
Hijack This Log



Hello all,

Having quite the issue with some malware on a PC. I can install Malwarebytes but only after renaming the file. Once installed, I cannot run any of the executable files. I am also unable to run the latest HijackThis; I had an older version that I was able to run from a USB stick. Here are the log results:

Logfile of HijackThis v1.99.1

Scan saved at 6:46:07 PM, on 3/9/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\LANDesk\LDCLient\webportal\sdclientmonitor.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDCLient\LDIScn32.EXE

C:\Program Files\LANDesk\LDCLient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDCLient\issuser.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe

C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\LANDesk\LDCLient\softmon.exe

C:\spm\spmdib.exe

C:\Program Files\UPHClean\uphclean.exe

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\LANDesk\LDCLient\rcgui.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

G:\Work\Tools\Malware Removing Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208550124479

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = F9.internal

O17 - HKLM\Software\..\Telephony: DomainName = F9.internal

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = F9.internal

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = F9.internal

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE

O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe

O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\tmcsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDCLient\issuser.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDCLient\softmon.exe

O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmdib.exe

I have tried to run in Safe Mode to no avail. Any attempt to directly download Malwarebytes redirects me to an invalid site. I cannot remote into this machine using Remote Desktop or VNC.

Please help! This particular user has a very custom setup and would rather attempt to clean his machine before rebuilding it.

-Snake

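The log above already contains the three entries that matter most for this kind of infection: an extra executable chained behind userinit.exe in the F2 line, a hosts entry that points a microsoft.com name at an outside address, and a BHO in system32 with the meaningless display name "BHO". The following triage script flags exactly those patterns in a HijackThis log. It is an added example, not code from HijackThis, Malwarebytes or the poster; SAMPLE_LOG is constructed from lines of the posted log, and the rules are assumptions about what a reviewer checks first, not a substitute for reading the whole log.

```python
"""Triage a HijackThis log for the hijack patterns this thread turned up.

Added example: the sample lines are copied from the log posted above; the
rules are assumptions about what a log reviewer looks for first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few lines from the posted log, clean and bad mixed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# The only value UserInit should carry on a stock XP box (trailing comma is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Hosts entries resolving to these are harmless; anything else redirects a name.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# BHO display names that say nothing about who wrote the DLL.
GENERIC_BHO_NAMES = {"", "bho", "(no name)"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def extra_userinit_entries(value: str) -> List[str]:
    """Return every executable in the UserInit value other than userinit.exe.

    Anything listed here runs at every interactive logon, which is why
    sdra64.exe was chained behind userinit.exe in the posted log."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [e for e in entries if e != EXPECTED_USERINIT]


def hosts_redirect(value: str) -> Optional[Tuple[str, str]]:
    """Return (ip, host) when a hosts line maps a name to a non-local address."""
    ip, _, host = value.strip().partition(" ")
    return None if ip in LOCAL_ADDRS else (ip, host.strip())


def suspicious_bho(value: str) -> Optional[Tuple[str, str]]:
    """Return (name, dll path) when a BHO entry carries a generic display name."""
    name, _, rest = value.partition(" - {")
    _clsid, _, path = rest.partition("} - ")
    if name.strip().lower() in GENERIC_BHO_NAMES:
        return (name.strip(), path.strip())
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the R/F/O sections of a HijackThis log and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "UserInit=" in body:
            for exe in extra_userinit_entries(body.split("UserInit=", 1)[1]):
                findings.append(Finding(sec, f"extra UserInit executable: {exe}", line))
        elif sec == "O1" and body.startswith("Hosts:"):
            hit = hosts_redirect(body[len("Hosts:"):])
            if hit:
                findings.append(Finding(sec, f"hosts file sends {hit[1]} to {hit[0]}", line))
        elif sec == "O2" and body.startswith("BHO:"):
            hit = suspicious_bho(body[len("BHO:"):].strip())
            if hit:
                findings.append(Finding(sec, f"generic BHO name {hit[0]!r} loading {hit[1]}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

Run against the full posted log, the same three entries are the ones ComboFix later reports removing (sdra64.exe, iehelper.dll, and the hosts redirect disappears with them).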

Well, after poking around, I fixed it. I was a little hesitant to use it (all those warnings) but I had to get this system running.

I ran ComboFix.exe and it found a rootkit that consisted of several files. After it removed them and I rebooted, I was able to run Malwarebytes as usual. Here is a copy of the ComboFix log.

ComboFix 09-03-06.02 - mpark 2009-03-09 19:56:38.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1633 [GMT -7:00]

Running from: c:\documents and settings\mpark\Desktop\Combo-Fix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\mjhita\a.exe

c:\program files\SelectRebates

c:\program files\SelectRebates\SelectRebates.ini

c:\program files\SelectRebates\SelectRebatesDownload.exe

c:\program files\SelectRebates\SelectRebatesUninstall.exe

c:\windows\svcho.exe

c:\windows\sysguard.exe

c:\windows\syssvc.exe

c:\windows\system32\_000003_.tmp.dll

c:\windows\system32\_000008_.tmp.dll

c:\windows\system32\_000009_.tmp.dll

c:\windows\system32\_000016_.tmp.dll

c:\windows\system32\_000017_.tmp.dll

c:\windows\system32\_000018_.tmp.dll

c:\windows\system32\_000019_.tmp.dll

c:\windows\system32\drivers\UACoscuhqen.sys

c:\windows\system32\iehelper.dll

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\sdra64.exe

c:\windows\system32\UACbicjapik.log

c:\windows\system32\UACbpueaman.log

c:\windows\system32\UACcohvkmhs.dll

c:\windows\system32\UACdmvpkgwy.log

c:\windows\system32\uacinit.dll

c:\windows\system32\UACmlhokpdu.dat

c:\windows\system32\UACnnquqejc.dll

c:\windows\system32\UACqdwejqjj.dll

c:\windows\system32\UACuyqehqti.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\system32\dllcache\winlogon.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))

.

2009-03-09 19:27 . 2009-03-09 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-09 19:27 . 2009-03-09 19:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-09 19:27 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-09 19:27 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-09 18:53 . 2009-03-09 18:54 <DIR> d-------- c:\program files\UltraVNC

2009-03-09 18:03 . 2004-08-04 03:00 221,184 --a------ c:\windows\system32\wmpns.dll

2009-03-09 18:02 . 2009-03-09 19:46 <DIR> d-------- c:\documents and settings\mpark

2009-03-09 15:23 . 2009-03-09 15:23 <DIR> d-------- c:\program files\NewBlue

2009-02-23 18:02 . 2009-03-09 16:43 <DIR> d-------- c:\documents and settings\Cached-TEMP\18mjhita1

2009-02-23 18:00 . 2009-02-23 18:02 <DIR> d-------- c:\documents and settings\Cached-TEMP

2009-02-23 11:38 . 2009-02-23 11:46 5,303,896 --a------ c:\documents and settings\GL01_23_02_2009_V02.mov

2009-02-18 13:58 . 2009-02-19 13:35 <DIR> d-------- c:\documents and settings\mjhita\Application Data\gtk-2.0

2009-02-18 13:58 . 2009-02-18 13:58 <DIR> d-------- c:\documents and settings\mjhita\.thumbnails

2009-02-18 13:05 . 2009-02-18 13:06 <DIR> d-------- c:\documents and settings\mjhita\Application Data\Autodesk

2009-02-18 12:38 . 2009-02-18 12:38 <DIR> d-------- c:\program files\GIMP-2.0

2009-02-18 12:38 . 2009-02-19 13:39 <DIR> d-------- c:\documents and settings\mjhita\.gimp-2.6

2009-02-18 12:38 . 2009-02-18 12:38 <DIR> d-------- c:\documents and settings\mjhita\.gegl-0.0

2009-02-18 12:33 . 2009-02-18 12:33 <DIR> d-------- c:\program files\Turbo Squid Tentacles

2009-02-18 12:33 . 2009-02-18 12:33 <DIR> d-------- c:\program files\Microsoft WSE

2009-02-18 12:29 . 2009-02-18 13:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-10 03:01 --------- d-----w c:\documents and settings\All Users\Application Data\vulScan

2009-03-10 02:27 --------- d-----w c:\program files\Java

2009-03-10 01:29 --------- d-----w c:\program files\AskPBar

2009-03-09 22:12 --------- d-----w c:\program files\Trillian

2009-02-18 19:31 --------- d-----w c:\program files\Common Files\Autodesk Shared

2009-02-18 19:29 --------- d-----w c:\program files\Autodesk

2009-02-03 18:42 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-03 18:42 --------- d-----w c:\program files\Shiny

2009-02-03 18:42 --------- d-----w c:\program files\Common Files\InstallShield

2009-01-28 22:15 --------- d-----w c:\program files\Common Files\Softimage

2009-01-19 17:50 --------- d-----w c:\program files\Microsoft Works

2008-10-09 17:41 160 ----a-w c:\documents and settings\mjhita\xrt_log.dat

.

------- Sigcheck -------

2008-10-09 10:25 295424 40ffc19a8d4875e9e19cecdc76ef9201 c:\windows\system32\termsrv.dll

2004-08-04 03:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\system32\dllcache\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]

@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"

[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]

2007-12-07 12:07 557056 -ra------ c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]

@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"

[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]

2007-12-07 12:07 557056 -ra------ c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]

@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"

[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]

2007-12-07 12:07 557056 -ra------ c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-05-08 1015808]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 178712]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLogonScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=pushprinterconnections.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 02:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]

--a------ 2006-11-17 02:06 136768 c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDClientMonitor]

--a------ 2007-11-29 11:40 262144 c:\program files\LANDesk\LDCLient\WebPortal\SDClientMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

--a------ 2008-01-24 20:50 111952 c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

"upnphost"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\CBA\\pds.exe"=

"c:\\Program Files\\LANDesk\\LDCLient\\tmcsvc.exe"=

"%windir%\\system32\\msgsys.exe"=

"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"137:UDP"= 137:UDP:@xpsp2res.dll,-22001

"138:UDP"= 138:UDP:@xpsp2res.dll,-22002

"139:TCP"= 139:TCP:@xpsp2res.dll,-22004

"445:TCP"= 445:TCP:@xpsp2res.dll,-22005

"67:TCP"= 67:TCP:LANDesk® PXE TCP Port

"67:UDP"= 67:UDP:LANDesk® PXE UDP Port

"9535:TCP"= 9535:TCP:LANDesk® Remote Control Agent TCP Port

"9535:UDP"= 9535:UDP:LANDesk® Remote Control Agent UDP Port

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [2007-01-09 122880]

R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 65536]

R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDCLient\SoftMon.exe [2008-06-28 266240]

R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2008-06-28 11904]

R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2008-06-28 3328]

R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2008-06-28 3712]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7b0fc0f-0cf8-11de-b104-0007e90789a3}]

\Shell\AutoRun\command - F:\LaunchU3.exe -a

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\mpark\Application Data\Mozilla\Firefox\Profiles\e843rqn1.default\

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-09 20:02:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(772)

c:\program files\Bonjour\mdnsNSP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\program files\LANDesk\LDCLient\LocalSch.EXE

c:\windows\system32\cba\pds.exe

c:\program files\LANDesk\LDCLient\tmcsvc.exe

c:\progra~1\LANDesk\LDCLient\issuser.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\windows\system32\nvsvc32.exe

c:\spm\spmdib.exe

c:\program files\UPHClean\uphclean.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\progra~1\LANDesk\LDCLient\collector.exe

c:\program files\LANDesk\LDCLient\rcgui.exe

.

**************************************************************************

.

Completion time: 2009-03-09 20:04:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-10 03:04:54

Pre-Run: 9,239,101,440 bytes free

Post-Run: 9,451,069,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233 --- E O F --- 2009-03-10 01:12:56


  • Root Admin

You're not fully clean yet.

Please run this AV scanner.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
