Indy_IT_Support
asked on
Identify what my network is infected with
Hello,
I have a random issue that has been appearing on my network for the last 2 months.
The machines boot up but use the stored profile to authenticate the user. Then the machine does not map the network shares, and Outlook cannot connect to Exchange.
I cannot execute Start -> Run -> cmd or Start -> Run -> regedit.
If I log in to the same computer with another user's profile everything works fine, and if I log the original user into another computer everything works fine. It just seems to affect the one user on the one machine.
I have run all kinds of online malware scans and virus scans; nothing comes up.
The first couple of times we just wiped the machines and reloaded them, but it has happened enough now that I need to figure out where it is coming from.
I have a corporate firewall with the MS firewall enabled on the laptops, and we use Symantec Corporate Edition.
I have no idea what this is or how it keeps getting onto my machines.
Has anyone run into this before? Can it be cleaned, and how do I stop it from crawling through my network?
Thanks,
ASKER
No errors when running regedit or cmd. The screen flashes to a blue background then back to the desktop, but nothing resembling the app actually trying to run.
Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:25 PM, on 5/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A11D78F\bomgar-scc.exe
C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A11D78F\bomgar-scc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://justmarketing.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = justmarketing.local
O17 - HKLM\Software\..\Telephony: DomainName = justmarketing.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = justmarketing.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = justmarketing.local
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bomgar Jump Client [1242421781-1242421826] (bomgar-ps-1242421781-1242421826) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A0DDA14\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Jump Client [1242683279-1242683324] (bomgar-ps-1242683279-1242683324) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A11D78F\bomgar-scc.exe
O23 - Service: Bomgar Support Customer Client [1242683279] (bomgar-scc-1242683279) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A11D78F\bomgar-scc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 12096 bytes
Is this Bomgar service legit, and are you using this version of Bomgar internally?
O23 - Service: Bomgar Jump Client [1242421781-1242421826] (bomgar-ps-1242421781-1242421826) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A0DDA14\bomgar-scc.exe (file missing)
Other than that the log looks fine; it could be user profile corruption. Could you please check the event logs for any errors originating from USERENV or SYSTEM, or any other related events?
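The expert's first pass over the log above (an unknown-owner service whose binary is missing, running from a data directory) can be turned into a repeatable triage step. The following is an added example written for this page, not HijackThis code or anything the experts posted; it parses O4/O23 lines and lists the entries worth a follow-up question, including per-user (HKCU) autostarts, which matter here because the symptom follows one user on one machine. The SUSPECT_DIRS list and the sample log are constructed for the example (the sample lines are copied from the log above with the line-wrapping repaired).

```python
"""Triage helper for HijackThis-style logs (constructed example).

Parses the O4 (autostart) and O23 (service) entries and lists the ones a
reviewer would ask about first: binaries reported missing, services with an
unknown owner, executables living in a profile/data directory, and per-user
(HKCU) autostarts.  A finding is a question to verify, not a verdict: both
ctfmon.exe and the Bomgar client are legitimate on this page's machine.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Directories a service or autostart binary rarely belongs in.  Assumed list
# for this example; tune it for your own environment.
SUSPECT_DIRS = (
    "\\documents and settings\\",  # XP user profiles, incl. All Users\Application Data
    "\\windows\\temp\\",
    "\\temp\\",
)

# HijackThis line shapes as they appear in the log above.  A service display
# name containing " - " would confuse the O23 split; none on this page does.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    kind: str                 # "O4" or "O23"
    name: str                 # autostart value name or service display name
    line: str                 # the original log line
    reasons: List[str] = field(default_factory=list)


def _path_reasons(path: str) -> List[str]:
    """Reasons derived from the executable path/command alone."""
    low = path.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("binary reported missing")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from a profile/data directory")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries worth a follow-up question, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons = _path_reasons(m.group("path"))
            if m.group("owner").strip().lower() == "unknown owner":
                reasons.append("unknown owner")
            if reasons:
                findings.append(Finding("O23", m.group("name"), line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            reasons = _path_reasons(m.group("cmd"))
            if m.group("hive") == "HKCU":
                reasons.append("per-user autostart (HKCU)")
            if reasons:
                findings.append(Finding("O4", m.group("name"), line, reasons))
    return findings


def reasons_by_name(log_text: str) -> Dict[str, List[str]]:
    """Convenience view: {entry name: [reasons]}."""
    return {f.name: f.reasons for f in triage(log_text)}


# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, with the extraction line-wrapping repaired.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Bomgar Jump Client [1242421781-1242421826] (bomgar-ps-1242421781-1242421826) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A0DDA14\bomgar-scc.exe (file missing)
O23 - Service: Bomgar Support Customer Client [1242683279] (bomgar-scc-1242683279) - Bomgar Corporation - C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-4A11D78F\bomgar-scc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {', '.join(f.reasons)}")
```

Every flagged entry should be confirmed against the vendor and the local inventory, as the asker did for Bomgar, before anything is removed.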
ASKER
Yes Bomgar is legit.
--------------------------
Userinit: Event 1000
Could not execute the following script \\justmarketing.local\SysVol\justmarketing.local\scripts\mountdrives.cmd. The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
Userenv: Event 1521
Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you logoff. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
DETAIL - The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
UserEnv: Event 1053
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--------------------------
Check that this machine has proper DNS settings and that it is using a valid DNS server.
If you did find an issue and fix it, you may need to run the commands
ipconfig /flushdns
ipconfig /registerdns
Also, Event ID 1521 seems to be very important here; please check this article for the resolution part:
http://www.chicagotech.net/winissues/roamingprofile1.htm
ASKER
So I feel comfortable saying that the issue has been resolved.
But I don't understand exactly how.
So I disabled the Windows XP System Restore and then ran my virus software barrage, and all kinds of stuff came up and was quarantined/cleaned. After several restarts the machine is back to acting and functioning normally.
Symantec didn't show me exactly what the bug was; everything was generic, backdoor.trojan and another called Trojan Horse.
Can you tell me why this worked? I am not sure I fully understand what the XP System Restore does.
It must be those generic backdoor trojans/trojan horses that your antivirus found and quarantined that caused the problem. They can stop utilities, e.g. cmd, regedit etc., from working.
Glad to know it's been resolved.
System Restore creates a restore point or snapshot of the system's configuration so that the Administrator can easily return a system back to a known good configuration.
Questions about System Restore are answered here:
http://www.5starsupport.com/faq/xp-system-restore.htm
ASKER
Thank you both very much,
My last question is a risk question.
So I now know that I was infected and that I "believe" that I have resolved the issue.
How comfortable (if you were in my shoes) should I be with putting this machine back on my network?
Thanks again for all your help.
If there is no more unexpected behaviour, and the machine's antivirus is up and running, receiving updates from the server, as well as the latest Windows updates, I can say it is OK to put the machine back on the network.
However, if your environment is a high-risk (financial, etc.) one, I believe rebuilding the machine with a fresh image is always the safest bet; you can keep it offline for a day or so under testing, then decide where to take it from there.
ASKER
Thank You very much Admin3k, your assistance was very helpful.
You can try to log in as that user and check his %TEMP% folder and Temporary Internet Files for the existence of any binaries/executables.
What errors do you get when running regedit/cmd?
Also, can you please post a HijackThis log from this user's profile.