
Windows server 2003, no desktop, no taskbar, no working explorer.exe, probable spyware svchost.exe and spoolsv.exe and alg.exe, multiple attacks


This topic is locked.
2 replies to this topic

#1 trislasis

Posted 06 November 2009 - 10:11 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:30 PM, on 11/6/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Documents and Settings\ISTAdm\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\ThinPrint Client\Thnclnt32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\DWRCS Uploads\Ad-AwareInstallation.exe
C:\DOCUME~1\ISTAdm\LOCALS~1\Temp\mia5.tmp\Ad-AwareInstallation.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\ntbackup.exe
C:\WINDOWS\system32\rsmsink.exe
C:\WINDOWS\DWRCS Uploads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 1.1.1.1:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2010\launcher.exe" delay 20000
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\istadm\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://*.cetrk.com
O15 - ESC Trusted Zone: http://www.google.com.tr
O15 - ESC Trusted Zone: http://01370891984.channel13.facebook.com
O15 - ESC Trusted Zone: http://www.facebook.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.inndir.com
O15 - ESC Trusted Zone: http://live.iobit.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://server.iad.liveperson.net
O15 - ESC Trusted Zone: http://www.macwindows.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://microsoftwindowscom.tt.omtrdc.net
O15 - ESC Trusted Zone: http://www.rarlab.com
O15 - ESC Trusted Zone: http://cwt.trendmicro-europe.com
O15 - ESC Trusted Zone: http://go.trendmicro.com
O15 - ESC Trusted Zone: http://housecall.trendmicro.com
O15 - ESC Trusted Zone: http://shop.trendmicro.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1233910548673
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233910671251
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ist.duravit.net
O17 - HKLM\Software\..\Telephony: DomainName = ist.duravit.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C508F412-1BEF-4142-A95C-A1324CE35F05}: NameServer = 10.2.2.35,10.122.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ist.duravit.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ist.duravit.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ist.duravit.net
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

--
End of file - 8300 bytes

---------------------------------------------------------------------------------------------------------------------------------

Logfile of Advanced SystemCare 3 Security Analyzer
Scan saved at 3:18:31 PM, on 11/6/2009
Platform: Windows 2003 Server (WinNT 5.2)
MSIE: Internet Explorer v8.0 (8.0.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\NetTime\NeTmSvNT.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lserver.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\ThinPrint Client\Thnclnt32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\DWRCS Uploads\Ad-AwareInstallation.exe
C:\DOCUME~1\ISTAdm\LOCALS~1\Temp\mia5.tmp\Ad-AwareInstallation.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2010\launcher.exe" delay 20000
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1233910548673
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233910671251
O23 - Service: Application Experience Lookup Service (AeLookupSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Alerter - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\alg.exe
O23 - Service: Application Management (AppMgmt) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Indexing Service (CiSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\clipsrv.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Distributed File System (Dfs) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\Dfssvc.exe
O23 - Service: DHCP Client (Dhcp) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Server (DHCPServer) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\tcpsvcs.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: DNS Server (DNS) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\dns.exe
O23 - Service: DNS Client (Dnscache) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Error Reporting Service (ERSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\services.exe
O23 - Service: Human Interface Device Access (HidServ) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Intersite Messaging (IsmServ) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\ismserv.exe
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\lsass.exe
O23 - Service: Server (lanmanserver) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: License Logging (LicenseService) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\llssrv.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Messenger - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: FTP Publishing Service (MSFtpsvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: Network DDE (NetDDE) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: File Replication Service (NtFrs) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\ntfrs.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Remote Registry (RemoteRegistry) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Resultant Set of Policy Provider (RSoPProv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\RSoPProv.exe
O23 - Service: Special Administration Console Helper (sacsvr) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card (SCardSvr) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler (Schedule) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Secondary Logon (seclogon) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\spoolsv.exe
O23 - Service: File Server Storage Reports Manager (SrmReports) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\srmhost.exe
O23 - Service: File Server Resource Manager (SrmSvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Server Licensing (TermServLicensing) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\lserver.exe
O23 - Service: Themes - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Terminal Services Session Directory (Tssdis) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\tssdis.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\ups.exe
O23 - Service: Virtual Disk Service (vds) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\vds.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time (W32Time) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: World Wide Web Publishing Service (W3SVC) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Configuration (WZCSVC) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\svchost.exe

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Part of the report from the Hijack website

Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services alg.exe Added by W32/Tilebot-EU WORM!, Note: not to be confused with see_Here located in C:\Windows\System32\ this infection is locate in C:\Windows\
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services aspnet_state.exe Related to Microsoft Windows Operating System and is the ASP State Service.
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services cisvc.exe Microsoft Content Index service
Services clipsrv.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services Dfssvc.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services tcpsvcs.exe No Record
Services dmadmin.exe Related to Veritas logical disk manager
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services dns.exe Troj/Wollf-M
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services DNTUS26.EXE Related to Dameware_NT_Utilities program that allows remote access and control of a computer. This is a common program for hackers to install on a computer, so if it is installed, and you did not install it, it should be removed. Note: Located in C:\%WINDIR%\System32 (XP/WinNT/2K)
Services DWRCS.EXE Related to DameWare Development
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services services.exe Spanish Windows 2000 applications managing
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services IS360srv.exe No Record
Services ismserv.exe No Record
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services llssrv.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services FrameworkService.exe McAfee/CA related
Services Mcshield.exe Related to McAfee_Virus_Shield Note: Located in \%Program Files%\McAfee\VirusScan Enterprise\
Services VsTskMgr.exe Related to Network Associates Virus protection software. Previously known as McAfee.
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services inetinfo.exe Added by the Troj/Sdbot-AMX TROJAN! Read the link, rootkit type stealth involved.
Services netdde.exe Spanish Windows 2000 network DDE
Services netdde.exe Spanish Windows 2000 network DDE
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services NeTmSvNT.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services ntfrs.exe No Record
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services services.exe Spanish Windows 2000 applications managing
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services locator.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services RSoPProv.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services lsass.exe Part of Windows Vista Note:Located in C:\%WINDIR%\System32
Services SCardSvr.exe The application belonging to the Microsoft Windows Operating System, which provides the authentication facilities for smart security cards on your local system.
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services pctsAuxs.exe No Record
Services pctsSvc.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services spoolsv.exe Added by the Troj/IRCBot-VA TROJAN! Note: This worm\trojan is located in C:\%WINDIR%\
Services srmhost.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services smlogsvc.exe Spanish Windows 2000 performance logs and alerts
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services lserver.exe No Record
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services tssdis.exe No Record
Services ups.exe power management application from APC PowerChute.
Services vds.exe Microsoft Windows Server 2003 R2 Virtual Disk Service
Services vssvc.exe Related to ShadowCopy service implemented into Windows XP and onwards. This service allows files which are modified to be backed up automatically by the operating system.
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services WinVNC.exe Related to RealVNC remote control software. Note: Located in \%WINDIR%\System32\rc\
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus
Services svchost.exe Trojan-PSW.Win32.Sagic.15 Virus




I need real help, please. This will save a lot.


P.S. Task Manager is working, so I could install antispyware and scan. It found something like the hopgin virus, which was infecting wins and other viruses, and cleaned them.
But the rest of the infected original Windows processes remain, so I don't know how to disinfect them. The MMC console and remote event manager are not working, but I can see services remotely. Also, something like "winlogon.cmd" runs at startup, and after a restart it says "at least one of the services failed". All this happened after I updated Windows a lot and rebooted.

Edited by trislasis, 06 November 2009 - 10:58 AM.
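Several O23 and "Running processes" entries in the logs above record core Windows binaries (svchost.exe, lsass.exe, alg.exe, smss.exe, ...) under C:\Documents and Settings\ISTAdm\WINDOWS\... rather than C:\WINDOWS. Whether that reflects a masquerading binary or a mis-set %SystemRoot%, a core service image outside the system directory is worth checking first. The script below is an added example, not a HijackThis or BleepingComputer tool: it parses lines in the O23 and process-list shape and flags core binaries outside the assumed system root (C:\WINDOWS) or inside a user profile. The sample lines are constructed from the entry shapes quoted in this post, and the core-binary list and roots are assumptions.

```python
"""Flag HijackThis-style O23 service lines and bare process paths whose core
Windows binary resolves outside the system root or inside a user profile.

Added example for this thread, not part of HijackThis or BleepingComputer.
Assumptions: the real %SystemRoot% is C:\\WINDOWS, profiles live under
C:\\Documents and Settings, and CORE_BINARIES lists the OS executables that
should only ever run from <SystemRoot>\\system32.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SYSTEM_ROOT = r"C:\WINDOWS"                   # assumption: real system root
PROFILE_ROOT = r"C:\Documents and Settings"   # assumption: per-user profile tree

# Core OS binaries; a copy of one of these outside SYSTEM_ROOT is suspicious.
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "alg.exe",
}

O23_PREFIX = "O23 - Service: "

# Constructed sample in the shape of the entries quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Documents and Settings\ISTAdm\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\System32\alg.exe
O23 - Service: Print Spooler (Spooler) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\spoolsv.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Event Log (Eventlog) - Unknown - C:\Documents and Settings\ISTAdm\WINDOWS\system32\services.exe
"""


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def _norm(p: str) -> str:
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return p.strip().lower().replace("/", "\\")


def parse_o23(line: str) -> Optional[dict]:
    """Split 'O23 - Service: <name> (<short>) - <vendor> - <path>' into parts.

    The short name is optional (e.g. 'Alerter - Unknown - ...') and a display
    name may carry more than one parenthesised group, so the last one wins.
    """
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    head, vendor, path = parts
    m = re.search(r"\(([^()]+)\)\s*$", head)
    return {
        "display": head.strip() if m is None else head[:m.start()].strip(),
        "short": m.group(1) if m else head.strip(),
        "vendor": vendor.strip(),
        "path": path.strip(),
    }


def check_path(path: str) -> List[str]:
    """Return the reasons an image path deserves a closer look (empty if none)."""
    reasons = []
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    under_sysroot = p.startswith(_norm(SYSTEM_ROOT) + "\\")
    if name in CORE_BINARIES and not under_sysroot:
        reasons.append("core Windows binary outside the system root")
    if p.startswith(_norm(PROFILE_ROOT) + "\\"):
        reasons.append("image path resolves inside a user profile")
    return reasons


def review(log_text: str) -> List[Finding]:
    """Scan O23 lines and bare process-path lines; return the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_o23(line)
        if svc is not None:
            path = svc["path"]
        elif re.match(r"^[a-zA-Z]:\\", line):   # 'Running processes:' entry
            path = line
        else:
            continue
        reasons = check_path(path)
        if reasons:
            findings.append(Finding(line=line, path=path, reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.path}\n    " + "; ".join(f.reasons))
```

Running it on the sample flags smss.exe, alg.exe, spoolsv.exe and services.exe, while csrss.exe, DWRCS.EXE and Mcshield.exe pass because they sit where their vendor would put them.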



#2 myrti


Posted 10 November 2009 - 07:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti


Posted 16 November 2009 - 09:34 AM

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
