
Malwarebytes - identified wonjia.sys as a rootkit.agent (Could not remove infection)
McAfee 8.5.0i - Access Protection for blocking mass mailing worms was blocking random IP port 25 connections (could not remove infection)
MS Malicious Software Removal - identified Trojan WinNT/Bubnix.gen!A (did not list file name & could not remove infection)
Hitman Pro 3.5 - connected wonjia.sys to WinNT/Bubnix.gen!A
Research on Bubnix.gen!A - provided information on randomly generated filename.sys located in C:\windows\system32\drivers (this is where wonjia.sys was) - and 3 registry entries at the following locations (Note: a search in registry for Wonjia = 0 results)
Both the filename wonjia.sys and registry entries were unreadable. - Date of wonjia.sys file was consistent with current system date/time - constantly updating itself.
Worm did install its own SMTP Server on a MS Windows Server 2003 - which was also a DNS server.
Worm was cleaned by booting into safe mode - running rkill then running MS Malicious Software Removal Tool. Upon cleanup and reboot infection was verified to be removed - system has been stable for 12+ hours and counting.
McAfee's Access Protection for mass mailing worms - did not 100% protect the system - 4 spam vendors blocked the IP and domain due to reports from their customers & systems.
The following applications did not identify the infection
The following applications did successfully identify an issue but failed to clean the infection in normal operating mode
Malwarebytes - Unsuccessful in removing the infection in combination with RKill
MS Malicious Software Removal Tool - Successfully removed the infection in combination with RKill
Hope this helps anyone else in regards to fighting this type of infection.
Vinno - thank you for your assistance - it was greatly appreciated.
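The two indicators raised in this thread, a host resolving an unusual number of distinct domains and repeated outbound port 25 connection attempts, can be checked automatically. The script below is an added example, not McAfee's or GetSusp's code; the log layout and the thresholds are constructed for illustration and would need adjusting to whatever your firewall or Access Protection log actually looks like.

```python
import re
from collections import defaultdict

# Constructed sample network log (not the GetSusp report format).
# Each line: <time> <source-ip> <event> <detail>
# DNS lines carry the name resolved; TCP lines carry dest-ip:port.
SAMPLE_LOG = """\
10:14:01 10.0.0.5 DNS mx1.example-a.test
10:14:01 10.0.0.5 DNS mx.example-b.test
10:14:02 10.0.0.5 DNS mail.example-c.test
10:14:02 10.0.0.5 DNS mx2.example-d.test
10:14:02 10.0.0.5 TCP 198.51.100.10:25
10:14:03 10.0.0.5 TCP 198.51.100.11:25
10:14:03 10.0.0.5 TCP 198.51.100.12:25
10:14:05 10.0.0.7 DNS update.vendor.test
10:14:06 10.0.0.7 TCP 203.0.113.5:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|TCP)\s+(\S+)$")


def analyze(log_text, max_domains=50, max_smtp=10):
    """Per source host: count distinct names resolved and outbound
    port-25 attempts; flag hosts exceeding either threshold.
    Thresholds are assumed values, tune them to your environment
    (a legitimate mail server will also resolve many MX names)."""
    domains = defaultdict(set)
    smtp = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines
        _time, src, event, detail = m.groups()
        if event == "DNS":
            domains[src].add(detail.lower())
        else:
            port = detail.rsplit(":", 1)[-1]
            if port == "25":
                smtp[src] += 1
    report = {}
    for host in set(domains) | set(smtp):
        n_dom, n_smtp = len(domains[host]), smtp[host]
        report[host] = {
            "domains": n_dom,
            "smtp": n_smtp,
            "suspect": n_dom > max_domains or n_smtp > max_smtp,
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_LOG, 3, 2).items()):
        print(host, info)
```

A host flagged here is only a lead; confirm it with a driver and service listing on that machine, as the poster did with the random .sys file in the drivers directory.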
Glad you were able to resolve the issue
Hope you had a chance to submit the file "wonjia.sys" to McAfee Labs so that detection could be authored.
Sorry to post on a thread that is answered but my problem is somewhat similar to the one described by the original poster. I got IRC communication blocked and mass mailing blocked from the access protection log (I am using VSE 8.7i with ePO 4.5). I performed a full scan and it detected and deleted some trojans and viruses but I still get the mass mailing blocked message. I have also used the GetSusp tool and I have attached the resulting report. How can I remove the hidden worm?
gsusp_121410_101430.zip 24.4 K