
Malware- Spyware on Win 2000 Server



#1 wolfikraus (Member, 22 posts)
Hello,

I need help with this BIG problem:

After logging in as administrator to my Win 2000 Server (web server), IE or Firefox starts with this URL and wants to install an application: http://217.170.4.137/_vti_bin/index.html

PLZ let me know how to solve this problem...

Edited by Metallica, 17 August 2005 - 12:56 PM.


#2 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Please follow the recommendations in this post:
http://www.geekstogo...-Log-t2852.html

and someone will be glad to help you with the resulting HijackThis log.

Regards,

Edited by Metallica, 17 August 2005 - 07:29 AM.


#3 wolfikraus (Topic Starter, Member, 22 posts)
Hello,

thx for your advice :-)

I used all the tools shown in the help tutorial except Ewido, cause I use WebDefender and didn't know if I could install Ewido...

After rebooting and logging in, it still starts the Firefox browser with the URL from the topic...

I used HijackThis and created this logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:57:29, on 17.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\hpserver\AsrSrvc.Exe
C:\Programme\Gemeinsame Dateien\Softwin\bdregsvr2.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\hpserver\hpesysvc.exe
C:\WINNT\hpserver\hpevtsvc.exe
C:\WINNT\hpserver\hpipmsvc.exe
C:\WINNT\hpserver\hplersvc.exe
C:\WINNT\hpserver\hppfmsvc.Exe
C:\WINNT\HPServer\HPLER.EXE
C:\WINNT\hpserver\hprccsvc.exe
C:\WINNT\hpserver\hpsdnsvc.exe
C:\Programme\Hewlett-Packard\InstantTopTools\web\hpwebsvc.exe
C:\Programme\Hewlett-Packard\InstantTopTools\web\webs.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\netinfo.exe
C:\Programme\Gemeinsame Dateien\Softwin\XLog\nplogger.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\ias\temp\ntfsr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\ias\temp\winmsg.exe
C:\Programme\TightVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Softwin\Live\xlivesvr.exe
C:\Programme\Gemeinsame Dateien\Softwin\npcoresrv.exe
C:\Programme\Gemeinsame Dateien\Softwin\Statistics\BDstat.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Programme\Softwin\BitDefender for File Servers\bdfs.exe
C:\WINNT\System32\snmptrap.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
D:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\taskmgr.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\cidaemon.exe
D:\web\downloads\tools\HijackThis.exe
C:\WINNT\System32\mdm.exe

O1 - Hosts: 141.225.152.142 onlineaccounts2.abbeynational.co.uk
O1 - Hosts: 141.225.152.142 www3.aibgbonline.co.uk
O1 - Hosts: 141.225.152.142 www.bank.alliance-leicester.co.uk
O1 - Hosts: 141.225.152.142 login.iblogin.com
O1 - Hosts: 141.225.152.142 ww2.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.barclays.co.uk
O1 - Hosts: 141.225.152.142 iibank.cahoot.com
O1 - Hosts: 141.225.152.142 www3.coventrybuildingsociety.co.uk
O1 - Hosts: 141.225.152.142 ww.hsbc.co.uk
O1 - Hosts: 141.225.152.142 login.ebank.offshore.hsbc.co.je
O1 - Hosts: 141.225.152.142 ww3.online-offshore.lloydstsb.com
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ww3.online-business.lloydstsb.co.uk
O1 - Hosts: 141.225.152.142 ob2.nationet.com
O1 - Hosts: 141.225.152.142 ww3.onlinebanking.natwestoffshore.com
O1 - Hosts: 141.225.152.142 ww1.nwolb.com
O1 - Hosts: 141.225.152.142 ww1.onlinebanking.iombank.com
O1 - Hosts: 141.225.152.142 ww1.www.rbsdigital.com
O1 - Hosts: 141.225.152.142 welcome.smile.co.uk
O1 - Hosts: 141.225.152.142 login.365online.com
O1 - Hosts: 141.225.152.142 wvw.citizensbankonline.com
O1 - Hosts: 141.225.152.142 esecure.regionsnet.com
O1 - Hosts: 141.225.152.142 rollb.associatedbank.com
O1 - Hosts: 141.225.152.142 upb.unionplanters.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.huntington.com
O1 - Hosts: 141.225.152.142 inet.southtrustonlinebanking.com
O1 - Hosts: 141.225.152.142 logon.personal.wamu.com
O1 - Hosts: 141.225.152.142 login.compassweb.com
O1 - Hosts: 141.225.152.142 logon.firstmeritib.com
O1 - Hosts: 141.225.152.142 login.ccfcuonline.org
O1 - Hosts: 141.225.152.142 ww3.etimebanker.bankofthewest.com
O1 - Hosts: 141.225.152.142 ww2.onlinebanking.lasallebank.com
O1 - Hosts: 141.225.152.142 wvw.totallyfreebanking.com
O1 - Hosts: 141.225.152.142 www.online.wellsfargo.com
O1 - Hosts: 141.225.152.142 www.onlinebanking.bankofoklahoma.com
O1 - Hosts: 141.225.152.142 accounts4.keybank.com
O1 - Hosts: 141.225.152.142 logon.bankone.com
O1 - Hosts: 141.225.152.142 www.secure.tdbanknorth.com
O1 - Hosts: 141.225.152.142 www.secure.mvnt4.com
O1 - Hosts: 141.225.152.142 ww.mynfbonline.com
O1 - Hosts: 141.225.152.142 login.forumcuonline.com
O1 - Hosts: 141.225.152.142 www.eds.usersonlnet.com
O1 - Hosts: 141.225.152.142 www.onlineid.bankofamerica.com
O1 - Hosts: 141.225.152.142 wvw.e-gold.com
O1 - Hosts: 141.225.152.142 pcbs.peoples.com
O1 - Hosts: 141.225.152.142 www.global1.onlinebank.com
O1 - Hosts: 141.225.152.142 ww2.mybranch.lafcu.com
O1 - Hosts: 141.225.152.142 login.webbanking.comerica.com
O1 - Hosts: 141.225.152.142 web.banking.firsttennessee.com
O1 - Hosts: 141.225.152.142 logon.members1st.org
O1 - Hosts: 141.225.152.142 www.cib.ibanking-services.com
O1 - Hosts: 141.225.152.142 www.miwebbusbank.ebanking-services.com
O1 - Hosts: 141.225.152.142 wvw.paypal.com
O1 - Hosts: 141.225.152.142 wvw.etrade.com
O1 - Hosts: 141.225.152.142 ww4.fleethomelink.fleet.com
O1 - Hosts: 141.225.152.142 ww3.connect.skyfi.com
O1 - Hosts: 141.225.152.142 www6.usbank.com
O1 - Hosts: 141.225.152.142 www.bvi.bancodevalencia.es
O1 - Hosts: 141.225.152.142 extrant.banesto.es
O1 - Hosts: 141.225.152.142 banesnt.banesto.es
O1 - Hosts: 141.225.152.142 activia.caixagalicia.es
O1 - Hosts: 141.225.152.142 www.bancae.caixapenedes.com
O1 - Hosts: 141.225.152.142 login.caixasabadell.net
O1 - Hosts: 141.225.152.142 oii.cajamadrid.es
O1 - Hosts: 141.225.152.142 login.cajamar.es
O1 - Hosts: 141.225.152.142 login.ccm.es
O1 - Hosts: 141.225.152.142 ww.unicaja.es
O1 - Hosts: 141.225.152.142 www5.bancopopular.es
O1 - Hosts: 141.225.152.142 ww3.bbvanet.com
O1 - Hosts: 141.225.152.142 ww.bayernlb.de
O1 - Hosts: 141.225.152.142 ww2.berliner-volksbank.de
O1 - Hosts: 141.225.152.142 ww7.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 portal09.commerzbanking.de
O1 - Hosts: 141.225.152.142 www.meine.deutsche-bank.de
O1 - Hosts: 141.225.152.142 ww2.dresdner-privat.de
O1 - Hosts: 141.225.152.142 ww.e-banking.helaba.de
O1 - Hosts: 141.225.152.142 ww.hsh-nordbank.de
O1 - Hosts: 141.225.152.142 www.my.hypovereinsbank.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-berlin.de
O1 - Hosts: 141.225.152.142 www.banking.lbbw.de
O1 - Hosts: 141.225.152.142 lrp.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww3.homebanking-niedersachsen.de
O1 - Hosts: 141.225.152.142 www.onlinebanking.norisbank.de
O1 - Hosts: 141.225.152.142 www.banking.postbank.de
O1 - Hosts: 141.225.152.142 wvw.internetbanking.gad.de
O1 - Hosts: 141.225.152.142 ww1.portal.izb.de
O1 - Hosts: 141.225.152.142 wvw.kunden-service.lbs.de
O1 - Hosts: 141.225.152.142 ibanking.seb.de
O1 - Hosts: 141.225.152.142 bw7.sparkasse-banking.de
O1 - Hosts: 141.225.152.142 ww2.homebanking-sparkasse.de
O1 - Hosts: 141.225.152.142 ww2.vr-networld-ebanking.de
O1 - Hosts: 141.225.152.142 ww.bics.fr
O1 - Hosts: 141.225.152.142 www.co.caixabank.fr
O1 - Hosts: 141.225.152.142 ww.creditmutuel.fr
O1 - Hosts: 141.225.152.142 internetbank.intesabci.it
O1 - Hosts: 141.225.152.142 ww.extensive.bancalombarda.it
O1 - Hosts: 141.225.152.142 wvw.csebanking.it
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Microsoft Javascript Class - {6E28339B-7A2A-47B6-AEB2-46BA53782373} - C:\WINNT\system32\dllcache\javascript.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [backup.exe] D:\IMAIL\backup.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: taskmgr.lnk = C:\WINNT\system32\taskmgr.exe
O4 - Global Startup: Dienst-Manager.lnk = D:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://instantsuppor...alls/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D289E463-771A-4964-B664-F3020E751A56} - http://acs.pandasoft...22-0/srpush.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoft...5/ASPROinst.cab
O16 - DPF: {E43DF60D-D6FA-42AB-921C-FE0A023C5BE1} (eWebEditProLibCtl.eWebEditPro) - http://cms.bitforbit...ewebeditpro.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wwwbfb.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6171A926-9049-4CC9-BD2D-415DEB27C578}: NameServer = 213.185.130.100,213.185.129.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wwwbfb.local
O23 - Service: AsrSrvc - Unknown owner - C:\WINNT\hpserver\AsrSrvc.Exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programme\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender for File Servers (BDFS) - Unknown owner - C:\Programme\Softwin\BitDefender for File Servers\bdfs.exe
O23 - Service: BitDefender NPCore (BDNPCORE) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\npcoresrv.exe
O23 - Service: BitDefender Registry v2 (BDREGISTRY) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\bdregsvr2.exe
O23 - Service: BitDefender Statistics (BDSTATSRV) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\Statistics\BDstat.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IMail FINGER Server (FINGRD32) - Ipswitch, Inc. - D:\IMAIL\FINGRD32.exe
O23 - Service: HPComponent - Unknown owner - C:\DMI\win32\bin\hpcmpsvc.exe
O23 - Service: HPEsySvc - Unknown owner - C:\WINNT\hpserver\hpesysvc.exe
O23 - Service: HPEventLog (HPEvtSvc) - Unknown owner - C:\WINNT\hpserver\hpevtsvc.exe
O23 - Service: HPHswSvc - Unknown owner - C:\WINNT\hpserver\hphswsvc.exe
O23 - Service: hpipmsvc - Unknown owner - C:\WINNT\hpserver\hpipmsvc.exe
O23 - Service: HPLerSvc - Unknown owner - C:\WINNT\hpserver\hplersvc.exe
O23 - Service: HPPfmSvc - Unknown owner - C:\WINNT\hpserver\hppfmsvc.Exe
O23 - Service: HPRccSvc - Unknown owner - C:\WINNT\hpserver\hprccsvc.exe
O23 - Service: HPSdnSvc - Unknown owner - C:\WINNT\hpserver\hpsdnsvc.exe
O23 - Service: hpwebsvc - Unknown owner - C:\Programme\Hewlett-Packard\InstantTopTools\web\hpwebsvc.exe
O23 - Service: IMail LDAP Server (ILDAP) - Ipswitch, Inc. - D:\IMAIL\ILDAP.exe
O23 - Service: IMail IMAP4 Server (IMAP4D32) - Ipswitch, Inc. - D:\IMAIL\IMAP4D32.exe
O23 - Service: IMail Monitor Service (IMonitor) - Ipswitch, Inc. - D:\IMAIL\IMonitor.exe
O23 - Service: IMail Web Calendar Service (IWebCal) - Ipswitch, Inc. - D:\IMAIL\IWebCal.exe
O23 - Service: IMail Web Service (IWEBMSG) - Ipswitch, Inc. - D:\IMAIL\iwebmsg.exe
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe
O23 - Service: BitDefender NPLogger (NPLogger) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\XLog\nplogger.exe
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\WINNT\system32\PipeCmdSrv.exe (file missing)
O23 - Service: IMail POP3 Server (POP3D32) - Ipswitch, Inc. - D:\IMAIL\POP3D32.exe
O23 - Service: IMail PWD Server (PSERVE) - Ipswitch, Inc. - D:\IMAIL\PSERVE.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINNT\system32\Rpcmon.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\ias\temp\ntfsr.exe" /service (file missing)
O23 - Service: IMail SMTP Server (SMTPD32) - Ipswitch, Inc. - D:\IMAIL\SMTPD32.exe
O23 - Service: IMail Sys Logger Service (SYSLOGD) - Ipswitch, Inc. - D:\IMAIL\SYSLOGD.exe
O23 - Service: IMail WHOIS Server (WHOISD32) - Ipswitch, Inc. - D:\IMAIL\WHOISD32.exe
O23 - Service: Win32SL - Smart Technology Enablers - C:\DMI\win32\bin\win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: BitDefender Update Service (XLiveSvr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Softwin\Live\xlivesvr.exe

I hope you can help me, cause this is a heavily used web server...

CU
Wolfi
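A triage script for a log like the one in the post above, added here as an example (it is not part of the thread and not HijackThis's own code): it groups the O1 hosts entries by the IP they point to and flags O23 services whose binary is reported missing or lives in a temp directory, cross-checking those against the "Running processes" list. The sample log is a constructed excerpt built from a few of the line formats posted above; the regexes, TEMP_DIRS and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the exact line formats of the HijackThis v1.99.1 log
# posted above (trimmed to a handful of entries so the example stays short).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\system32\\ias\\temp\\ntfsr.exe
C:\\Programme\\TightVNC\\WinVNC.exe

O1 - Hosts: 141.225.152.142 inet.barclays.co.uk
O1 - Hosts: 141.225.152.142 www.online.wellsfargo.com
O1 - Hosts: 141.225.152.142 wvw.paypal.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Programme\\TightVNC\\WinVNC.exe" -servicehelper
O23 - Service: BitDefender for File Servers (BDFS) - Unknown owner - C:\\Programme\\Softwin\\BitDefender for File Servers\\bdfs.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\\WINNT\\system32\\ias\\temp\\ntfsr.exe" /service (file missing)
O23 - Service: PipeCmd Service (PipeCmdSrv) - Unknown owner - C:\\WINNT\\system32\\PipeCmdSrv.exe (file missing)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'([a-z]:\\[^"]*?\.exe)', re.I)

# Hosts-file targets that are harmless (loopback / blackhole, as in the MVPS list).
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Directories a legitimate service binary should not normally live in (example's choice).
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def running_processes(lines):
    """Return the lower-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for line in lines:
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            in_block = False
        elif in_block:
            procs.add(line.strip().lower())
    return procs


def hosts_redirects(lines):
    """Group O1 entries by target IP.  Many hostnames (bank logins above all)
    pointing at one public address is the pharming pattern, not a blocklist."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in BENIGN_TARGETS:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def suspicious_services(lines):
    """Flag O23 services whose binary is reported missing or sits in a temp
    directory, and note whether that binary is nevertheless in the process
    list ('(file missing)' next to a stray closing quote means HijackThis
    could not resolve a quoted ImagePath with arguments, not that it is gone)."""
    procs = running_processes(lines)
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, owner, path = m.groups()
        reasons = []
        if "(file missing)" in path.lower():
            reasons.append("binary reported missing")
        if any(d in path.lower() for d in TEMP_DIRS):
            reasons.append("runs from a temp directory")
        if not reasons:
            continue
        exe = EXE_RE.search(path)
        findings.append({
            "service": name,
            "owner": owner,
            "path": exe.group(1) if exe else path,
            "reasons": reasons,
            "running": bool(exe) and exe.group(1).lower() in procs,
        })
    return findings


def triage(log_text):
    """The two indicators worth acting on first, as one report."""
    lines = log_text.splitlines()
    return {"hosts": hosts_redirects(lines), "services": suspicious_services(lines)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, names in report["hosts"].items():
        print(f"hosts file sends {len(names)} name(s) to {ip}: {', '.join(names)}")
    for f in report["services"]:
        state = "RUNNING" if f["running"] else "not running"
        print(f"service {f['service']!r}: {', '.join(f['reasons'])} [{state}] -> {f['path']}")
```

Two things the full log above illustrates and the script is built around. First, both the r_server and winvnc entries show "(file missing)" together with a stray closing quote, yet ntfsr.exe and WinVNC.exe are right there in the process list, so "file missing" on an O23 line is not by itself evidence that the binary is gone; the process cross-check is what tells the two cases apart. Second, the hosts grouping is the stronger signal: dozens of bank and payment login hostnames all resolving to one public address is a redirection setup, which is why replacing the whole file with a known-good copy is the right fix rather than editing entries one by one.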

#4 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I got it. Was there anything useful in your hosts file before this happened?

If not you can download a new one here:
http://www.mvps.org/...p2002/hosts.htm
Save it to C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts and let it replace the one that's there now.

If this file happens to be present on your computer:
C:\WINNT\system32\dllcache\javascript.dll (probably not)
I would love to have a look at that.

Check the following items in HijackThis.
Close all windows (especially IE) except HijackThis and click Fix checked:

O2 - BHO: Microsoft Javascript Class - {6E28339B-7A2A-47B6-AEB2-46BA53782373} - C:\WINNT\system32\dllcache\javascript.dll (file missing)

Let me know if that solves your problem.
If not, let me know if the C:\WINNT\system32\ias\ folder contains files that are in use by you.

P.S. You do not have to PM me when you reply. I will automatically get emailed.

Regards,

#5 wolfikraus (Topic Starter, Member, 22 posts)
Hello,

thx for your quick help...

I saved the hosts file, fixed the item with HijackThis and looked for javascript.dll (did not find it).

But after rebooting the server (and ONLY after rebooting) and logging in as administrator, Firefox started again with this /§&%/ URL...

I never looked at the /ias folder before, but I saw a lot of files there and I do not know what /ias is and never used any files there... :tazz:

Hope this helps you for a new try :)

#6 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I'd like you to surf to:
http://virusscan.jotti.org/
and upload these files:
C:\WINNT\system32\ias\temp\ntfsr.exe
C:\WINNT\system32\ias\temp\winmsg.exe

Let me know the results.

Also
  • download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • 217.170.4.137
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
I will disable the link in your first post, since that site delivers a nasty payload.

Regards,

#7 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I found some more info. There is another file I'd like you to look for

duh.txt

If it is found let me know where exactly and post the content of the file.

Regards,

#8 wolfikraus (Topic Starter, Member, 22 posts)
Hello,

The online-scan result for ntfsr.exe:
Service load:
0% 100%
File: ntfsr.exe
Status:
INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 861a21d9fbdaffa373a9d5a845b726dc
Packers detected:
MORPHINE
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found not a virus Program.RemoteAdmin
F-Prot Antivirus
Found nothing
Fortinet
Found RAT/Remoteadmin
Kaspersky Anti-Virus
Found not-a-virus:RemoteAdmin.Win32.RAdmin.21
NOD32
Found Win32/RemoteAdmin application
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

The online-scan result for winmsg.exe:

Service load:
0% 100%
File: winmsg.exe
Status:
INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 45e5098bed3685aee85d8806b37e9252
Packers detected:
UPX
Scanner results
AntiVir
Found nothing
ArcaVir
Found Trojan.Servu-based
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found Trojan.Servu.1
Dr.Web
Found not a virus Program.ServUServer.5200
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:Server-FTP.Win32.Serv-U.5201
NOD32
Found Win32/ServU-Daemon application
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

Registry search tool said: "No instances found"

Thx a lot for your help again :tazz:
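A small parser for the Jotti result format posted above, added as an example (it is not part of the thread and not Jotti's own tooling): it extracts the MD5, the packer and the per-engine verdicts, and classifies each sample by whether the names the engines assign are riskware-style ("not-a-virus", RemoteAdmin, "application") or outright trojan names. The two inputs are the posted results with the status line and some "Found nothing" engines trimmed; RISKWARE_MARKERS, the classification labels and the function names are this example's own choices.

```python
import re

# Jotti results as posted above, in Jotti's line format; status line and a
# few "Found nothing" engines trimmed for length, verdict lines unchanged.
NTFSR_RESULT = """\
File: ntfsr.exe
MD5 861a21d9fbdaffa373a9d5a845b726dc
Packers detected:
MORPHINE
Scanner results
AntiVir
Found nothing
Dr.Web
Found not a virus Program.RemoteAdmin
Fortinet
Found RAT/Remoteadmin
Kaspersky Anti-Virus
Found not-a-virus:RemoteAdmin.Win32.RAdmin.21
NOD32
Found Win32/RemoteAdmin application
VBA32
Found nothing
"""

WINMSG_RESULT = """\
File: winmsg.exe
MD5 45e5098bed3685aee85d8806b37e9252
Packers detected:
UPX
Scanner results
ArcaVir
Found Trojan.Servu-based
ClamAV
Found Trojan.Servu.1
Dr.Web
Found not a virus Program.ServUServer.5200
Kaspersky Anti-Virus
Found not-a-virus:Server-FTP.Win32.Serv-U.5201
NOD32
Found Win32/ServU-Daemon application
"""

# Wording vendors use for legitimate-but-abusable software ("riskware");
# this marker list is the example's own choice.
RISKWARE_MARKERS = ("not-a-virus", "not a virus", "application",
                    "rat/", "remoteadmin", "server-ftp")


def parse_jotti(text):
    """File name, MD5, packers and the engine -> verdict table of one result;
    verdicts are stored without the leading 'Found'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"file": None, "md5": None, "packers": [], "verdicts": {}}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("File:"):
            info["file"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5 "):
            info["md5"] = line.split()[1].lower()
        elif line == "Packers detected:":
            i += 1
            while i < len(lines) and lines[i] != "Scanner results":
                info["packers"].append(lines[i])
                i += 1
            continue  # re-examine the 'Scanner results' line on the next pass
        elif line == "Scanner results":
            # from here on the text alternates engine name / verdict line
            for engine, verdict in zip(lines[i + 1::2], lines[i + 2::2]):
                if not verdict.startswith("Found "):
                    raise ValueError(f"unexpected verdict line: {verdict!r}")
                info["verdicts"][engine] = verdict[len("Found "):]
            break
        i += 1
    return info


def summarize(text):
    """Classify by the kind of names the engines assign, not only by how many fire."""
    info = parse_jotti(text)
    hits = {e: v for e, v in info["verdicts"].items() if v.lower() != "nothing"}
    riskware = {e for e, v in hits.items()
                if any(m in v.lower() for m in RISKWARE_MARKERS)}
    if not hits:
        cls = "clean"
    elif riskware == set(hits):
        cls = "riskware (admin/server tool)"
    elif riskware:
        cls = "mixed (riskware names alongside trojan names)"
    else:
        cls = "malware"
    return {"file": info["file"], "md5": info["md5"], "packers": info["packers"],
            "engines": len(info["verdicts"]), "detections": hits,
            "classification": cls}


if __name__ == "__main__":
    for result in (NTFSR_RESULT, WINMSG_RESULT):
        s = summarize(result)
        print(f"{s['file']}: {len(s['detections'])}/{s['engines']} engines, "
              f"packers={s['packers']}, md5={s['md5']} -> {s['classification']}")
```

On ntfsr.exe every engine that fires uses remote-admin riskware wording, which matches the later remark in the thread that the files found are tools rather than the infection itself; winmsg.exe gets Serv-U riskware names alongside two "Trojan.Servu" names, the case where the MD5 is worth checking against further sources before deciding. The verdict names are only part of the picture, though: a Morphine- or UPX-packed "admin tool" dropped into system32\ias\temp, under a name (ntfsr.exe) one letter away from the legitimate ntfrs.exe that also appears in the process list, is suspicious on placement alone.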

#9 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Good. Did you see my post about duh.txt?

If I'm right that will contain a list of all the IPs your computer has infected in the meantime.

Reboot into safe mode and move the entire ias folder to a different location (preferably zipped up).

And can you check when BitDefender was last successfully updated?

Regards,

#10 wolfikraus (Topic Starter, Member, 22 posts)
hi again,

duh.txt was not found on the server...

CU
Wolfi


#11 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Check if there is a .txt file in the ias folder.

Post a new HijackThis log after moving that folder please.

Regards,

#12 wolfikraus (Topic Starter, Member, 22 posts)
hello,

I'm using VNC to connect to the server, not sure how to reboot in safe mode :tazz:

BitDefender was last updated at 21:28

Regards,

#13 wolfikraus (Topic Starter, Member, 22 posts)
These are the .txt files in the /ias folder:

dirchange.txt
help.txt
login.txt
logoff.txt
rules.txt
stat.txt
ustat.txt

Regards,

#14 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
I'm afraid of breaking the connection anyway.

I'm convinced there is an RBot running on that server, but I'm not sure about the filename we are looking for.

The files we found are merely tools and could even be necessary.

That server needs a good scan with a decent AV.
I'm a bit disappointed that BitDefender didn't stop this.

Can you do an online scan?
For example here: http://housecall.trendmicro.com/
Or here: http://www.kaspersky.com/virusscanner

I'm going to bed shortly and I'll check back in the morning.

Regards,

#15 wolfikraus (Topic Starter, Member, 22 posts)
Hello,

I wonder if this file is needed: memory.dmp (256 MB) found in the C:\winnt folder...

cause my system partition C: is going down to 640 MB ... :tazz:

Cu
Wolfi