Malware Infection


This topic is locked
2 replies to this topic

#1 Wilton216

  • Members
  • 1 posts

Posted 25 April 2008 - 04:42 AM

Good morning,

Last night we were infected with Adtraffic and are now unable to access our company's intranet without being diverted out onto a search page.

I have tried Adaware along with Spybot and they remove the adtraffic cookie, however as soon as Internet Explorer is launched we are forwarded onto the search page and the cookie reappears. This leads me to believe there is a process running or registry entry the programs are missing but I am at a loss as to where.

We also have McAfee 8.5.0i with the latest DAT files installed, 5281, but that has not detected a problem.

What should I do?

Thank you in advance.

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:10, on 25/04/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
D:\Applications\OrCAD\lmgrd.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
D:\Applications\OrCAD\lmgrd.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\grovel.exe
D:\Applications\OrCAD\cdslmd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
D:\Applications\Licence Files\PADs\Lmgrd.exe
D:\Applications\Licence Files\PADs\Lmgrd.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
D:\Applications\Licence Files\PADs\mgcld.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\tftpd.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvRM.exe
C:\Program Files\McAfee\ProtectionPilot\1.5.0\EVENTPARSER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Applications\Access\Executive Desktop\EDProcessor.exe
D:\Applications\Goldmine\gmw6.exe
C:\Program Files\Symantec\Backup Exec\BkupExec.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.tvoneuk.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://intranet.tvoneuk.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://10.1.2.22/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TV One UK
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.tvoneuk.com
O15 - ESC Trusted Zone: http://support.dell.com
O15 - ESC Trusted Zone: http://support.ap.dell.com
O15 - ESC Trusted Zone: http://support.euro.dell.com
O15 - ESC Trusted Zone: http://www.dell.com
O15 - ESC Trusted Zone: http://www.ap.dell.com
O15 - ESC Trusted Zone: http://www.euro.dell.com
O15 - ESC Trusted Zone: http://www1.euro.dell.com
O15 - ESC Trusted Zone: http://*.robert_d_xp_pro
O15 - ESC Trusted Zone: http://*.tvoneukdom
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://support.dell.com (HKLM)
O15 - ESC Trusted Zone: http://support.ap.dell.com (HKLM)
O15 - ESC Trusted Zone: http://support.euro.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.ap.dell.com (HKLM)
O15 - ESC Trusted Zone: http://www.euro.dell.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://10.1.2.240
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FE51720F-7298-4F31-A6C1-5CD010BE2296} (Access Protection Configuration Helper) - http://tvoneukdom:82/Data/VIRUSCAN8600/Locale/apconfig.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TVOneUK.local
O17 - HKLM\Software\..\Telephony: DomainName = TVOneUK.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE1CE71-162A-49F0-9846-FC59DE9F2E2A}: NameServer = 10.1.2.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{A216E1CA-BC9A-40CA-8BB2-06F9C414244E}: NameServer = 10.1.2.239,10.1.2.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCDC85CF-F5BB-4108-8C4B-7D7B7AA60625}: NameServer = 10.1.2.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TVOneUK.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TVOneUK.local
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Cadence License Manager - Macrovision Corporation - D:\Applications\OrCAD\lmgrd.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
O23 - Service: McAfee ProtectionPilot 1.5.0 Event Parser (EVENTPARSER150) - Network Associates, Inc. - C:\Program Files\McAfee\ProtectionPilot\1.5.0\EVENTPARSER.EXE
O23 - Service: GoldSync Service (GMService) - FrontRange Solutions Inc. - D:\Applications\Goldmine\gmw6.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: McAfee ProtectionPilot 1.5.0 Server (NAIMSERV150) - Network Associates, Inc. - C:\Program Files\McAfee\ProtectionPilot\1.5.0\NAIMSERV.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
O23 - Service: Pads Licence - Macrovision Corporation - D:\Applications\Licence Files\PADs\Lmgrd.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: SyncThru Web Admin Service (SWAS_Core) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
O23 - Service: SyncThru Web Admin Questra Integration Service (SWAS_Srv_RM) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvRM.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

--
End of file - 10348 bytes
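A small triage script for the kind of log posted above, added here as an illustration; it is not part of the original post and is not HijackThis code. It parses HijackThis entry lines and flags the ones a responder would check first when a browser keeps being redirected: DNS servers (O17) outside the expected set, IE start/search pages (R0/R1) pointing at hosts other than the expected ones, autorun entries (O4) launched from outside the usual program directories, and wildcard hosts in the trusted zone (O15). The baselines (`EXPECTED_DNS`, `EXPECTED_PAGE_HOSTS`, `TRUSTED_RUN_PREFIXES`) are assumptions taken from the posted log; the sample lines marked as constructed are invented so the checks have something to fire on, and the other sample lines are copied from the log.

```python
"""Triage a HijackThis-style log: parse each entry and flag what a responder
would look at first when a browser is being redirected.

Added example for this thread, not code from the original post or from
HijackThis. The allow-lists below are ASSUMPTIONS derived from the posted
log; adjust them to the environment being examined.
"""
import re
from urllib.parse import urlparse

# Assumed baseline for this environment (values taken from the posted log).
EXPECTED_DNS = {"10.1.2.238", "10.1.2.239"}
EXPECTED_PAGE_HOSTS = {"intranet.tvoneuk.com", "10.1.2.22"}
TRUSTED_RUN_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%systemroot%\\",
)

# A HijackThis entry looks like "O4 - HKLM\..\Run: [Name] C:\path\prog.exe".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Executable path after "[Name]" or after "file.lnk =", optionally quoted.
EXE_RE = re.compile(r'(?:\]|=)\s+"?([^"]+?\.exe)', re.IGNORECASE)

# Constructed sample: real lines from the posted log plus three invented
# lines (marked CONSTRUCTED) that should trip the checks.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://intranet.tvoneuk.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\user\Local Settings\Temp\sample.exe
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A216E1CA-BC9A-40CA-8BB2-06F9C414244E}: NameServer = 10.1.2.239,10.1.2.238
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.10,10.1.2.238
"""


def parse_hjt(text):
    """Return a list of (kind, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Return findings as (severity, reason, entry_body) tuples, in log order."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "O17" and "NameServer" in body:
            # DNS resolvers not on the baseline can silently redirect every lookup.
            servers = body.split("=", 1)[1].replace(" ", "").split(",")
            rogue = [s for s in servers if s not in EXPECTED_DNS]
            if rogue:
                findings.append(("high", "unexpected DNS server(s) " + ",".join(rogue), body))
        elif kind in ("R0", "R1") and "=" in body:
            # Start/search page hosts; non-URL values (e.g. Window Title) yield no host.
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in EXPECTED_PAGE_HOSTS:
                findings.append(("high", "start/search page off baseline: " + host, body))
        elif kind == "O4":
            # Autoruns from temp or profile directories deserve a closer look.
            m = EXE_RE.search(body)
            if m and not m.group(1).lower().startswith(TRUSTED_RUN_PREFIXES):
                findings.append(("medium", "autorun from untrusted location: " + m.group(1), body))
        elif kind == "O15" and "*." in body:
            # Wildcard trusted-zone entries widen the IE security exemption.
            findings.append(("low", "wildcard host in trusted zone", body))
    return findings


if __name__ == "__main__":
    for severity, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {body}")
```

To run it against a real log, replace `SAMPLE_LOG` with the file contents (for example `open("hijackthis.log").read()`); a clean R1/O17 entry such as the intranet search page or the 10.1.2.238/239 resolvers produces no finding, while the constructed lines each produce one.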

#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 May 2008 - 06:39 PM

Hello Wilton216. :thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine)

We apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

If you still would like help, please follow the following instructions:

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 27 May 2008 - 05:19 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



