Jump to content

Outbound internet traffic, Winlogon Log hook, Appinit dll's


Recommended Posts

I think I see what's happening here but need a bit more advice, overall this trojan is trying to redirect and exhibits a lot of outbound to GODADDY and other sites possibly without a browser open:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:48:20 PM, on 11/1/2010

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\msdtc.exe

c:\centenn.ial\audit\CAgent32.exe

c:\centenn.ial\audit\xferwan.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\IBMIASRW.EXE

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Kepware\KEPServerEX 5\server_eventlog.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rserver30\RServer3.exe

D:\Program Files\Siemens\SIT\BIN\SIMATICITIPC.EXE

d:\program files\siemens\sit\bin\starterservice.exe

D:\Program Files\Siemens\SIT\BIN\RISAGENT.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\kktools\userdump.exe

C:\Program Files\VMware\VMware Converter\vmware-ufad.exe

D:\Program Files\Siemens\SIT\BIN\Ris.EXE

D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe

C:\Program Files\Kepware\KEPServerEX 5\server_runtime.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rserver30\FamItrfc.Exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Kepware\KEPServerEX 5\server_admin.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Siemens\SIT\BIN\DiagnosticIconTool.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

d:\program files\siemens\sit\bin\ism.exe

C:\WINDOWS\system32\CubeRestoreDefaults.exe

D:\Program Files\Siemens\SIT\BIN\PRGSERV.EXE

D:\Program Files\Siemens\SIT\BIN\FFSYSSRV.EXE

D:\Program Files\Siemens\SIT\BIN\EVLSERV.EXE

D:\Program Files\Siemens\SIT\BIN\NCSERV.EXE

D:\Program Files\Siemens\SIT\BIN\COMMNG.EXE

D:\Program Files\Siemens\SIT\BIN\RACRMSRV.EXE

D:\Program Files\Siemens\SIT\BIN\RACSERV.EXE

D:\Program Files\Siemens\SIT\BIN\SOPSrv.EXE

D:\Program Files\Siemens\SIT\BIN\DBSERVER.EXE

D:\Program Files\Siemens\SIT\BIN\SITL.EXE

D:\Program Files\Siemens\SIT\BIN\msdserv.exe

D:\Program Files\Siemens\SIT\BIN\NETCHK.EXE

D:\Program Files\Siemens\SIT\BIN\MSGCLI.EXE

D:\Program Files\Siemens\SIT\BIN\SOPSRV.EXE

D:\Program Files\Siemens\SIT\BIN\SITMESCfgSrv.exe

D:\Program Files\Siemens\SIT\BIN\COServer.exe

D:\Program Files\Siemens\SIT\bin\LbkSrv.exe

D:\Program Files\Siemens\SIT\OEE\BIN\OEESRV.EXE

D:\Program Files\Siemens\SIT\BIN\MSDServ.EXE

D:\Program Files\Siemens\SIT\OEE\BIN\OEEDcolSrv.exe

D:\Program Files\Siemens\SIT\BIN\PPAOBCOMSRV.EXE

D:\Program Files\Siemens\SIT\BIN\RTDB.EXE

D:\Program Files\Siemens\SIT\BIN\CUBEGSIR.EXE

D:\Program Files\Siemens\SIT\BPM\bin\BPMServer.exe

D:\Program Files\Siemens\SIT\MM\Server\MMSrv.exe

D:\Program Files\Siemens\SIT\MM\SERVER\MMPrv.exe

D:\PROGRAM FILES\SIEMENS\SIT\BIN\OPCLIENT.EXE

D:\Program Files\Siemens\SIT\POM\bin\POM.exe

D:\Program Files\Siemens\SIT\bin\DA_RUN.exe

D:\Program Files\Siemens\SIT\BIN\PPASRVCNF.EXE

D:\Program Files\Siemens\SIT\PMCOMInterface\bin\IFCOMSRV.exe

D:\Program Files\Siemens\SIT\PM\BIN\IFPM_RUN.exe

D:\Program Files\Siemens\SIT\PM\BIN\G2.EXE

D:\Program Files\Siemens\SIT\DIS\bin\DIS.exe

D:\Program Files\Siemens\SIT\PMCOMInterface\bin\ComEngine.exe

D:\PROGRAM FILES\SIEMENS\SIT\BIN\PPASCHEDULERSRV.EXE

D:\Program Files\Siemens\SIT\BIN\PPAArcSrv.EXE

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\Program Files\Siemens\SIT\DIS\BIN\DISDLLHOST.exe

D:\PROGRAM FILES\SIEMENS\SIT\BIN\DAENGINE.EXE

D:\Program Files\Siemens\SIT\PDEFM\bin\PDefM.exe

D:\Program Files\Siemens\SIT\PM\BIN\COGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\COGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\COGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\OEEGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\BPMGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\PDEFMGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\sitmesGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\SQBGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\DISPMGSI.Interface.exe

