Svincent84 Posted February 2, 2009 ID:52774 Share Posted February 2, 2009 Logged in a couple days ago and explorer.exe would not start at all for certain users. Upon running malwarebytes I found two items, one it cleaned and the other it did not. It says it will remove, but when you reboot and run the scan again the infection remains. Item that was not cleaned shows up as rootkit.ads, and the item that was cleaned was hijack.startmenu. The OS is Windows Server 2003 Std. so I cannot run combofix as I get an error that it won't run on a server OS. I have run full scans from Symantec Client Security, and from AVG Anti-Rootkit, neither even detected the problem. Malwarebytes Log:Malwarebytes' Anti-Malware 1.33Database version: 1714Windows 5.2.3790 Service Pack 22/2/2009 9:13:08 AMmbam-log-2009-02-02 (09-13-08).txtScan type: Quick ScanObjects scanned: 67149Time elapsed: 7 minute(s), 24 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS:wincrt32.exe (Rootkit.ADS) -> Delete on reboot.Hijack This Log:Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\WINDOWS\system32\eegssrv.exeC:\WINDOWS\system32\eelogsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\Program Files\Kaseya\Agent\AgentMon.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Kaseya\Agent\KaUsrTsk.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\eegssrv.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exec:\windows\system32\mgmt\mdlagent\KRlyCLis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-21-85293784-576776320-2399814746-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'administrator')O4 - HKUS\S-1-5-21-85293784-576776320-2399814746-500\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'administrator')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O4 - S-1-5-21-85293784-576776320-2399814746-500 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'administrator')O15 - ESC Trusted Zone: http://runonce.msn.comO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1213037618171O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cabO16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.mdltechnology.com/inc/kaxRemote.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nostrum.localO17 - HKLM\Software\..\Telephony: DomainName = nostrum.localO17 - HKLM\System\CCS\Services\Tcpip\..\{1F934F76-593F-410C-A951-09357F3DCF22}: NameServer = 192.168.10.10O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nostrum.localO17 - HKLM\System\CS1\Services\Tcpip\..\{1F934F76-593F-410C-A951-09357F3DCF22}: NameServer = 192.168.10.10O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Entrust Entelligence Group Share Service (EEGSService) - Entrust® - C:\WINDOWS\system32\eegssrv.exeO23 - Service: Entrust Entelligence Logging Service (eelogsvc) - Entrust® - C:\WINDOWS\system32\eelogsvc.exeO23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 4, 2009 Root Admin ID:53382 Share Posted February 4, 2009 Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofixPlease ensure you read this guide carefully and install the Recovery Console first.NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the programAdditional links to download the tool:ComboFix.exeComboFix.exeComboFix.exeNote: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.Once installed, you should see a blue screen prompt that says:The Recovery Console was successfully installed.Please continue as follows:Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.Click Yes to allow ComboFix to continue scanning for malware.When the tool is finished, it will produce a report for you.Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
Svincent84 Posted February 5, 2009 Author ID:53804 Share Posted February 5, 2009 This machine is running server 2003 std. Combo fix will not run on server 2003 apparently (says incompatible OS). I ran a preboot scan with Avast on it and it didn't find anything. Any other thoughts? I still haven't been able to get rid of this. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 6, 2009 Root Admin ID:53892 Share Posted February 6, 2009 Hello Vincent.Couple issues here.1. MBAM is free for HOME USERS, not for Business Users and / or Technicians.2. You're running Windows Server 2003 STD which is not a home user OS and you also mention that multiple users have an issue, also indicating a business.3. By using MBAM on your Server without a license you're violating the EULA.I will still help you to clean the system but not with MBAM unless you want to purchase a license because that is sort of like pirating software.Let me know what you'd like to do and we'll proceed from there.Thanks. Link to post Share on other sites More sharing options...
