
Possible Malware etc...


6 replies to this topic

#1 HeavyHanded (Members, 6 posts)

Posted 25 October 2008 - 06:39 AM

Hello all, I am in need of help with my computer! HP xw8000 running Windows Server 2000, IEExplorer 6. Am having serious system slowdown with occasional failures to shut down when selected. Am having multiple redirections of the browser, many times to something called "Registry Defender.com". Also many executables are not launching properly and require multiple attempts, even though the .exe files show up in the Task Manager.

Have run Spybot, Ad-Aware, Avast, HijackThis (logfile included), CWShredder, and Stinger to no avail. It's getting worse. On my last restart, only the wallpaper came up. In order to post, I had to launch "explorer" through IEExplorer, as the Task Manager and IEExplorer were the only windows I could get to launch, and "explorer" wouldn't respond when started with Task Manager. Had to run HijackThis through \Winnt\System32\CMD.exe, and ran the other software yesterday when it was only acting somewhat screwy. Starting in safe mode does not help. As always, I appreciate any insight/assistance.

Additionally, I'm having problems getting software to properly install/uninstall, and BitDefender won't install on my system at all. I had Spybot and StopZilla running at the time I believe I was infected. Spybot blocked a slew of attempted registry changes (I'm kicking myself in the butt for not recording the actual entries), but when I started up the next morning, my troubles began.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:47 PM, on 10/24/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\3CTftpSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Axeda\Connector\aremote.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GM\gm_mapper.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\calc.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [4173da56] rundll32.exe "C:\WINNT\system32\dijipire.dll",b
O4 - HKLM\..\Run: [CPM4240e9ca] Rundll32.exe "c:\winnt\system32\tarugaro.dll",a
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: calc.exe.lnk = C:\WINNT\system32\calc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215437863421
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - AppInit_DLLs: c:\winnt\system32\milifuse.dll,c:\winnt\system32\jobagiyu.dll,c:\winnt\system32\viheheji.dll,c:\winnt\system32\tarugaro.dll,C:\WINNT\system32\payezavu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tarugaro.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tarugaro.dll
O23 - Service: 3Com TFTP Server (3CTftpSvc) - Unknown owner - C:\WINNT\3CTftpSvc.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: Axeda Access Remote - Axeda Systems - C:\Axeda\Connector\aremote.exe
O23 - Service: DHCP Client DhcpNtLmSsp (DhcpNtLmSsp) - Unknown owner - C:\WINNT\system32\acluik.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: gm_mapper - Unknown owner - C:\WINNT\GM\gm_mapper.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Operator/Local%20Settings/Temporary%20Internet%20Files/Content.IE5/YQE5L18U/Pic.jpg

--
End of file - 5549 bytes
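The log above is what a helper reads by eye. As an added example (not part of the original post, and not a BleepingComputer, Trend Micro or poster-supplied tool), the Python below turns the checks that matter in this particular log into code: every DLL listed under O20 AppInit_DLLs, a DLL hooked into more than one autostart mechanism, an O21 SSODL and O22 SharedTaskScheduler entry registered under the same CLSID, a rundll32 Run entry calling a one-letter export, and an O23 service with no vendor string whose binary lives in system32. The rule names, the field layout assumed for each HJT section and the choice of what to flag are this example's own assumptions; the sample lines are a subset copied from the posted log.

```python
"""Triage helper for a HijackThis 2.x log (added example for this thread;
not a BleepingComputer, Trend Micro or poster-supplied tool).

Assumptions: the "Oxx - body" line layout seen in the log above, the
"Service: Name (short) - Owner - Path" layout of O23 lines, and the rule
names below are this example's own choices, not HJT's.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of lines copied from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [4173da56] rundll32.exe "C:\WINNT\system32\dijipire.dll",b
O4 - HKLM\..\Run: [CPM4240e9ca] Rundll32.exe "c:\winnt\system32\tarugaro.dll",a
O20 - AppInit_DLLs: c:\winnt\system32\milifuse.dll,c:\winnt\system32\jobagiyu.dll,c:\winnt\system32\viheheji.dll,c:\winnt\system32\tarugaro.dll,C:\WINNT\system32\payezavu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tarugaro.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\tarugaro.dll
O23 - Service: 3Com TFTP Server (3CTftpSvc) - Unknown owner - C:\WINNT\3CTftpSvc.exe
O23 - Service: DHCP Client DhcpNtLmSsp (DhcpNtLmSsp) - Unknown owner - C:\WINNT\system32\acluik.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"([ORF]\d+) - (.*)")               # "O20 - AppInit_DLLs: ..."
DLL_RE = re.compile(r'[a-z]:\\[^",]+?\.dll\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)
SERVICE_RE = re.compile(r"Service: (.*?) - (.*?) - (.*)$")
EXPORT_RE = re.compile(r'\.dll"?,(\w+)\s*$')             # entry point after the DLL path
IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


def parse(log_text):
    """Group log lines by HJT section id (O4, O20, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def triage(log_text):
    """Return a list of {'rule', 'item', 'detail'} findings for the log."""
    sec = parse(log_text)
    findings = []
    loaders = defaultdict(set)   # dll path -> HJT sections that load it

    # O20: AppInit_DLLs are loaded into every process that loads user32.dll.
    # Legitimate entries are rare, so every DLL listed is reported.
    for body in sec["O20"]:
        if body.startswith("AppInit_DLLs:"):
            for dll in DLL_RE.findall(body):
                loaders[dll.lower()].add("O20")
                findings.append({"rule": "appinit_dll", "item": dll.lower(), "detail": "O20"})

    # O4: Run entries that go through rundll32. Vendor software names its
    # entry point (e.g. NvStartup); a one-letter export is worth a look.
    for body in sec["O4"]:
        if "rundll32" not in body.lower():
            continue
        dlls = [d.lower() for d in DLL_RE.findall(body)]
        for dll in dlls:
            loaders[dll].add("O4")
        m = EXPORT_RE.search(body)
        if m and len(m.group(1)) == 1 and dlls:
            findings.append({"rule": "single_letter_export", "item": dlls[0], "detail": m.group(1)})

    # O21/O22: a ShellServiceObjectDelayLoad and a SharedTaskScheduler entry
    # registered under the same CLSID is one component loaded two ways.
    by_clsid = defaultdict(dict)
    for s in ("O21", "O22"):
        for body in sec[s]:
            c, d = CLSID_RE.search(body), DLL_RE.search(body)
            if c and d:
                by_clsid[c.group(0).upper()][s] = d.group(0).lower()
                loaders[d.group(0).lower()].add(s)
    for clsid, per_section in by_clsid.items():
        if len(per_section) > 1:
            findings.append({"rule": "shared_clsid", "item": clsid,
                             "detail": ",".join(sorted(set(per_section.values())))})

    # O23: a service with no vendor string whose binary sits in system32.
    # HJT shows "Unknown owner" when it finds no company name on the file.
    for body in sec["O23"]:
        m = SERVICE_RE.match(body)
        if m and m.group(2) == "Unknown owner" and IN_SYSTEM32.search(m.group(3)):
            findings.append({"rule": "unknown_owner_system32",
                             "item": m.group(3).lower(), "detail": m.group(1)})

    # Cross-reference: the same DLL reached through several autostart paths.
    for dll, secs in loaders.items():
        if len(secs) > 1:
            findings.append({"rule": "multi_mechanism", "item": dll,
                             "detail": ",".join(sorted(secs))})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:<24} {f['item']}  ({f['detail']})")
```

Run it as-is and it reports the five AppInit DLLs, tarugaro.dll as loaded through O4, O20, O21 and O22 at once, the shared CLSID, the one-letter exports, and acluik.exe; the avast, NVIDIA and 3Com entries, which carry a vendor name or a named entry point, pass. The cross-reference rule is the one that does the real work: a single file reached through several autostart paths is a far stronger signal than any one odd-looking line.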


#2 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 25 October 2008 - 07:33 AM

Hello HeavyHanded

Welcome to BleepingComputer :thumbsup:
========================
Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
===========================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Lop check
    • File - Purity Scan
    Under Basic scans:
    • Rootkit Search - Yes
    • Drivers - Non-Microsoft
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Attach the information back here. I will review it when it comes in.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 HeavyHanded (Topic Starter)

Posted 27 October 2008 - 08:34 AM

Kahdah, thanks for the assist. The heat is on me here (work machine), and I'm waiting on the vendor for the OS restore disk. I'm not so sure that'll help though, as it leaves all the partition info intact and only formats the C: drive. I hope you can make use of the logfile. Thank you sincerely again.

HH

Attached Files



#4 HeavyHanded (Topic Starter)

Posted 27 October 2008 - 10:11 AM

Kahdah, I've run out of time. The vendor for my machine finally got the restore disk to me, and my boss is insisting I use it. Like I said, it does leave some things untouched (like the striped drives), so it remains to be seen if this will fix my troubles. Rather than have you waste time you could better use helping someone else, I'd suggest you drop my petition for now. I'll add another reply to let you know how things are doing, hopefully by 2:00pm EST.
Thanks again HH

#5 kahdah (Security Colleague)

Posted 27 October 2008 - 11:35 AM

Ok no problem.
Let me know.

#6 HeavyHanded (Topic Starter)

Posted 27 October 2008 - 01:16 PM

Kahdah, the reinstall went without a hitch, and I got to pump one of the service techs for more info about my system. It feeds a digital press, and apparently some of the files it sends to the press over the DHCP server look just like a virus to most real-time scanning apps. It seems that there is very little I can do as far as active scanning, including Spybot's TeaTimer, that won't interfere with the normal functioning of the equipment.

It's possible that I blocked a necessary registry change, and when I uninstalled Spybot and StopZilla as part of my troubleshooting, something that was lurking on my machine was left with a free hand to cause trouble. Looks like I need to do a lot more backing up on a regular basis. If you get a chance, I'd still very much appreciate it if you could take a look at the OTScanIt log and let me know what you think. Thanks a lot, I've learned quite a bit that I didn't know last week, not the least of which is that there are good people volunteering to help the unwary.

:thumbsup:

Edited by HeavyHanded, 27 October 2008 - 01:18 PM.


#7 kahdah (Security Colleague)

Posted 27 October 2008 - 07:57 PM

Hi if you have done a full reinstall then your log is clean.

You are welcome.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.