D:\Program Files\Siemens\SIT\PM\BIN\MMGSI.exe

D:\Program Files\Siemens\SIT\PM\BIN\POMGSI.exe

D:\Program Files\Siemens\SIT\bin\CSExtEng.exe

D:\PROGRA~1\SIEMENS\SIT\BIN\PPACOM~1.EXE

D:\Program Files\Siemens\SIT\bin\CSExtEng.exe

D:\Program Files\Siemens\SIT\bin\CSExtEng.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Siemens\SIT\bin\CSExtEng.exe

D:\Program Files\Siemens\SIT\PM\FC\LauncherTW.EXE

D:\Program Files\Siemens\SIT\PM\FC\twng.exe

D:\Program Files\Siemens\SIT\MMClient\Display\MMDisplay.exe

D:\Program Files\Siemens\SIT\POMD\bin\POMD.exe

C:\WINDOWS\system32\OpcEnum.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Double-Take Software\Double-Take\DoubleTake.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\rserver30\FamItrf2.Exe

C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/softAdmin.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Discovery User Input] c:\Discovery\User Input\userin32.exe

O4 - HKLM\..\Run: [KEPServerEX 5.2] "C:\Program Files\Kepware\KEPServerEX 5\server_admin.exe" -autorun

O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\S-1-5-21-3293973892-3684435604-1944709767-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - S-1-5-21-3293973892-3684435604-1944709767-500 Startup: Shortcut to timesync.bat.lnk = D:\Brock Solutions\timesync.bat (User '?')

O4 - Startup: Shortcut to timesync.bat.lnk = D:\Brock Solutions\timesync.bat

O4 - Global Startup: SIMATIC IT Monitor.lnk = D:\Program Files\Siemens\SIT\BIN\DITLauncher.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://www.webservicex.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = *****

O17 - HKLM\Software\..\Telephony: DomainName = ****

O17 - HKLM\System\CCS\Services\Tcpip\..\{02BC803B-18DD-4388-AB58-4713FE8EBF52}: NameServer = ***

O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0601CD-30A0-45B6-BBFA-026C81A83023}: NameServer = ***

O17 - HKLM\System\CCS\Services\Tcpip\..\{1739B4DE-3231-4564-BB34-9600DE695793}: NameServer = ****

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D4C8C99-E15A-4913-83BE-79E1F86D8DF1}: NameServer = ****

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = *****

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = brockhome.net

O17 - HKLM\System\CS1\Services\Tcpip\..\{02BC803B-18DD-4388-AB58-4713FE8EBF52}: NameServer = ****

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = brockhome.net

O20 - AppInit_DLLs: bafugibe.dll,rehosaki.dll,fagopitu.dll,yumafofa.dll,hakurevi.dll

O20 - Winlogon Notify: LogHook - LogHook.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: CentennialClientAgent - Centennial Software Limited - c:\centenn.ial\audit\CAgent32.exe

O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - c:\centenn.ial\audit\xferwan.exe

O23 - Service: Double-Take Management Service (CoreManagementService) - Double-Take Software - C:\Program Files\Double-Take Software\Double-Take\Service\CoreManagementService.exe

O23 - Service: Double-Take - Double-Take Software - C:\Program Files\Double-Take Software\Double-Take\DoubleTake.exe

O23 - Service: Double-Take Recall (DTRecall) - Double-Take Software - C:\Program Files\Double-Take Software\Double-Take\DTRecall.exe

O23 - Service: Double-Take Virtual Recovery Assistant Service (DtVmM_Svc) - Double-Take Software - C:\Program Files\Double-Take Software\Double-Take\VRA\DtVmM_Svc.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: IBM Automatic Server Restart Service for IPMI (ibmiasrw) - IBM Corporation - C:\WINDOWS\system32\IBMIASRW.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: KEPServerEX 5.2 Event Logger (KEPServerEXLoggerV5) - Kepware Technologies - C:\Program Files\Kepware\KEPServerEX 5\server_eventlog.exe

O23 - Service: KEPServerEX 5.2 (KEPServerEXV5) - Kepware Technologies - C:\Program Files\Kepware\KEPServerEX 5\server_runtime.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe

O23 - Service: Simatic It IPC (SimaticItIPCService) - siemens - D:\Program Files\Siemens\SIT\BIN\SIMATICITIPC.EXE

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

O23 - Service: StarterService - Unknown owner - d:\program files\siemens\sit\bin\starterservice.exe

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: VMware Converter Service (ufad-p2v) - VMware, Inc. - C:\Program Files\VMware\VMware Converter\vmware-ufad.exe

--

End of file - 12942 bytes

Link to post
Share on other sites

Hello ,

And :D My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:

    [*]Save it to your desktop.

    [*]Double click on the otlDesktopIcon.png icon on your desktop.

    [*]Click the "Scan All Users" checkbox.

    [*]Push the Quick Scan button.

    [*]Two reports will open, copy and paste them in a reply here:

    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.