Svincent84 Posted February 6, 2009 Author ID:54090 Share Posted February 6, 2009 I basically just ran every scanning utility I could think of once I knew it had an infection and didn't really think about licensing as they do not normally run this software on the server. The only reason I post here for help is because Malwarebytes is the only utility that has picked up on this rootkit. I do understand your issue here and can respect it. If you are willing to help outside of using Malwarebytes I definitely won't turn down the offer. To clarify the "certain users" portion of my first post. The domain admin is the only user that ever logs into this machine normally. Upon noticing exporer wouldn't start I tried the local admin and was able to log in normally the first time, but upon logging off and logging back on it experienced the same problem. I then created a test user and tried it and have been able to log in normally, even after I gave it local admin rights. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54245 Share Posted February 7, 2009 Please download the following scanning tool. GMEROpen the zip file and copy the file gmer.exe to your Desktop.Double click on gmer.exe and run it.It may take a minute to load and become available.Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOGZip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.Click OK and quit the GMER program.How To Use Compressed (Zipped) Folders in Windows XPCompress and uncompress files (zip files) in Vista Link to post Share on other sites More sharing options...
Svincent84 Posted February 7, 2009 Author ID:54289 Share Posted February 7, 2009 Log is attached. Thank you very much for continuing to help me.gmerlog.zipgmerlog.zip Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 7, 2009 Root Admin ID:54372 Share Posted February 7, 2009 Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.Requires access to a working computer with a CD/DVD burner to create a bootable CD.Avira AntiVir Rescue System - downloadAvira AntiVir Rescue SystemAvira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to: repair a damaged system, rescue data, scan the system for virus infections.Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.Rescue CD screen resolution problemPlease see the post here if you're unable to view the entire screen of Avira. Link to post Share on other sites More sharing options...
Svincent84 Posted February 7, 2009 Author ID:54535 Share Posted February 7, 2009 I won't have access to this machine until Monday, and it may be Tuesday before I can run this. I will reply with the outcome at that point. Thanks again. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 8, 2009 Root Admin ID:54615 Share Posted February 8, 2009 Okay no problem. I'll check back with you later on. Link to post Share on other sites More sharing options...
Svincent84 Posted February 10, 2009 Author ID:55290 Share Posted February 10, 2009 Ran this earlier in the day with no luck. When it starts to boot off the disk it hits a blank screen and locks up. From looking at their forum it appears to be a driver issue and has not been resolved yet. I did some more playing and was able to delete the profiles that were having problems and let them recreate. So far after doing this they are not having any more issues, so I am starting to wonder if the initial problem wasn't the item that got cleaned with the first sweep and this isn't some sort of false positive since MBAM is the only program reporting it. Is there anything suspicious in the hijack this or gmer logs, or could this be due to one of their legitimate apps they have running? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 11, 2009 Root Admin ID:55374 Share Posted February 11, 2009 Well I'd suggest running a CHKDSK on the volume. If you have time you may want to use the /R switch but you want to make sure all data is backed up and note that the /R switch can take a VERY LONG time to run depending on the size of the drive. I would at least run the basic check. CHKDSK C: /F Then run an online Scanner to verify any potential Malware or Virus.Java VersionRun Kaspersky Online AV ScannerPlease go to Kaspersky website and perform an online antivirus scan.Read through the requirements and privacy statement and click on Accept button.It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.When the downloads have finished, click on Settings.Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programsArchivesMail databases[*]Click on My Computer under Scan and then put the kettle on![*]Once the scan is complete, it will display the results. Click on View Scan Report.[*]You will see a list of infected items there. Click on Save Report As....[*]Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.[*]Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.ActiveX versionRun Kaspersky Online AV ScannerUsing Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. Read the Requirements and limitations before you click Accept. Allow the ActiveX download if necessary. Once the database has downloaded, click Next. Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK. Click on "My Computer" and then put the kettle on!When the scan has completed, click Save Report As... Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt) Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving. Link to post Share on other sites More sharing options...
