painted
asked on
Possible Network Virus, Please Help
I would say about a month ago now, I have noticed on all PC's in our organization, a list of user accounts have began to appear on users machines. I check these user accounts out and they are valid accounts of people that work in our organization, but I cant understand why they would be on these computers. For example, I will look at one of the computers in our billing department and it will have the user profile of the employee who sits at that particular desk, but it will also have other employees from different departments who I know will never log on to that particular machine. One scary thing is that on a couple of our servers we have noticed a couple user profiles on them also. In my organization we use Trend Enterprise and make sure that everything is patched and up to date. I have researched this and havent been able to find anything but my gut feeling is that it is something out there. Can someone please point me in a direction of other things to look at, maybe I am not thinking out of the box. Please help. Thanks
Run the: "FULL SERVICE SCAN"
http://onecare.live.com/site/en-us/default.htm
http://onecare.live.com/site/en-us/default.htm
Sounds indeed suspicious , can you please post a hijack this log from one of the machine where the user accounts suddenly popped up & the strange behaviour appeared ?
this will help us take a better look at the software environment on this server.
this will help us take a better look at the software environment on this server.
ASKER
Here is a Highjack This Log of a user that has multiple profiles on it:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:40 AM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\spools v.exe
C:\vsi\dlc10\bin\AdmSrvc.e xe
C:\vsi\dlc9\bin\AdmSrvc.ex e
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\WINDOWS\system32\CCM\Cc mExec.exe
C:\vsi\dlc9\jre\bin\java.e xe
C:\vsi\dlc10\jre\bin\java. exe
C:\vsi\dlc10\jre\bin\java. exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd. exe
C:\WINDOWS\system32\igfxpe rs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\D VDLauncher .exe
C:\Program Files\Common Files\InstallShield\Update Service\is sch.exe
C:\Program Files\RightFax\Client\FaxC trl.exe
C:\WINDOWS\system32\dla\tf swctrl.exe
C:\Program Files\Common Files\Real\Update_OB\reals ched.exe
C:\Program Files\Java\jre1.5.0_09\bin \jusched.e xe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe
C:\PROGRA~1\HEWLET~1\Toolb ox\STATUS~ 1\STATUS~1 .EXE
C:\Program Files\Hewlett-Packard\Tool box\jre\bi n\javaw.ex e
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\FTF584.EXE
c:\program files\ibm\client access\emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
c:\program files\ibm\client access\emulator\pcsws.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX E
C:\Program Files\Java\jre1.5.0_09\bin \jucheck.e xe
C:\Program Files\Trend Micro\HijackThis\HijackThi s.exe
R1 - HKCU\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://www.dell.com/
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.wilsonnc.org/
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Page _URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Default_Sear ch_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\In ternet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\In ternet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.d ll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0 0123456789 0} - C:\WINDOWS\system32\dla\tf swshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D 4DAF1D92D4 3} - C:\Program Files\Java\jre1.5.0_09\bin \ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C F10577473F 7} - c:\program files\google\googletoolbar 4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C E66B5AD205 D} - C:\Program Files\Google\GoogleToolbar Notifier\3 .1.807.174 6\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0 09027A5CD4 F} - c:\program files\google\googletoolbar 4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr ay.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd. exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe rs.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D VDLauncher .exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTA L~1\UPDATE ~1\ISUSPM. exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\Update Service\is sch.exe" -start
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe "
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxC trl.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tf swctrl.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals ched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin \jusched.e xe"
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Tool box\hpbpst tp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe " /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateMana ger.exe AcRdB7_1_0
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSC lientMsiTr ans\tscuin st.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TS ClientMsiT rans\tscds bl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSC lientMsiTr ans\tscuin st.vbs" (User 'Default user')
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2 \Office12\ EXCEL.EXE/ 3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.5.0_09\bin \ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0 0401C60850 1} - C:\Program Files\Java\jre1.5.0_09\bin \ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - C:\PROGRA~1\MICROS~2\Offic e12\REFIEB AR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f 2ba3849658 3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0 0C04F79568 3} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0 E3A5CAA8CD 8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CCS\Services\T cpip\Param eters: Domain = wilson_city.org
O17 - HKLM\Software\..\Telephony : DomainName = wilson_city.org
O17 - HKLM\System\CS1\Services\T cpip\Param eters: Domain = wilson_city.org
O17 - HKLM\System\CS2\Services\T cpip\Param eters: Domain = wilson_city.org
O23 - Service: AdminService for OpenEdge 10.1B (AdminService10.1B) - Unknown owner - C:\vsi\dlc10\bin\AdmSrvc.e xe
O23 - Service: AdminService for PROGRESS 9.1E (AdminService9.1E) - Unknown owner - C:\vsi\dlc9\bin\AdmSrvc.ex e
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: ProService for 9.1E (ProService9.1E) - Progress Software - C:\vsi\dlc9\bin\ProSrvc.ex e
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
--
End of file - 8541 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:40 AM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\vsi\dlc10\bin\AdmSrvc.e
C:\vsi\dlc9\bin\AdmSrvc.ex
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\CCM\Cc
C:\vsi\dlc9\jre\bin\java.e
C:\vsi\dlc10\jre\bin\java.
C:\vsi\dlc10\jre\bin\java.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.
C:\WINDOWS\system32\igfxpe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\D
C:\Program Files\Common Files\InstallShield\Update
C:\Program Files\RightFax\Client\FaxC
C:\WINDOWS\system32\dla\tf
C:\Program Files\Common Files\Real\Update_OB\reals
C:\Program Files\Java\jre1.5.0_09\bin
C:\WINDOWS\system32\ctfmon
C:\Program Files\Google\GoogleToolbar
C:\PROGRA~1\HEWLET~1\Toolb
C:\Program Files\Hewlett-Packard\Tool
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\FTF584.EXE
c:\program files\ibm\client access\emulator\pcsws.exe
C:\Program Files\IBM\Client Access\Emulator\PCSCM.EXE
c:\program files\ibm\client access\emulator\pcsws.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EX
C:\Program Files\Java\jre1.5.0_09\bin
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\D
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTA
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxC
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tf
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Tool
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateMana
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSC
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TS
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSC
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O23 - Service: AdminService for OpenEdge 10.1B (AdminService10.1B) - Unknown owner - C:\vsi\dlc10\bin\AdmSrvc.e
O23 - Service: AdminService for PROGRESS 9.1E (AdminService9.1E) - Unknown owner - C:\vsi\dlc9\bin\AdmSrvc.ex
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: ProService for 9.1E (ProService9.1E) - Progress Software - C:\vsi\dlc9\bin\ProSrvc.ex
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
--
End of file - 8541 bytes
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your Highjack This Results
Actions.doc
Actions.doc
If YOU cant go here:
http://onecare.live.com/site/en-US/center/cleanup.htm
And run scans
you Got Worm:Win32/Conficker.B
Microsoft is offering $250,000 to a (Worm:Win32/Conficker.B) FIX
Hope its ME