
Backdoor Users?


  • This topic is locked
1 reply to this topic

#1 NVADA


  • Deactivated
  • 2 posts
  • OFFLINE
  • Local time:03:31 PM

Posted 16 July 2008 - 11:50 PM

G'day... Someone or something has changed my account passwords. I've since reset them using the Admin account. There are three accounts, two user accounts and the admin. I fear that if I change the admin one I will get locked out if there is indeed a backdoor on my PC. Any help would be greatly appreciated as I'm not in the mood (no one is unless it's all scripted :)) for a fresh install. Deckard's log below.... Ta

PS... As far as I can tell nothing seems too odd and only a few things need tweaking (I think?), which is why I'm leaving it to someone who is more knowledgeable about these logs.... again, thank you...

Deckard's System Scanner v20071014.68
Run by Scott on 2008-07-17 14:18:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
67: 2008-07-17 04:18:56 UTC - RP67 - Deckard's System Scanner Restore Point
66: 2008-07-16 23:56:26 UTC - RP66 - System Checkpoint
65: 2008-07-15 20:13:38 UTC - RP65 - System Checkpoint
64: 2008-07-14 19:13:39 UTC - RP64 - System Checkpoint
63: 2008-07-13 18:13:38 UTC - RP63 - System Checkpoint


-- First Restore Point --
1: 2008-06-06 16:21:25 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Scott.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:27 PM, on 17/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Scott\My Documents\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Scott.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212821700250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212825952421
O17 - HKLM\System\CCS\Services\Tcpip\..\{94564D39-0A73-47C3-8881-5744AB1284E5}: NameServer = 61.9.195.193,61.9.194.49
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4185 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
Manufacturer: Intel
Name: Intel® PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_01AB1028&REV_01\4&5855BE9&0&40F0
Service: E100B


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-17 13:47:57 0 d-------- C:\Program Files\Trend Micro
2008-07-17 13:38:31 0 dr-h----- C:\Documents and Settings\Scott\Recent
2008-07-14 10:50:30 0 d-------- C:\Documents and Settings\Sue\Application Data\Google
2008-07-04 19:03:44 0 d-------- C:\Documents and Settings\Sue\Application Data\WinRAR
2008-07-03 20:59:45 0 d-------- C:\Program Files\Soulseek
2008-06-24 09:14:49 0 d-------- C:\Documents and Settings\Scott\Application Data\Teleca
2008-06-24 09:12:48 0 d-------- C:\Documents and Settings\Scott\Application Data\Sony Ericsson
2008-06-24 09:09:10 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-24 09:08:32 0 d-------- C:\Program Files\Common Files\Teleca Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-09 23:24:53 0 d-------- C:\Documents and Settings\Scott\Application Data\mIRC
2008-07-09 23:24:26 0 d-------- C:\Program Files\mIRC
2008-06-24 10:19:14 0 d-------- C:\Program Files\Common Files
2008-06-12 18:27:38 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-11 20:57:01 0 d-------- C:\Documents and Settings\Scott\Application Data\InfraRecorder
2008-06-11 20:28:39 0 d-------- C:\Program Files\InfraRecorder
2008-06-11 20:10:09 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-10 20:11:49 0 d-------- C:\Documents and Settings\Scott\Application Data\WinRAR
2008-06-08 19:39:32 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-08 19:38:58 0 d-------- C:\Program Files\Microsoft Works
2008-06-08 19:24:50 0 d-------- C:\Documents and Settings\Scott\Application Data\Adobe
2008-06-07 21:24:12 0 d-------- C:\Program Files\CCleaner
2008-06-07 21:16:22 0 d-------- C:\Program Files\Microsoft.NET
2008-06-07 21:05:07 0 d-------- C:\Documents and Settings\Scott\Application Data\ATI
2008-06-07 20:43:08 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-06-07 20:39:17 0 d-------- C:\Program Files\AVG
2008-06-07 20:36:10 0 d-------- C:\Program Files\ATI Technologies
2008-06-07 20:34:17 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-07 20:30:11 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-07 20:16:30 0 d-------- C:\Documents and Settings\Scott\Application Data\Macromedia
2008-06-07 20:16:17 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-07 20:06:16 0 d-------- C:\Program Files\SigmaTel
2008-06-07 19:08:02 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-07 19:00:14 0 d-------- C:\Program Files\Messenger
2008-06-07 18:59:50 0 d-------- C:\Program Files\Movie Maker
2008-06-07 18:57:27 0 d-------- C:\Program Files\Windows NT
2008-06-07 17:50:58 0 d-------- C:\Documents and Settings\Scott\Application Data\Identities
2008-06-07 12:06:32 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-07 12:06:28 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-06-07 12:06:01 62 --ahs---- C:\Documents and Settings\Scott\Application Data\desktop.ini
2008-06-07 02:26:55 0 d-------- C:\Program Files\Intel
2008-06-07 02:17:53 0 d-------- C:\Program Files\microsoft frontpage
2008-06-07 02:17:39 0 -rahs---- C:\MSDOS.SYS
2008-06-07 02:17:39 0 -rahs---- C:\IO.SYS
2008-06-07 02:17:39 0 --a------ C:\CONFIG.SYS
2008-06-07 02:17:39 0 --a------ C:\AUTOEXEC.BAT
2008-06-07 02:15:29 0 d-------- C:\Program Files\Common Files\MSSoap
2008-06-07 02:14:47 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-06-07 02:14:20 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-07 02:14:06 0 d-------- C:\Program Files\MSN Gaming Zone
2008-05-12 10:49:00 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [22/03/2005 05:20 PM C:\WINDOWS\stsystra.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02/04/2008 08:07 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [04/07/2008 08:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 10:12 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\Launcher.exe




-- End of Deckard's System Scanner: finished at 2008-07-17 14:20:50 ------------



#2 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:31 AM

Posted 05 August 2008 - 02:01 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.



