Process's that I cant account for and more

I have several process's I cant account for on a system I am trying to clean. See the attatched jpg for the task list.

sks.exe (a keylogger I think)
fqecs.exe (no idea)
vadds.exe (no idea)
rwvs.exe (no idea)

there are 5 alarms that TDS posts but deleteing them does not work, they just come back:

Scan Control Dumped @ 07:18:48 13-11-03
RegVal Trace: Worm.Alcaul: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [WinSrv=C:\winnt\system32\hiddenrun.exe WinSrv.exe]

RegVal Trace: DDoS.RAT.mIRC-Based: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Application=C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe]

RegVal Trace: Worm.Randex: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Netview=gesfm32.exe

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [System Executable DLL Library=EXECDLL32.EXE

RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [System Executable DLL Library=EXECDLL32.EXE

I think I sould zip up and send the exe files in but wanted to try a post incase that would be a waste of someones time...

 

Hi Dale,

If you are running on WinNT/2K/XP you should make sure to be running your TDS scan as Admihnistrator or someone that has Andministrative rights on that machine.

Also...

Can you please download and run DCS's AutostartViewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.


Thanks

 

Hi Dale, welcome to the forum!
Just want to welcome you and tell you your posting is most certainly no waste of nobody's time, as there are always people learning from it in case it would be innocent.

Looking forward to Dan's comments on your ASViewer log!

 

...hmmm, while you are at itcan you please post two other logs...

Can you please download and run HijackThis from

http://www.mjc1.com/files/merijn/hijackthis.zip

and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

also,

Can you please download DCS's OpenPorts program from

http://www.diamondcs.com.au/downloads/openports.zip

Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

openports > openports.txt

and then press the Enter key

Then type;

openports.txt

and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review

 

Thanx for the Welcom, sorry I forgot to say its a win2k system and yes to admin. BTW, re: asviewer, nice util, gona save that one..

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Dave@HAL, 11-13-2003
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINNT\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Executable DLL Library
EXECDLL32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pwned
pwned.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services
C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSrv
C:\winnt\system32\hiddenrun.exe WinSrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Application
C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vdata
C:\WINNT\SYSTEM32\fqecs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Netview
gesfm32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\davadqqec
C:\WINNT\SYSTEM32\vadds.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Window manager
C:\WINNT\SYSTEM32\sks.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinManage
C:\WINNT\SYSTEM32\rwvs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fqezza
hdjge.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System Executable DLL Library
EXECDLL32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\pwned
pwned.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Netview
gesfm32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\fqezza
hdjge.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\system32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll

 

openports and hijack thi logs:

DiamondCS OpenPorts v1.0 (-? for help)
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
Free for personal and educational use only. See openports.txt for more details.
_______________________________________________________________________________

SYSTEM [0]
UDP 0.0.0.0:1026 0.0.0.0:0 LISTENING
SYSTEM [8]
TCP 192.168.44.16:1127 192.168.44.1:445 ESTABLISHED
TCP 0.0.0.0:1103 0.0.0.0:0 LISTENING
TCP 192.168.44.16:139 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1127 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 192.168.44.16:1125 0.0.0.0:0 LISTENING
UDP 192.168.44.16:137 0.0.0.0:0 LISTENING
UDP 192.168.44.16:138 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
lsass.exe [224]
UDP 192.168.44.16:4500 0.0.0.0:0 LISTENING
UDP 192.168.44.16:500 0.0.0.0:0 LISTENING
svchost.exe [400]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
MSTask.exe [572]
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
fqecs.exe [916]
TCP 0.0.0.0:19097 0.0.0.0:0 LISTENING
vadds.exe [948]
TCP 0.0.0.0:19084 0.0.0.0:0 LISTENING
sks.exe [964]
TCP 0.0.0.0:33112 0.0.0.0:0 LISTENING
rwvs.exe [968]
TCP 0.0.0.0:35541 0.0.0.0:0 LISTENING

