
Trojan.ServStart



We have a Trojan.ServStart which is proving difficult to get rid of, so we would appreciate some help.

The contents of the DDS.txt are copied below and I've attached the ark.txt and attach.txt files.

Thanks in advance

Joe Dempsey

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32

Run by GreystonesBridge at 15:34:19 on 2012-05-28

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.537 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: ISS Proventia 9.0.226.2075 *Enabled/Outdated* {1FD5F24D-3D0F-49A8-B23B-5387469F8374}

AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: ISS Proventia 9.0.226.0 *Disabled*

FW: Symantec Endpoint Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\ISS\issSensors\DesktopProtection\vpatch.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\ISS\issSensors\DesktopProtection\RapUISvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ie/

mDefault_Page_URL = hxxp://theglobe.umusic.net

mStart Page = hxxp://theglobe.umusic.net

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\windows\$hf_mig$\kb887472\sp2qfe\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168275098998

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {3DB09851-21CF-48A8-8FD6-0B2BA1CE3645} - Wscript.exe "c:\program files\windows media player\MEDIAPLAYER.VBS"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\greystonesbridge\application data\mozilla\firefox\profiles\7ro8trc3.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]

R1 MpKsl817974bc;MpKsl817974bc;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\MpKsl817974bc.sys [2012-5-28 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\isssensors\desktopprotection\vpatch.exe [2010-4-9 405770]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-8-4 80384]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-8-4 32640]

R3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [2010-4-9 80512]

R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-8-5 50163]

S0 black;black;c:\windows\system32\drivers\blackcat.sys --> c:\windows\system32\drivers\BlackCat.sys [?]

S2 BlackICE;BlackICE;c:\program files\iss\isssensors\desktopprotection\blackd.exe [2010-4-9 2081034]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 257696]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-2 23888]

S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2007-1-8 63360]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys --> c:\windows\system32\drivers\ewusbfake.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]

S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVEX15.SYS [?]

S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2008-8-5 36676]

S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2008-8-5 24344]

.

=============== Created Last 30 ================

.

2012-05-28 13:27:12 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\MpKsl817974bc.sys

2012-05-28 07:42:02 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\mpengine.dll

2012-05-26 11:04:36 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-05-02 17:34:58 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-05-02 17:34:58 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

==================== Find3M ====================

.

2012-05-04 20:27:29 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-04 20:27:29 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-02 17:34:22 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-20 19:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 15:34:42.08 ===============

attach.zip

ark.zip

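The log above is what a responder actually has to read, so here is an added example of pulling the first-pass facts out of it: which AV/FW products are enabled, outdated or disabled, which kernel drivers are already running at boot, and which registered services point at a binary DDS could not find. This is not part of the original post and is not code from the DDS tool; the meaning of the `R`/`S` prefix, the start-type digit and the `[?]` marker is inferred from the log, not taken from a published DDS specification, and the sample input is copied from the log in the post.

```python
"""Triage helper for a DDS log.  Added example: not part of the original post
and not code from the DDS tool.  The format interpretation (R/S prefix,
start-type digit, "[?]" marker) is inferred from the log above, not from a
published DDS specification."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied verbatim from the DDS log in the post above.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ISS Proventia 9.0.226.2075 *Enabled/Outdated* {1FD5F24D-3D0F-49A8-B23B-5387469F8374}
AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ISS Proventia 9.0.226.0 *Disabled*
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\isssensors\desktopprotection\vpatch.exe [2010-4-9 405770]
S0 black;black;c:\windows\system32\drivers\blackcat.sys --> c:\windows\system32\drivers\BlackCat.sys [?]
S2 BlackICE;BlackICE;c:\program files\iss\isssensors\desktopprotection\blackd.exe [2010-4-9 2081034]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVENG.SYS [?]
=============== Created Last 30 ================
"""

# Assumed meaning of the digit after R/S: the Windows service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
META_RE = re.compile(r"^(?P<path>.*?) \[(?P<meta>[^\]]*)\]$")
PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<status>[^*]+)\*(?: \{(?P<guid>[^}]+)\})?$")


@dataclass
class Service:
    name: str
    display: str
    running: bool                 # R = running at scan time, S = stopped (assumed)
    start: str                    # start type, see START_TYPES
    image_path: str               # path as registered (left of "-->" when present)
    resolved_path: Optional[str]  # right of "-->": where DDS looked for the file
    file_found: bool              # False when DDS printed "[?]" instead of "[date size]"
    size: Optional[int]           # size from the "[date size]" suffix


def parse_services(text: str) -> List[Service]:
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        mm = META_RE.match(rest)
        path, meta = (mm["path"], mm["meta"]) if mm else (rest, "?")
        image, resolved = (path.split(" --> ", 1) + [None])[:2]
        found = meta != "?"
        size = int(meta.split()[1]) if found and len(meta.split()) > 1 else None
        services.append(Service(
            name=m["name"], display=m["display"], running=m["state"] == "R",
            start=START_TYPES[m["start"]], image_path=image, resolved_path=resolved,
            file_found=found, size=size))
    return services


def triage(services: List[Service]) -> Dict[str, List[str]]:
    """What a responder checks first in the SERVICES / DRIVERS section."""
    return {
        # Registered service whose binary DDS could not find: a leftover from an
        # uninstalled product, or something that has since been deleted.
        "missing_binary": [s.name for s in services if not s.file_found],
        # Kernel-mode code already loaded before any user-land AV runs.
        "early_start_running": [s.name for s in services
                                if s.running and s.start in ("boot", "system")],
        # Configured to start early or automatically, but not running now.
        "early_start_stopped": [s.name for s in services
                                if not s.running and s.start in ("boot", "system", "auto")],
    }


def parse_products(text: str) -> List[Dict[str, Optional[str]]]:
    return [m.groupdict() for m in map(PRODUCT_RE.match, text.splitlines()) if m]


def product_findings(products: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    enabled_av = [p["name"] for p in products
                  if p["kind"] == "AV" and p["status"].startswith("Enabled")]
    return {
        "enabled_av": enabled_av,
        "multiple_realtime_av": len(enabled_av) > 1,  # several engines hooking the same I/O
        "outdated": [p["name"] for p in products if p["status"].endswith("Outdated")],
        "disabled_fw": [p["name"] for p in products
                        if p["kind"] == "FW" and p["status"] == "Disabled"],
    }


if __name__ == "__main__":
    findings = {**triage(parse_services(SAMPLE_LOG)),
                **product_findings(parse_products(SAMPLE_LOG))}
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the sample it reports `black` and `NAVENG` as registered services with no binary on disk, `MpFilter` as the only boot-start driver actually running, three real-time AV engines enabled at once with two of them outdated, and a disabled firewall. That is the same picture the replies below draw from the log by eye, and on a full DDS.txt the script gives you the list to verify before deciding whether a stray entry is malware or just an orphaned uninstall.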

Hello and welcome to the MBAM forum, greystonesbridgecentre:

Sorry to hear you are infected.

We cannot review scan logs or work on malware removal in this particular sub-section of the forum.

From your many installed AV programs (!!), especially SEP & ISS Proventia, it would appear that this is a business or corporate computer?

If so, please contact corporate support and they will assist you with cleaning your system.

Please contact corporate support ---> HERE.

Please make sure you have malwarebytes.org and salesforce.com in your Safe Sender list in your email program.

In order to assist you better please provide the following information when contacting them:

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number, you can contact Cleverbridge to obtain information about your order:

Cleverbridge customer service

cs@cleverbridge.com

Phone: +1-866-522-6855

Monday - Friday: 8:00 AM - 8:00 PM (CST)

Thank you very much,

daledoc1


Well, this is the wrong sub-forum, as this one's purpose is: "Post your Windows, Hardware, Networking, and Software questions here. Please do not post any questions regarding malware in this forum."

You want to post here: Malware Removal - HijackThis Logs, after reading: I'm infected - What do I do now?
