11.05.2007 at 07:47AM PST, ID: 22939280
Solution rating: 7.8

Windows SBS, 2003

Asked by elliottbreen in HijackThis Software

It seems that after Troj/Servu-Gen and Mal/Encpk-M infections were found, clients (XP Pro) can no longer connect to the internet, but email is working OK. The server can also connect to the internet OK, but I can no longer connect remotely via RDC.
The clients use DHCP and point to the server for DNS and gateway. The router is on a second NIC. I have tried putting the client on a static IP and pointing it directly to the router for the gateway and to the ISP's DNS addresses, but there is no change.
AVG Anti-Spyware 7.5 found the following infections:
Dropper.ServU
Trojan.Botspeedometer.A
Backdoor.Usirf.D

I ran HijackThis and have included the log and startup list. I hope you can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:19, on 05/11/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Virus\AD-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos Enterprise Manager\Library\bin\schdsrvc.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Enterprise Console\CertificationManagerServiceNT.exe
C:\Program Files\Sophos\Remote Management System\EMLibUpdateAgentNT.exe
C:\Program Files\Sophos\Enterprise Console\MgntSvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Virus\HiJackThis.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdownl.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbdlvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] c:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8ax] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
O4 - HKLM\..\RunOnce: [OE_WMPWMPCodec_wmv8dmo] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_0] C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_1] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_3] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_4] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_6] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_7] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_8] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_9] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_10] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_11] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_12] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_13] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_14] C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_15] C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_19] "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_20] C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
O4 - HKLM\..\RunOnce: [OE_WMPWMP7_Install_21] "C:\Program Files\Windows Media Player\migrate.exe" /s
O4 - HKLM\..\RunOnce: [OE_WMPWPD_Install_2] C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_1] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_2] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_4] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_5] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_6] C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
O4 - HKLM\..\RunOnce: [OE_WMPDRM_Install_7] C:\WINDOWS\system32\drmupgds.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://www.bbc.co.uk
O15 - ESC Trusted Zone: http://dw.com.com
O15 - ESC Trusted Zone: http://i.d.com.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.getfreefonts.info
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.google.co.uk
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://www.hydrastore.co.uk
O15 - ESC Trusted Zone: http://download2.konicaminoltaeurope.com
O15 - ESC Trusted Zone: http://www.mailbigfile.com
O15 - ESC Trusted Zone: http://us.mcafee.com
O15 - ESC Trusted Zone: http://*.msmvps.com
O15 - ESC Trusted Zone: http://www.myspace.com
O15 - ESC Trusted Zone: http://x.myspace.com
O15 - ESC Trusted Zone: http://download.nai.com
O15 - ESC Trusted Zone: http://login.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://downloads.pcworld.com
O15 - ESC Trusted Zone: http://downloads.planetmirror.com
O15 - ESC Trusted Zone: http://public.planetmirror.com
O15 - ESC Trusted Zone: http://saboteur.planetmirror.com
O15 - ESC Trusted Zone: http://secure.planetmirror.com
O15 - ESC Trusted Zone: http://www.safer-networking.org
O15 - ESC Trusted Zone: http://downloadcenter.samsung.com
O15 - ESC Trusted Zone: http://www.samsung.com
O15 - ESC Trusted Zone: http://downloads.sophos.com
O15 - ESC Trusted Zone: http://www.sophos.com
O15 - ESC Trusted Zone: http://entkb.symantec.com
O15 - ESC Trusted Zone: http://www.sysinternals.com
O15 - ESC Trusted Zone: http://www.telecom-plus-online.co.uk
O15 - ESC Trusted Zone: http://www.telecomplus.org.uk
O15 - ESC Trusted Zone: http://eventlookup.veritas.com
O15 - ESC Trusted Zone: http://seer.support.veritas.com
O15 - ESC Trusted Zone: http://softwareupdate.veritas.com
O15 - ESC Trusted Zone: http://support.veritas.com
O15 - ESC Trusted Zone: http://www.veritas.com
O15 - ESC Trusted Zone: http://www.veryfastsearch.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://meta.wikimedia.org
O15 - ESC Trusted Zone: http://en.wikipedia.org
O15 - ESC Trusted Zone: http://www.windowsitpro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124812338453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124812362093
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pioneer.local
O17 - HKLM\Software\..\Telephony: DomainName = pioneer.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{C536480D-73C6-4491-9B0C-0199B1CD671B}: NameServer = 192.168.16.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC56F592-A5A7-45CE-BE5A-56E4DD6E6B20}: NameServer = 192.168.16.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pioneer.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pioneer.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Virus\AD-Aware\aawservice.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe (file missing)
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: Microsoft Internet Monitoring Service (MSIMonSrv) - Unknown owner - C:\windows\system32\inetservice.exe (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Smart Card Updater (SCardUpd) - Unknown owner - C:\WINDOWS\system32\scardupd.exe (file missing)
O23 - Service: Sophos Enterprise Manager Scheduler (SEMScheduler) - Sophos Plc - C:\Program Files\Sophos Enterprise Manager\Library\bin\schdsrvc.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINDOWS\system32\inetservice.exe (file missing)
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Certification Manager - Sophos Plc. - C:\Program Files\Sophos\Enterprise Console\CertificationManagerServiceNT.exe
O23 - Service: Sophos EMLibUpdate Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\EMLibUpdateAgentNT.exe
O23 - Service: Sophos Management Service - Sophos Plc. - C:\Program Files\Sophos\Enterprise Console\MgntSvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: Distributed Link Tracking Updater (TrkUpd) - Unknown owner - C:\WINDOWS\system32\trkupd.exe (file missing)

--
End of file - 15019 bytes


StartupList report, 05/11/2007, 14:38:40
StartupList version: 1.52.2
Started from : E:\Virus\HiJackThis.EXE
Detected: Windows 2003 SP2 (WinNT 5.02.3790)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Virus\AD-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\hpdiags\hpdiags.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos Enterprise Manager\Library\bin\schdsrvc.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Enterprise Console\CertificationManagerServiceNT.exe
C:\Program Files\Sophos\Remote Management System\EMLibUpdateAgentNT.exe
C:\Program Files\Sophos\Enterprise Console\MgntSvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\imbservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Virus\HiJackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CPQTEAM = cpqteam.exe
DWPersistentQueuedReporting = c:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
VxTaskbarMgr = C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

OE_WMPWMPCodec_wmv8ax = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8ds32.ax"
OE_WMPWMPCodec_wmv8dmo = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\wmv8dmod.dll"
OE_WMPWMP7_Install_0 = C:\WINDOWS\INF\unregmp2.exe /MigrateLibrary
OE_WMPWMP7_Install_1 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmp.dll
OE_WMPWMP7_Install_3 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmclien.dll
OE_WMPWMP7_Install_4 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmstor.dll
OE_WMPWMP7_Install_6 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\drmv2clt.dll
OE_WMPWMP7_Install_7 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\blackbox.dll
OE_WMPWMP7_Install_8 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpshell.dll
OE_WMPWMP7_Install_9 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpasf.dll
OE_WMPWMP7_Install_10 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpdxm.dll
OE_WMPWMP7_Install_11 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpencen.dll
OE_WMPWMP7_Install_12 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\wmpsrcwp.dll
OE_WMPWMP7_Install_13 = C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\mpvis.dll"
OE_WMPWMP7_Install_14 = C:\WINDOWS\system32\regsvr32 /s "C:\Program Files\Windows Media Player\wmpband.dll"
OE_WMPWMP7_Install_15 = C:\WINDOWS\system32\regsvr32 /s C:\WINDOWS\system32\audiodev.dll
OE_WMPWMP7_Install_19 = "C:\Program Files\Windows Media Player\WMPEnc.exe" /RegServer
OE_WMPWMP7_Install_20 = C:\WINDOWS\INF\unregmp2.exe /Shortcuts /RegExts
OE_WMPWMP7_Install_21 = "C:\Program Files\Windows Media Player\migrate.exe" /s
OE_WMPWPD_Install_2 = C:\WINDOWS\system32\regsvr32.exe /s "C:\WINDOWS\system32\wpdsp.dll"
OE_WMPDRM_Install_1 = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmstor.dll"
OE_WMPDRM_Install_2 = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmclien.dll"
OE_WMPDRM_Install_4 = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\drmv2clt.dll"
OE_WMPDRM_Install_5 = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\blackbox.dll"
OE_WMPDRM_Install_6 = C:\WINDOWS\system32\regsvr32 /s "C:\WINDOWS\system32\msnetobj.dll"
OE_WMPDRM_Install_7 = C:\WINDOWS\system32\drmupgds.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
updateMgr = C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Collect Server Performance Data.job
Low Battery Alarm Program.job
New scan.job
RegCure Program Check.job
RegCure.job
ShadowCopyVolume{01a0c36e-13eb-11da-8681-806e6f6e6963}.job

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124812338453

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124812362093

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 8,944 bytes
Report generated in 0.094 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
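When reading a HijackThis log like the one above, the O23 (service) section is where an infection of this kind usually shows itself: several services with "Unknown owner" and "(file missing)", a "Serv-U FTP Server" service that lines up with the Troj/Servu-Gen and Dropper.ServU detections the asker reported, and two different service names (MSIMonSrv and Serv-U) both pointing at the same inetservice.exe. The Python script below is an added example written for this page; it is not the asker's code and not part of HijackThis. It parses O23 lines (the sample input is a subset copied from the log above) and ranks them with simple heuristics. The system-directory prefixes, the list of "built-in sounding" name words, and the idea of matching service names against AV family names are assumptions of this example, not rules HijackThis itself applies.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Sample input: O23 service lines copied from the HijackThis log above.
SAMPLE_LOG = r"""O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: DHCP Controller (dhcpcl) - Unknown owner - C:\WINDOWS\system32\dhcp\dhcpcl.exe (file missing)
O23 - Service: HP Insight Diagnostics (hpdiags) - Unknown owner - C:\compaq\hpdiags\hpdiags.exe
O23 - Service: Microsoft Internet Monitoring Service (MSIMonSrv) - Unknown owner - C:\windows\system32\inetservice.exe (file missing)
O23 - Service: Smart Card Updater (SCardUpd) - Unknown owner - C:\WINDOWS\system32\scardupd.exe (file missing)
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINDOWS\system32\inetservice.exe (file missing)
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Distributed Link Tracking Updater (TrkUpd) - Unknown owner - C:\WINDOWS\system32\trkupd.exe (file missing)
"""

# HijackThis 2.x O23 layout: "O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]".
# The "(<name>)" part is absent for some services (see "Sophos Agent" above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

# Heuristics below are assumptions of this example, not rules HijackThis applies.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\winnt\\system32")
# Words that make a display name sound like a built-in Windows component.
BUILTIN_WORDS = ("microsoft", "windows", "dhcp", "smart card", "distributed link")


@dataclass
class ServiceEntry:
    display: str
    name: Optional[str]
    owner: str
    path: str
    missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per independent reason; higher means look at it first.
        return len(self.reasons)


def parse_o23(log_text: str) -> List[ServiceEntry]:
    """Return every O23 line of a HijackThis log as a ServiceEntry; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["name"], m["owner"], m["path"], bool(m["missing"])))
    return entries


def triage_o23(log_text: str, av_indicators: Sequence[str] = ()) -> List[ServiceEntry]:
    """Score O23 entries and return only the flagged ones, highest score first.

    av_indicators: name fragments taken from the AV detections reported alongside the log
    (for this page, "Serv-U" from Troj/Servu-Gen and Dropper.ServU).
    """
    entries = parse_o23(log_text)
    # Two service names pointing at one binary is itself a signal (MSIMonSrv and Serv-U above).
    path_counts = Counter(e.path.lower() for e in entries)
    for e in entries:
        display_l = e.display.lower()
        if e.missing:
            e.reasons.append("binary missing: orphaned entry, or the file was removed by AV and the service left behind")
        if e.owner == "Unknown owner":
            e.reasons.append("no vendor string on the binary")
            if e.path.lower().startswith(SYSTEM_DIRS):
                e.reasons.append("unknown-vendor binary placed in the system directory")
            if any(w in display_l for w in BUILTIN_WORDS):
                e.reasons.append("display name imitates a built-in Windows component")
        for ind in av_indicators:
            if ind.lower() in f"{display_l} {(e.name or '').lower()}":
                e.reasons.append(f"name matches AV detection family '{ind}'")
        if path_counts[e.path.lower()] > 1:
            e.reasons.append("same binary registered under multiple service names")
    flagged = [e for e in entries if e.reasons]
    return sorted(flagged, key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage_o23(SAMPLE_LOG, av_indicators=("Serv-U",)):
        print(f"[{e.score}] {e.display} ({e.name}) -> {e.path}")
        for r in e.reasons:
            print("     -", r)
```

Run against the sample, the five "(file missing)" services and the unknown-owner HP diagnostics entry are flagged, while the Compaq and Sophos services with a vendor string are not; the Serv-U and MSIMonSrv entries rank highest because they also share one binary. A score is a prompt for a human to check the service's registry key and binary, not a verdict: a missing file can just as well be a leftover from an uninstalled product.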
Expert Comment, 11.05.2007 at 08:47AM PST, ID: 20217393 (text not available on this page)

Author Comment, 11.07.2007 at 03:01AM PST, ID: 20231021 (text not available on this page)

Expert Comment, 11.07.2007 at 03:17AM PST, ID: 20231093 (text not available on this page)

Author Comment, 11.08.2007 at 10:35AM PST, ID: 20243746 (text not available on this page)

Author Comment, 11.13.2007 at 07:03AM PST, ID: 20271917 (text not available on this page)

Accepted Solution, 11.13.2007 at 06:09PM PST, ID: 20277126 (text not available on this page)


About this solution

Zone: HijackThis Software
Tags: 2003
Solution Provided By: devil_himself
Participating Experts: 1
Solution Grade: A