MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: School Network infection (hurray)  (Read 2231 times)
NetStrikr
« on: April 22, 2008, 01:23:41 AM »

I have been battling with this for the past week.

The network at the school is infected with wml.exe and trojan downloader-xs.

What do you recommend to remove this? As far as this goes, I am just planning on wiping everything at the end of June.

When I came in as a tech, there was no active anti-virus or anything. Windows updates had not been done in over a year. This has been on there for a while; with the updates it surfaced. Now I am in a position to let it be until June and wipe the whole system. If there is a good and quick way to get this off, it would be appreciated.

There are 10 types of people in this world. Those who know Binary and those who have friends.
Pancake (Global Moderator)
« Reply #1 on: April 23, 2008, 12:19:01 AM »

I should not be doing this on a network setup. I only do personal computers, but as you are the IT tech and are prepared to accept the responsibility for the system, I will go ahead with the fix.


Please download HijackThis to your desktop.

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
Alternate link
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis, since the entries it lists may be harmless.


==========================

OK. We need to download ComboFix.exe. This will give a better view of the files running, and also those hidden, on your computer.

Please visit this webpage for download links and instructions for running ComboFix.


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

An Australian Member of

EDDY
NetStrikr
« Reply #2 on: April 23, 2008, 04:02:43 AM »

I have run HijackThis and had a look at the log. Nothing came up. I will post a log from HijackThis and ComboFix tomorrow. I was out 120 km away to fix a network. Should have the logs up in a little less than 12 hours.
NetStrikr
« Reply #3 on: April 23, 2008, 08:24:19 PM »

Here is the HijackThis log file. Sorry it took so long; I had to reformat a server overnight, so I didn't get any sleep. UGH.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:31 PM, on 4/23/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator.TERMINAL.000\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Progress91E\bin\AdmSrvc.exe
C:\WINDOWS\AIS-Scheduler.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files\HP\Cissesrv\cissesrv.exe
C:\WINDOWS\system32\cpqrcmc.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sysdown.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Progress91E\jre\bin\java.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Progress91E\bin\_mprosrv.exe
C:\Program Files\Progress91E\bin\_mprosrv.exe
C:\Program Files\Progress91E\bin\_mprshut.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Progress91E\bin\_mprosrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ThinkWave\ThinkWave Educator\twe.release.ovl
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\PhoChron\YBpublish\YBPublish.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\scrnsave.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\scrnsave.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ServicePackFiles\i386\mstsc.exe
C:\WINDOWS\system32\utilman.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\scrnsave.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\scrnsave.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
NetStrikr
« Reply #4 on: April 23, 2008, 08:24:45 PM »

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qvfaywbr] C:\WINDOWS\system32\oxshqfwn.exe
O4 - HKCU\..\Run: [egnjqujc] C:\WINDOWS\system32\tkbuxcjc.exe
O4 - HKCU\..\Run: [Arovax AntiSpyware] C:\Program Files\Arovax AntiSpyware\arovaxantispyware.exe /s
O4 - HKCU\..\Run: [fqlyldcd] C:\WINDOWS\system32\ohsvsvih.exe
O4 - HKLM\..\Policies\Explorer\Run: [idBEDyvNwH] C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1119.bak\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1119.bak\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1119.bak\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1119.bak\..\Run: []  (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1119.bak\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1130\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SuzetteC')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1133\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'LaraJ')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1135\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'KatieH')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1136\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'KevinC')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1139\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SharonP')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1143\..\Run: []  (User 'MarkH')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1147\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Student')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1147\..\RunOnce: [SpybotDeletingB325] command /c del "C:\WINDOWS\system32smp\msrc.exe" (User 'Student')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1184\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'cavellep')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1238\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JenniferL')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1239\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'MichaelD')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1240\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'MikeW')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1241\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Nadine')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1242\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'AngelaP')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1243\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'shelbyp')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1244\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'DeannaK')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1256\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'dorisa')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1283\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'sandram')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1297\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-90623311-2245266384-3813250855-1298\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [SpybotDeletingB325] command /c del "C:\WINDOWS\system32smp\msrc.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SpybotDeletingB325] command /c del "C:\WINDOWS\system32smp\msrc.exe" (User 'Default user')
O4 - S-1-5-21-90623311-2245266384-3813250855-1239 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'MichaelD')
O4 - S-1-5-21-90623311-2245266384-3813250855-1239 User Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'MichaelD')
O4 - S-1-5-21-90623311-2245266384-3813250855-1241 Startup: LaunchU3.exe.lnk = ? (User 'Nadine')
O4 - S-1-5-21-90623311-2245266384-3813250855-1241 User Startup: LaunchU3.exe.lnk = ? (User 'Nadine')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.terminal.000\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {708C978C-BBF5-4038-8DC1-64FF22BCFFB6} (AXScan Control) - https://192.168.0.10/cleanup/tool/BarracudaSpyRemoval.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JDPS.local
O17 - HKLM\Software\..\Telephony: DomainName = JDPS.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA37D897-DAFC-4330-AD07-ED758584F278}: NameServer = 192.168.0.2,192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JDPS.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AdminService for PROGRESS 9.1E (AdminService9.1E) - Unknown owner - C:\Program Files\Progress91E\bin\AdmSrvc.exe
O23 - Service: AIS-Scheduler - Unknown owner - C:\WINDOWS\AIS-Scheduler.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: HP Smart Array SAS/SATA Event Notification Service (Cissesrv) - Hewlett-Packard Company - C:\Program Files\HP\Cissesrv\cissesrv.exe
O23 - Service: HP Insight NIC Agents (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\cpqrcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmghost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgserv\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqMgmt\cqmgstor\cqmgstor.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: ProService for 9.1E (ProService9.1E) - Progress Software - C:\Program Files\Progress91E\bin\ProSrvc.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Hewlett-Packard Company - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe

--
End of file - 25513 bytes
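Reading the two halves of that log is the real work in this thread, so here is an added example (my own script, not a HijackThis feature and not anything the moderator posted) that applies the same triage in Python. It flags the randomly named executables in system32 and under All Users\Application Data that the moderator's later Avenger script deletes, the Policies\Explorer\Run autostart, orphaned browser add-ons, a service whose binary is gone, and the broken Winsock LSP. The sample log is a constructed excerpt of NetStrikr's post; the name score is my own heuristic and the threshold of 5 is an assumption tuned to this log.

```python
import re

# Constructed excerpt of the log NetStrikr posted: the paths are copied from
# the thread, trimmed to a handful of lines so the script runs stand-alone.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\WINDOWS\system32\oxshqfwn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\scrnsave.scr

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qvfaywbr] C:\WINDOWS\system32\oxshqfwn.exe
O4 - HKCU\..\Run: [egnjqujc] C:\WINDOWS\system32\tkbuxcjc.exe
O4 - HKCU\..\Run: [fqlyldcd] C:\WINDOWS\system32\ohsvsvih.exe
O4 - HKLM\..\Policies\Explorer\Run: [idBEDyvNwH] C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.terminal.000\windows\system32\mswsock.dll' missing
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSec.exe (file missing)
"""

VOWELS = set("aeiou")
RARE = set("qxzjkvwy")   # letters that are uncommon in real program names

def name_score(stem):
    """Crude 'machine-generated name' score: the longest run of consonants plus
    the count of rare letters.  Legitimate system binaries in this log score
    below 5 (winlogon=3, explorer=4); the dropper names score 5 to 10.  This is
    my own triage heuristic (assumption), not a HijackThis rule, and it still
    wants an allowlist of known-good names before anyone acts on it."""
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest + sum(ch in RARE for ch in stem)

def suspicious_path(path):
    """Return a reason if an executable path looks like a dropper, else None."""
    parts = path.strip().strip('"').split("\\")
    filename = parts[-1].lower()
    parent = parts[-2].lower() if len(parts) > 1 else ""
    stem, _, ext = filename.rpartition(".")
    if ext != "exe":
        return None
    if "application data" in path.lower():
        return "executable launched from a data directory"
    if parent == "system32" and re.fullmatch(r"[a-z]{8}", stem) and name_score(stem) >= 5:
        return "random-looking 8-letter name in system32"
    return None

# First drive-letter path ending in .exe on a line (O4 targets may be quoted or contain spaces).
EXE_PATH = re.compile(r'"?([a-z]:\\.*?\.exe)\b', re.IGNORECASE)

def triage(log_text):
    """Walk a HijackThis log and return [(line, [reasons])] for lines worth a
    second look.  Only the sections used here are handled: the process list,
    O2/O9 browser add-ons, O4 autostarts, O10 Winsock LSP and O23 services."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        reasons = []
        if in_processes:
            reason = suspicious_path(line)
            if reason:
                reasons.append(reason)
        else:
            tag = line.split(" ", 1)[0]
            if tag == "O4":
                if "Policies\\Explorer\\Run" in line:
                    reasons.append("autostart via the Policies\\Explorer\\Run key")
                m = EXE_PATH.search(line)
                reason = suspicious_path(m.group(1)) if m else None
                if reason:
                    reasons.append(reason)
            elif tag in ("O2", "O9") and "(no file)" in line:
                reasons.append("orphaned browser add-on entry (no file on disk)")
            elif tag == "O23" and "(file missing)" in line:
                reasons.append("service registered for a binary that is gone")
            elif tag == "O10":
                reasons.append("Winsock LSP chain is broken")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{'; '.join(reasons):<55} {line[:70]}")
```

Run against the excerpt it prints nine flagged lines and stays quiet on jusched, ctfmon and winlogon. Treat the output as a review list, not a delete list: the name score will also flag legitimately odd OEM utility names, so in practice pair it with an allowlist and a hash lookup before removing anything, which is exactly why the moderator asked for the log rather than telling NetStrikr to fix entries himself.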
Pancake (Global Moderator)
« Reply #5 on: April 23, 2008, 10:02:51 PM »

And the ComboFix???
NetStrikr
« Reply #6 on: April 24, 2008, 04:37:11 AM »

Didn't have time to run it. Will post it up tomorrow or today where you are.
NetStrikr
« Reply #7 on: May 06, 2008, 03:05:19 PM »

I sincerely apologize for the long wait for a reply, but ComboFix is not compatible with Server 2003.
Pancake (Global Moderator)
« Reply #8 on: May 06, 2008, 10:32:14 PM »


  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Code:
Files to delete:
C:\WINDOWS\system32\oxshqfwn.exe
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\WINDOWS\system32\tkbuxcjc.exe
C:\WINDOWS\system32\ohsvsvih.exe

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
==================================


First off, please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt to here.
Please attach extra.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.


« Last Edit: May 06, 2008, 10:34:20 PM by Pancake »
NetStrikr
« Reply #9 on: May 13, 2008, 10:11:54 PM »

I really do apologize for the long wait again, but The Avenger is not compatible with Windows Server 2003 and DSS will not download.
Pancake
« Reply #10 on: May 13, 2008, 10:55:56 PM »

Ok. Try this to fix the files. Also, I just got DSS to download without any problem.


Please download OTMoveIt by Oldtimer and save it to your desktop.


Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\oxshqfwn.exe
C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe
C:\WINDOWS\system32\tkbuxcjc.exe
C:\WINDOWS\system32\ohsvsvih.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)
Click the red Moveit! button.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Reboot into Normal Mode.

In your next reply please include the following:

The OTMoveIt log.
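As an added example (not OTMoveIt's or the forum's own code), the same four paths handled from PowerShell the way a responder would want: each file's size, timestamps and SHA-256 are logged before it is moved, not deleted, into a quarantine folder, and a file that is locked by a running process is logged as such so the reboot step can be planned. The quarantine folder and log file name are assumptions; PowerShell 2.0 or later is assumed for try/catch.

```powershell
# Added example: quarantine the listed files while preserving evidence.
# The four paths come from the thread; C:\Quarantine and the log name are assumptions.
$suspectFiles = @(
    'C:\WINDOWS\system32\oxshqfwn.exe',
    'C:\Documents and Settings\All Users\Application Data\nctcnwrs\johwluti.exe',
    'C:\WINDOWS\system32\tkbuxcjc.exe',
    'C:\WINDOWS\system32\ohsvsvih.exe'
)
$quarantine = 'C:\Quarantine'                      # assumed location
$logPath    = Join-Path $quarantine 'quarantine.log'
if (-not (Test-Path $quarantine)) { New-Item -ItemType Directory -Path $quarantine | Out-Null }

# SHA-256 through .NET so this also runs on PowerShell versions without Get-FileHash.
$sha = [System.Security.Cryptography.SHA256]::Create()

foreach ($path in $suspectFiles) {
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Content $logPath "$(Get-Date -Format o) MISSING $path"
        continue
    }
    $file   = Get-Item -LiteralPath $path
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try   { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }

    # Record what the file was before it is touched.
    Add-Content $logPath ("{0} QUARANTINE {1} size={2} lastWriteUtc={3} sha256={4}" -f `
        (Get-Date -Format o), $file.FullName, $file.Length, $file.LastWriteTimeUtc.ToString('o'), $hash)

    # Move rather than delete, renaming so the copy cannot be run from the quarantine folder.
    $dest = Join-Path $quarantine ("{0}.{1:yyyyMMddHHmmss}.quarantined" -f $file.Name, (Get-Date))
    try {
        Move-Item -LiteralPath $file.FullName -Destination $dest -ErrorAction Stop
    } catch {
        # A file held open by a running process cannot be moved now; note it for the reboot step.
        Add-Content $logPath "$(Get-Date -Format o) LOCKED $path : $($_.Exception.Message)"
    }
}

Get-Content $logPath    # the log is what you would paste in a reply, as with the OTMoveIt results
```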