OverSeer asked:
How can I remove the "Winhole" trojan?
GFI Languard is detecting 1081 (Winhole) open on one of my systems... Any idea how to close it / remove it? Windows Server 2003 SP2
Use Malwarebytes to remove the system.
ASKER
Malwarebytes only showed 2 registry entries that didn't even have to deal with Winhole... Any other ideas?
Winhole is usually a port that is opened for the trojan. Do a HijackThis scan and post the log, please.
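The reply above points at the thing to verify: a scanner names port 1081 "Winhole" from a port-number table, so what actually listens on it has to be established on the host itself. The script below is an added example, not code from the thread; it joins `netstat -ano` rows (which carry a PID) with `tasklist /svc` rows (which list the services each PID hosts), and the sample output, the process name example_agent.exe and the service name ExampleSvc are constructed placeholders.

```python
"""Attribute a port flagged by name (1081 = "Winhole") to the process that owns it.

Added example, not code from the thread. On Windows Server 2003 the two commands
that answer "who is listening on 1081?" are `netstat -ano` (PID column) and
`tasklist /svc` (services hosted per PID). The parsing runs anywhere on saved
output; attribute_live() runs the commands on a Windows host. All sample output
below is constructed; example_agent.exe / ExampleSvc are placeholders.
"""
import re
import subprocess
import sys
from typing import Dict, List

# One `netstat -ano` row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# One `tasklist /svc` row: image name (may contain spaces), PID, comma-separated services.
TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1081           0.0.0.0:0              LISTENING       2420
  TCP    192.0.2.10:1081        192.0.2.99:49152       ESTABLISHED     2420
  TCP    192.0.2.10:3389        192.0.2.77:1040        ESTABLISHED     1244
  UDP    0.0.0.0:445            *:*                                    4
"""

SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    900 RpcSs
svchost.exe                   1020 Browser, CryptSvc, Dhcp,
                                   EventSystem, Netman
svchost.exe                   1244 TermService
example_agent.exe             2420 ExampleSvc
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return one dict per socket row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        _host, _, port = m.group("local").rpartition(":")  # also handles "[::]:1081"
        rows.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "port": int(port),
            "state": m.group("state") or "",  # UDP rows carry no state column
            "pid": int(m.group("pid")),
        })
    return rows


def parse_tasklist_svc(text: str) -> Dict[int, Dict[str, object]]:
    """Map PID -> {"image": ..., "services": [...]}, joining wrapped service lists."""
    procs: Dict[int, Dict[str, object]] = {}
    last_pid = None
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            last_pid = int(m.group("pid"))
            svcs = [s.strip() for s in m.group("services").split(",") if s.strip()]
            procs[last_pid] = {"image": m.group("image"),
                               "services": [] if svcs == ["N/A"] else svcs}
        elif line.startswith(" ") and line.strip() and last_pid is not None:
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid]["services"].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def attribute_port(netstat_text: str, tasklist_text: str, port: int) -> List[Dict[str, object]]:
    """Return the listening sockets on `port`, each joined with its owning process."""
    procs = parse_tasklist_svc(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        listening = row["proto"] == "UDP" or row["state"] == "LISTENING"
        if row["port"] != port or not listening:
            continue  # established client connections are not the listener
        proc = procs.get(row["pid"], {"image": "<pid not in tasklist>", "services": []})
        hits.append({"proto": row["proto"], "local": row["local"], "pid": row["pid"],
                     "image": proc["image"], "services": list(proc["services"])})
    return hits


def attribute_live(port: int) -> List[Dict[str, object]]:
    """Run both commands on the local Windows host and attribute `port`."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("netstat -ano and tasklist /svc are Windows commands")
    netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tasklist = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True, check=True).stdout
    return attribute_port(netstat, tasklist, port)


if __name__ == "__main__":
    for hit in attribute_port(SAMPLE_NETSTAT, SAMPLE_TASKLIST, 1081):
        print(hit)
```

The image path and service name the script reports are what to compare against the HijackThis O23 list; a PID that tasklist cannot name is itself worth following up.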
ASKER
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:12 PM, on 4/16/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\Infrastructure\VMware Capacity Planner\vcpCollector.exe
C:\Program Files\EMC\PowerCommon\EmcPowSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\ISC601\AppServer\bin\wasservice.exe
C:\Program Files\IBM\ISC601\PortalServer\ISCEclipse\EclipseSvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\IBM\ISC601\AppServer\java\bin\javaw.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\EMC\Navisphere Agent\NaviAgent.Exe
C:\Program Files\QLogic Corporation\SANsurfer\portmap.exe
C:\PROGRA~1\QLOGIC~1\SANSUR~1\qlremote.exe
C:\Program Files\IBM\ISC601\AppServer\java\bin\java.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
C:\PROGRA~1\Tivoli\TSM\Server\dsmsvc.exe
C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
C:\Program Files\Tivoli\TSM\console\tsmreptsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\VMware\VMware License Server\lmgrd.exe
C:\Program Files\VMware\Infrastructure\Converter Enterprise\vmware-converter.exe
C:\Program Files\VMware\VMware License Server\VMWARELM.exe
C:\Program Files\VMware\Infrastructure\Update Manager\vmware-updatemgr.exe
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe
C:\Program Files\VMware\Infrastructure\Update Manager\rdevServer.exe
C:\Program Files\VMware\Infrastructure\Update Manager\vum-webServer.exe
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\bin\Tomcat5.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\VMware\Infrastructure\Update Manager\jre-1.5.0-12\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EMC\PowerCommon\EmcPowMon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet/default.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Mepco
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [bacstray] C:\Program Files\Broadcom\BACS\BacsTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - Global Startup: PowerPath Monitor.lnk = C:\Program Files\EMC\PowerCommon\EmcPowMon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://intranet/default.aspx
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {22D82B43-FF26-455A-A96D-A6C61F056ED7} (Gif89 xLite Class) - http://10.2.3.254/xplugxLiteTW.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230573154018
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230573147128
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emepco.com
O17 - HKLM\Software\..\Telephony: DomainName = emepco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F8C9DEB-B192-4C9D-A173-17D64FD23972}: NameServer = 10.2.3.10,10.2.2.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{B49CD4DC-BCE4-4EE7-9C63-ABF4D83B940A}: NameServer = 10.2.3.10,10.2.2.30
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emepco.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: VMware Capacity Planner Service (Collector) - VMware ,Inc. - C:\Program Files\VMware\Infrastructure\VMware Capacity Planner\vcpCollector.exe
O23 - Service: IP4700 Trap Catcher (DTCserver) - Unknown owner - C:\Program Files\EMC\Navisphere Agent\dtcsrv.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: EMC PowerPath Service 4.5.1 (EmcPowSrv) - EMC Corporation - C:\Program Files\EMC\PowerCommon\EmcPowSrv.exe
O23 - Service: IBM WebSphere Application Server V6 - ISC 6.0.1 Runtime Service (IBMWAS6Service - ISC 6.0.1 Runtime Service) - Unknown owner - C:\Program Files\IBM\ISC601\AppServer\bin\wasservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISC 6.0.1 Help Service - Unknown owner - C:\Program Files\IBM\ISC601\PortalServer\ISCEclipse\EclipseSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Navisphere Agent (Navisphere_Agent) - Unknown owner - C:\Program Files\EMC\Navisphere Agent\NaviAgent.Exe
O23 - Service: ONC/RPC Portmapper (oncportmap) - Unknown owner - C:\Program Files\QLogic Corporation\SANsurfer\portmap.exe
O23 - Service: QLogic Management Suite Java Agent (QLManagementAgentJava) - Unknown owner - C:\PROGRA~1\QLOGIC~1\SANSUR~1\qlremote.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TSM Client Acceptor - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcad.exe
O23 - Service: TSM Remote Client Agent - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmagent.exe
O23 - Service: TSM Scheduler - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: TSM Server1 - IBM Corporation - C:\PROGRA~1\Tivoli\TSM\Server\dsmsvc.exe
O23 - Service: TSM SQL backups - IBM Corporation - C:\Program Files\Tivoli\TSM\baclient\dsmcsvc.exe
O23 - Service: TSMReptSvc - IBM Corporation - C:\Program Files\Tivoli\TSM\console\tsmreptsvc.exe
O23 - Service: VMware Mount Service for VirtualCenter (vmountVpx) - VMware, Inc. - C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vmount2.exe
O23 - Service: VMware License Server - Macrovision Corporation - C:\Program Files\VMware\VMware License Server\lmgrd.exe
O23 - Service: VMware Converter Enterprise Service (vmware-converter) - VMware, Inc. - C:\Program Files\VMware\Infrastructure\Converter Enterprise\vmware-converter.exe
O23 - Service: VMware Update Manager Service (vmware-ufad-vci) - VMware, Inc. - C:\Program Files\VMware\Infrastructure\Update Manager\vmware-updatemgr.exe
O23 - Service: VMware VirtualCenter Server (vpxd) - VMware, Inc. - C:\Program Files\VMware\Infrastructure\VirtualCenter Server\vpxd.exe
O23 - Service: VMware Infrastructure Web Access (webAccess) - Apache Software Foundation - C:\Program Files\VMware\Infrastructure\VirtualCenter Server\tomcat\bin\Tomcat5.exe
--
End of file - 10101 bytes