troubleshooting Question

trojan or virus? hijacklog...

Avatar of jcsfrei
jcsfrei asked on
OS Security
7 Comments1 Solution781 ViewsLast Modified:
Hi all
Can anyone help me with this hijack log? yesterday and today a lot of html files got corrupted and appeared many executables with random filenames with 57kb. Searched a lot of sites, used mcafee, symantec and housecall and nothing was detected. Hope the hijack log can help discover the problem.
I put a few xxx in network configurations, hope wont be a trouble.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 21:41:41, on 07/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
c:\program files\shatter it\nc_net\output\nc_net.exe
C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
D:\iisPRT\IIs5Recycle.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\macromed\flash\GetFlash.exe
D:\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Update Visual] jamey.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124915042234
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxx
O17 - HKLM\System\CCS\Services\Tcpip\..\{78173241-A853-4DF5-952D-BBC764539C99}: NameServer = 10.250.1.2,10.250.1.3,xxx.xxx.xxx.xxx
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A9A555B-43A1-419D-866A-23328C7DCB1D}: NameServer = 10.250.1.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxx
O17 - HKLM\System\CS1\Services\Tcpip\..\{78173241-A853-4DF5-952D-BBC764539C99}: NameServer = 10.250.1.2,10.250.1.3,xxx.xxx.xxx.xxx
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxx
O17 - HKLM\System\CS2\Services\Tcpip\..\{78173241-A853-4DF5-952D-BBC764539C99}: NameServer = 10.250.1.2,10.250.1.3,xxx.xxx.xxx.xxx
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
O23 - Service: Persits Software Email Agent (EmailAgent) - Persits Software, Inc. - C:\PROGRA~1\PERSIT~1\AspEmail\EMAILA~1\BIN\EMAILA~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: Nagios Agent (NC_Net) -   - c:\program files\shatter it\nc_net\output\nc_net.exe
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - D:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - %SystemDrive%\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe (file missing)
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe

ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 7 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros