Variant of Sasser

#1
cas6179

Computer boots to logon and you receive the system shutdown window, just like the Sasser virus. Ran McAfee Stinger, Spybot S&D, CWShredder, Trend HouseCall, and TDS-3 with no luck even finding a virus. The system is up to date with all patches. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:44:25 PM-Path, on 5/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\BESAlert.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\AttachServer\BBConvert.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\bentaa\beremote.exe
C:\Program Files\Research in Motion\BlackBerry Enterprise Server\BlackBerryServer.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Mssql7\Binn\sqlmangr.exe
C:\WINNT\system32\mmc.exe
F:\Hacking Tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = discovery:80
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - Startup: Routing and Remote Access.lnk = C:\WINNT\system32\rrasmgmt.msc
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dtsi.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{587A9145-47B9-47C0-9FA4-5FC804ABAA80}: NameServer = 154.6.105.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{F639284A-9674-4776-A25D-CC7019B880C2}: NameServer = 172.16.1.37
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dtsi.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dtsi.com
O23 - Service: Backup Exec 8.x Agent Accelerator (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\bentaa\beremote.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\AttachServer\BBAttachServer.exe
O23 - Service: BESAlert - Research In Motion Limited - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\BESAlert.exe
O23 - Service: BlackBerry Controller - Research In Motion Limited - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\BlackBerryController.exe
O23 - Service: BlackBerry Database Consistency Service - Research In Motion Limited - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\MDS\bin\DBConsistency.exe
O23 - Service: BlackBerry Mobile Data Server pathfinder - Unknown owner - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\MDS\bin\BMDS.exe" -s jvmpath="C:\Program Files\Java\j2re1.4.2_06\bin\client\jvm.dll" -XX:+DisableExplicitGC -Xss64K -Xmx128M -Xms64M -XX:NewSize=24M -XX:MaxNewSize=64M -XX:NewRatio=2 classpathdir="C:\Program Files\Research in Motion\BlackBerry Enterprise Server\MDS\classpath" wrkdir="C:\Program Files\Research in Motion\BlackBerry Enterprise Server\MDS\Servers\pathfinder" -log.console -rbes "pathfinder (file missing)
O23 - Service: BlackBerry Server pathfinder - Research In Motion Limited - C:\Program Files\Research in Motion\BlackBerry Enterprise Server\BlackBerryServer.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: System Driver Mgr (drvmgr) - Unknown owner - C:\WINNT\system32\drvmgr.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MSBackup Service (msupdate) - Unknown owner - c:\program files\windowsupdate\panel.{21ec2020-3aea-1069-a2dd-08002b30309d}\nkadm.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\update.exe" /service (file missing)
O23 - Service: MS System Monitor (sysmon) - Unknown owner - c:\winnt\java\classes\svchost.exe (file missing)
O23 - Service: Task Manager (TskMan) - Unknown owner - C:\WINNT\system32\tskman.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

Any help would be appreciated...
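A first-pass triage over the O23 (service) entries of a HijackThis log, added here as an example; it is not part of the original post and not HijackThis's own code. The sample lines are copied from the log above, and the heuristics (a system-binary name outside system32, an executable inside a CLSID-suffixed folder, no readable company name, a missing file) are my own assumptions about what a helper looks at first, not a verdict on any entry.

```python
import re

# Constructed sample: O23 service lines copied from the HijackThis log in the post above.
SAMPLE_O23 = r"""
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: MSBackup Service (msupdate) - Unknown owner - c:\program files\windowsupdate\panel.{21ec2020-3aea-1069-a2dd-08002b30309d}\nkadm.exe
O23 - Service: MS System Monitor (sysmon) - Unknown owner - c:\winnt\java\classes\svchost.exe (file missing)
O23 - Service: Task Manager (TskMan) - Unknown owner - C:\WINNT\system32\tskman.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
"""

# O23 layout: "O23 - Service: <display> (<short name>) - <company> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Binaries that belong in %SystemRoot%\system32; a same-named copy elsewhere is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}
# Folder named "<anything>.{CLSID}\" - Explorer shows such a folder as a shell object, not a plain directory.
CLSID_DIR_RE = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)

def parse_o23(line):
    """Split one O23 line into its fields; returns None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["missing"] = svc["missing"] is not None
    return svc

def service_findings(svc):
    """Reasons this service entry deserves a closer look (empty list means nothing odd was seen)."""
    reasons = []
    path = svc["path"].lower()
    exe = path.split("\\")[-1].split('"')[0]      # strip trailing args such as '" -service'
    if exe in SYSTEM_BINARIES and "\\system32\\" not in path:
        reasons.append("system binary name outside system32")
    if CLSID_DIR_RE.search(path):
        reasons.append("executable inside a CLSID-suffixed folder")
    if svc["owner"] == "Unknown owner":
        reasons.append("no company name readable from the file")
    if svc["missing"]:
        reasons.append("service points at a missing file")
    return reasons

def triage(log_text):
    """Map service short name -> reasons, for every O23 line with at least one finding."""
    out = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc and service_findings(svc):
            out[svc["name"]] = service_findings(svc)
    return out
```

Entries that come back with only "no company name readable" include legitimate third-party services (the VNC and WinPcap lines here are examples), so that reason alone is a prompt to look, not a flag.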