| Thread ID: 136255 | 2014-02-09 06:33:00 | HJT Log for Windows Server 2008 | radium (8645) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1367218 | 2014-02-09 06:33:00 | Hello Guys I have got some stubborn Malware installed on a Domain Controller, It is sending out large amounts of spam Here is the HJT Log File Any assistance is appreciated - Speedy? Wainuitech... :) I have spotted some flagged entries, but want some advice To date I have run Malwarebytes, Superantispyware, Trend Micro.... Logfile of Trend Micro HijackThis v2.0.5 Scan saved at 7:18:21 PM, on 2/9/2014 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v9.00 (9.00.8112.16526) FIREFOX: 28.0 (en-US) Boot mode: Normal Running processes: C:\Program Files (x86)\Flow Software\FlowMonitor.exe C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\ApacheMonitor.exe C:\Program Files (x86)\Flow Software\FlowMonitor.exe C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\ApacheMonitor.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Administrator\Documents\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://iesetup.dll/SoftAdmin.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: 
UserInit=userinit.exe, O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll O2 - BHO: Soda PDF Helper - {5CFCAFF6-5BB0-4864-B626-021C99ED82E5} - C:\Program Files (x86)\Soda PDF\PDFIEHelper.dll O3 - Toolbar: Soda PDF Toolbar - {980EB9EC-6EB5-4258-BDDB-EFE25C5F99EF} - C:\Program Files (x86)\Soda PDF\PDFIEPlugin.dll O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper O4 - HKLM\..\Run: [Cobian Backup 10 Interface] "C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe" -service O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Security Agent\pccntmon.exe" -HideWindow O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos') O4 - Global Startup: FlowMonitor.lnk = C:\Program Files (x86)\Flow Software\FlowMonitor.exe O4 - Global Startup: Monitor Apache Servers.lnk = Apache2\bin\ApacheMonitor.exe O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O15 - Trusted IP range: http://10.17.1.68 O15 - ESC Trusted Zone: http://www.100percent.co.nz O15 - ESC Trusted Zone: http://*.feed2js.org O15 - ESC Trusted Zone: ftp.flow.net.nz O15 - ESC Trusted Zone: http://*.furnituretogo.co.nz O15 - ESC Trusted Zone: http://www.google.co.nz O15 - ESC Trusted Zone: http://dhl.df.lth.se O15 - ESC Trusted Zone: http://3347-mozilla.voxcdn.com O15 - ESC Trusted IP range: http://10.17.1.254 O16 - DPF: {3141A4B9-16D5-4B76-B1EB-B595C8308D42} (Security Server Management Console) - serverexo.dimockh.local:4343 O16 - DPF: {357A8DEC-0CAC-4D8D-9869-C2C356B844F7} (RSVideo Control) - 10.17.1.68:8080 O16 - DPF: 
{8157E81A-275D-4BE8-A7A9-E36E62DF9C68} (Encrypt Class) - serverexo.dimockh.local:4343 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dimockh.local O17 - HKLM\System\CCS\Services\Tcpip\..\{CAA41F4A-35AC-42A7-BBBF-85ABDABE09FB}: NameServer = 10.17.1.254 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dimockh.local O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dimockh.local O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Security Agent\TmIEPlg32.dll O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: Apache2 - Apache Software Foundation - c:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\Apache2\bin\Apache.exe O23 - Service: BrYNSvc - Brother Industries, Ltd. 
- C:\Program Files (x86)\Browny02\BrYNSvc.exe O23 - Service: Cobian Backup 10 Volume Shadow Copy service (cbVSCService) - CobianSoft, Luis Cobian - C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe O23 - Service: Cobian Backup 10 (CobianBackup10) - Luis Cobian, CobianSoft - C:\Program Files (x86)\Cobian Backup 10\cbService.exe O23 - Service: @%systemroot%\system32\dfssvc.exe,-101 (Dfs) - Unknown owner - C:\Windows\system32\dfssvc.exe (file missing) O23 - Service: @dfsrress.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSRs.exe (file missing) O23 - Service: @%systemroot%\system32\dns.exe,-49157 (DNS) - Unknown owner - C:\Windows\system32\dns.exe (file missing) O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: FlowMonitorService - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowMonitorS.exe O23 - Service: FlowService (ACL Member:3569) (FlowWinService$DEE41FC4-BCB8-4883-9446-FD856A0813F5$3569) - Flow Software Limited - C:\Program Files (x86)\Flow Software\FlowService.exe O23 - Service: @%SystemRoot%\System32\ismserv.exe,-1 (IsmServ) - Unknown owner - C:\Windows\System32\ismserv.exe (file missing) O23 - Service: @%SystemRoot%\System32\kdcsvc.dll,-1 (kdc) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\System32\ntdsmsg.dll,-1 (NTDS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: Trend 
Micro Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Agent\ntrtscan.exe O23 - Service: Trend Micro Security Server Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\web\service\ofcservice.exe O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%Systemroot%\system32\rqs.exe,-200 (rqs) - Unknown owner - C:\Windows\system32\rqs.exe (file missing) O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: Soda PDF Helper Service - LULU Software - C:\Program Files (x86)\Soda PDF\HelperService.exe O23 - Service: Soda PDF Service - LULU Software - C:\Program Files (x86)\Soda PDF\ConversionService.exe O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Unknown owner - C:\Windows\system32\sysdown.exe (file missing) O23 - Service: Trend Micro Smart Scan Service (TMiCRCScanService) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Server\PCCSRV\wss\iCRCService.exe O23 - Service: Trend Micro Security Agent Listener (tmlisten) - Trend Micro Inc. 
- C:\Program Files (x86)\Trend Micro\Security Agent\tmlisten.exe O23 - Service: Trend Micro Security Agent NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\Security Agent\TmProxy.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files (x86)\UltraVNC\winvnc.exe O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) -- End of file - 9963 bytes Thanks, Radium |
radium (8645) | ||
| 1367219 | 2014-02-09 06:59:00 | Where did you get Soda PDF from?? You didn't get it from Cnet, did you?? | Speedy Gonzales (78) | ||
| 1367220 | 2014-02-09 07:02:00 | Soda was installed a couple of years ago by head office administrators, so I can't answer that sorry. Zip files keep appearing in the downloads folder of the main user account and they contain email splitter.exe - which as far as I can tell is what emails out all this spam, I have removed ZBOT (Zeus) off one of the workstations already... |
radium (8645) | ||
| 1367221 | 2014-02-09 07:08:00 | mm is that file on the hdd somewhere?? If you think it's got malware, what did Malwarebytes find?? If you did a full scan? | Speedy Gonzales (78) | ||
| 1367222 | 2014-02-09 07:14:00 | Speedy - Yep Always do a full scan here is the log file Malwarebytes Anti-Malware 1.75.0.1300 www.malwarebytes.org Database version: v2014.02.07.08 Windows Server 2008 R2 x64 NTFS Internet Explorer 8.0.7600.16385 administrator :: SERVEREXO [administrator] 2/8/2014 1:02:46 PM MBAM-log-2014-02-08 (14-59-04).txt Scan type: Full scan (C:\|E:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 699501 Time elapsed: 1 hour(s), 53 minute(s), 11 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 6 C:\Users\pos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZO019UK9\FromDocToPDF[1].exe (PUP.Optional.MindSpark.A) -> No action taken. C:\Users\pos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WVGDL04E\DUBrute.2.2[1].zip (PUP.HackTool.BruteForce) -> No action taken. C:\Users\pos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVH12CS5\Xscan[1].rar (Trojan.Agent) -> No action taken. C:\Users\pos\AppData\Local\Temp\3\Rar$EXa0.526\email spliter.exe (Backdoor.Agent) -> No action taken. C:\Users\pos\Downloads\2014-02-07_downloadAll.zip (Backdoor.Agent) -> No action taken. C:\Users\pos\Downloads\email spliter.exe (Backdoor.Agent) -> No action taken. (end) After this was run I did remove all infections |
radium (8645) | ||
| 1367223 | 2014-02-09 07:19:00 | Delete the temp files. Since it looks like most of them are in temp folders. And go here to delete the other 2 C:\Users\pos\Downloads |
Speedy Gonzales (78) | ||
| 1367224 | 2014-02-09 07:27:00 | Thanks, I had deleted those files in the download folder but they do keep reappearing (after several hours). I will clear out all the temp folders now. Oh, and I have also run tdsskiller and hitman pro as well, all clean. Are there any entries in the HJT Log that look suspicious, or any other scans you can recommend? Thanks for your help... |
radium (8645) | ||
| 1367225 | 2014-02-09 07:36:00 | Only one I'm not sure about is this. I take it this is to lock the computer?? O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos') |
Speedy Gonzales (78) | ||
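The entry Speedy picked out is an autorun whose target sits on a user's Desktop, a location any logged-on user can write to. As an added example (not code from this thread), the following small Python parser reads HijackThis O4 Run-key lines and flags any whose executable lives under a user profile; the sample log is constructed from four O4 lines posted above.

```python
import re
from pathlib import PureWindowsPath

# HijackThis "O4" autorun lines look like (taken from the log in this thread):
#   O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper
#   O4 - HKUS\S-1-5-21-...-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos')
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Path components that place an autorun target inside a user profile, i.e. a
# location writable without admin rights. On a domain controller a Run entry
# pointing there deserves a manual look regardless of scanner verdicts.
USER_WRITABLE = {"desktop", "downloads", "appdata", "temp"}

def extract_path(cmd):
    """Pull the executable path out of the command part of an O4 line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # unquoted: stop at .exe
    return m.group(1) if m else cmd.split(" ")[0]

def classify_o4(line):
    """Return (entry name, target path, flagged) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = extract_path(m.group("cmd"))
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return m.group("name"), path, bool(parts & USER_WRITABLE)

def flagged_entries(log_text):
    """All O4 entries in a HijackThis log whose target lives in a user profile."""
    hits = []
    for line in log_text.splitlines():
        res = classify_o4(line)
        if res and res[2]:
            hits.append((res[0], res[1]))
    return hits

# Constructed sample: four O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files (x86)\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2370433984-202841576-1820059870-1115\..\Run: [~] C:\Users\pos\Desktop\DeskLock.exe (User 'pos')
"""

if __name__ == "__main__":
    for name, path in flagged_entries(SAMPLE_LOG):
        print(f"review: [{name}] -> {path}")
```

Only the bracketed Run-key form of O4 is parsed; "Global Startup" shortcut lines are skipped, and the empty or one-character entry name seen here ([~]) is itself worth noting when reviewing a log by hand.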
| 1367226 | 2014-02-09 07:40:00 | I just found this when I went to log in to the standard user account; it is some BS Lujosoft Desktop Lock, which should not be there.... Will sort it out. Thanks |
radium (8645) | ||
| 1367227 | 2014-02-10 07:37:00 | Blitz the hard drive and reinstall. You're never going to be sure whether you removed the malware or not. | nmercer (3899) | ||