Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help needed urgent


  • This topic is locked This topic is locked
2 replies to this topic

#1 Filip

Filip

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 27 July 2009 - 02:17 AM

Here is the log of HijackThis. Tried to scan and clean NOD32 4.0 (found nothing), Microsoft Tool (found and cleaned something), Spybot (only tracing cookies), AdAware (only tracing cookies), Malwarebytes (found some trojan download agent, removed)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:49, on 27.7.2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\PROGRA~2\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\WINDOWS\SysWOW64\DWRCS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\GFI\MailArchiver\Core\bin\MArc.Core.exe
C:\Program Files (x86)\GFI\MailArchiver\MAIS\bin\MArc.MAIS.exe
C:\Program Files (x86)\GFI\MailArchiver\Search\bin\MArc.Search.exe
C:\Program Files (x86)\GFI\MailArchiver\Store\bin\MArc.Store.exe
C:\WINDOWS\SysWOW64\megaserv.exe
C:\WINDOWS\SysWOW64\raidserv.exe
C:\Program Files (x86)\RAID Web Console\Javaraid.exe
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Documents and Settings\narbanas\Local Settings\Temporary Internet Files\Content.IE5\I101258X\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://download.eset.com
O15 - ESC Trusted Zone: http://*.mail
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1199444392096
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1200317884718
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fortuna.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AD94C3-85E3-4D23-B50E-ACF8AED8D101}: NameServer = 213.147.96.3,213.147.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9FE7F87-2930-4966-8F87-21520E1E08B6}: NameServer = 192.168.10.11,192.168.10.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fortuna.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fortuna.local
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~2\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SysWOW64\DWRCS.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Javaraid - Unknown owner - C:\Program Files (x86)\RAID Web Console\Javaraid.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: GFI MailArchiver Core Service (MAR5Core) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\Core\bin\MArc.Core.exe
O23 - Service: GFI MailArchiver Core2 Service (MAR5Core2) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\Core2\bin\MArc.Core2.exe
O23 - Service: GFI MailArchiver Import Service (MAR5MAIS) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\MAIS\bin\MArc.MAIS.exe
O23 - Service: GFI MailArchiver Search Service (MAR5Search) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\Search\bin\MArc.Search.exe
O23 - Service: GFI MailArchiver Store Service (MAR5Store) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\Store\bin\MArc.Store.exe
O23 - Service: GFI MailArchiver VSS Writer Service (MAR5VSS) - GFI Software Ltd - C:\Program Files (x86)\GFI\MailArchiver\VSS\bin\MArc.VSS.exe
O23 - Service: MegaServ - Unknown owner - C:\WINDOWS\system32\megaserv.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Message Queuing (MSMQ) - Unknown owner - C:\WINDOWS\system32\mqsvc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: RAID_SERVER - Unknown owner - C:\WINDOWS\SysWOW64\\raidserv.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 7905 bytes


I have a log from malwarebytes too.

Before cleaning Malware bytes

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.2.3790 Service Pack 2

24.7.2009 13:55:55
mbam-log-2009-07-24 (13-55-50).txt

Scan type: Quick Scan
Objects scanned: 104357
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\Winrpc32.dll (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\Winrpc32.dll (Trojan.Agent) -> No action taken.

After cleaning Maylwarebytes

Malwarebytes' Anti-Malware 1.39
Database version: 2492
Windows 5.2.3790 Service Pack 2

26.7.2009 17:46:15
mbam-log-2009-07-26 (17-46-15).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 223401
Time elapsed: 1 hour(s), 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The mail server ended up on the XBL blacklist by Spamhouse.org. Tried to remove it after cleaning but it came back on blacklist after 20 hours. C

Can someone please help me, it's very urgent! Thank you all!!

BC AdBot (Login to Remove)

 


m

#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:06:08 AM

Posted 05 August 2009 - 12:43 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:08 AM

Posted 11 August 2009 - 03:45 PM

Due to lack of feedback, this topic has been closed.
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users