bkdr iroffer.b


lepetitcrabe

Thread Starter
Joined
Jan 4, 2006
Messages
9
Hi. I left the PC world a couple of years ago to go on Mac. Now at work I have a PC (great!) which is not doing great:

- secuser (online antivirus) has found a virus --> bkdr iroffer.b --> can't delete it, the file is used (display.exe in inetpub)

- can't launch cmd (the window opens itself and then closes very rapidly)
- can't launch the task manager (same problem)
- can't launch symantec client security (don't know why)

Please help

Thanks
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Go here and download the 'Hijack This!' self installer. Save it to the desktop or another suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
Click on the entry in the start menu or on the desktop to run HijackThis.
Click the "Scan" button. When the scan is finished the scan button will become "Save Log"; click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

lepetitcrabe
here it is :

Logfile of HijackThis v1.99.1
Scan saved at 11:35:58, on 05/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\inetsrv\daemon\display.exe
C:\WINNT\System32\sfmsvc.exe
C:\msp\mspadmin.exe
d:\MSSQL7\binn\sqlservr.exe
C:\WINNT\System32\WINDOW~1\Server\nspmon.exe
C:\WINNT\System32\WINDOW~1\Server\nscm.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\ShellExt\rpcxserv.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
d:\MSSQL7\binn\sqlagent.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system32\host.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\msp\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\xukp.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\msp\mailalrt.exe
C:\Program Files\Fichiers communs\System\MSSearch\bin\mssearch.exe
C:\WINNT\System32\WINDOW~1\Server\nspm.exe
C:\WINNT\System32\WINDOW~1\Server\nsum.exe
C:\WINNT\Explorer.EXE
D:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\macromed\flash\GetFlash.exe
C:\WINNT\system32\MStools1.exe
C:\Program Files\SoftwareDoctor\ErrorDoctor\ErrorDoctor.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\RunServices: [Windows Action Logger] mwins.exe
O4 - HKLM\..\RunServices: [svnidat32] svnidat32.exe
O4 - HKLM\..\RunServices: [svnlite32] svnlite32.exe
O4 - HKLM\..\RunServices: [Startup Configuration] mvsp32.exe
O4 - HKLM\..\RunServices: [memreader.exe] memreader.exe
O4 - HKLM\..\RunServices: [Microsoft Service TOols] MStools1.exe
O4 - Startup: WOOWEB-PRO V3.lnk = C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
O4 - Global Startup: Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127124015187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB4922BB-6A24-42EB-BDD9-692A98808D30}: NameServer = 192.168.0.1,192.168.0.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msd.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DisplayController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EthernetController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: avsuite (mssuite) - Unknown owner - C:\WINNT\msuite.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe
 

dvk01
That is very badly infected and will be a major problem to fix, and I will not guarantee we can remove it all.

My honest advice with a computer that is so badly compromised is to format & reinstall.

I will attempt to guide you through a fix but I doubt it will be successful.

If you want to try a fix,

start with

Download the trial/evaluation version of
http://www.greatis.com/unhackme/download.htm

Install it & follow all prompts and let it fix what it can.

Then reboot &

* Download the Trial/Demo version of Ewido Security Suite here


EWIDO DOWNLOAD

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


How to boot to safe mode

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Now run Ewido:

* Click on scanner
* Click the Start Scan button to start the scan.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Post back with a fresh HJT log and the ewido scan log
 

lepetitcrabe
Thanks for your help.

Here are the updated logs (unhackme hasn't found anything)

ewido :

---------------------------------------------------------
ewido anti-malware - Rapport de scan
---------------------------------------------------------

+ Créé le: 14:19:32, 05/01/2006
+ Somme de contrôle: 46B9353C

+ Résultats du scan:

HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Nettoyer et sauvegarder
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Nettoyer et sauvegarder
HKLM\SOFTWARE\Classes\ISTx.Installer.2 -> Spyware.ISTBar : Nettoyer et sauvegarder
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Nettoyer et sauvegarder
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Nettoyer et sauvegarder
HKU\.DEFAULT\Software\Toolbar -> Spyware.WebSearch : Nettoyer et sauvegarder
HKU\.DEFAULT\Software\Toolbar\PlugIns -> Spyware.WebSearch : Nettoyer et sauvegarder
HKU\.DEFAULT\Software\Toolbar\PlugIns\COMMON -> Spyware.WebSearch : Nettoyer et sauvegarder
HKU\.DEFAULT\Software\Toolbar\Server -> Spyware.WebSearch : Nettoyer et sauvegarder
HKU\.DEFAULT\Software\Toolbar\UrlSearchHooks -> Spyware.WebSearch : Nettoyer et sauvegarder
HKU\S-1-5-21-1229272821-1682526488-725345543-500\Software\Toolbar -> Spyware.WebSearch : Erreur durant le nettoyage
HKU\S-1-5-21-1229272821-1682526488-725345543-500\Software\Toolbar\PlugIns -> Spyware.WebSearch : Erreur durant le nettoyage
HKU\S-1-5-21-1229272821-1682526488-725345543-500\Software\Toolbar\Server -> Spyware.WebSearch : Erreur durant le nettoyage
C:\Documents and Settings\Administrateur\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
C:\Documents and Settings\Administrateur\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
C:\Documents and Settings\Administrateur.GATEWAY\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
C:\secapp.dll -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\$NtUninstallKB832359$\spuninst\67534\HIDDEN32.EXE -> Backdoor.Hupigon.hk : Erreur durant le nettoyage
C:\WINNT\a65d.exe -> Spyware.MediaMotor : Nettoyer et sauvegarder
C:\WINNT\system\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Nettoyer et sauvegarder
C:\WINNT\system32\dfgr32.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\host.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\inetsrv\daemon\display.exe -> Backdoor.Iroffer.b : Nettoyer et sauvegarder
C:\WINNT\system32\java\classes\chb\Sqlserv.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\Lsasss.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\MStools1.exe -> Backdoor.Rbot.alt : Nettoyer et sauvegarder
C:\WINNT\system32\pskill.exe -> Not-A-Virus.NetTool.Win32.PsKill : Nettoyer et sauvegarder
C:\WINNT\system32\secapp.dll -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\ShellExt\rpcxserv.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\sp33d\hidden32.exe -> Backdoor.Hupigon.hk : Nettoyer et sauvegarder
C:\WINNT\system32\sysmon.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\TFTP2380 -> Backdoor.ServU-based : Nettoyer et sauvegarder
C:\WINNT\system32\winmgnt.exe -> Backdoor.ServU-based : Nettoyer et sauvegarder


::Fin du rapport

hjt :

Logfile of HijackThis v1.99.1
Scan saved at 14:30:05, on 05/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\inetsrv\daemon\services.exe
C:\WINNT\System32\inetsrv\daemon\ethernet.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\msp\mspadmin.exe
C:\WINNT\Explorer.EXE
d:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WINDOW~1\Server\nspmon.exe
C:\WINNT\System32\WINDOW~1\Server\nscm.exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\ntfrs.exe
C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\msp\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\xukp.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\msp\mailalrt.exe
C:\Program Files\Fichiers communs\System\MSSearch\bin\mssearch.exe
C:\WINNT\System32\WINDOW~1\Server\nspm.exe
C:\WINNT\System32\WINDOW~1\Server\nsum.exe
d:\MSSQL7\binn\sqlagent.exe
C:\WINNT\system32\cmd.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\RunServices: [Windows Action Logger] mwins.exe
O4 - HKLM\..\RunServices: [svnidat32] svnidat32.exe
O4 - HKLM\..\RunServices: [svnlite32] svnlite32.exe
O4 - HKLM\..\RunServices: [Startup Configuration] mvsp32.exe
O4 - HKLM\..\RunServices: [memreader.exe] memreader.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Startup: WOOWEB-PRO V3.lnk = C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
O4 - Global Startup: Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127124015187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB4922BB-6A24-42EB-BDD9-692A98808D30}: NameServer = 192.168.0.1,192.168.0.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msd.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: DisplayController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EthernetController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe (file missing)
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: avsuite (mssuite) - Unknown owner - C:\WINNT\msuite.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe (file missing)
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe (file missing)
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe
 

dvk01
There are just too many unknowns in that log.

I am going to ask someone more experienced with this sort of backdoor to look at it before we go any further, and I'm doubtful on some of the entries that MIGHT be legit or might be part of one of these backdoors.

Have you installed IIS, and do you use it?
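A triage pass over the kind of O4 and O23 entries Derek calls unknowns, as an added example that is not part of HijackThis, ewido or this thread; the heuristics are my own choice, and the sample lines are copied from the log posted above:

```python
"""Triage of HijackThis O4/O23 entries: flag the lines a malware analyst would
call "unknowns". Heuristics only: a hit means "look closer", not "malware"."""
import re
from dataclasses import dataclass, field

# MS-DOS reserved device names. A directory called "com1" or "aux" cannot be
# opened or deleted with the normal Explorer/cmd tools, so a service path that
# contains one is a hiding technique worth flagging.
RESERVED = ({"con", "prn", "aux", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})

# Core NT binaries that belong only in %SystemRoot%\system32; the same file
# name anywhere else (C:\WINNT\svchost.exe, ...\inetsrv\daemon\services.exe)
# is a lookalike.
CORE_SYSTEM = {"svchost.exe", "services.exe", "lsass.exe",
               "winlogon.exe", "csrss.exe", "smss.exe"}

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _components(path: str) -> list:
    """Lower-cased path components; drops HJT's stray quote and arguments."""
    path = path.split('"')[0].strip()   # e.g. r_server.exe" /service
    return [p for p in re.split(r"[\\/]", path.lower()) if p]


def triage_o23(line: str):
    """Return a Finding for a suspicious O23 (service) line, else None."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    parts = _components(m["path"])
    if m["owner"] == "Unknown owner":
        reasons.append("binary carries no company/version information")
    if m["missing"]:
        reasons.append("service is registered but its file is gone "
                       "(removed component or a dropper that moved on)")
    hidden = sorted(set(parts) & RESERVED)
    if hidden:
        reasons.append(f"path uses reserved device name(s) {hidden} to hide a directory")
    if any(p.startswith(".") for p in parts[1:-1]):
        reasons.append("dot-prefixed directory in the service path")
    if parts and parts[-1] in CORE_SYSTEM and (len(parts) < 2 or parts[-2] != "system32"):
        reasons.append(f"{parts[-1]} is a core system binary but is not in system32")
    return Finding(line, reasons) if reasons else None


def triage_o4(line: str):
    """Return a Finding for a suspicious O4 registry autostart line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    reasons = []
    cmd = m["cmd"].strip().strip('"')
    # Installers write full paths; a bare file name is resolved through PATH
    # and says nothing about where the binary actually lives.
    if not re.match(r"^[A-Za-z]:\\", cmd):
        reasons.append(f"autostart command '{cmd}' is a bare file name, not a full path")
    return Finding(line, reasons) if reasons else None


def triage_log(text: str) -> list:
    """Run both checks over a whole HJT log, preserving log order."""
    findings = []
    for line in text.splitlines():
        f = triage_o23(line) or triage_o4(line)
        if f:
            findings.append(f)
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE = r"""O4 - HKLM\..\RunServices: [Windows Action Logger] mwins.exe
O4 - Global Startup: Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Feed it a full log and it leaves the Symantec and VERITAS entries alone while listing every reason a flagged service or autostart entry earned.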
 
Joined
Jun 4, 2005
Messages
34
hi

derek asked me to take a look

are you running a server on the infected machine?
also, is this server possibly business related?
does it contain any confidential or financially important data?

if the answer to any of the above is yes =>
in that case wiping the disk and reinstalling everything is the only sensible thing to do. period.

if you still want to continue with cleaning:

first thing to do is to disconnect the machine entirely, as it is really seriously compromised.
use another machine to read this forum! if the PC is online it will be a losing cause to fix it, as they have established some serious backdoors. through those they can reinfect when we try to clean it...

i need an uninstall log from hijackthis:

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread

also post a startuplist from hijackthis:

open HJT
on the welcome screen click "open misc tools section"
once there, scroll until you find "generate startuplist log"
don't click it yet; instead enable all options by putting checkmarks in both boxes
then click the button "generate startuplist log"
save it, then copy its contents here
you may need several posts to include all data; make sure you post everything
 

lepetitcrabe
uninstall list :

Advanced Administrative Tools
ErrorDoctor
ewido anti-malware
HijackThis 1.99.1
Vade Retro pour Outlook et Outlook Express
 

lepetitcrabe
StartupList report, 05/01/2006, 21:17:26
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\inetsrv\daemon\services.exe
C:\WINNT\System32\inetsrv\daemon\ethernet.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\msp\mspadmin.exe
d:\MSSQL7\binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WINDOW~1\Server\nspmon.exe
C:\WINNT\System32\WINDOW~1\Server\nscm.exe
C:\WINNT\system32\ntfrs.exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\msp\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\xukp.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\msp\mailalrt.exe
C:\Program Files\Fichiers communs\System\MSSearch\bin\mssearch.exe
C:\WINNT\System32\WINDOW~1\Server\nspm.exe
C:\WINNT\System32\WINDOW~1\Server\nsum.exe
d:\MSSQL7\binn\sqlagent.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ftp.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\vcleaner.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\stng259.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrateur.MSD\Menu Démarrer\Programmes\Démarrage]
WOOWEB-PRO V3.lnk = C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Menu Démarrer\Programmes\Démarrage]
Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows Action Logger = mwins.exe
Startup Configuration = mvsp32.exe
memreader.exe = memreader.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Regedit.exe has no CompanyName property! It is either missing or named something else.
- Regedit.exe has no OriginalFilename property! It is either missing or named something else.
- Regedit.exe has no FileDescription property! It is either missing or named something else.

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Malicious Software Removal Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\WebCleaner.dll
CODEBASE = http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127124015187

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINNT\AvxOScan\BITDEF~1.OCX
CODEBASE = http://www.inoculer.com/antivirus/Msie/bitdefender.cab

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab

[ASquaredScanForm Element]
InProcServer32 = C:\WINNT\DOWNLO~1\axscan.ocx
CODEBASE = http://www.windowsecurity.com/trojanscan/axscan.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll
Protocol #17: C:\WINNT\system32\msafd.dll
Protocol #18: C:\WINNT\system32\msafd.dll
Protocol #19: C:\WINNT\system32\msafd.dll
Protocol #20: C:\WINNT\system32\msafd.dll
Protocol #21: C:\WINNT\system32\msafd.dll
Protocol #22: C:\WINNT\system32\msafd.dll

--------------------------------------------------
 

lepetitcrabe

Thread Starter
Joined
Jan 4, 2006
Messages
9
Enumerating Windows NT/2000/XP services

Pilote ACPI Microsoft: System32\DRIVERS\ACPI.sys (system)
Video Card Clock Rate Manager: C:\WINNT\security\java\rsvsp.exe (autostart)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Environnement de prise en charge de réseau AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Avertissement: %SystemRoot%\System32\services.exe (autostart)
Protocole AppleTalk: System32\DRIVERS\sfmatalk.sys (autostart)
Gestion d'applications: %SystemRoot%\system32\services.exe (manual start)
Service d'état ASP.NET: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
Pilote de média asynchrone RAS: System32\DRIVERS\asyncmac.sys (manual start)
Contrôleur de disque dur IDE/ESDI standard: System32\DRIVERS\atapi.sys (system)
ATE_PROCMON: \??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys (manual start)
Protocole client ATM ARP: System32\DRIVERS\atmarpc.sys (manual start)
Pilote audio Stub: System32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller Driver: System32\DRIVERS\bcm4sbe5.sys (manual start)
BCM V.92 56K Modem: system32\DRIVERS\BCMSM.sys (manual start)
Couche de négociation des informations de démarrage: %SystemRoot%\System32\tcpsvcs.exe (manual start)
Service de transfert intelligent en arrière-plan: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Explorateur d'ordinateur: %SystemRoot%\System32\services.exe (autostart)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
Pilote de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Service d'indexation: C:\WINNT\System32\cisvc.exe (manual start)
Gestionnaire de l'Album: %SystemRoot%\system32\clipsrv.exe (manual start)
FireDaemon Service: config: c:\windows\system32\mui\iro\FireDaemon.EXE (autostart)
DefWatch: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe (autostart)
Système de fichiers distribués: %SystemRoot%\system32\Dfssvc.exe (autostart)
DfsDriver: system32\drivers\Dfs.sys (system)
Client DHCP: %SystemRoot%\System32\services.exe (autostart)
Serveur DHCP: %SystemRoot%\System32\tcpsvcs.exe (autostart)
Pilote de disque: System32\DRIVERS\disk.sys (system)
DisplayController: C:\WINNT\System32\inetsrv\daemon\services.exe /name:"DisplayController" /start:"hiderun.exe display.exe windows.conf" (autostart)
Service d'administration du Gestionnaire de disque logique: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Pilote de Gestionnaire de disque logique: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestionnaire de disque logique: %SystemRoot%\System32\services.exe (autostart)
Synthé logiciel Microsoft DirectMusic (WDM): system32\drivers\DMusic.sys (manual start)
Serveur DNS: %SystemRoot%\System32\dns.exe (autostart)
Client DNS: %SystemRoot%\System32\services.exe (autostart)
EthernetController: C:\WINNT\System32\inetsrv\daemon\services.exe /name:"EthernetController" /start:"ethernet.exe" (autostart)
Journal des événements: %SystemRoot%\system32\services.exe (autostart)
Système d'événements de COM+: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Handling the loading of the MAPI API.: C:\Mapi32.exe (autostart)
Service de télécopie: %systemroot%\system32\faxsvc.exe (manual start)
Pilote de contrôleur de lecteur de disquettes: System32\DRIVERS\fdc.sys (manual start)
Pilote de lecteur de disquettes: System32\DRIVERS\flpydisk.sys (manual start)
Pilote du Gestionnaire de volume: System32\DRIVERS\ftdisk.sys (system)
Windows Logon: C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (autostart)
Classificateur de paquets générique: System32\DRIVERS\msgpc.sys (manual start)
Recherche du stockage d'instance simple: %SystemRoot%\System32\grovel.exe (manual start)
Pilote de classe HID Microsoft: System32\DRIVERS\hidusb.sys (autostart)
Pilote pour clavier i8042 et souris sur port PS/2: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
Service authentification Internet: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Service d'administration IIS: C:\WINNT\system32\inetsrv\inetinfo.exe (autostart)
Pilote de filtre de trafic IP: \??\C:\WINNT\system32\drivers\ipfltdrv.sys (autostart)
Pilote de tunnelage IP dans IP: System32\DRIVERS\ipinip.sys (manual start)
Traducteur d'adresses réseau IP: System32\DRIVERS\ipnat.sys (manual start)
Pilote IPSEC: System32\DRIVERS\ipsec.sys (manual start)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Pilote de bus Plug-and-Play ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Messagerie inter-sites: %SystemRoot%\System32\ismserv.exe (disabled)
Pilote de la classe Clavier: System32\DRIVERS\kbdclass.sys (system)
Centre de distribution de clés Kerberos: %SystemRoot%\System32\lsass.exe (autostart)
Mélangeur audio Wave de noyau Microsoft: system32\drivers\kmixer.sys (manual start)
Serveur: %SystemRoot%\System32\services.exe (autostart)
Station de travail: %SystemRoot%\System32\services.exe (autostart)
Service d'enregistrement de licences: %SystemRoot%\System32\llssrv.exe (autostart)
Service d'application d'assistance TCP/IP NetBIOS: %SystemRoot%\System32\services.exe (autostart)
Log: c:\winnt\system32\Lsasss.exe (autostart)
Serveur d'impression TCP/IP: %SystemRoot%\System32\tcpsvcs.exe (autostart)
Local Security Authority Server: C:\WINNT\system32\lsasrv.exe (autostart)
Serveur de fichiers pour Macintosh: %SystemRoot%\System32\sfmsvc.exe (autostart)
Serveur d'impression pour Macintosh: %SystemRoot%\System32\sfmprint.exe (autostart)
Pilote de noyau SFM: System32\DRIVERS\sfmsrv.sys (manual start)
Service de notification d'alerte de proxy: C:\msp\mailalrt.exe (autostart)
Affichage des messages: %SystemRoot%\System32\services.exe (disabled)
Partage de Bureau à distance NetMeeting: C:\WINNT\System32\mnmsrvc.exe (manual start)
Pilote de la classe Souris: System32\DRIVERS\mouclass.sys (system)
Pilote HID de souris: System32\DRIVERS\mouhid.sys (manual start)
BDA MPE Filter: system32\DRIVERS\MPE.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
msdirectx: \??\C:\Documents and Settings\Administrateur.MSD\msdirectx.sys (manual start)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (autostart)
Service de publication FTP: C:\WINNT\system32\inetsrv\inetinfo.exe (autostart)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
Proxy de service de répartition Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Administration de Microsoft Proxy Server: C:\msp\mspadmin.exe (autostart)
Proxy d'horloge de répartition Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Proxy de gestion de qualité de répartition Microsoft: system32\drivers\MSPQM.sys (manual start)
Microsoft Search: C:\Program Files\Fichiers communs\System\MSSearch\bin\mssearch.exe (autostart)
MSSQLServer: d:\MSSQL7\binn\sqlservr.exe (autostart)
avsuite: "C:\WINNT\msuite.exe" (autostart)
Convertisseur en T/site-à-site de répartition Microsoft: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
NAVAP: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20060104.006\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20060104.006\NAVEX15.sys (manual start)
Pilote TAPI NDIS d'accès à distance: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Protocole mode utilisateur E/S: System32\DRIVERS\ndisuio.sys (manual start)
Pilote réseau étendu NDIS d'accès à distance: System32\DRIVERS\ndiswan.sys (manual start)
Interface NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBIOS sur TCP/IP: System32\DRIVERS\netbt.sys (system)
DDE réseau: %SystemRoot%\system32\netdde.exe (manual start)
DSDM DDE réseau: %SystemRoot%\system32\netdde.exe (manual start)
NetDDE Server: C:\WINNT\system32\netddesrv.exe (disabled)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Ouverture de session réseau: %SystemRoot%\System32\lsass.exe (autostart)
Connexions réseau: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote de moniteur réseau: System32\DRIVERS\NMnt.sys (manual start)
Network News Transfer Protocol (NNTP): C:\WINNT\system32\inetsrv\inetinfo.exe (autostart)
Symantec AntiVirus Client: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe (autostart)
Diffusion de présentation en ligne: C:\WINNT\System32\Windows Media\NSLite\nslservice.exe (manual start)
Service d'analyse Windows Media: C:\WINNT\System32\WINDOW~1\Server\nspmon.exe (autostart)
Service de programme Windows Media : C:\WINNT\System32\WINDOW~1\Server\nspm.exe (autostart)
Service de stations Windows Media: C:\WINNT\System32\WINDOW~1\Server\nscm.exe (autostart)
Service de monodiffusion Windows Media: C:\WINNT\System32\WINDOW~1\Server\nsum.exe (autostart)
Service de réplication de fichiers: %SystemRoot%\system32\ntfrs.exe (autostart)
Fournisseur de la prise en charge de sécurité LM NT: %SystemRoot%\System32\lsass.exe (manual start)
Médias amovibles: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pilote de filtre de trafic IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Pilote de transfert de trafic IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
orans: \??\C:\WINNT\system32\orans.sys (manual start)
Pilote de classe parallèle: System32\DRIVERS\parallel.sys (manual start)
Pilote de port parallèle: System32\DRIVERS\parport.sys (system)
Pilote de bus PCI: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug-and-Play: %SystemRoot%\system32\services.exe (autostart)
Agent de stratégie IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
Miniport réseau étendu (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Emplacement protégé: %SystemRoot%\system32\services.exe (autostart)
psydon FTP Server: C:\WINNT\system32\Psydon.exe (autostart)
Pilote de liaison parallèle directe: System32\DRIVERS\ptilink.sys (manual start)
Pilote de connexion automatique d'accès distant: System32\DRIVERS\rasacd.sys (system)
Gestionnaire de connexion automatique d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Miniport réseau étendu (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Gestionnaire de connexions d'accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Parallèle direct: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Pilote de filtre de lecture digitale de CD audio: System32\DRIVERS\redbook.sys (system)
Routage et accès distant: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Service d'accès à distance au Registre: %SystemRoot%\system32\regsvc.exe (disabled)
Moteur de stockage étendu: C:\WINNT\system32\RsEng.exe (autostart)
Fichier en stockage étendu: C:\WINNT\system32\RsFsa.exe (autostart)
Média de stockage étendu: C:\WINNT\system32\RsSub.exe (autostart)
Notification de stockage étendu: C:\WINNT\system32\RsFsa.exe (manual start)
Localisateur d'appels de procédure distante (RPC): %SystemRoot%\System32\locator.exe (autostart)
Appel de procédure distante (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
RPC Interface: C:\WINNT\system32\ShellExt\rpcxserv.exe (autostart)
Remote Storage Recall Support: System32\DRIVERS\RSFilter.sys (system)
Contrôle d'admission QoS (RSVP): %SystemRoot%\System32\rsvp.exe -s (autostart)
Pilote NT de carte Realtek PCI Fast Ethernet à base RTL8139: System32\DRIVERS\RTL8139.SYS (manual start)
Remote Administrator Service: "C:\WINNT\system32\r_server.exe" /service (autostart)
Gestionnaire de comptes de sécurité: %SystemRoot%\system32\lsass.exe (autostart)
Prise en charge des cartes à puces: %SystemRoot%\System32\SCardSvr.exe (manual start)
Carte à puce: %SystemRoot%\System32\SCardSvr.exe (manual start)
Planificateur de tâches: %SystemRoot%\system32\MSTask.exe (autostart)
Service d'exécution par délégation: %SystemRoot%\system32\services.exe (autostart)
security manager : c:\scmn.exe (autostart)
FireDaemon Service: secure: c:\windows\system32\mui\iro\FireDaemon.EXE (manual start)
Notification d'événement système: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Pilote de filtre Serenum: System32\DRIVERS\serenum.sys (manual start)
Pilote de port série: System32\DRIVERS\serial.sys (system)
COM+-Applications: C:\WINNT\svchost.exe (autostart)
Partage de connexion Internet: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Services TCP/IP simplifiés: %SystemRoot%\System32\tcpsvcs.exe (autostart)
Stockage d'instance simple (SIS): System32\DRIVERS\sis.sys (system)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Simple Mail Transfer Protocol (SMTP): C:\WINNT\system32\inetsrv\inetinfo.exe (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Service SNMP: %SystemRoot%\System32\snmp.exe (autostart)
Service de piège SNMP: %SystemRoot%\System32\snmptrap.exe (manual start)
Spouleur d'impression: %SystemRoot%\system32\spoolsv.exe (autostart)
FireDaemon Service: Spoolserver: c:\winnt\system32\microsoft\crypto\rsa\s-1-5-18\com1\.thor\.tmp\aux\.dsc\serv-u\FireDaemon.EXE (disabled)
spoolv: \??\C:\WINNT\system32\spoolv.sys (manual start)
Pilote d'utilitaire à fonctionnalité spécifique: \SystemRoot\System32\drivers\spud.sys (manual start)
SQLServerAgent: d:\MSSQL7\binn\sqlagent.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Pilote de bus logiciel: System32\DRIVERS\swenum.sys (manual start)
Synthétiseur de table de sons GC noyau Microsoft: system32\drivers\swmidi.sys (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
Périphérique audio système Microsoft: system32\drivers\sysaudio.sys (manual start)
sysmon : C:\WINNT\system32\sysmon.exe (autostart)
Journaux et alertes de performance: %SystemRoot%\system32\smlogsvc.exe (manual start)
Téléphonie: %SystemRoot%\System32\svchost.exe -k tapisrv (manual start)
IP / TCP Services: c:\winnt\System32\mshelp.exe (autostart)
Pilote du protocole TCP/IP: System32\DRIVERS\tcpip.sys (system)
Pilote de périphérique terminal: \SystemRoot\System32\drivers\termdd.sys (disabled)
Services Terminal Server: %SystemRoot%\System32\termsrv.exe (disabled)
Service Trivial FTP: %SystemRoot%\System32\tftpd.exe (manual start)
Telnet: %SystemRoot%\system32\tlntsvr.exe (disabled)
Serveur de suivi de lien distribué: %SystemRoot%\system32\services.exe (autostart)
Client de suivi de lien distribué: %SystemRoot%\system32\services.exe (autostart)
TskSrv FTP Server: c:\winnt\system32\host.exe (autostart)
Pilote de contrôleur hôte universel USB Microsoft: System32\DRIVERS\uhcd.sys (manual start)
Pilote de mise à jour microcode: System32\DRIVERS\update.sys (manual start)
Onduleur: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
Pilote de concentrateur standard USB Microsoft: System32\DRIVERS\usbhub.sys (manual start)
USB 2.0 Root Hub Support: System32\DRIVERS\usbhub20.sys (manual start)
Classe d'imprimantes USB Microsoft: System32\DRIVERS\usbprint.sys (manual start)
Pilote de stockage de masse USB: System32\DRIVERS\USBSTOR.SYS (manual start)
Gestionnaire d'utilitaires: %SystemRoot%\System32\UtilMan.exe (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINNT\system32\vsdatant.sys (manual start)
Horloge Windows: %SystemRoot%\System32\services.exe (autostart)
Service de publication World Wide Web: C:\WINNT\system32\inetsrv\inetinfo.exe (autostart)
Pilote ARP IP d'accès à distance: System32\DRIVERS\wanarp.sys (manual start)
Pilote WINMM de compatibilité audio WDM Microsoft: system32\drivers\wdmaud.sys (manual start)
Infrastructure de gestion Windows: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Service WINS (Windows Internet Name Service): %SystemRoot%\System32\wins.exe (autostart)
winupd WIN Update: c:\winnt\system32\com\winupd.exe (manual start)
Service de numéro de série du lecteur multimédia portable: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Extensions du pilote WMI: %SystemRoot%\system32\Services.exe (manual start)
wordpad: "C:\WINNT\wordpad.exe" (disabled)
service WinSock Proxy Microsoft : C:\msp\wspsrv.exe (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Mises à jour automatiques: %systemroot%\system32\svchost.exe -k wugroup (autostart)
WOOWEB PACKET DRIVER: \??\C:\Program Files\PROSUM\WOOWEB-PRO V3\WWBPACK.SYS (manual start)
RAS Support for WooWeb-PRO: \??\C:\Program Files\PROSUM\WOOWEB-PRO V3\WWBPRAS.SYS (system)
Configuration sans fil: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Adapter: C:\WINNT\system32\xukp.exe -service (autostart)
Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\ADMINI~1.MSD\LOCALS~1\Temp\_iu14D2N.tmp|||L

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 36 228 bytes
Report generated in 0,344 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Jun 4, 2005
Messages
34
ok here is what I gather:
there seem to be several illegal FTP servers installed on the machine


open hijackthis, click do a system scan only
checkmark the following items:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O4 - HKLM\..\RunServices: [Windows Action Logger] mwins.exe
O4 - HKLM\..\RunServices: [svnidat32] svnidat32.exe
O4 - HKLM\..\RunServices: [svnlite32] svnlite32.exe
O4 - HKLM\..\RunServices: [Startup Configuration] mvsp32.exe
O4 - HKLM\..\RunServices: [memreader.exe] memreader.exe
O4 - HKLM\..\RunServices: [Microsoft Service TOols] MStools1.exe
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: DisplayController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: EthernetController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: avsuite (mssuite) - Unknown owner - C:\WINNT\msuite.exe (file missing)
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe


then close all browsers and explorer windows

and click fix checked

reboot

rescan with HJT and post a fresh log

a couple of suspicious looking folders:
c:\winnt\system32\com
c:\windows\system32\mui
C:\WINNT\system32\ShellExt
C:\WINNT\System32\inetsrv\daemon
C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u

can you tell me what's inside those folders?
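The helper's triage of the log above boils down to pattern-matching the O23 service lines: a publisher of "Unknown owner", a binary HijackThis cannot see on disk ("file missing"), an install path built from reserved device names (com1, aux) and dot-directories so it cannot be browsed or deleted normally, and executables named after or one letter away from core system binaries (svchost.exe, lsass.exe, regsvr32.exe) but living outside system32. The script below is an added example written for this thread, not a tool from the thread or part of HijackThis; it applies those checks to a handful of O23 lines copied from the log above (a constructed sample) and reports why each service was flagged. The names `triage`, `triage_line` and `Finding`, and the thresholds, are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Windows reserved device names. A directory carrying one of these names cannot
# be opened, browsed or deleted through an ordinary Win32 path, which is why the
# "...\com1\.Thor\.tmp\aux\.DSC\serv-u" path in the log is a red flag on its own.
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# Core system binaries that belong in %SystemRoot%\system32; malware copies or
# slightly misspells these names (Lsasss.exe, regsvc32.exe) to blend in.
SYSTEM_BINARIES = {
    "svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "spoolsv.exe", "regsvr32.exe",
}

# O23 - Service: <display name> - <owner> - <path and args> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def _within_one_edit(a: str, b: str) -> bool:
    """True when at most one insert, delete or substitution turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # delete a char from a
        elif len(b) > len(a):
            j += 1          # insert a char into a
        else:
            i += 1          # substitute
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage_line(line: str) -> Finding | None:
    """Parse one O23 line and collect the reasons it looks suspicious."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path_field = m.group("path")
    # Keep the executable only; HijackThis appends the service arguments.
    exe_m = re.match(r'"?(?P<exe>.*?\.exe)', path_field, re.IGNORECASE)
    exe = exe_m.group("exe") if exe_m else path_field
    parts = exe.split("\\")
    basename = parts[-1].lower()
    dirs = [p.lower() for p in parts[:-1]]
    f = Finding(name=m.group("name"), path=exe)

    if m.group("owner") == "Unknown owner":
        f.reasons.append("no publisher in version info (Unknown owner)")
    if m.group("missing"):
        f.reasons.append("binary not visible on disk (file missing): deleted or hidden")
    odd_dirs = [d for d in dirs if d in RESERVED_DEVICE_NAMES or d.startswith(".")]
    if odd_dirs:
        f.reasons.append(f"install path uses reserved device / dot-directory names: {odd_dirs}")
    if basename in SYSTEM_BINARIES:
        if not dirs or dirs[-1] != "system32":
            f.reasons.append(f"system binary name {basename} outside system32")
    else:
        for legit in sorted(SYSTEM_BINARIES):
            if _within_one_edit(basename, legit):
                f.reasons.append(f"lookalike of system binary {legit}")
                break
    if "ftp" in f.name.lower():
        f.reasons.append("advertises an FTP server in its display name")
    return f


def triage(lines) -> list[Finding]:
    """Return the flagged services, most reasons first; clean entries are dropped."""
    findings = [f for f in map(triage_line, lines) if f and f.reasons]
    return sorted(findings, key=lambda f: -len(f.reasons))


# Constructed sample: six O23 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: DisplayController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
""".strip().splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.name}\n    {finding.path}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Feed it a whole saved HijackThis log (`triage(open("hijackthis.log").readlines())`) and the vendor-signed Symantec, VERITAS and ewido services drop out while every entry the helper asked to fix remains, ordered by how many independent indicators it trips. The "Unknown owner" check alone is weak (plenty of legitimate drivers have no version resource), which is why the script counts indicators rather than treating any single one as proof.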
 

lepetitcrabe

Thread Starter
Joined
Jan 4, 2006
Messages
9
here's the new log:

(I can't access files that are in c:/winnt. When I browse in Explorer no files show up!! Yes, I checked the option: show system files and hidden files)

Logfile of HijackThis v1.99.1
Scan saved at 13:58:54, on 06/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\msp\mspadmin.exe
d:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WINDOW~1\Server\nspmon.exe
C:\WINNT\System32\WINDOW~1\Server\nscm.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\msp\wspsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\xukp.exe
C:\WINNT\System32\dns.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\msp\mailalrt.exe
C:\Program Files\Fichiers communs\System\MSSearch\bin\mssearch.exe
C:\WINNT\System32\WINDOW~1\Server\nspm.exe
C:\WINNT\System32\WINDOW~1\Server\nsum.exe
d:\MSSQL7\binn\sqlagent.exe
C:\WINNT\Explorer.EXE
D:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - Startup: WOOWEB-PRO V3.lnk = C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
O4 - Global Startup: Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127124015187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB4922BB-6A24-42EB-BDD9-692A98808D30}: NameServer = 192.168.0.1,192.168.0.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msd.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe (file missing)
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: avsuite (mssuite) - Unknown owner - C:\WINNT\msuite.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe (file missing)
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe (file missing)
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe
 
Joined
Jun 4, 2005
Messages
34
Hi,

I believe there is a rootkit driver that hides the files.
Are you sure that you have administrator rights on the infected computer?

Let's do the following:


1) Please click the following link: Killbox to download TheKillbox by Option^Explicit.
Unzip it to the desktop but do NOT run it yet.
Copy the text here in my post, paste it into Notepad and save it in a convenient place.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

Code:
C:\WINNT\security\java\rsvsp.exe
c:\windows\system32\mui\iro\FireDaemon.EXE
C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe
C:\Mapi32.exe
c:\winnt\system32\Lsasss.exe
C:\WINNT\system32\lsasrv.exe
C:\WINNT\msuite.exe
C:\WINNT\system32\Psydon.exe
C:\WINNT\system32\ShellExt\rpcxserv.exe
C:\WINNT\system32\r_server.exe
c:\scmn.exe
c:\windows\system32\mui\iro\FireDaemon.EXE
C:\WINNT\svchost.exe
C:\WINNT\system32\sysmon.exe
c:\winnt\System32\mshelp.exe
c:\winnt\system32\host.exe
c:\winnt\system32\com\winupd.exe
C:\WINNT\system32\xukp.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Let the system reboot.

Once the system is back up, run HijackThis again and checkmark/fix the following items in the log:


O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: DisplayController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: EthernetController - Unknown owner - C:\WINNT\System32\inetsrv\daemon\services.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Log - Unknown owner - c:\winnt\system32\Lsasss.exe
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: avsuite (mssuite) - Unknown owner - C:\WINNT\msuite.exe (file missing)
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe

Then reboot again, rescan with HJT and post a fresh log.
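
A defender-side way to triage the O23 (service) entries in a log like the one above, added here as an example; it is not code from this thread, from HijackThis, or from the helper's post. It parses the O23 line format the scanner prints and flags the things a reviewer looks for in these entries: a reserved Win32 device name such as com1 or aux as a path component (ordinary file APIs cannot open or delete such paths, which is one reason the poster could not remove the file by hand), a core system binary name sitting outside system32 (the C:\WINNT\svchost.exe entry), an image file the scanner reports missing (which on a rootkit-infected box may mean hidden rather than absent, as the helper notes), and the weaker signal of no publisher information. The heuristics and the SYSTEM_ONLY list are my choices, not HijackThis rules; the sample lines are copied from the O23 entries quoted in this thread.

```python
"""Triage HijackThis O23 (service) lines for signs of a planted service.
Added example for this thread; the heuristics are the editor's, not HijackThis rules."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of a HijackThis O23 line as quoted in this thread:
#   O23 - Service: <display name> (<short name>) - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Win32 reserved device names: a directory or file with one of these names cannot be
# opened or deleted through the ordinary Win32 path APIs (Explorer, del, most tools).
RESERVED = ({"con", "prn", "aux", "nul"}
            | {f"com{i}" for i in range(1, 10)}
            | {f"lpt{i}" for i in range(1, 10)})

# Core binaries that legitimately live only in the system directory (editor's list).
SYSTEM_ONLY = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "smss.exe"}

# Sample input: O23 lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe
"""


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # "Unknown owner" alone is weak evidence; require at least one stronger finding.
        return any(not f.startswith("weak:") for f in self.findings)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["display"], m["short"], m["owner"], m["path"], m["missing"] is not None)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach findings to a parsed entry."""
    comps = [c for c in re.split(r"[\\/]", entry.path) if c]
    # Last component minus any trailing arguments or stray quote (e.g. r_server.exe" /service).
    basename = re.split(r'["\s]', comps[-1])[0].lower() if comps else ""
    reserved = [c for c in comps if c.split(".")[0].lower() in RESERVED]
    if reserved:
        entry.findings.append("reserved device name(s) in path: " + ", ".join(reserved))
    if basename in SYSTEM_ONLY and "\\system32\\" not in entry.path.lower():
        entry.findings.append(f"{basename} outside system32 (look-alike name)")
    if entry.file_missing:
        entry.findings.append("image file missing (deleted, or hidden from the scanner)")
    if entry.owner.lower() == "unknown owner":
        entry.findings.append("weak: no publisher information")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Parse and assess every O23 line in a HijackThis log."""
    return [assess(e) for e in map(parse_o23, log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        tag = "REVIEW" if e.suspicious else "ok    "
        print(f"{tag} {e.short or e.display:<12} {e.path}")
        for f in e.findings:
            print(f"           - {f}")
```

Run it on a saved HijackThis log with `triage(open("hijackthis.log").read())`; entries marked REVIEW are candidates to look at, not a verdict, and "file missing" on a machine where a rootkit is suspected should be read as "the scanner could not see it".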
 

lepetitcrabe

Thread Starter
Joined
Jan 4, 2006
Messages
9
OK... nothing is doing any good to this f.... computer. I think I'd better format.

Logfile of HijackThis v1.99.1
Scan saved at 18:20:16, on 04/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmsvc.exe
C:\msp\mspadmin.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\locator.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\msp\wspsrv.exe
C:\msp\mailalrt.exe
C:\WINNT\Explorer.EXE
D:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Administrateur.MSD\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - Startup: WOOWEB-PRO V3.lnk = C:\Program Files\PROSUM\WOOWEB-PRO V3\woowebp.exe
O4 - Global Startup: Gestionnaire de services SQL Server.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127124015187
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB4922BB-6A24-42EB-BDD9-692A98808D30}: NameServer = 192.168.0.1,192.168.0.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = msd.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = msd.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Video Card Clock Rate Manager (Actmovie) - Unknown owner - C:\WINNT\security\java\rsvsp.exe (file missing)
O23 - Service: FireDaemon Service: config (config) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Handling the loading of the MAPI API. (Extended MAPI Function Handler) - Unknown owner - C:\Mapi32.exe (file missing)
O23 - Service: Windows Logon (****-U) - Unknown owner - C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-5-18\com1\.Thor\.tmp\aux\.DSC\serv-u\regsvc32.exe (file missing)
O23 - Service: Local Security Authority Server (LSA Server) - Unknown owner - C:\WINNT\system32\lsasrv.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: psydon FTP Server (psydon) - Unknown owner - C:\WINNT\system32\Psydon.exe (file missing)
O23 - Service: RPC Interface (rpcxsv) - Unknown owner - C:\WINNT\system32\ShellExt\rpcxserv.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: security manager (secman) - Unknown owner - c:\scmn.exe (file missing)
O23 - Service: FireDaemon Service: secure (secure) - Unknown owner - c:\windows\system32\mui\iro\FireDaemon.EXE (file missing)
O23 - Service: COM+-Applications (Serv-U) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: sysmon (sysmon) - Unknown owner - C:\WINNT\system32\sysmon.exe (file missing)
O23 - Service: IP / TCP Services (TCP-IP) - Unknown owner - c:\winnt\System32\mshelp.exe (file missing)
O23 - Service: TskSrv FTP Server (TskSrv) - Unknown owner - c:\winnt\system32\host.exe (file missing)
O23 - Service: winupd WIN Update (winupd) - Unknown owner - c:\winnt\system32\com\winupd.exe (file missing)
O23 - Service: Windows Management Adapter (xukp) - Unknown owner - C:\WINNT\system32\xukp.exe (file missing)