Logfile of HijackThis v1.97.7
Scan saved at 8:23:12 AM, on 11/13/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\SYSTEM32\fqecs.exe
C:\WINNT\SYSTEM32\vadds.exe
C:\WINNT\SYSTEM32\sks.exe
C:\WINNT\SYSTEM32\rwvs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Dave\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\Run: [pwned] pwned.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O4 - HKLM\..\Run: [WinSrv] C:\winnt\system32\hiddenrun.exe WinSrv.exe
O4 - HKLM\..\Run: [Application] C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
O4 - HKLM\..\Run: [vdata] C:\WINNT\SYSTEM32\fqecs.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [davadqqec] C:\WINNT\SYSTEM32\vadds.exe
O4 - HKLM\..\Run: [Window manager] C:\WINNT\SYSTEM32\sks.exe
O4 - HKLM\..\Run: [WinManage] C:\WINNT\SYSTEM32\rwvs.exe
O4 - HKLM\..\Run: [fqezza] hdjge.exe
O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\RunServices: [pwned] pwned.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\RunServices: [fqezza] hdjge.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.9451851852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nanaimo.cs
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nanaimo.cs
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nanaimo.cs

 

Okay

Can you please move your HijackThis exe to a separate directory such as in Winnt so it will be in the PATH

Then terminate the following processes

C:\WINNT\SYSTEM32\fqecs.exe
C:\WINNT\SYSTEM32\vadds.exe
C:\WINNT\SYSTEM32\sks.exe
C:\WINNT\SYSTEM32\rwvs.exe

Then close all other programs and select and fix the following within HijackThis

O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\Run: [pwned] pwned.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O4 - HKLM\..\Run: [WinSrv] C:\winnt\system32\hiddenrun.exe WinSrv.exe
O4 - HKLM\..\Run: [Application] C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
O4 - HKLM\..\Run: [vdata] C:\WINNT\SYSTEM32\fqecs.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [davadqqec] C:\WINNT\SYSTEM32\vadds.exe
O4 - HKLM\..\Run: [Window manager] C:\WINNT\SYSTEM32\sks.exe
O4 - HKLM\..\Run: [WinManage] C:\WINNT\SYSTEM32\rwvs.exe
O4 - HKLM\..\Run: [fqezza] hdjge.exe
O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
O4 - HKLM\..\RunServices: [pwned] pwned.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\RunServices: [fqezza] hdjge.exe

Then do a reboot and re-run ASViewer but please make sure to go to the Main menu and have all three top options selected and post the log back here. I'm concerned it will not remove the reg entries as some processes are running hidden and they may be protecting the reg entries from being deleted. So we may have to do other things in safe mode if this doesn't work

 

Ok, Here is the dump you asked for:
BTW I think that worked but cant verify it as TDS wont work anymore
I was not thinking and corrected the date on the PC from 2002 to 2004
boom no more tds eval on that system, my roveing licence will take a few days to process they say so I am shot for 2 or 3 days now...

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Dave@HAL, 01-13-2004
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINNT\system32\NeroCheck.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\system32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office\OSA9.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINNT\system32\setup\wmpocm.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINNT\system32\shmgrate.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINNT\system32\shmgrate.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}\
regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINNT\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
C:\WINNT\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINNT\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AvgCore\
\??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
HKLM\System\CurrentControlSet\Services\AvgFsh\
\??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
HKLM\System\CurrentControlSet\Services\AvgServ\
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\NtmsSvc\
C:\WINNT\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINNT\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINNT\system32\regsvc.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINNT\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINNT\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\SCardDrv\
C:\WINNT\system32\scardsvr32.exe -v
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINNT\system32\MSTask.exe
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINNT\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINNT\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\WinMgmt\
C:\WINNT\System32\WBEM\WinMgmt.exe
HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
C:\WINNT\system32\mspmspsv.exe
HKLM\System\CurrentControlSet\Services\wuauserv\
C:\WINNT\system32\svchost.exe -k wugroup

 

Cool, it does look clean now as regards the startup environment but of course you still have the files there. Also, some of those were viruses and so we should (IMO) work under the assumption that the AV was circumvented.

You might want to consider redownloading and installing the AV and/or perhaps doing an online AV scan from some place like Panda's ActiveScan

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Then, once you get situated with the TDS license you can do a followup scan, as you mentioned.

Regards,

Dan

 

Please send all those suspicious EXE's to submit@diamondcs.com.au (MOST important for the rest of the community)

 

I guess I should have, but too late now, I have my roming key now and have verifyed the infection is eradicated. I have 2 more systems with trojans to do this week, maybe they will have the same files....

 

If you see again that entry in the HOSTS file please replace it with
64.91.255.87 www.dcsresearch.com
as that should make the TDS F5 key redirect you to the DCS forum