Svincent84 Posted February 11, 2009 Author ID:55649 Share Posted February 11, 2009 The initial problem was explorer.exe would not run on the domain admin account. Couldn't start if from task manager (it would start then immediately stop) and couldn't rename it and run it. I tried logging into the local admin account and was able to log in normally the first time, but after I logged off and back on explorer.exe would not run on that account either. I created a test account and gave it local admin rights and was able to scan from there and removed hijack.startmenu. During this scan MBAM found rootkit.ads which it has not been able to remove. After removing the hijack.startmenu explorer.exe would still not run, until I deleted the affected local profiles and let them recreate, at which point everything began running normally again.So far I have run everything under the sun that I can think of and MBAM is the only program that detects this rootkit, which is why I am wondering if this is a false positive.Kaspersky found no threats:--------------------------------------------------------------------------------KASPERSKY ONLINE SCANNER 7 REPORT Wednesday, February 11, 2009 Operating System: Microsoft Windows Server 2003, Standard Edition Service Pack 2 (build 3790) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Wednesday, February 11, 2009 20:04:44 Records in database: 1783690--------------------------------------------------------------------------------Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yesScan area - My Computer: A:\ C:\ D:\ E:\Scan statistics: Files scanned: 26684 Threat name: 0 Infected objects: 0 Suspicious objects: 0 Duration of the scan: 01:15:09No malware has been detected. The scan area is clean.The selected area was scanned.HIJACK THIS LOGS:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:49:38 PM, on 2/11/2009Platform: Windows 2003 SP2 (WinNT 5.02.3790)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Symantec AntiVirus\DefWatch.exeC:\WINDOWS\system32\eegssrv.exeC:\WINDOWS\system32\eelogsvc.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\inetsrv\inetinfo.exeC:\Program Files\Kaseya\Agent\AgentMon.exec:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exec:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Program Files\Symantec AntiVirus\Rtvscan.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\RealVNC\VNC4\WinVNC4.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Kaseya\Agent\KaUsrTsk.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\PROGRA~1\SYMANT~1\VPTray.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exec:\windows\system32\mgmt\mdlagent\KRlyCLis.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\eegssrv.exeC:\WINDOWS\system32\SearchProtocolHost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htmR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htmR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')O15 - ESC Trusted Zone: http://runonce.msn.comO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1213037618171O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cabO16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.mdltechnology.com/inc/kaxRemote.dllO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nostrum.localO17 - HKLM\Software\..\Telephony: DomainName = nostrum.localO17 - HKLM\System\CCS\Services\Tcpip\..\{1F934F76-593F-410C-A951-09357F3DCF22}: NameServer = 192.168.10.10O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nostrum.localO17 - HKLM\System\CS1\Services\Tcpip\..\{1F934F76-593F-410C-A951-09357F3DCF22}: NameServer = 192.168.10.10O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exeO23 - Service: Entrust Entelligence Group Share Service (EEGSService) - Entrust® - C:\WINDOWS\system32\eegssrv.exeO23 - Service: Entrust Entelligence Logging Service (eelogsvc) - Entrust® - C:\WINDOWS\system32\eelogsvc.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Kaseya Agent (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exeO23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exeO23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe--End of file - 6310 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 12, 2009 Root Admin ID:55790 Share Posted February 12, 2009 Well if it's a FP then why did you have an issue in the first place?Like I said. I can not help you clean the system with MBAM because you're in violation of the EULA of the product.So are you okay now or would you like me to continue to assist you? Link to post Share on other sites More sharing options...
Svincent84 Posted February 12, 2009 Author ID:55883 Share Posted February 12, 2009 I didn't know it was an FP, and I still don't. That's just what I'm thinking at the moment since I resolved all the issues the machine was having and no other scan/program has even found any trace of this rootkit. I think I'm going to leave this one alone for the time being and watch it. If there are no more problems I won't worry about it.Thanks a lot for continuing to help me. I really appreciate it. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted February 13, 2009 Root Admin ID:56062 Share Posted February 13, 2009 Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts