cmguard.exe?

  • Thread starter: Jimmy Madden

Jimmy Madden

Has anyone seen this? We had it attack our network in the last week.
Found several PCs running this executable which couldn't be killed or
deleted except in Safe mode. Using a TCP monitor, I could see it was
opening hundreds of TCP ports looking to spread. It seemed to install
a lot of spyware, adware, and shopping "services".

We also found winserv.exe and shit.exe on a few of these machines.

Thanks for any guidance.

-Jimmy Madden
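The "hundreds of TCP ports" observation above is the part of the report a defender can turn into a repeatable check. The following script is an added example, not something posted in this thread or shipped by any of the vendors it mentions: it parses `netstat -ano` style output (Windows) and flags any process that has half-open (SYN_SENT) connections to an unusually large number of distinct remote hosts, which is what a process probing the network for new victims looks like in a connection table. The sample output, the PIDs and the 20-host threshold are constructed for the example; on a real machine you would feed it the saved output of `netstat -ano` and then investigate the flagged PIDs (Task Manager, or `tasklist` on XP) rather than acting on the PID alone.

```python
"""Triage helper: flag processes fanning out TCP connections across many hosts.

Reads `netstat -ano` style output and counts, per PID, how many distinct
remote hosts it is trying to reach in SYN_SENT state. Spreading malware
produces exactly this signature: one PID, many half-open connections to
many addresses, usually all on the same port.
"""
import re
from collections import defaultdict

# One netstat -ano TCP row: proto, local endpoint, remote endpoint, state, PID.
# UDP rows have no state column and deliberately do not match.
_TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles bracketed IPv6 like '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a list of (pid, remote_host, remote_port, state) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue  # header, blank and UDP lines are skipped
        host, port = split_endpoint(m.group("remote"))
        rows.append((int(m.group("pid")), host, port, m.group("state")))
    return rows


def find_fanout(rows, min_hosts=20, states=("SYN_SENT",)):
    """Per PID, count distinct remote hosts whose connection is in one of `states`.

    Returns {pid: {"hosts": n, "ports": [remote ports]}} for every PID at or
    above min_hosts. Twenty distinct hosts in SYN_SENT at one instant is far
    beyond what a browser or mail client normally shows; tune for your network.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for pid, host, port, state in rows:
        if state in states:
            hosts[pid].add(host)
            ports[pid].add(port)
    return {
        pid: {"hosts": len(h), "ports": sorted(ports[pid])}
        for pid, h in hosts.items()
        if len(h) >= min_hosts
    }


def build_sample():
    """Constructed netstat -ano output (not captured from the thread's machines).

    PID 940 is a normal client with two web connections; PID 1488 is a
    hypothetical spreading process with half-open connections to 40 hosts.
    """
    lines = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    192.168.1.20:1035      192.168.1.1:80         ESTABLISHED     940",
        "  TCP    192.168.1.20:1036      192.168.1.1:80         TIME_WAIT       940",
        "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
        "  UDP    0.0.0.0:445            *:*                                    4",
    ]
    for i in range(40):
        lines.append(
            f"  TCP    192.168.1.20:{1100 + i}      192.168.1.{21 + i}:445        SYN_SENT        1488"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # With real data: parse_netstat(open("netstat.txt").read())
    findings = find_fanout(parse_netstat(build_sample()))
    for pid, info in findings.items():
        print(f"PID {pid}: {info['hosts']} distinct hosts in SYN_SENT, ports {info['ports']}")
```

Counting distinct remote hosts rather than raw connection count keeps a busy but legitimate server (many connections to one or two peers) from tripping the rule, and restricting to SYN_SENT focuses on outbound probing rather than established sessions.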
 
From: "Jimmy Madden" <[email protected]>

| Has anyone seen this? We had it attack our network in the last week.
| Found several PCs running this executable which couldn't be killed or
| deleted except in Safe mode. Using a TCP monitor, I could see it was
| opening hundreds of TCP ports looking to spread. It seemed to install
| a lot of spyware, adware, and shopping "services".
|
| We also found winserv.exe and shit.exe on a few of these machines.
|
| Thanks for any guidance.
|
| -Jimmy Madden


Jimmy:

You can start by submitting...
cmguard.exe, winserv.exe and shit.exe to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submissions will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the /* EXACT */ results.


You can also do the following...

1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt500.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode and shutdown as many applications as possible
4) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform using both.
6) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use; suggested 400 ~ 600MB).
7) Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *
 