We have InoculateIT virus checker which has reported several *.DLL files as trojan files - category: Darksma.X and Chysne!general which are not a problem now but problem still persists.
HiJackthis log below. faffvtjt.exe does not appear in safe mode and when performing netstat -a -n in safe mode (with networking option) we do not get the incremental IP outband traffic:-
****************************************
Logfile of HijackThis v1.99.1
Scan saved at 17:19:22, on 28/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\faffvtjt.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\system32\dllcache\winsntp.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O1 - Hosts: 192.x.x.x HQ
O1 - Hosts: 192.x.x.x mailserv
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [j4291636] rundll32 C:\WINDOWS\system32\j4291636.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pvryfptf.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.local
O17 - HKLM\Software\..\Telephony: DomainName = HQ.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HQ.local
O23 - Service: DomainService - - C:\WINDOWS\system32\faffvtjt.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Memorex Network Analysis Tool - Unknown owner - C:\WINDOWS\system32\dllcache\winsntp.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
We are a small charitable organisation and I am trying to resolve this matter before paying - reluctantly - outsource fees.
Any help appreciated.
TC