
Trojan.ServStart in Windows XP


We have a Trojan.ServStart which is proving difficult to get rid of - so we would appreciate some help.

The contents of the DDS.txt are copied below and I've attached the ark.txt and attach.txt files.

Thanks in advance

Joe Dempsey

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32

Run by GreystonesBridge at 15:34:19 on 2012-05-28

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1015.537 [GMT 1:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: ISS Proventia 9.0.226.2075 *Enabled/Outdated* {1FD5F24D-3D0F-49A8-B23B-5387469F8374}

AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: ISS Proventia 9.0.226.0 *Disabled*

FW: Symantec Endpoint Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\ISS\issSensors\DesktopProtection\vpatch.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\ISS\issSensors\DesktopProtection\RapUISvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ie/

mDefault_Page_URL = hxxp://theglobe.umusic.net

mStart Page = hxxp://theglobe.umusic.net

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\windows\$hf_mig$\kb887472\sp2qfe\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168275098998

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54}

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {3DB09851-21CF-48A8-8FD6-0B2BA1CE3645} - Wscript.exe "c:\program files\windows media player\MEDIAPLAYER.VBS"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\greystonesbridge\application data\mozilla\firefox\profiles\7ro8trc3.default\

FF - prefs.js: browser.startup.homepage - about:blank

FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]

R1 MpKsl817974bc;MpKsl817974bc;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\MpKsl817974bc.sys [2012-5-28 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\isssensors\desktopprotection\vpatch.exe [2010-4-9 405770]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2008-8-4 80384]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-8-4 32640]

R3 MakoNT;MakoNT;c:\windows\system32\drivers\isskboep.sys [2010-4-9 80512]

R3 rap;rap;c:\windows\system32\drivers\RapDrv.sys [2008-8-5 50163]

S0 black;black;c:\windows\system32\drivers\blackcat.sys --> c:\windows\system32\drivers\BlackCat.sys [?]

S2 BlackICE;BlackICE;c:\program files\iss\isssensors\desktopprotection\blackd.exe [2010-4-9 2081034]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-10 257696]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-2 23888]

S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2007-1-8 63360]

S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]

S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys --> c:\windows\system32\drivers\ewusbfake.sys [?]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]

S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVENG.SYS [?]

S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVEX15.SYS [?]

S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2008-8-5 36676]

S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2008-8-5 24344]

.

=============== Created Last 30 ================

.

2012-05-28 13:27:12 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\MpKsl817974bc.sys

2012-05-28 07:42:02 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e510987-601b-4880-b687-00a2f057a71b}\mpengine.dll

2012-05-26 11:04:36 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-05-02 17:34:58 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-05-02 17:34:58 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

.

==================== Find3M ====================

.

2012-05-04 20:27:29 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-05-04 20:27:29 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-02 17:34:22 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-20 19:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys

2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 15:34:42.08 ===============

mbam-log-2012-05-28 (15-38-21).txt

ark.zip

attach.zip

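As an added illustration (not part of the original thread, and not a feature of DDS itself), a small Python parser that pulls out the signals a helper reads off a DDS.txt like the one above: AV/FW products reported as Outdated or Disabled, more than one real-time antivirus installed, and services or drivers whose image file no longer exists on disk (the lines ending in `[?]`). The sample lines are constructed to mirror entries in this log.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the AV/FW summary and SERVICES / DRIVERS
# sections of a DDS.txt log (values mirror the log posted in the thread).
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: ISS Proventia 9.0.226.2075 *Enabled/Outdated* {1FD5F24D-3D0F-49A8-B23B-5387469F8374}
FW: ISS Proventia 9.0.226.0 *Disabled*
R2 VPatch;ISS Buffer Overflow Exploit Prevention;c:\program files\iss\isssensors\desktopprotection\vpatch.exe [2010-4-9 405770]
S0 black;black;c:\windows\system32\drivers\blackcat.sys --> c:\windows\system32\drivers\BlackCat.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20101010.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20101010.003\NAVENG.SYS [?]
"""

# "AV: <name> *<state>* {guid}"  or  "FW: <name> *<state>*"
PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*([^*]+)\*")
# "<R|S><start type> <service>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.+)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Return the findings a helper would pull from the AV/FW and service lines."""
    findings: List[Dict[str, str]] = []
    av_count = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state = m.groups()
            if kind == "AV":
                av_count += 1
            # Outdated signatures or a disabled firewall: the product is not protecting.
            if "Outdated" in state or "Disabled" in state:
                findings.append({"kind": kind, "name": name, "issue": state})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(5).endswith("[?]"):
            run_flag, start, name = m.group(1), m.group(2), m.group(3)
            # Registered service whose image is gone: typically an uninstall leftover.
            findings.append({
                "kind": "service", "name": name,
                "issue": f"image missing on disk ({START_TYPES[start]} start, "
                         f"{'running' if run_flag == 'R' else 'stopped'})",
            })
    if av_count > 1:
        findings.append({"kind": "AV", "name": f"{av_count} products",
                         "issue": "more than one real-time scanner installed"})
    return findings
```

Running `triage_dds` over a full DDS.txt flags the same leftovers the thread ends up removing by hand (the ISS Desktop Protection and Symantec remnants).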

Hello greystonesbridgecentre and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller logfile
  • C:\ComboFix.txt
  • Security Check checkup.txt

How is your computer running now?


After posting yesterday, I did download and use Combofix.

It found a problem with a file called bminstall or biinstall (I think - I don't have access to the problem computer at the moment).

This led me to look at getting rid of the ISS Desktop protection, which was a hangover from the laptop's previous life in a corporate environment - I managed to find a removal program in the ISS folders and it was removed from laptop.

Everything seems to be running smoothly now - I'm now thinking that ISS Desktop Protection was malfunctioning and that the error in malwarebytes was a sort of false positive.

The laptop runs XP and the registry is full of old and useless entries - it had Symantec/Norton once and that has left bits of itself in the registry.

Ideally, I'd save, reformat and install Windows 7 and then re-install the current software we use, but that might be a fairly onerous task.

Thanks for help - hopefully the problem has now disappeared

Joe

