Malware- Spyware on Win 2000 Server



#16 wolfikraus (Member, Topic Starter, 22 posts)
Hello,

I have monitored the server for a while and found this out:

After a while, services.exe takes a lot of CPU power. Then Firefox appears with this URL problem.

Then I checked the automatic updates and saw that they were set to deactivated...

After I checked auto-update and closed the properties, I waited half an hour and then the same steps as before appeared... :tazz:

Here is the result from Trend Micro:
found 15 viruses (all in the quarantine folder from bitdef), 1 spyware; fixed all of them

Regards,

#17 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Can you make a HijackThis log next time this sequence happens please?

Also download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Regards,

#18 wolfikraus (Member, Topic Starter, 22 posts)
Good morning,

this was found by Kaspersky Online Scanner:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 18, 2005 09:43:40
Operating System: Microsoft Windows 2000, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/08/2005
Kaspersky Anti-Virus database records: 135738
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINNT
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\

Scan Statistics:
Total number of scanned objects: 17656
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 1539 sec

Infected Object Name - Virus Name
C:\WINNT\netinfo.exe Infected: Backdoor.Win32.SdBot.aad
C:\WINNT\system32\orans.sys Infected: Rootkit.Win32.Agent.ae

Scan process completed.

hope this helps :tazz:

CU
Wolfi

#19 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Big cheers for KAV.

I think those were the evildoers.

Can you post the WinPFind.txt I asked for?

Then I'll prepare my fix for you.

Regards,

#20 wolfikraus (Member, Topic Starter, 22 posts)
Hello,

sorry for my late response, but I was busy all day long...

here is the WinPFind.txt :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 16.08.2005 15:20:38 15651665 C:\WINNT\LPT$VPN.787
qoologic 16.08.2005 15:20:38 15651665 C:\WINNT\LPT$VPN.787
SAHAgent 16.08.2005 15:20:38 15651665 C:\WINNT\LPT$VPN.787
UPX! 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
PEC2 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
Umonitor 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
qoologic 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
aspack 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
PTech 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
SAHAgent 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
abetterinternet.com 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
web-nex 17.08.2005 20:13:40 262144000 C:\WINNT\MEMORY.DMP
UPX! 17.08.2005 07:48:08 64000 C:\WINNT\netinfo.exe
UPX! 03.05.2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
UPX! 10.01.2005 16:17:24 170053 C:\WINNT\Tsc.exe
PECompact2 16.08.2005 15:20:38 15651665 C:\WINNT\VPTNFILE.787
qoologic 16.08.2005 15:20:38 15651665 C:\WINNT\VPTNFILE.787
SAHAgent 16.08.2005 15:20:38 15651665 C:\WINNT\VPTNFILE.787
UPX! 18.02.2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18.02.2005 18:40:14 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
PTech 03.08.2005 10:33:42 520456 C:\WINNT\SYSTEM32\LegitCheckControl.DLL
PECompact2 05.08.2005 03:31:56 1457496 C:\WINNT\SYSTEM32\MRT.exe
aspack 05.08.2005 03:31:56 1457496 C:\WINNT\SYSTEM32\MRT.exe
qoologic 17.08.2005 05:38:24 12959505 C:\WINNT\SYSTEM32\pav.sig
aspack 17.08.2005 05:38:24 12959505 C:\WINNT\SYSTEM32\pav.sig
SAHAgent 17.08.2005 05:38:24 12959505 C:\WINNT\SYSTEM32\pav.sig
winsync 17.08.2005 05:38:24 12959505 C:\WINNT\SYSTEM32\pav.sig
Umonitor 03.06.2005 00:44:46 551696 C:\WINNT\SYSTEM32\RASDLG.DLL
aspack 12.09.2000 12:58:26 160256 C:\WINNT\SYSTEM32\ShrLk21.dll
winsync 10.12.1999 14:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
127.0.0.1 download1.shopathomeselect.com #[ADW_SAHAGENT.A]
127.0.0.1 www.shopathomeselect.com #[Adware.SAHAgent]
127.0.0.1 web-nexus.net #[Adw.Web-Nexus.WebNexusAdServer]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 dl.web-nexus.net #[eTrust.Win32.Qoologic]
127.0.0.1 stech.web-nexus.net
127.0.0.1 www.web-nexus.net
127.0.0.1 agentq.vpptechnologies.com
127.0.0.1 generic.vpptechnologies.com
127.0.0.1 images2.vpptechnologies.com
127.0.0.1 main.vpptechnologies.com #[IE-SpyAd]
127.0.0.1 media-0.vpptechnologies.com
127.0.0.1 media-1.vpptechnologies.com
127.0.0.1 media-4.vpptechnologies.com
127.0.0.1 media-5.vpptechnologies.com
127.0.0.1 media-6.vpptechnologies.com
127.0.0.1 media-a.vpptechnologies.com
127.0.0.1 media-b.vpptechnologies.com
127.0.0.1 media-c.vpptechnologies.com
127.0.0.1 media-d.vpptechnologies.com
127.0.0.1 media-e.vpptechnologies.com
127.0.0.1 media-f.vpptechnologies.com
127.0.0.1 msxml.vpptechnologies.com
127.0.0.1 static.vpptechnologies.com #[hotsearchbar.com]
127.0.0.1 xml.vpptechnologies.com #[BlazeFind]
127.0.0.1 ad-w-a-r-e.com #[Win32.Canbede]
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 abetterinternet.com #[Downloader.Stubby.A]
127.0.0.1 belt.abetterinternet.com
127.0.0.1 c.abetterinternet.com #[Adware-BetterInet application]
127.0.0.1 download.abetterinternet.com #[Adware.StopPopupAdsNow]
127.0.0.1 download2.abetterinternet.com #[Parasite.Transponder]
127.0.0.1 s.abetterinternet.com
127.0.0.1 st.abetterinternet.com
127.0.0.1 static.abetterinternet.com
127.0.0.1 thinstall.abetterinternet.com
127.0.0.1 www.abetterinternet.com #[Trojan-Downloader.Win32.Stubby.d]


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
SH 17.08.2005 07:48:08 64000 C:\WINNT\netinfo.exe
H 17.08.2005 22:48:26 922890 C:\WINNT\ShellIconCache
H 22.07.2005 03:28:12 0 C:\WINNT\inf\oem17.inf
H 17.08.2005 08:09:36 0 C:\WINNT\inf\oem19.inf
H 17.08.2005 22:57:24 1024 C:\WINNT\system32\config\default.LOG
H 18.08.2005 13:05:18 1024 C:\WINNT\system32\config\SECURITY.LOG
H 18.08.2005 14:02:08 8192 C:\WINNT\system32\config\software.LOG
H 17.08.2005 22:55:42 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 10.12.1999 14:00:00 68880 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 19.06.2003 21:05:04 304912 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 19.06.2003 21:05:04 242448 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 10.12.1999 14:00:00 130832 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 29.08.2002 10:32:28 293376 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 10.12.1999 14:00:00 121616 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 10.12.1999 14:00:00 36624 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 30.10.2001 08:10:00 77824 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems 16.08.2005 19:44:00 53352 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 19.06.2003 21:05:04 56080 C:\WINNT\SYSTEM32\LICCPA.CPL
Microsoft Corporation 10.12.1999 14:00:00 122640 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 10.12.1999 14:00:00 307472 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 10.12.1999 14:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 10.12.1999 14:00:00 42256 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 19.06.2003 21:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19.06.2003 21:05:04 92432 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 19.06.2003 21:05:04 83728 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 19.06.2003 21:05:04 129296 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 10.12.1999 14:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 10.12.1999 14:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 29.08.2002 10:32:28 293376 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 03.06.2005 00:44:58 66832 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
IBM Corporation 07.10.1999 01:12:54 94720 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 10.12.1999 14:00:00 42256 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
06.12.2002 21:10:12 375 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Dienst-Manager.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
01.07.2003 11:23:12 516 C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\taskmgr.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Konsole : C:\WINNT\System32\msjava.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer-Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
backup.exe D:\IMAIL\backup.exe
WinVNC "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
gcasServ "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpybotSD TeaTimer C:\Programme\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
ShowSuperHidden 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
disablecad 0
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 18.08.2005 14:02:21


thank you for your help!

Regards,

#21 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
The only thing I'm not familiar with is this one:
C:\WINNT\SYSTEM32\ShrLk21.dll

It is mentioned at some dubious sites.
Please have that one scanned at http://virusscan.jotti.org/

Post the results.

Regards,

#22 wolfikraus (Member, Topic Starter, 22 posts)
hello,

here is the result for shrlk21.dll (there are 2 more files named like this on the server: shrlk21.ocx and shrpubw.exe):

File: ShrLk21.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5: be224926d630880faa9341709e87ac8c
Packers detected: ASPACK

Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VBA32: Found nothing

CU
Wolfi

#23 wolfikraus (Member, Topic Starter, 22 posts)
HELP!!!!

There is a Remote Software on the screen beside the time in the taskbar!!!!!

It's from Radmin, called Remote Administrator... I stopped and disabled the service...

Now I need really HELP!!!!!

#24 wolfikraus (Member, Topic Starter, 22 posts)
Hello,

here is the newest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 08:00:03, on 19.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\hpserver\AsrSrvc.Exe
C:\Programme\Gemeinsame Dateien\Softwin\bdregsvr2.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\hpserver\hpesysvc.exe
C:\WINNT\hpserver\hpevtsvc.exe
C:\WINNT\hpserver\hpipmsvc.exe
C:\WINNT\hpserver\hplersvc.exe
C:\WINNT\HPServer\HPLER.EXE
C:\WINNT\hpserver\hppfmsvc.Exe
C:\WINNT\hpserver\hprccsvc.exe
C:\WINNT\hpserver\hpsdnsvc.exe
C:\Programme\Hewlett-Packard\InstantTopTools\web\hpwebsvc.exe
C:\Programme\Hewlett-Packard\InstantTopTools\web\webs.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\netinfo.exe
C:\Programme\Gemeinsame Dateien\Softwin\XLog\nplogger.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\ias\temp\winmsg.exe
C:\Programme\TightVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Softwin\Live\xlivesvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\npcoresrv.exe
C:\Programme\Gemeinsame Dateien\Softwin\Statistics\BDstat.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Programme\Softwin\BitDefender for File Servers\bdfs.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\taskmgr.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\mmc.exe
D:\web\downloads\tools\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [backup.exe] D:\IMAIL\backup.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: taskmgr.lnk = C:\WINNT\system32\taskmgr.exe
O4 - Global Startup: Dienst-Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://instantsuppor...alls/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D289E463-771A-4964-B664-F3020E751A56} - http://acs.pandasoft...22-0/srpush.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab
O16 - DPF: {E43DF60D-D6FA-42AB-921C-FE0A023C5BE1} (eWebEditProLibCtl.eWebEditPro) - http://cms.bitforbit...ewebeditpro.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwwbfb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6171A926-9049-4CC9-BD2D-415DEB27C578}: NameServer = 213.185.130.100,213.185.129.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwwbfb.local
O23 - Service: AsrSrvc - Unknown owner - C:\WINNT\hpserver\AsrSrvc.Exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programme\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender for File Servers (BDFS) - Unknown owner - C:\Programme\Softwin\BitDefender for File Servers\bdfs.exe
O23 - Service: BitDefender NPCore (BDNPCORE) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\npcoresrv.exe
O23 - Service: BitDefender Registry v2 (BDREGISTRY) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\bdregsvr2.exe
O23 - Service: BitDefender Statistics (BDSTATSRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\Statistics\BDstat.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - D:\IMAIL\FINGRD32.exe
O23 - Service: HPComponent - Unknown owner - C:\DMI\win32\bin\hpcmpsvc.exe
O23 - Service: HPEsySvc - Unknown owner - C:\WINNT\hpserver\hpesysvc.exe
O23 - Service: HPEventLog (HPEvtSvc) - Unknown owner - C:\WINNT\hpserver\hpevtsvc.exe
O23 - Service: HPHswSvc - Unknown owner - C:\WINNT\hpserver\hphswsvc.exe
O23 - Service: hpipmsvc - Unknown owner - C:\WINNT\hpserver\hpipmsvc.exe
O23 - Service: HPLerSvc - Unknown owner - C:\WINNT\hpserver\hplersvc.exe
O23 - Service: HPPfmSvc - Unknown owner - C:\WINNT\hpserver\hppfmsvc.Exe
O23 - Service: HPRccSvc - Unknown owner - C:\WINNT\hpserver\hprccsvc.exe
O23 - Service: HPSdnSvc - Unknown owner - C:\WINNT\hpserver\hpsdnsvc.exe
O23 - Service: hpwebsvc - Unknown owner - C:\Programme\Hewlett-Packard\InstantTopTools\web\hpwebsvc.exe
O23 - Service: IMail LDAP Server (ILDAP) - Ipswitch, Inc. - D:\IMAIL\ILDAP.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - D:\IMAIL\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - D:\IMAIL\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - D:\IMAIL\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - D:\IMAIL\iwebmsg.exe
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe
O23 - Service: BitDefender NPLogger (NPLogger) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\XLog\nplogger.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - D:\IMAIL\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - D:\IMAIL\PSERVE.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\Rpcmon.exe (file missing)
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - D:\IMAIL\SMTPD32.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - D:\IMAIL\SYSLOGD.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - D:\IMAIL\WHOISD32.exe
O23 - Service: Win32SL - Smart Technology Enablers - C:\DMI\win32\bin\win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: BitDefender Update Service (XLiveSvr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\Live\xlivesvr.exe

Regards,

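As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage over O23 service lines like the ones in the log above: it parses each line, flags services whose registered binary is missing from disk and services whose binary sits loose in %WinDir% instead of system32 or a product folder, and treats "Unknown owner" only as a supporting signal, since the HP and BitDefender services in the same log show it too. The sample lines are copied from the posted log; the heuristics and the `windir` assumption (C:\WINNT, as on this server) are the example's own.

```python
import re
from dataclasses import dataclass

# HijackThis O23 line: "O23 - Service: <display name> - <owner> - <binary path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# First drive-letter path ending in an executable extension; stops before a stray quote,
# which copes with the malformed WinVNC entry in the log (a quote followed by -service).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)', re.IGNORECASE)


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(line: str):
    """Parse one O23 line; returns None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("(file missing)")
    pm = PATH_RE.search(rest)
    path = pm.group(0) if pm else rest.replace("(file missing)", "").strip()
    return ServiceEntry(m.group("name"), m.group("owner"), path, missing)


def triage(entry: ServiceEntry, windir: str = r"C:\WINNT") -> list:
    """Return the reasons an entry deserves a closer look (empty list = unremarkable).

    windir is an assumption for this example; it matches the server in the thread."""
    reasons = []
    parent = entry.path.lower().rsplit("\\", 1)[0]
    if entry.file_missing:
        # A service pointing at a binary no longer on disk is either a leftover of
        # something removed or the remnant of a tool that cleaned up after itself.
        reasons.append("registered service binary is missing")
    if parent == windir.lower():
        # Legitimate services live in system32 or a product folder, not loose in %WinDir%.
        # netinfo.exe in this log is the file Kaspersky reported as Backdoor.Win32.SdBot.aad.
        reasons.append("binary directly in %WinDir%")
    if entry.owner == "Unknown owner" and reasons:
        # Missing vendor info is common for OEM and AV services, so it only
        # strengthens another finding instead of flagging an entry on its own.
        reasons.append("no vendor/version info")
    return reasons


def triage_services(lines) -> dict:
    """Map display name -> reasons for every O23 entry that triggers a heuristic."""
    flagged = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Constructed sample: five O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe",
    r"O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)",
    r"O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - D:\IMAIL\SMTPD32.exe",
    r'O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)',
    r"O23 - Service: HPEsySvc - Unknown owner - C:\WINNT\hpserver\hpesysvc.exe",
]

if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running it against the full log lists netinfo, PipeCmdSrv, Rpcmon and winvnc, which is the same short list a reviewer would pull out by eye; anything it flags still needs a hash lookup or a vendor check before acting on it.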
#25 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Actually the log looks good.

Can you rename C:\WINNT\SYSTEM32\ShrLk21.dll to ShrLk21.bak

That is usually a good way to find out which file is using it.

Let me know.

#26 wolfikraus (Member, Topic Starter, 22 posts)
hello,

I renamed it and nothing happened...

Regards,

#27 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
OK that means it was not in use. As soon as something tries to load it you will get an error.

Can you change the start page of the browser now and empty its cache?

Let me know if the change "sticks".

Regards,

#28 wolfikraus (Member, Topic Starter, 22 posts)
hello,

atm everything is calm on the server, but I would like to test if there are still viruses, trojans, malware and so on on the system... Could you give me some good advice on how to check for this...

CU

#29 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Assuming that what we can't see might be hidden by a rootkit, you can try:
http://www.sysintern...itrevealer.html

If you want back full control of what runs and what not, here is a great tool:
http://www.diamondcs...u/processguard/
Recommendations on how to set up: http://www.commontol...secure_pg3.html

Regards,

#30 wolfikraus (Member, Topic Starter, 22 posts)
Hello,

thank you very much for your help :tazz:

Because I'm not sure if this happens again, I decided to set up a second webserver with Win2k SP4...

Can you give me brief advice on which AV I should install and how to proceed to secure the server from the beginning...


Thank you
