
Help! Server left unlocked, cleaning service people infected system!

Discussion in 'Virus & Other Malware Removal' started by stan1415, Jan 22, 2006.

Thread Status:
Not open for further replies.
  1. stan1415 (Thread Starter), joined Jan 22, 2006, 1 message
    Hello,

    Our server was left unlocked and it was used by the cleaning service people at night and is now infected with multiple malware problems. Could anyone help to clean this system? It's an NT 4.0 Server so it may be different from cleaning XP. I tried installing some antispyware products but no luck, everything seems to come back. I am posting my HijackThis log. Please let me know if there is any more info needed.

    Thanks!
    Stan

    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:17 AM, on 1/22/06
    Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINNT.SBS\System32\smss.exe
    C:\WINNT.SBS\system32\winlogon.exe
    C:\WINNT.SBS\system32\services.exe
    C:\WINNT.SBS\system32\lsass.exe
    C:\ARCserve\DBENG.EXE
    C:\ARCserve\JOBENG.EXE
    C:\ARCserve\RDS.EXE
    C:\ARCserve\MSGENG.EXE
    C:\ARCserve\TAPEENG.EXE
    C:\ARCserve\casmrtbk.exe
    C:\ARCserve\DBAXCHG\dbasvr.exe
    C:\WINNT.SBS\System32\llssrv.exe
    C:\WINNT.SBS\LogWatNT.exe
    C:\WINNT.SBS\System32\tcpsvcs.exe
    C:\MSP\mspadmin.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Trend\OfficeScan\PCCSRV\web\service\ofcservice.exe
    C:\WINNT.SBS\System32\LOCATOR.EXE
    C:\WINNT.SBS\system32\RpcSs.exe
    C:\PROGRA~1\Trend\SMEX\instmon.exe
    C:\WINNT.SBS\system32\tapisrv.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\PROGRA~1\Trend\SMEX\RMonitor.exe
    C:\MSP\wspsrv.exe
    C:\WINNT.SBS\System32\ASDscSvc.exe
    C:\WINNT.SBS\System32\Liccheck.exe
    C:\OfficeScan NT\ofcdog.exe
    D:\ZFAX\SERVER\EPSTIFF.EXE
    D:\ZFAX\SERVER\QM.EXE
    D:\ZFAX\SERVER\ADB.EXE
    D:\ZFAX\MAIL\STM32.EXE
    D:\ZFAX\SERVER\DEVBT.EXE
    D:\ZFAX\SERVER\DEVBT.EXE
    D:\ZFAX\SERVER\DEVPRNT.EXE
    C:\WINNT.SBS\System32\dns.exe
    C:\WINNT.SBS\System32\esserver.exe
    C:\WINNT.SBS\System32\nddeagnt.exe
    C:\MSP\mailalrt.exe
    C:\WINNT.SBS\System32\modemshr.exe
    C:\ExchSrvr\bin\mad.exe
    c:\winnt.sbs\system32\pstores.exe
    C:\WINNT.SBS\system32\rasman.exe
    C:\WINNT.SBS\system32\MSTask.exe
    C:\WINNT.SBS\System32\SENS.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\WINNT.SBS\System32\wins.exe
    C:\WINNT.SBS\System32\ap9h4qmo.exe
    C:\WINNT.SBS\System32\inetsrv\inetinfo.exe
    C:\WINNT.SBS\system32\rassrv.exe
    C:\WINNT.SBS\system32\spoolss.exe
    C:\EXCHSRVR\connect\msexcimc\bin\msexcimc.exe
    C:\ExchSrvr\bin\events.exe
    C:\PROGRA~1\Trend\SMEX\SmexVS.exe
    C:\PROGRA~1\Trend\SMEX\WebRoot\InstWeb.exe
    C:\PROGRA~1\Trend\SMEX\WebRoot\SmexHS.exe
    C:\WINNT.SBS\SYSTEM32\MDM.EXE
    C:\WINNT.SBS\Explorer.exe
    C:\WINNT.SBS\Profiles\Administrator\Desktop\hijackthis\HijackThis.exe
    C:\WINNT.SBS\system32\rundll32.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = OHARE:80
    F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
    O1 - Hosts: 207.155.252.14 pop3.greater-ohare.com.cnchost.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.websearch.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINNT.SBS\System32\trgen.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT.SBS\System32\winb2s32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT.SBS\System32\rtneg3.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT.SBS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT.SBS\System32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [regsync] C:\WINNT.SBS\System32\regsync.exe
    O4 - HKLM\..\RunOnce: [Register C:\WINNT.SBS\System32\vbrundll.dll] "C:\WINNT.SBS\System32\rundll32.exe" "C:\WINNT.SBS\System32\vbrundll.dll",DllRegisterServer
    O13 - WWW. Prefix: http://
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://63.216.117.100/tsweb/mstscax.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Greater-Ohare.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Greater-Ohare.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.141.192.60 206.141.193.55
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Greater-Ohare.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 206.141.192.60 206.141.193.55
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.141.192.60 206.141.193.55
    O23 - Service: ARCserveIT Database Engine (ASDBEngine) - Unknown owner - C:\ARCserve\DBENG.EXE
    O23 - Service: ARCserveIT Discovery Service (ASDiscoverySvc) - Computer Associates - C:\WINNT.SBS\System32\ASDscSvc.exe
    O23 - Service: ARCserveIT Job Engine (ASJobEngine) - Unknown owner - C:\ARCserve\JOBENG.EXE
    O23 - Service: ARCserveIT Message Engine (ASMsgEngine) - Unknown owner - C:\ARCserve\MSGENG.EXE
    O23 - Service: ARCserveIT Tape Engine (ASTapeEngine) - Unknown owner - C:\ARCserve\TAPEENG.EXE
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Cheyenne Alert Notification Server - Cheyenne Division Of Computer Associates International, Inc. - C:\Alert\ALERT.EXE
    O23 - Service: Backup Agent RPC Server (DbaRpcService) - Unknown owner - C:\ARCserve\DBAXCHG\dbasvr.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT.SBS\LogWatNT.exe
    O23 - Service: Microsoft Exchange Connector for POP3 Mailboxes (MSPOP3Connector) - Unknown owner - C:\Program Files\POP3 Connector\VMIMB.EXE" /SERVICE (file missing)
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend\OfficeScan\PCCSRV\web\service\ofcservice.exe
    O23 - Service: Cheyenne Backup Agent for Open Files Service (OpenFileAgent) - Computer Associates International, Inc. - C:\BAOF\OFANT.exe
    O23 - Service: ScanMail_Monitor - Trend Micro Inc. - C:\PROGRA~1\Trend\SMEX\instmon.exe
    O23 - Service: ScanMail_RealTimeScan - Trend Micro Inc. - C:\PROGRA~1\Trend\SMEX\instrts.exe
    O23 - Service: ScanMail_Web - Trend Micro Inc. - C:\PROGRA~1\Trend\SMEX\WebRoot\InstWeb.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe
    O23 - Service: Zetafax Connector - Unknown owner - C:\EXCHSRVR\CONNECT\ZETAFAX\stm_gw.exe
    O23 - Service: Zetafax Server (ZetafaxServer) - Unknown owner - D:\ZFAX\SERVER\SYSMAN.EXE
     
  2. MFDnNC, joined Sep 7, 2004, 49,014 messages
    Download Hoster from here:
    www.funkytoad.com/download/hoster.zip
    Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

    Fix these with HJT – mark them, close IE, click fix checked

    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINNT.SBS\System32\trgen.dll

    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT.SBS\System32\winb2s32.dll

    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT.SBS\System32\rtneg3.dll

    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT.SBS\System32\ap9h4qmo.exe

    O4 - HKLM\..\Run: [regsync] C:\WINNT.SBS\System32\regsync.exe

    O4 - HKLM\..\RunOnce: [Register C:\WINNT.SBS\System32\vbrundll.dll] "C:\WINNT.SBS\System32\rundll32.exe" "C:\WINNT.SBS\System32\vbrundll.dll",DllRegisterServer

    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT.SBS\System32\trgen.dll
    C:\WINNT.SBS\System32\winb2s32.dll
    C:\WINNT.SBS\System32\rtneg3.dll
    C:\WINNT.SBS\System32\ap9h4qmo.exe
    C:\WINNT.SBS\System32\regsync.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
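The reply above comes down to triaging four classes of HijackThis entries and removing what they point at: O1 hosts lines that send a name somewhere other than loopback, O2 browser helper objects that nobody installed on purpose, O4 Run/RunOnce entries with generated-looking names (and a RunOnce that registers a DLL through rundll32), and O16 DPF ActiveX downloads from untrusted hosts or raw IP addresses. The script below is an added example, not code from this thread or from HijackThis: it parses a log in that format and applies those rules so the same reasoning can be repeated on another log. The allowlists (KNOWN_BHO_DLLS, KNOWN_RUN_NAMES, TRUSTED_DPF_HOSTS) are assumptions an operator would replace with their own, and SAMPLE_LOG is a constructed subset of the entries the poster pasted.

```python
"""Triage a HijackThis log for the entry classes the reply above acted on:
O1 hosts redirects, O2 BHOs, O4 Run/RunOnce entries and O16 DPF downloads.
Added example; not code from the thread or from HijackThis."""
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "rule line")

# A hosts line pointing a name at loopback or the null address only blocks it;
# one pointing at a routable address redirects the victim somewhere else.
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Allowlists are assumptions for this example; an operator maintains them.
KNOWN_BHO_DLLS = {"sdhelper.dll"}  # Spybot S&D helper, present in the posted log
KNOWN_RUN_NAMES = {"systemtray", "schedulingagent", "officescannt monitor"}
TRUSTED_DPF_HOSTS = ("microsoft.com", "yimg.com", "yahoo.com")

ENTRY_RE = re.compile(r"^\s*(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Letters and digits mixed in one bare word (e.g. ap9h4qmo): typical of generated names.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$")


def check_hosts(body):
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
    if m and m.group(1) not in LOCAL_IPS:
        return "O1 hosts redirect to routable address"
    return None


def check_bho(body):
    # Take the DLL file name at the end of the entry, whatever the path looks like.
    m = re.search(r"([^\\/\s]+\.dll)\s*$", body, re.IGNORECASE)
    name = m.group(1).lower() if m else ""
    return None if name in KNOWN_BHO_DLLS else "O2 BHO not on allowlist"


def check_run(body):
    m = re.match(r"HK\w+\\\.\.\\(Run\w*): \[(.*?)\]\s*(.*)", body)
    if not m:
        return None
    key, name, cmd = m.groups()
    if key == "RunOnce" and "DllRegisterServer" in cmd:
        return "O4 RunOnce registers a DLL via rundll32"
    if name.lower() in KNOWN_RUN_NAMES:
        return None
    if RANDOM_NAME_RE.match(name.lower()):
        return "O4 Run entry with random-looking name"
    return "O4 Run entry not on allowlist"


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def check_dpf(body):
    host = urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "O16 DPF download from a raw IP address"
    return None if _trusted(host) else "O16 DPF download from untrusted host"


CHECKS = {"O1": check_hosts, "O2": check_bho, "O4": check_run, "O16": check_dpf}


def triage(log_text):
    """Return one Finding per flagged entry, plus one per repeated hosts line."""
    findings, hosts_seen = [], Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":
            hosts_seen[body] += 1
        reason = CHECKS[kind](body) if kind in CHECKS else None
        if reason:
            findings.append(Finding(reason, line.strip()))
    # The same redirect written many times is the signature of a tool, not an admin.
    for body, n in hosts_seen.items():
        if n > 1:
            findings.append(Finding(f"O1 hosts entry repeated {n} times", body))
    return findings


# Constructed sample: a subset of the entries from the posted log.
SAMPLE_LOG = r"""
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINNT.SBS\System32\trgen.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINNT.SBS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT.SBS\System32\regsync.exe
O4 - HKLM\..\RunOnce: [Register C:\WINNT.SBS\System32\vbrundll.dll] "C:\WINNT.SBS\System32\rundll32.exe" "C:\WINNT.SBS\System32\vbrundll.dll",DllRegisterServer
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://63.216.117.100/tsweb/mstscax.cab
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:45} {f.line}")
```

Run against the sample it flags the same items MFDnNC listed (the three BHO DLLs are represented by trgen.dll, the ap9h4qmo and regsync Run entries, the vbrundll.dll RunOnce and the smartdownloader.com DPF) and leaves the Spybot helper, SystemTray and the Yahoo! Chat control alone. The allowlist approach is deliberate: on a server with this many third-party services a denylist of known-bad names would never be complete, whereas the set of things an administrator knowingly installed is short and can be checked.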
     