Server 2003 infected with rootkit


  • This topic is locked
3 replies to this topic

#1 manjitr

Posted 09 January 2009 - 12:43 PM

Have a Windows 2003 server that has been infected by some kind of rootkit. I had McAfee Enterprise running on the server when it was infected. Ran Ad-Aware and it could not find anything. So I read about MBAM and downloaded MBAM, and it found a couple of files and asked for a reboot to delete the files. Rebooted the server and everything was good.

The next day those files reappeared, specifically the mscdco.exe file, and a couple of randomly named .exe files appear in Task Manager as running processes. Ran MBAM again and it finds some files, many of them similar to the ones found earlier, and asks for a reboot to remove the files. After the reboot everything is good, and the next day the same thing happens and all those files reappear.

Now there are a bunch of tmpx_xxxxxxxxxxx.bk files (where x is a random number and every file is 255KB in size) being created in the windows\system32 folder, and sometimes so many of these files are created that they end up eating all the remaining space on the hard drive (approx. 1.0 GB).

Thinking McAfee is not doing a good job, we purchased NOD32 Business Edition and installed it on the server. Ran a scan with NOD32 and it deleted a couple of files, but the next day the same set of files reappear.

Any help would be appreciated.

Following is the HijackThis log AFTER running MBAM, so most of the files are deleted and won't reappear till a later time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:12 AM, on 1/9/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\WINDOWS\system32\certsrv.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Group Logic\ExtremeZ-IP\ExtremeZ-IP.EXE
g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FConf.exe
g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FQuar2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
D:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Network Associates\McAfee GroupShield\bin\SAFeService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
E:\bin\mysqld-max.exe
C:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exe
C:\Program Files\RDS\RsiSvc.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\RDS\srscandr.exe
G:\Program Files\Network Associates\McAfee GroupShield\bin\RPCServ.EXE
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Subversion\bin\SVNService.exe
C:\Program Files\Subversion\bin\svnserve.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RDS\ddsschednt.exe
C:\Program Files\DisclaimIt\Bin\DsclMgmt.exe
F:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\RDS\dds.exe
C:\Program Files\RDS\spooler.exe
F:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Exchsrvr\bin\store.exe
F:\Program Files\Exchsrvr\bin\emsmta.exe
G:\Program Files\Network Associates\McAfee GroupShield\bin\RPCServ.EXE
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\dllhost.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\oobechk.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [CstlFaxTray] G:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [dumusilane] Rundll32.exe "C:\WINDOWS\system32\kayutijo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dumusilane] Rundll32.exe "C:\WINDOWS\system32\kayutijo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://support.aficio.com
O15 - ESC Trusted Zone: http://search.atomz.com
O15 - ESC Trusted Zone: http://tools.cisco.com
O15 - ESC Trusted Zone: http://www.cisco.com
O15 - ESC Trusted Zone: http://www.ciscounitysupport.com
O15 - ESC Trusted Zone: http://*.cmcnt
O15 - ESC Trusted Zone: http://good.com.cnchost.com
O15 - ESC Trusted Zone: http://owa.crazycrew.net
O15 - ESC Trusted Zone: http://ftp.crystaldecisions.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.eset.com
O15 - ESC Trusted Zone: http://www.ethereal.com
O15 - ESC Trusted Zone: http://subs.geekstogo.com
O15 - ESC Trusted Zone: http://espn.go.com
O15 - ESC Trusted Zone: http://sports.espn.go.com
O15 - ESC Trusted Zone: http://www.good.com
O15 - ESC Trusted Zone: http://*.good.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://h20000.www2.hp.com
O15 - ESC Trusted Zone: http://www.java.com
O15 - ESC Trusted Zone: http://usa.kaspersky.com
O15 - ESC Trusted Zone: http://www.kaspersky.com
O15 - ESC Trusted Zone: http://enu.vs.mcafeeasap.com
O15 - ESC Trusted Zone: http://www.mcafeeasap.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://support.ricoh.com
O15 - ESC Trusted Zone: http://sunsdlc1-11-vhost2.sun.com
O15 - ESC Trusted Zone: http://*.sun.com
O15 - ESC Trusted Zone: http://download2.veritas.com
O15 - ESC Trusted Zone: http://www.veritas.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.2.99
O15 - ESC Trusted IP range: http://192.168.4.10
O15 - ESC Trusted IP range: http://192.168.2.28
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cmclv.com
O17 - HKLM\Software\..\Telephony: DomainName = cmclv.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cmclv.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cmclv.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Database Consistency Service - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\DBConsistency.exe
O23 - Service: BlackBerry Dispatcher - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Research In Motion - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: DisclaimIt Management (DsclMgmt) - Franz Krainer - C:\Program Files\DisclaimIt\Bin\DsclMgmt.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ExtremeZ-IP File Server for Macintosh (ExtremeZ-IP) - Group Logic - C:\Program Files\Group Logic\ExtremeZ-IP\ExtremeZ-IP.EXE
O23 - Service: F-Prot Configuration - FRISK Software International - g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FConf.exe
O23 - Service: F-Prot Quarantine - FRISK Software International - g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FQuar2.exe
O23 - Service: FaxPress E2K Connector (CMCNT) (FPCon(CMCNT)) - Unknown owner - G:\Program Files\Castelle\FaxPress\FPCon\FPCon.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee GroupShield - Network Associates, Inc. - G:\Program Files\Network Associates\McAfee GroupShield\bin\SAFeService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Microsoft File Manager Services (mscdcosd) - Unknown owner - C:\WINDOWS\system32\mscdco.exe
O23 - Service: MySql - Unknown owner - E:\bin\mysqld-max.exe
O23 - Service: McAfee Log Service (Network Associates Log Service) - Network Associates, Inc. - C:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exe
O23 - Service: McAfee Outbreak Manager (Outbreak Manager) - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

#2 manjitr (Topic Starter)

Posted 09 January 2009 - 05:43 PM

The files are back. Here is the updated HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 2:40:55 PM, on 1/9/2009Platform: Windows 2003 SP2 (WinNT 5.02.3790)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeD:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec\Backup Exec\RAWS\beremote.exeF:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exeC:\WINDOWS\system32\certsrv.exeC:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exeC:\WINDOWS\system32\Dfssvc.exeC:\WINDOWS\System32\dns.exeD:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Group Logic\ExtremeZ-IP\ExtremeZ-IP.EXEg:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FConf.exeg:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FQuar2.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\WINDOWS\System32\ismserv.exeD:\Program Files\Java\jre6\bin\jqs.exeG:\Program Files\Network Associates\McAfee GroupShield\bin\SAFeService.exeC:\Program Files\Network Associates\Common Framework\FrameworkService.exeC:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exeC:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exeE:\bin\mysqld-max.exeC:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exeC:\WINDOWS\system32\ntfrs.exeC:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exeC:\Program Files\RDS\RsiSvc.exeC:\WINDOWS\system32\wmiprvse.exeC:\Program Files\RDS\srscandr.exeG:\Program Files\Network Associates\McAfee GroupShield\bin\RPCServ.EXEC:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exeC:\WINDOWS\system32\tcpsvcs.exeC:\WINDOWS\System32\snmp.exeC:\Program 
Files\Subversion\bin\SVNService.exeC:\Program Files\Subversion\bin\svnserve.exeC:\WINDOWS\system32\lserver.exeC:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exeC:\WINDOWS\System32\wins.exeC:\Program Files\RDS\ddsschednt.exeC:\Program Files\DisclaimIt\Bin\DsclMgmt.exeF:\Program Files\Exchsrvr\bin\exmgmt.exeC:\Program Files\RDS\dds.exeC:\Program Files\RDS\spooler.exeF:\Program Files\Exchsrvr\bin\mad.exeC:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exeC:\WINDOWS\System32\MsgSys.EXEC:\WINDOWS\System32\svchost.exeF:\Program Files\Exchsrvr\bin\store.exeF:\Program Files\Exchsrvr\bin\emsmta.exeG:\Program Files\Network Associates\McAfee GroupShield\bin\RPCServ.EXEc:\windows\system32\inetsrv\w3wp.exeC:\WINDOWS\system32\dllhost.exeF:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryAgent.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\dmadmin.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\system32\msnaoed.exeC:\WINDOWS\system32\tpszxyd.sysC:\WINDOWS\system32\noytcyr.exeC:\WINDOWS\system32\wsldoekd.exeC:\WINDOWS\system32\afisicx.exeC:\WINDOWS\system32\roytctm.exeC:\WINDOWS\system32\tdydowkc.exeC:\WINDOWS\system32\mabidwe.exeC:\WINDOWS\system32\soxpeca.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\rdpclip.exeC:\WINDOWS\Explorer.EXEG:\Program Files\Castelle\FaxPress\FaxTray.ExeC:\Program Files\Network Associates\Common Framework\UpdaterUI.exeC:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exeD:\Program Files\Java\jre6\bin\jusched.exeD:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeF:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exeF:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exeF:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exeF:\Program Files\Research In 
Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exeD:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\udxfytw.sysR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htmR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://go.microsoft.com/fwlink/?LinkId=54896"]http://go.microsoft.com/fwlink/?LinkId=54896[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://go.microsoft.com/fwlink/?LinkId=69157"]http://go.microsoft.com/fwlink/?LinkId=69157[/url]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htmR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [url="http://windowsupdate.microsoft.com/"]http://windowsupdate.microsoft.com/[/url]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [AuCaption] DSA OMSA ReminderO4 - HKLM\..\Run: [AuFlag] O4 - HKLM\..\Run: [CstlFaxTray] G:\Program Files\Castelle\FaxPress\FaxTray.Exe /sO4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKeyO4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network 
Associates\TalkBack\TBMon.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitserviceO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [dumusilane] Rundll32.exe "C:\WINDOWS\system32\kayutijo.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [dumusilane] Rundll32.exe "C:\WINDOWS\system32\kayutijo.dll",s (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exeO4 - Global Startup: Start Delivery Services.lnk = C:\Program Files\RDS\DdsLaunch.exeO10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missingO15 - ESC Trusted Zone: [url="http://support.aficio.com"]http://support.aficio.com[/url]O15 - ESC Trusted Zone: [url="http://search.atomz.com"]http://search.atomz.com[/url]O15 - ESC Trusted Zone: [url="http://tools.cisco.com"]http://tools.cisco.com[/url]O15 - ESC Trusted Zone: [url="http://www.cisco.com"]http://www.cisco.com[/url]O15 - ESC Trusted Zone: [url="http://www.ciscounitysupport.com"]http://www.ciscounitysupport.com[/url]O15 - ESC Trusted Zone: http://*.cmcntO15 - ESC Trusted Zone: [url="http://good.com.cnchost.com"]http://good.com.cnchost.com[/url]O15 - ESC Trusted Zone: 
[url="http://owa.crazycrew.net"]http://owa.crazycrew.net[/url]O15 - ESC Trusted Zone: [url="http://ftp.crystaldecisions.com"]http://ftp.crystaldecisions.com[/url]O15 - ESC Trusted Zone: [url="http://www.download.com"]http://www.download.com[/url]O15 - ESC Trusted Zone: [url="http://www.eset.com"]http://www.eset.com[/url]O15 - ESC Trusted Zone: [url="http://www.ethereal.com"]http://www.ethereal.com[/url]O15 - ESC Trusted Zone: [url="http://subs.geekstogo.com"]http://subs.geekstogo.com[/url]O15 - ESC Trusted Zone: [url="http://espn.go.com"]http://espn.go.com[/url]O15 - ESC Trusted Zone: [url="http://sports.espn.go.com"]http://sports.espn.go.com[/url]O15 - ESC Trusted Zone: [url="http://www.good.com"]http://www.good.com[/url]O15 - ESC Trusted Zone: http://*.good.comO15 - ESC Trusted Zone: [url="http://www.google-analytics.com"]http://www.google-analytics.com[/url]O15 - ESC Trusted Zone: [url="http://h20000.www2.hp.com"]http://h20000.www2.hp.com[/url]O15 - ESC Trusted Zone: [url="http://www.java.com"]http://www.java.com[/url]O15 - ESC Trusted Zone: [url="http://usa.kaspersky.com"]http://usa.kaspersky.com[/url]O15 - ESC Trusted Zone: [url="http://www.kaspersky.com"]http://www.kaspersky.com[/url]O15 - ESC Trusted Zone: [url="http://enu.vs.mcafeeasap.com"]http://enu.vs.mcafeeasap.com[/url]O15 - ESC Trusted Zone: [url="http://www.mcafeeasap.com"]http://www.mcafeeasap.com[/url]O15 - ESC Trusted Zone: [url="http://runonce.msn.com"]http://runonce.msn.com[/url]O15 - ESC Trusted Zone: [url="http://support.ricoh.com"]http://support.ricoh.com[/url]O15 - ESC Trusted Zone: [url="http://sunsdlc1-11-vhost2.sun.com"]http://sunsdlc1-11-vhost2.sun.com[/url]O15 - ESC Trusted Zone: http://*.sun.comO15 - ESC Trusted Zone: [url="http://download2.veritas.com"]http://download2.veritas.com[/url]O15 - ESC Trusted Zone: [url="http://www.veritas.com"]http://www.veritas.com[/url]O15 - ESC Trusted Zone: http://*.windowsupdate.comO15 - ESC Trusted Zone: 
[url="http://runonce.msn.com"]http://runonce.msn.com[/url] (HKLM)O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)O15 - ESC Trusted IP range: [url="http://192.168.2.99"]http://192.168.2.99[/url]O15 - ESC Trusted IP range: [url="http://192.168.4.10"]http://192.168.4.10[/url]O15 - ESC Trusted IP range: [url="http://192.168.2.28"]http://192.168.2.28[/url]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cmclv.comO17 - HKLM\Software\..\Telephony: DomainName = cmclv.comO17 - HKLM\System\CCS\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cmclv.comO17 - HKLM\System\CS1\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cmclv.comO17 - HKLM\System\CS2\Services\Tcpip\..\{3DA88885-7004-4091-9B86-AFCDBF50DD14}: NameServer = 192.168.2.99,192.168.2.98O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exeO23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exeO23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exeO23 - Service: BlackBerry Controller - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BlackBerryController.exeO23 - Service: BlackBerry Database Consistency Service - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\DBConsistency.exeO23 - Service: BlackBerry Dispatcher - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise 
Server\BlackBerryDispatcher.exe
O23 - Service: BlackBerry Mobile Data Service - Research In Motion - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
O23 - Service: BlackBerry Policy Service - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\ITAdminServer.exe
O23 - Service: BlackBerry Router - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouter.exe
O23 - Service: BlackBerry Alert (BlackBerry Server Alert) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Synchronization Service (BlackBerry SyncServer) - Research In Motion Limited - F:\Program Files\Research In Motion\BlackBerry Enterprise Server\SyncServer\BlackBerrySyncServer.exe
O23 - Service: Dell OpenManage Server Agent Event Monitor (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
O23 - Service: Dell OpenManage Server Agent (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
O23 - Service: Dds Scheduler Deamon (DdsSched) - RICOH Company Ltd. - C:\Program Files\RDS\ddsschednt.exe
O23 - Service: DisclaimIt Management (DsclMgmt) - Franz Krainer - C:\Program Files\DisclaimIt\Bin\DsclMgmt.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: ExtremeZ-IP File Server for Macintosh (ExtremeZ-IP) - Group Logic - C:\Program Files\Group Logic\ExtremeZ-IP\ExtremeZ-IP.EXE
O23 - Service: F-Prot Configuration - FRISK Software International - g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FConf.exe
O23 - Service: F-Prot Quarantine - FRISK Software International - g:\Program Files\FRISK Software International\F-Prot Antivirus for Exchange\FQuar2.exe
O23 - Service: FaxPress E2K Connector (CMCNT) (FPCon(CMCNT)) - Unknown owner - G:\Program Files\Castelle\FaxPress\FPCon\FPCon.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: McAfee GroupShield - Network Associates, Inc. - G:\Program Files\Network Associates\McAfee GroupShield\bin\SAFeService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Microsoft File Manager Services (mscdcosd) - Unknown owner - C:\WINDOWS\system32\mscdco.exe
O23 - Service: MySql - Unknown owner - E:\bin\mysqld-max.exe
O23 - Service: McAfee Log Service (Network Associates Log Service) - Network Associates, Inc. - C:\Program Files\Common Files\McAfee\log and quarantine\bin\i386\NAIlgpip.exe
O23 - Service: noytcyr - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: McAfee Outbreak Manager (Outbreak Manager) - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\Outbreak Manager\Outbreak.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: roytctm - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ridoc Server Information Service (RsiSvc) - RICOH Company Ltd. - C:\Program Files\RDS\RsiSvc.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: ScanRouterDriverV2 - Ricoh Co.,Ltd. - C:\Program Files\RDS\srscandr.exe
O23 - Service: Secure Port Server (Server Administrator) - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
O23 - Service: SOption - RICOH Company Ltd. - C:\Program Files\RDS\SOption.exe
O23 - Service: soxpeca - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe
O23 - Service: tdydowkc - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
O23 - Service: wsldoekd - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
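The O23 section of the log above is where a responder would start: several entries have no vendor information and a display name that is nothing but a lower-case executable stem in system32 (mabidwe, noytcyr, roytctm, soxpeca, tdydowkc, wsldoekd), one service runs a "cmd /c start" launcher for a file HijackThis could not find (rspp), and two carry Windows-sounding display names with an unknown owner (mscdcosd, which runs the mscdco.exe the original poster mentions, and HWDect). The script below is an added example written for this page; it is not code from the thread or from HijackThis. It parses O23 lines and scores them with those triage heuristics, which are this editor's assumptions about what merits a closer look, not rules stated on the page. The sample input is a subset of the O23 entries copied from the log above.

```python
"""Triage HijackThis O23 (service) entries for the signs a responder looks at first.

Added example for this page, not code from the thread or from HijackThis.
The scoring rules below are assumptions about what merits a closer look;
the page itself states no such rules.
"""
import re
from dataclasses import dataclass

# Subset of the O23 entries copied from the log posted above (raw string,
# so the backslashes are literal).
SAMPLE_LOG = r"""
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe (file missing)
O23 - Service: mabidwe - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Microsoft File Manager Services (mscdcosd) - Unknown owner - C:\WINDOWS\system32\mscdco.exe
O23 - Service: MySql - Unknown owner - E:\bin\mysqld-max.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: SVNService - Clansoft - C:\Program Files\Subversion\bin\SVNService.exe
O23 - Service: wsldoekd - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
"""

# Line shape: "O23 - Service: <display name> (<short name>) - <owner> - <image> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)$")
LAUNCHERS = ("cmd", "rundll32", "wscript", "cscript")


@dataclass
class Service:
    name: str      # display name as printed, e.g. "Microsoft File Manager Services (mscdcosd)"
    short: str     # service key name from the parentheses, or the display name if none
    owner: str     # vendor string HijackThis derived from the binary, or "Unknown owner"
    image: str     # path or command the service runs
    missing: bool  # HijackThis could not find the file on disk


def parse_o23(line: str):
    """Return a Service for an O23 line, or None for anything else."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    s = SHORT_RE.search(name)
    return Service(
        name=name,
        short=s.group("short") if s else name,
        owner=m.group("owner"),
        image=m.group("image"),
        missing=m.group("missing") is not None,
    )


def triage(svc: Service):
    """Score one service; higher means more worth pulling apart first."""
    score, reasons = 0, []
    img = svc.image.lower()
    base = img.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    unknown = svc.owner.lower() == "unknown owner"

    if unknown:
        score += 1
        reasons.append("no vendor information (weak on its own: MySql has this too)")
    if unknown and "\\windows\\system32\\" in img:
        score += 1
        reasons.append("unattributed binary living in system32")
    if svc.missing:
        score += 1
        reasons.append("registered service whose file is gone (cleaned, or never there)")
    if unknown and svc.name.lower() == stem and re.fullmatch(r"[a-z]{6,9}", stem):
        score += 2
        reasons.append("display name is just a random-looking executable stem")
    if unknown and re.search(r"\b(microsoft|windows)\b", svc.name.lower()):
        score += 2
        reasons.append("Microsoft-style display name without a Microsoft owner")
    if img.startswith(LAUNCHERS) or " /c " in img:
        score += 2
        reasons.append("image is a launcher command, not a service binary")
    return score, reasons


def flagged(log_text: str, threshold: int = 2):
    """Short names of services scoring at or above the threshold, in log order."""
    out = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc and triage(svc)[0] >= threshold:
            out.append(svc.short)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        svc = parse_o23(line)
        if svc:
            score, reasons = triage(svc)
            print(f"{score:2d} {svc.short:10s} {svc.image}")
            for r in reasons:
                print(f"     - {r}")
```

The score only orders the list. "Unknown owner" on its own deliberately stays below the threshold, because MySql and the FaxPress connector in this log carry it too and are ordinary software. The confirming step is the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services and the signature and hash of the binary on disk, neither of which a HijackThis log records; a service that keeps reappearing after deletion, as the original poster describes, also means something else on the box is recreating it, and that is what has to be found.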


#3 suebaby41

Malware Response Team
Posted 25 January 2009 - 01:16 PM

Is this a business computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator (business manager, Systems Analyst, or Information Technology (IT) Specialist)?

I ask because I do not help in cleaning business or corporate computers for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for lawsuits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.
So I am sorry we won't be able to help you in this case, and accordingly I have closed the topic.


You would need to ask if they are the domain administrator, or if the domain administrator has been informed.

Remember that any infection on such a network could jump terminals in a computer network.

The network admin needs to be informed.
When a computer is part of a domain, it mostly means that it logs into a Windows file server, with domain control of passwords etc.

Although it is possible to be set in error, it is almost always a business related use.
Indicators in a HijackThis log:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.shop.com
O17 - HKLM\Software\..\Telephony: DomainName = corp.shop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.shop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.shop.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KMCP.local
O17 - HKLM\Software\..\Telephony: DomainName = KMCP.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KMCP.local
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

Malware Response Team
Posted 02 February 2009 - 08:54 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



