Processes that I can't account for, and more

Discussion in 'Trojan Defence Suite' started by Dale.E, Jan 13, 2004.

Thread Status:
Not open for further replies.
  1. Dale.E

    Dale.E Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    14
    Location:
    Vancouver Isl Nanaimo B.C. Canada
    I have several processes I can't account for on a system I am trying to clean. See the attached jpg for the task list.

    sks.exe (a keylogger I think)
    fqecs.exe (no idea)
    vadds.exe (no idea)
    rwvs.exe (no idea)

    There are 5 alarms that TDS posts, but deleting them does not work; they just come back:

    Scan Control Dumped @ 07:18:48 13-11-03
    RegVal Trace: Worm.Alcaul: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [WinSrv=C:\winnt\system32\hiddenrun.exe WinSrv.exe]

    RegVal Trace: DDoS.RAT.mIRC-Based: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Application=C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe]

    RegVal Trace: Worm.Randex: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Netview=gesfm32.exe

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [System Executable DLL Library=EXECDLL32.EXE

    RegVal Trace: DDoS.RAT.SDBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [System Executable DLL Library=EXECDLL32.EXE


    I think I should zip up and send the exe files in, but I wanted to try a post in case that would be a waste of someone's time...
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Dale,

    If you are running on WinNT/2K/XP you should make sure to be running your TDS scan as Administrator or as someone that has Administrative rights on that machine.

    Also...

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.


    Thanks
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Dale, welcome to the forum!
    Just want to welcome you and tell you your posting is most certainly not a waste of anybody's time, as there are always people learning from it, even if it should turn out to be innocent.

    Looking forward to Dan's comments on your ASViewer log!
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    ...hmmm, while you are at it, can you please post two other logs...

    Can you please download and run HijackThis from

    http://www.mjc1.com/files/merijn/hijackthis.zip

    and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on.

    also,

    Can you please download DCS's OpenPorts program from

    http://www.diamondcs.com.au/downloads/openports.zip

    Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

    openports > openports.txt

    and then press the Enter key

    Then type;

    openports.txt

    and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review
     
  5. Dale.E

    Dale.E Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    14
    Location:
    Vancouver Isl Nanaimo B.C. Canada
    Thanks for the welcome. Sorry, I forgot to say it's a Win2K system, and yes to admin. BTW, re: ASViewer, nice util, gonna save that one.. :D

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Dave@HAL, 11-13-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Executable DLL Library
    EXECDLL32.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pwned
    pwned.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services
    C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinSrv
    C:\winnt\system32\hiddenrun.exe WinSrv.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Application
    C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vdata
    C:\WINNT\SYSTEM32\fqecs.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Netview
    gesfm32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\davadqqec
    C:\WINNT\SYSTEM32\vadds.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Window manager
    C:\WINNT\SYSTEM32\sks.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinManage
    C:\WINNT\SYSTEM32\rwvs.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fqezza
    hdjge.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System Executable DLL Library
    EXECDLL32.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\pwned
    pwned.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Netview
    gesfm32.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\fqezza
    hdjge.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
     
  6. Dale.E

    Dale.E Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    14
    Location:
    Vancouver Isl Nanaimo B.C. Canada
    OpenPorts and HijackThis logs:

    DiamondCS OpenPorts v1.0 (-? for help)
    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
    Free for personal and educational use only. See openports.txt for more details.
    _______________________________________________________________________________

    SYSTEM [0]
    UDP 0.0.0.0:1026 0.0.0.0:0 LISTENING
    SYSTEM [8]
    TCP 192.168.44.16:1127 192.168.44.1:445 ESTABLISHED
    TCP 0.0.0.0:1103 0.0.0.0:0 LISTENING
    TCP 192.168.44.16:139 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1127 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 192.168.44.16:1125 0.0.0.0:0 LISTENING
    UDP 192.168.44.16:137 0.0.0.0:0 LISTENING
    UDP 192.168.44.16:138 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
    lsass.exe [224]
    UDP 192.168.44.16:4500 0.0.0.0:0 LISTENING
    UDP 192.168.44.16:500 0.0.0.0:0 LISTENING
    svchost.exe [400]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    MSTask.exe [572]
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    fqecs.exe [916]
    TCP 0.0.0.0:19097 0.0.0.0:0 LISTENING
    vadds.exe [948]
    TCP 0.0.0.0:19084 0.0.0.0:0 LISTENING
    sks.exe [964]
    TCP 0.0.0.0:33112 0.0.0.0:0 LISTENING
    rwvs.exe [968]
    TCP 0.0.0.0:35541 0.0.0.0:0 LISTENING


    Logfile of HijackThis v1.97.7
    Scan saved at 8:23:12 AM, on 11/13/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\SYSTEM32\fqecs.exe
    C:\WINNT\SYSTEM32\vadds.exe
    C:\WINNT\SYSTEM32\sks.exe
    C:\WINNT\SYSTEM32\rwvs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Dave\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\Run: [pwned] pwned.exe
    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
    O4 - HKLM\..\Run: [WinSrv] C:\winnt\system32\hiddenrun.exe WinSrv.exe
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
    O4 - HKLM\..\Run: [vdata] C:\WINNT\SYSTEM32\fqecs.exe
    O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
    O4 - HKLM\..\Run: [davadqqec] C:\WINNT\SYSTEM32\vadds.exe
    O4 - HKLM\..\Run: [Window manager] C:\WINNT\SYSTEM32\sks.exe
    O4 - HKLM\..\Run: [WinManage] C:\WINNT\SYSTEM32\rwvs.exe
    O4 - HKLM\..\Run: [fqezza] hdjge.exe
    O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\RunServices: [pwned] pwned.exe
    O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
    O4 - HKLM\..\RunServices: [fqezza] hdjge.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.9451851852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nanaimo.cs
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nanaimo.cs
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nanaimo.cs
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay :)

    Can you please move your HijackThis exe to a separate directory such as in Winnt so it will be in the PATH

    Then terminate the following processes

    C:\WINNT\SYSTEM32\fqecs.exe
    C:\WINNT\SYSTEM32\vadds.exe
    C:\WINNT\SYSTEM32\sks.exe
    C:\WINNT\SYSTEM32\rwvs.exe

    Then close all other programs and select and fix the following within HijackThis

    O4 - HKLM\..\Run: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\Run: [pwned] pwned.exe
    O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
    O4 - HKLM\..\Run: [WinSrv] C:\winnt\system32\hiddenrun.exe WinSrv.exe
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\rmtcfg\files\hiddenrun.exe mdll.exe
    O4 - HKLM\..\Run: [vdata] C:\WINNT\SYSTEM32\fqecs.exe
    O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
    O4 - HKLM\..\Run: [davadqqec] C:\WINNT\SYSTEM32\vadds.exe
    O4 - HKLM\..\Run: [Window manager] C:\WINNT\SYSTEM32\sks.exe
    O4 - HKLM\..\Run: [WinManage] C:\WINNT\SYSTEM32\rwvs.exe
    O4 - HKLM\..\Run: [fqezza] hdjge.exe
    O4 - HKLM\..\RunServices: [System Executable DLL Library] EXECDLL32.EXE
    O4 - HKLM\..\RunServices: [pwned] pwned.exe
    O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
    O4 - HKLM\..\RunServices: [fqezza] hdjge.exe

    Then do a reboot and re-run ASViewer but please make sure to go to the Main menu and have all three top options selected and post the log back here. I'm concerned it will not remove the reg entries as some processes are running hidden and they may be protecting the reg entries from being deleted. So we may have to do other things in safe mode if this doesn't work :)
     
  8. Dale.E

    Dale.E Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    14
    Location:
    Vancouver Isl Nanaimo B.C. Canada
    Ok, Here is the dump you asked for:
    BTW, I think that worked, but I can't verify it as TDS won't work anymore :oops:
    I was not thinking and corrected the date on the PC from 2002 to 2004.
    Boom, no more TDS eval on that system; my roving licence will take a few days to process, they say, so I am shot for 2 or 3 days now...

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Dave@HAL, 01-13-2004
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINNT\system32\NeroCheck.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\system32\NETSHELL.dll
    C:\WINNT\system32\webcheck.dll
    C:\WINNT\system32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\msafd.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINNT\system32\setup\wmpocm.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINNT\system32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINNT\system32\shmgrate.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6A5110B5-E14B-4268-A065-EF89FF33C325}\
    regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINNT\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINNT\system32\updcrl.exe -e -u %SystemRoot%\system32\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINNT\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINNT\System32\services.exe
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\NtmsSvc\
    C:\WINNT\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINNT\system32\regsvc.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINNT\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINNT\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SCardDrv\
    C:\WINNT\system32\scardsvr32.exe -v
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINNT\system32\MSTask.exe
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINNT\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINNT\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINNT\system32\services.exe
    HKLM\System\CurrentControlSet\Services\WinMgmt\
    C:\WINNT\System32\WBEM\WinMgmt.exe
    HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
    C:\WINNT\system32\mspmspsv.exe
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINNT\system32\svchost.exe -k wugroup
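A small triage script that automates what posts 4 to 8 do by hand with the OpenPorts and Autostart Viewer reports: map each listening process to the Run/RunServices value that starts it, flag autostart values that hold a bare file name, and diff the before and after reports to confirm the entries did not come back. This is an added example, not a DiamondCS tool and not the poster's code; it assumes the two report formats are exactly as pasted in this thread, and the embedded sample data is a constructed, trimmed excerpt of those reports.

```python
"""Added triage helper for the logs in this thread (not a DiamondCS tool, not the
poster's code).  Assumes the OpenPorts / Autostart Viewer report formats are as
pasted above; the sample data below is a constructed, trimmed excerpt of them."""
import re
from collections import defaultdict

# Constructed excerpt of the OpenPorts report (post 6): "image [pid]", then its sockets.
OPENPORTS = r"""
svchost.exe [400]
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
fqecs.exe [916]
TCP 0.0.0.0:19097 0.0.0.0:0 LISTENING
vadds.exe [948]
TCP 0.0.0.0:19084 0.0.0.0:0 LISTENING
sks.exe [964]
TCP 0.0.0.0:33112 0.0.0.0:0 LISTENING
rwvs.exe [968]
TCP 0.0.0.0:35541 0.0.0.0:0 LISTENING
"""

# Constructed excerpts of the Autostart Viewer reports before (post 5) and after (post 8).
ASV_BEFORE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Executable DLL Library
EXECDLL32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vdata
C:\WINNT\SYSTEM32\fqecs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\davadqqec
C:\WINNT\SYSTEM32\vadds.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Window manager
C:\WINNT\SYSTEM32\sks.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinManage
C:\WINNT\SYSTEM32\rwvs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\pwned
pwned.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
"""
ASV_AFTER = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr
C:\Program Files\MSN Messenger\MsnMsgr.Exe
"""

PROC_RE = re.compile(r"^(\S+)\s+\[(\d+)\]$")
SOCK_RE = re.compile(r"^(TCP|UDP)\s+\S+:(\d+)\s+\S+:\d+\s+(\w+)$")
RUN_RE = re.compile(r"^(HK\w+)\\.*\\CurrentVersion\\(Run|RunServices|RunOnce)\\(.+)$", re.I)
EXE_RE = re.compile(r'[^\\\s"]+\.exe', re.I)


def parse_openports(text):
    """{(image, pid): [(proto, port), ...]} for every LISTENING socket in the report."""
    listeners, current = defaultdict(list), None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            current = (m.group(1), int(m.group(2)))
        elif (m := SOCK_RE.match(line)) and current and m.group(3) == "LISTENING":
            listeners[current].append((m.group(1), int(m.group(2))))
    return dict(listeners)


def parse_run_entries(text):
    """{(hive, key, value_name): command}; ASViewer prints a location line, then its command."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return {(m.group(1).upper(), m.group(2), m.group(3)): lines[i + 1]
            for i, line in enumerate(lines[:-1]) if (m := RUN_RE.match(line))}


def exe_names(command):
    """Every *.exe token in a Run command, lower-cased, so a launcher line such as
    'hiddenrun.exe WinSrv.exe' yields both the loader and its payload."""
    return {n.lower() for n in EXE_RE.findall(command)}


def triage(listeners, run_entries):
    """Listening processes whose image is also started from a Run/RunServices value.
    That pairing (odd value name plus a listener on a high port) is what singled out
    fqecs, vadds, sks and rwvs above; svchost listens but is not persisted there."""
    persisted = defaultdict(list)
    for (hive, key, name), cmd in run_entries.items():
        for exe in exe_names(cmd):
            persisted[exe].append(f"{hive}\\...\\{key}\\{name}")
    return sorted((proc, pid, port, persisted[proc.lower()])
                  for (proc, pid), ports in listeners.items()
                  for _, port in ports if proc.lower() in persisted)


def pathless_entries(run_entries):
    """Run values holding a bare file name, which Windows resolves through the PATH
    (EXECDLL32.EXE and pwned.exe above).  Installers normally write a full path."""
    return {k: v for k, v in run_entries.items() if "\\" not in v}


def diff_run_entries(before, after):
    """(removed, added) Run-type entries between two ASViewer reports, the check post 8
    does by eye: 'removed' should be exactly the fixed items and 'added' empty, since
    anything new means a still-running component re-created its persistence."""
    b, a = parse_run_entries(before), parse_run_entries(after)
    return ({k: v for k, v in b.items() if k not in a},
            {k: v for k, v in a.items() if k not in b})
```

On the excerpts above, triage returns fqecs.exe, rwvs.exe, sks.exe and vadds.exe together with the Run value that persists each, pathless_entries returns the EXECDLL32.EXE and pwned.exe values, and diff_run_entries reports six entries removed and none added. The bare-name check is only a heuristic: on the full report it also picks up the legitimate "mobsync.exe /logon" value, so treat its output as a list of things to verify, not to delete. A clean diff proves only that the autostart entries are gone; the files themselves are still on disk, which is why the AV follow-up in the next post matters.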
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Cool, it does look clean now as regards the startup environment but of course you still have the files there. Also, some of those were viruses and so we should (IMO) work under the assumption that the AV was circumvented.

    You might want to consider redownloading and installing the AV and/or perhaps doing an online AV scan from some place like Panda's ActiveScan

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Then, once you get situated with the TDS license you can do a followup scan, as you mentioned.

    Regards,

    Dan
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please send all those suspicious EXE's to submit@diamondcs.com.au (MOST important for the rest of the community)
     
  11. Dale.E

    Dale.E Registered Member

    Joined:
    Jan 13, 2004
    Posts:
    14
    Location:
    Vancouver Isl Nanaimo B.C. Canada
    I guess I should have, but it's too late now. I have my roaming key now and have verified the infection is eradicated. I have 2 more systems with trojans to do this week; maybe they will have the same files....
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you see that entry in the HOSTS file again, please replace it with
    64.91.255.87 www.dcsresearch.com
    as that should make the TDS F5 key redirect you to the DCS forum
     