Endpoint Protection

  • 1.  Killing Services..Unable to restart them

    Posted Oct 07, 2009 09:14 AM

    I have a very bad issue,

    I guess this is a new issue; it is probably a virus attack. I have around 30 PCs with this issue. The main issue we had was that when I typed IPCONFIG in CMD, the IP showed 0.0.0.0
    for both the IP address and the subnet mask. I checked the network connection: the Local Area Connection icon was not available, and the PC was isolated from the network.

    Services such as

    1) Themes
    2) Remote Procedure Call (RPC)
    3) Server
    4) Network Connections
    5) Automatic Updates
    6) Cryptographic Services
    7) DHCP Client
    8) Windows Installer

    were killed and cannot be started... SAV was running but could not detect anything. I can’t change anything or install any programs. I repaired the OS (WinXP); it was OK for some time, but then it started again.

    We use a Ghost imaging system. I formatted the C drive and ghosted it with a clean image; it was OK for some time, but then it didn’t work.

    I’ve tried reading

    support.microsoft.com/kb/329050

    support.microsoft.com/kb/269019

    support.microsoft.com/kb/822123


    Need advice and help...

    If anyone has had such issues, I’d like to share progress and ideas....





  • 2.  RE: Killing Services..Unable to restart them

    Posted Oct 07, 2009 12:58 PM
    Hi,

    Do you have this issue for all the users, including the local administrator? Also, in Control Panel, please confirm that the network card is enabled inside the Network Connections section.
    If you want, you can contact technical support and get the Loadpoint Diagnostic utility. That way, if there are any suspicious files, we can submit them to Security Response.

    Aniket



  • 3.  RE: Killing Services..Unable to restart them

    Posted Oct 07, 2009 01:05 PM
    This looks like a typical kernel rootkit, which is hiding from the Windows API and is blocking all security software and updates so that it cannot be detected.
    Over here, Loadpoint might not help, but still it would be.

    I guess you have already tried disabling System Restore, downloading the Rapid Release defs and running a full scan in Safe Mode... if not, then please try that first.

    Run GMER or Sysinternals RootkitRevealer, as it might help.


  • 4.  RE: Killing Services..Unable to restart them

    Posted Oct 08, 2009 01:12 AM
    Thanks for your concern.

    I don’t have this for all users, only a limited number, and I cannot check
    and confirm that the network card is enabled inside the Network Connections section because no icons are available to check that. The NIC is working and the drivers are OK; I even tried Hiren’s Boot CD, and it connects to the network perfectly.
    I cannot get a suspect file to find the problem, but I guess it is a problem with a rootkit.
    I am currently running
    Regmon and Procmon.
    (attachment: virus rootkit.jpg)


  • 5.  RE: Killing Services..Unable to restart them

    Posted Oct 08, 2009 01:36 AM
    Please run the Autoruns tool and let us know if you find anything suspicious in the processes, services or drivers.

    Please refer to the article below for further information: https://www-secure.symantec.com/connect/articles/how-find-suspected-threats-your-computer

    Best,
    Aniket


  • 6.  RE: Killing Services..Unable to restart them

    Posted Oct 08, 2009 12:43 PM
    Just an FYI, RootkitRevealer isn't going to find all rootkits.


  • 7.  RE: Killing Services..Unable to restart them
    Best Answer

    Posted Oct 09, 2009 06:51 AM

    I found a solution, but it’s not OK because we are unable to find the source file that infects it.

    It’s a simple registry file. In the registry file below, these values were missing:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

    Netsvcs

    Then the PC was actually back to normal, but I cannot determine whether it is fully OK.

    The registry file that was infected (infected.reg). The registry file that was replaced (replaced.reg).

    If you have any idea, please update.
    (attachments: replaced.jpg, infected.jpg)
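The fix above restores the service-group list under the SvcHost key. Services hosted by svchost.exe are started via "-k <group>", and svchost only loads a service if its name appears in the REG_MULTI_SZ value of that group, so a missing or emptied group value (netsvcs here) leaves every member service unable to start. The following check, added here as an example and not code from the thread or from Symantec, lists every svchost-hosted service whose group value is missing or does not contain it; the function name is made up for this example.

```powershell
# Added example (not from the thread): compare each svchost-hosted service's
# "-k <group>" against the group lists stored under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost.
# A service whose group value is missing, or that is not listed in its group,
# cannot be started by svchost, which matches the symptom in this thread.

function Get-SvcHostGroupMismatch {
    $svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Read every REG_MULTI_SZ group value once: group name -> array of service names
    $groups = @{}
    $key = Get-Item -Path $svcHostKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -eq 'MultiString') {
            $groups[$name] = @($key.GetValue($name))
        }
    }

    $results = @()
    foreach ($svc in Get-ChildItem -Path $servicesKey) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }

        # Only svchost-hosted services declare a group with "-k <group>"
        if ($props.ImagePath -notmatch 'svchost\.exe.*\s-k\s+(\S+)') { continue }
        $group   = $Matches[1]
        $svcName = $svc.PSChildName

        $status = if (-not $groups.ContainsKey($group)) { 'GroupValueMissing' }
                  elseif ($groups[$group] -notcontains $svcName) { 'NotListedInGroup' }
                  else { 'OK' }

        $results += [pscustomobject]@{
            Service = $svcName
            Group   = $group
            Status  = $status
        }
    }
    return $results
}

# Usage: show only the services svchost cannot load; compare the output
# against a known-good machine built from the same image before editing the key.
Get-SvcHostGroupMismatch | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```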