The only traces I can find of the worm are:
Registry Values Changed:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE "EnableDCOM" = "N" (Should be "Y")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = "1" (Should be "0")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc (Shouldn't be there!)
I hope someone can help me find the rogue service that it is running under.
This is my HJT logfile:
Logfile of HijackThis v1.99.1 Scan saved at 00:14:56, on 16/08/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINNT\System32\svchost.exe C:\UGSPLM\I-DEAS11\sec\lmgrd.exe C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe C:\UGSPLM\I-DEAS11\sec\eds_id11.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Office Mouse\moffice.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINNT\SOUNDMAN.EXE C:\Program Files\Office Mouse\MOUSE32A.DAT C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINNT\system32\winpnp.exe C:\WINNT\system32\internat.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINNT\system32\mmc.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O1 - Hosts: n127.0.0.1 www.symantec.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [Windows PNP] winpnp.exe O4 - HKLM\..\Run: [WINDOWS SYSTEM] botzor.exe O4 - HKLM\..\Run: [csm Win Updates] csm.exe O4 - HKLM\..\RunServices: [Windows PNP] winpnp.exe O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] botzor.exe O4 - HKLM\..\RunServices: [csm Win Updates] csm.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [Windows PNP] winpnp.exe O4 - HKCU\..\RunServices: [Windows PNP] winpnp.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124040838625 O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C51961-3736-48B6-9BCE-E0BB58FEE0BB}: NameServer = 83.146.21.5 83.146.21.6 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: FLEXlm License Manager - Unknown owner - C:\EDS\I-DEAS10\sec\lmgrd.exe (file missing) O23 - Service: I-DEAS License Manager 11.0 - GLOBEtrotter Software Inc. - C:\UGSPLM\I-DEAS11\sec\lmgrd.exe O23 - Service: IT iona_services.config_rep.bensonpc cfr-MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itconfig_rep.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name cfr-MyDomain -ORBname iona_services.config_rep.bensonpc -plugin=config_rep it_jump_start (file missing) O23 - Service: IT iona_services.locator.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itlocator.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.locator.bensonpc -plugin=locator it_jump_start (file missing) O23 - Service: IT iona_services.naming.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnaming.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.naming.bensonpc -plugin=naming it_jump_start (file missing) O23 - Service: IT iona_services.node_daemon.bensonpc MyDomain - Unknown owner - C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\asp\5.1\bin\itnode_daemon.exe" -ORBproduct_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A" -ORBlicense_file "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\licenses.txt" -ORBconfig_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc" -ORBconfig_domains_dir "C:\UGSPLM\I-DEAS11\Iona\OrbixE2A\etc\domains" -ORBdomain_name MyDomain -ORBname iona_services.node_daemon.bensonpc -plugin=node_daemon it_jump_start (file missing) O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe O23 - Service: Microsoft New Game 2 (svehost32) - Unknown owner - C:\WINNT\svehost32.exe
I should add, I'm running AVG Antivirus with latest definitions, Spybot S&D and Ad-Aware SE.
Edited by DJBenz, 15 August 2005 - 05:31 PM.