Jump to content

PUM.hijack.help and hijack.controlpanelstyle

mrodger6

By mrodger6
in Resolved Malware Removal Logs

 Share

Recommended Posts

mrodger6

mrodger6

Posted
Posted

Guys

The PUM.hijack.help and hijack.controlpanelstyle were found on server and removed with malwarebytes. However, there is still an issue when you remotely login a shutdown command is being sent to various systems within our network. I ran Microsoft Malicious software removal tools, Kaspersky antivirus and nothing is found. So I run hijackthis and below is my resulting log. I would like you guys to review and give me your thioughts.

Thanks

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:06:41 PM, on 2/27/2013

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe

C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe

C:\WINDOWS\IntelliAdminRC4\Agent32.exe

C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe

C:\WINDOWS\IntelliAdminRC4\Agent32.exe

C:\WINDOWS\system32\ntfrs.exe

C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe

C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Symantec\Backup Exec\beremote.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\TEMP\KAVREM~1\6D2E72~1\exec\KK.exe

C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\rdpclip.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\rdpclip.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://rasdbs:1311/?authType=ntlm&locallogin=true&application=omsa

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-519517236-197921458-495535119-1532\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JPOAdmin')

O4 - HKUS\S-1-5-21-519517236-197921458-495535119-18512\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-21-519517236-197921458-495535119-18738\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'JPService09')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: prnRpt.bat

O4 - Global Startup: prntRpts.bat

O4 - Global Startup: prntRptSlnt.vbs

O4 - Global Startup: reporting.bat

O4 - Global Startup: reports.bat

O4 - Global Startup: runPrntRprt.bat

O4 - Global Startup: runReporting.bat

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: silentReporting.vbs

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196270844281

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dell.webex.com/client/T25L/support/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jonesplastic.com

O17 - HKLM\Software\..\Telephony: DomainName = jonesplastic.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{073BBE8F-11B8-48F7-8F75-D673A62E77CC}: NameServer = 10.1.12.8

O17 - HKLM\System\CCS\Services\Tcpip\..\{98757B22-158A-46A8-B09D-AE6C8755FBAA}: NameServer = 10.1.2.70,10.1.12.8

O17 - HKLM\System\CCS\Services\Tcpip\..\{A79191B3-886A-4721-8BFE-8FB09E30B395}: NameServer = 10.1.12.8

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jonesplastic.com

O17 - HKLM\System\CS1\Services\Tcpip\..\{073BBE8F-11B8-48F7-8F75-D673A62E77CC}: NameServer = 10.1.12.8

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe

O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe

O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe

O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe

O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe

O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe

O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe

O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: IntelliAdminRC4 - Unknown owner - C:\WINDOWS\IntelliAdminRC4\Agent32.exe

O23 - Service: Kaspersky Lab Network Agent (klnagent) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe

O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe

O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe

--

End of file - 8868 bytes

Link to post
Share on other sites
MrCharlie

MrCharlie

Posted
Posted

Welcome to the forum, please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs here.....DDS.txt and Attach.txt

(please don't put logs in code or quotes)

P2P Warning:

If you're using Peer 2 Peer software such as uTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Quit all running programs.

Please download and run RogueKiller to your desktop.

http://tigzy.geeksto...ueKillerX64.exe <---use this one for 64 bit systems

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)

MrC

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>
The removal of malware isn't instantaneous, please be patient.

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.