
Regedit


10 replies to this topic

#1 TimB48

TimB48

  • Members
  • 47 posts

Posted 03 March 2008 - 03:55 PM

Following a recent problem with a worm, which I believe I have removed, I am no longer able to open regedit successfully. I have trawled through various forums but as yet have not found a solution. I found a post from another member with a similar problem. I am therefore forwarding my HijackThis log from the affected machine. I would be grateful if anyone could look at it and see if anything is lurking within.

#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 06 March 2008 - 01:55 AM

Hi and welcome,

Sorry for delay.

Download HijackThis from either of these sites:

http://hijack1.trend-braintree.com/hjt/eval/HJTInstall.exe
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
http://www.trendsecure.com/portal/en-US/th.../HJTinstall.exe

Save the setup file on your desktop
Double click on it and by default it should install to C:\Program Files\Trend Micro\HijackThis
Continue through the setup and have it create a desktop icon for you
Follow all the prompts, click Finish, and have it start HijackThis
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad

Go to Edit, Select All and then Edit, Paste to paste the contents of the log here
Make sure you DO NOT fix anything with Hijack This yet. Most of the things in the log are normal or required.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 TimB48

TimB48
  • Topic Starter

  • Members
  • 47 posts

Posted 11 March 2008 - 02:51 PM

Please find below a copy of the HijackThis log. Sorry for the delay, but I have been away.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46:31, on 11/03/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
C:\WINNT\system32\Dfssvc.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ibmasrsv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
E:\MDaemon\APP\MDAEMON.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
E:\MDaemon\APP\CFEngine.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
C:\WINNT\system32\stisvc.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
C:\Program Files\WinGate\WinGateEngine.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
D:\Program Files\Samsung\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\WINNT\Samsung\PanelMgr\ssmmgr.exe
C:\WINNT\system32\vcss.EXE
C:\WINNT\system32\internat.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinGate\wgengmon.exe
C:\Program Files\Oxford Software\Osserver32\Osserver.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
C:\Program Files\Eicon\Diva\diinfo.exe
D:\Program Files\Samsung\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe
C:\WINNT\Samsung\PanelMgr\ssmmgr.exe
C:\WINNT\system32\vcss.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\WinGate\wgengmon.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.34.10:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [ELBERT_S2P] D:\Program Files\Samsung\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Vdes] vcss.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [tcipc] rxpc.EXE
O4 - HKCU\..\Run: [Flash Video Streaming Service] fvss.EXE
O4 - HKCU\..\Run: [Vdes] vcss.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Vdes] vcss.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.4sure.it/VS2/bin/myCioAgt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203237643000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{436B04CD-C5E9-42CE-A8B3-344231924036}: NameServer = 192.168.34.10,212.23.3.100,212.23.6.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: SyncThru Web Admin Service Database Service (DBService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
O23 - Service: SyncThru Web Admin Service Dispatcher Service (DispatcherServiceNT) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SyncThru Web Admin Service Device Manager Service (DMService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
O23 - Service: IBM Automatic Server Restart Executable (ibmasrex) - Unknown owner - C:\WINNT\System32\ibmasrex.exe
O23 - Service: IBM Automatic Server Restart (ibmasrsv) - Unknown owner - C:\WINNT\System32\ibmasrsv.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - E:\MDaemon\APP\MDAEMON.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SyncThru Web Admin Service SLP Service (SLPService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
O23 - Service: SyncThru Web Admin Service SNMP Service (SNMPService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
O23 - Service: WebConfig for MDaemon (WebConfig) - Alt-N Technologies, Ltd. - E:\MDaemon\WebConfig\WebConfig.exe
O23 - Service: SyncThru Web Admin Service Web Server (WebServiceNT) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
O23 - Service: Qbik WinGate Engine (WinGateEngine) - Unknown owner - C:\Program Files\WinGate\WinGateEngine.exe

--
End of file - 8768 bytes


Many Thanks.

#4 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 11 March 2008 - 07:16 PM

Hi,

Thanks for the log.
Are you still having trouble accessing regedit?

Let's have a look at another log.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Open the extracted SDFix folder and double click RunThis.bat to start the script.

You will see several choices. (1,2,3,A,B,C,D,U,E)
We just want a log.

Type A & hit enter.
It will take a few minutes to complete the scan. Wait till the log pops up.

Post the C:\SystemReport.txt

It may take 2 posts to get entire log posted.

Thanks :thumbsup:

#5 TimB48

TimB48
  • Topic Starter

  • Members
  • 47 posts

Posted 13 March 2008 - 03:50 PM

I am posting the systemreport.txt as requested.

Many Thanks.


#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 14 March 2008 - 08:24 PM

Hi,

Thanks for the log.

Looks OK I think ...

Can you post a fresh hijackthis log please and a log from the following:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
    http://i266.photobucket.com/albums/ii277/s...Kas-Savetxt.gif
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.


Let me know also if you still get errors trying to run regedit.

Thanks :thumbsup:

#7 TimB48

TimB48
  • Topic Starter

  • Members
  • 47 posts

Posted 16 March 2008 - 03:54 PM

Here is the latest HijackThis log together with the result of the Kaspersky scan.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:37, on 16/03/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
C:\WINNT\system32\Dfssvc.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ibmasrsv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
E:\MDaemon\APP\MDAEMON.EXE
C:\WINNT\System32\mnmsrvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
E:\MDaemon\APP\CFEngine.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
C:\WINNT\system32\stisvc.exe
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
C:\Program Files\WinGate\WinGateEngine.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Oxford Software\Osserver32\Osserver.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe
D:\Program Files\Samsung\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe
C:\WINNT\Samsung\PanelMgr\ssmmgr.exe
C:\WINNT\system32\vcss.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Eicon\Diva\diinfo.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinGate\wgengmon.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.34.10:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [ELBERT_S2P] D:\Program Files\Samsung\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINNT\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [Vdes] vcss.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [tcipc] rxpc.EXE
O4 - HKCU\..\Run: [Flash Video Streaming Service] fvss.EXE
O4 - HKCU\..\Run: [Vdes] vcss.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Vdes] vcss.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.4sure.it/VS2/bin/myCioAgt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203237643000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{436B04CD-C5E9-42CE-A8B3-344231924036}: NameServer = 192.168.34.10,212.23.3.100,212.23.6.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = blackburn.adrltd.co.uk
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: SyncThru Web Admin Service Database Service (DBService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
O23 - Service: SyncThru Web Admin Service Dispatcher Service (DispatcherServiceNT) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SyncThru Web Admin Service Device Manager Service (DMService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
O23 - Service: IBM Automatic Server Restart Executable (ibmasrex) - Unknown owner - C:\WINNT\System32\ibmasrex.exe
O23 - Service: IBM Automatic Server Restart (ibmasrsv) - Unknown owner - C:\WINNT\System32\ibmasrsv.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - E:\MDaemon\APP\MDAEMON.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: SyncThru Web Admin Service SLP Service (SLPService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
O23 - Service: SyncThru Web Admin Service SNMP Service (SNMPService) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
O23 - Service: WebConfig for MDaemon (WebConfig) - Alt-N Technologies, Ltd. - E:\MDaemon\WebConfig\WebConfig.exe
O23 - Service: SyncThru Web Admin Service Web Server (WebServiceNT) - Unknown owner - D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
O23 - Service: Qbik WinGate Engine (WinGateEngine) - Unknown owner - C:\Program Files\WinGate\WinGateEngine.exe

--
End of file - 8405 bytes




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 6:16:11 PM
Operating System: Microsoft Windows 2000 Server, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 633666
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
L:\
P:\
R:\
S:\
U:\
W:\
Z:\

Scan Statistics:
Total number of scanned objects: 125482
Number of viruses found: 4
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 01:44:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\189.wmf Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\Documents and Settings\Administrator\56.wmf Infected: Backdoor.Win32.Rbot.pgc skipped
C:\Documents and Settings\Administrator\73.wmf Infected: Backdoor.Win32.Rbot.ixz skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\INMEM000.REM Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WNAZCT8M\fud80[1].exe Infected: Backdoor.Win32.Rbot.ixz skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y7R462S5\fud98[1].exe Infected: Backdoor.Win32.Rbot.pgc skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\madmin$\189.wmf Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\Program Files\Eicon\Diva\data\default.dlf Object is locked skipped
C:\Program Files\McAfee\Managed VirusScan\Agent\Report\CIO60.tmp Object is locked skipped
C:\Program Files\WinGate\cache\cache.idx Object is locked skipped
C:\Program Files\WinGate\HISTORY.CDX Object is locked skipped
C:\Program Files\WinGate\HISTORY.DBF Object is locked skipped
C:\Program Files\WinGate\Logs\DHCP Service.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\Dialer.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\DNS Service.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\FTP Proxy server.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\GDP Service.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\Remote Control Service.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\Scheduler.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\Winsock Redirector Service.16Mar08.log Object is locked skipped
C:\Program Files\WinGate\Logs\WWW Proxy server.16Mar08.log Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\NtFrs_0005.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\NETLOGON.CHG Object is locked skipped
C:\WINNT\NTDS\edb.log Object is locked skipped
C:\WINNT\NTDS\ntds.dit Object is locked skipped
C:\WINNT\NTDS\temp.edb Object is locked skipped
C:\WINNT\ntfrs\jet\log\edb.log Object is locked skipped
C:\WINNT\ntfrs\jet\ntfrs.jdb Object is locked skipped
C:\WINNT\ntfrs\jet\temp\tmp.edb Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\189.wmf Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\WINNT\system32\56.wmf Infected: Backdoor.Win32.Rbot.pgc skipped
C:\WINNT\system32\73.wmf Infected: Backdoor.Win32.Rbot.ixz skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\DnsEvent.Evt Object is locked skipped
C:\WINNT\system32\config\NTDS.Evt Object is locked skipped
C:\WINNT\system32\config\NtFrs.Evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\CPL.CFG Object is locked skipped
C:\WINNT\system32\dhcp\dhcp.mdb Object is locked skipped
C:\WINNT\system32\dhcp\DhcpSrvLog.Sun Object is locked skipped
C:\WINNT\system32\dhcp\j50.log Object is locked skipped
C:\WINNT\system32\dhcp\tmp.edb Object is locked skipped
C:\WINNT\system32\dns\dns.log Object is locked skipped
C:\WINNT\system32\DTCLog\MSDTC.LOG Object is locked skipped
C:\WINNT\system32\ias\dnary.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.ldb Object is locked skipped
C:\WINNT\system32\ias\ias.mdb Object is locked skipped
C:\WINNT\system32\Readers_sl.EXE Infected: Backdoor.Win32.Rbot.ixz skipped
C:\WINNT\system32\Reader_sll.EXE Infected: Backdoor.Win32.Rbot.pgc skipped
C:\WINNT\system32\RemoteStorage\FsaDb\edb.log Object is locked skipped
C:\WINNT\system32\RemoteStorage\FsaDb\temp.edb Object is locked skipped
C:\WINNT\system32\vcss.EXE Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\WINNT\system32\wins\j50.log Object is locked skipped
C:\WINNT\system32\wins\wins.mdb Object is locked skipped
C:\WINNT\system32\wins\winstmp.mdb Object is locked skipped
C:\WINNT\Temp\JET9101.tmp Object is locked skipped
C:\WINNT\Temp\JETAC78.tmp Object is locked skipped
C:\WINNT\Temp\mcafee_lHl3laPglBUk4QX Object is locked skipped
C:\WINNT\Temp\mcafee_oDkGlJp00t2IMzb Object is locked skipped
C:\WINNT\Temp\sqlite_roCRC7CrTWE5JCH Object is locked skipped
C:\WINNT\vcss.EXE Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\data.dat Object is locked skipped
D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\debug.txt Object is locked skipped
D:\Program Files\APC\PowerChute Business Edition\APC\PowerChute Business Edition\agent\EventLog Object is locked skipped
D:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTDB.db Object is locked skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped
E:\MDaemon\LOGS\MDaemon-all.log Object is locked skipped
E:\Recruit\Recdata\PDOXUSRS.LCK Object is locked skipped
E:\Recruit\Recdata\ROCV.DB Object is locked skipped
E:\Recruit\Recdata\ROCV.MB Object is locked skipped
E:\Recruit\Recdata\ROCV.PX Object is locked skipped
E:\Recruit\RECNET\PDOXUSRS.NET Object is locked skipped
R:\Recdata\PDOXUSRS.LCK Object is locked skipped
R:\Recdata\ROCV.DB Object is locked skipped
R:\Recdata\ROCV.MB Object is locked skipped
R:\Recdata\ROCV.PX Object is locked skipped
R:\RECNET\PDOXUSRS.NET Object is locked skipped
S:\Tim WIP\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
S:\Tim WIP\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
S:\Tim WIP\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
S:\Tim WIP\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped

Scan process completed.


Many Thanks for your assistance so far with this problem.


PS I am still having problems getting 'regedit' to run.

Edited by TimB48, 16 March 2008 - 03:56 PM.
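Added example (my own code, not something posted in the thread): a small Python triage of a Kaspersky scan log of the kind pasted above. It separates real detections from "not-a-virus:" riskware verdicts (which need a human decision rather than deletion) and from "Object is locked" entries, which are files the scanner never opened, so no clean verdict can be claimed for them. The sample lines are copied from the posted log; the grouping rules (backdoor / malware / riskware / locked) are this example's own, not a Kaspersky category scheme.

```python
"""Triage a Kaspersky on-demand scan log of the kind pasted above.

Added example (not code from the thread). Verdict classes used here
(backdoor / malware / riskware / locked) are this example's own grouping
of the scanner's wording, not a Kaspersky category scheme.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the posted scan log (raw string,
# so the Windows paths keep their single backslashes).
SAMPLE_LOG = r"""C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Readers_sl.EXE Infected: Backdoor.Win32.Rbot.ixz skipped
C:\WINNT\system32\Reader_sll.EXE Infected: Backdoor.Win32.Rbot.pgc skipped
C:\WINNT\system32\vcss.EXE Infected: Backdoor.Win32.IRCBot.bnw skipped
C:\WINNT\vcss.EXE Infected: Backdoor.Win32.IRCBot.bnw skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
E:\ADR\Tim WIP\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped
S:\Tim WIP\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
S:\Tim WIP\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped

Scan process completed.
"""

# Paths may contain spaces, so match them non-greedily up to the fixed tail.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<packer>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def parse_line(line):
    """Return (kind, path, verdict) for a finding, or None for any other line."""
    line = line.rstrip()
    m = INFECTED_RE.match(line)
    if m:
        verdict = m.group("verdict")
        if verdict.startswith("not-a-virus:"):
            kind = "riskware"          # legitimate tool flagged for awareness
        elif verdict.startswith("Backdoor."):
            kind = "backdoor"          # remote-control malware: highest priority
        else:
            kind = "malware"
        return kind, m.group("path"), verdict
    m = CONTAINER_RE.match(line)
    if m:
        # Archive/installer summary line; the inner hits are listed on their own lines.
        return "container", m.group("path"), f"{m.group('packer')} ({m.group('count')} inner hits)"
    m = LOCKED_RE.match(line)
    if m:
        return "locked", m.group("path"), None   # never scanned, so no verdict
    return None


def triage(log_text):
    """Group findings as kind -> verdict -> sorted list of paths."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, path, verdict = parsed
        grouped[kind][verdict or "(not scanned)"].add(path)
    return {kind: {v: sorted(paths) for v, paths in verdicts.items()}
            for kind, verdicts in grouped.items()}


def actionable(findings):
    """Detections that need removal, each with every location it was found in."""
    out = []
    for kind in ("backdoor", "malware"):
        for verdict, paths in sorted(findings.get(kind, {}).items()):
            out.append((verdict, paths))
    return out


def unscanned_hives(findings):
    """Locked objects under system32\\config are registry hives the scanner could not open."""
    locked = findings.get("locked", {}).get("(not scanned)", [])
    return sorted(p for p in locked if "\\system32\\config\\" in p.lower())


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for verdict, paths in actionable(found):
        print(verdict)
        for p in paths:
            print("   ", p)
    print("riskware:", found.get("riskware", {}))
    print("registry hives not scanned:", unscanned_hives(found))
```

Grouping by verdict rather than by path is what makes the same binary name showing up in two directories (vcss.EXE under both WINNT and system32) stand out, and listing the locked registry hives separately is a reminder that an on-demand scan of a running system says nothing about what is inside them.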


#8 Blender (I will eat your Malware)

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 16 March 2008 - 04:44 PM

Hi,

Looks like some fairly nasty infections here. :blink:

Backdoor.Win32.IRCBot.bnw skipped
Backdoor.Win32.Rbot.pgc skipped
Backdoor.Win32.Rbot.ixz skipped


Generally speaking --- what is this computer used for?

Rbot and IRCbot infections generally open a "backdoor" that will allow unauthorised access to the system.
If the system is accessed by the attacker, they can do anything they want.
Start/stop programs, cause your computer to carry out attacks, steal passwords...
If you do any banking or online shopping on this computer I suggest getting to a known secure computer to change your log-in passwords.
If you use those services, it would be good to call these companies as well so they can watch your accounts.
And please don't use this computer for these services till we get it cleaned up or you restore it from a known good image.


Some info to read:
http://www.dslreports.com/faq/10451

The attacker can also make changes to the system to make it less secure -- and therefore gain entry easier.

For attacks of this nature it is generally recommended to format/reinstall.
This is the safest approach. This way you will know the system is clean and safe.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

I can most likely remove these nasties but truly it would be safer with a fresh install.

Let me know what you want to do please.

thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#9 TimB48 (Topic Starter)

  • Members
  • 47 posts

Posted 17 March 2008 - 12:51 PM

Hi Blender,

This PC is a server running Windows 2000 Server and is acting as a DC for a small domain of some six other PCs. It is not used for internet banking or anything like that. Credit card details never find their way onto this PC. Network PCs go out via a router and as far as I know none of them is currently affected.

At this moment in time the preferred option would be to deal with the infection, formatting would be a last resort. All data is backed up to a tape drive but all the apps would need installing individually.

So for the moment at least, infection removal is what we want to do. Therefore suggestions/advice are welcome. We have McAfee Total Protection for Small Business installed on all PCs but this did not pick up the infections. Your advice on a stronger replacement for a small business would be appreciated.

I am not sure how the PC came to be infected but I suspect probably due to the exploitation of the Port 445 vulnerability, which has now been dealt with.

Many Thanks.

#10 Blender (I will eat your Malware)

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 17 March 2008 - 07:39 PM

Hi,

OK... clean we shall try.

You have this update installed?

http://www.microsoft.com/technet/security/...n/MS06-001.mspx

Looks as though that might be another infection vector you ran into.
If not -- I would make sure that patch has been applied to all machines.

--------------------------

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Can you also zip & attach your f-bot log please? (I see you ran this earlier)
I'd like to see what else you had before you got here.
C:\f-bot.txt <-- if I remember correctly.

Remote Admin ...
flagged by KAV scan (normal flag because it is a remote access tool)
You did at one time use this app?
It is legit -- just making sure you are aware of it and/or did use it (because malware can make use of it if not configured properly/securely)

Let me know how the system is running and if regedit is still not accessible.
Still likely work to do.

Thanks :thumbsup:
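A second added example (again my own code, not something from the thread): the original complaint in this topic is that regedit will not run. Two common ways malware disables it are the DisableRegistryTools policy value and an Image File Execution Options "Debugger" entry for regedit.exe, which silently launches another binary in its place. That is general Windows knowledge; the thread does not establish which, if either, applies to this server. The script below parses a .reg export and reports both settings. The export text is constructed for the example and the hijacker path in it is made up; the key and value names are the real registry locations.

```python
"""Look for the registry settings that stop regedit.exe from running.

Added example, not code from the thread. Input is the text of a .reg export
(taken from another account, or with reg.exe on systems that have it). Real
exports are UTF-16 with a BOM, so read them with open(path, encoding="utf-16").
"""
import re

# Constructed sample standing in for a .reg export. Key and value names are the
# real Windows policy / IFEO locations; the data (and the hijacker path) are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINNT\\Temp\\hypothetical_hijacker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data   where name may contain escaped quotes/backslashes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.+)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the subset of .reg syntax an export uses: keys, dword and string values.

    Returns {key_path: {value_name: data}} with dwords as int and strings
    unescaped; other types (hex(...), multi-line data) are kept as raw text.
    """
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = _unescape(m.group("name")), m.group("data")
            if data.startswith("dword:"):
                reg[key][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                reg[key][name] = _unescape(data[1:-1])
            else:
                reg[key][name] = data
    return reg


def regedit_blockers(reg):
    """Return (reason, key, data) for each setting that prevents regedit from running.

    Checks the DisableRegistryTools policy (under HKCU or HKLM) and an IFEO
    Debugger entry for regedit.exe. Both are general Windows mechanisms, not
    something diagnosed on the machine in this thread.
    """
    hits = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(r"\policies\system") and values.get("DisableRegistryTools", 0):
            hits.append(("DisableRegistryTools policy", key, values["DisableRegistryTools"]))
        if k.endswith(r"\image file execution options\regedit.exe") and "Debugger" in values:
            hits.append(("IFEO Debugger hijack", key, values["Debugger"]))
    return hits


if __name__ == "__main__":
    for reason, key, data in regedit_blockers(parse_reg(SAMPLE_REG)):
        print(f"{reason}: [{key}] -> {data!r}")
```

A policy value of 1 gives the familiar "Registry editing has been disabled by your administrator" message, while an IFEO Debugger entry gives no message at all; regedit simply never appears, which is why checking both is worth the extra few lines.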

#11 Blender (I will eat your Malware)

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 18 March 2008 - 07:32 AM

Hi,

me again... :thumbsup:

I am pointing you to wrong place for the f-bot log. :blink:

It is located here:

C:\WINNT\F-Bot.log



