Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

US Dept. of Justice Trojan... anyone know what it does?

Status
Not open for further replies.
msdonb

msdonb

IS-IT--Management
Joined
Dec 20, 2007
Messages
61
Our company was just hit with a trojan inside a spoofed USDOJ e-mail. Looked somewhat legitimate, but haven't been able to find a fix anywhere? Does anyone know anything about this or how to get rid of it? Not sure what kind of damage it does, but if it's a keylogger I need a fix asap because it's on an important machine. Thanks all for your help:

 
Sort by date Sort by votes
Run your corporate antivirus or whatever antivirus you are using. Then download hijackthis from the link below. Do a system scan and save a logfile but do not attempt to fix anything unless you know what you are doing as not everything it shows is bad. Post the logfile on here.




There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:42 AM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\InfoTronics\Attendance Enterprise\AESECURITY.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\WINDOWS\TEMP\FO7417.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [Sonic RecordNow!] (User 'maryp')
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'maryp')
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 Startup: Lotus Notes.lnk = C:\Lotus\Notes\notes.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 Startup: PowerReg Scheduler V3.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 User Startup: Lotus Notes.lnk = C:\Lotus\Notes\notes.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 User Startup: PowerReg Scheduler V3.exe (User 'maryp')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5F9FBA-1548-4D8C-A67B-89FF22D14C34}: NameServer = 199.2.252.10,204.97.212.10
O23 - Service: Attendance Enterprise Security Manager (AeSecurity) - InfoTronics, Inc. - C:\Program Files\InfoTronics\Attendance Enterprise\AESECURITY.EXE
O23 - Service: Attendance Enterprise Service (AeService) - InfoTronics, Inc. - C:\Program Files\InfoTronics\Attendance Enterprise\AESERVICE.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7694 bytes
 
Upvote 0 Downvote
The only thing I see wrong on that logfile is this

O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5F9FBA-1548-4D8C-A67B-89FF22D14C34}: NameServer = 199.2.252.10,204.97.212.10

If this computer is on dial up, then go to control panel, administrative tools, then services. Stop and disable the messenger service.

Also have you tried any rootkit scanners?



There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
The computer is NOT on dialup, however the name servers referenced in that registry entry are the correct addresses we use for DNS. Would you still consider this to be a threat?
 
Upvote 0 Downvote
The original DOJ complaint trojan's been around for a couple of months, so if you just got blipped by this one yesterday, you probably got the new variant described here:


We got an emergency notification/profile release at midnite, based on detection of a fresh and rather large detected SPAM run.

If you have the hardware capability to do so, blacklisting the listed URL's/IP's at your 'net pipe would be an excellent idea.--The Bug Guy
 
Upvote 0 Downvote
can you confirm what FO7417.EXE does? i do not recognize it but if you can't either then delete it and clear your temp files.
 
Upvote 0 Downvote
Try a few scans with Dr web and Mwav!



Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,



double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on
mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.



Highlight the section of Mwav which says " virus log information "
which lists infected items and hold CTRL + C to Copy then paste it here. The
I just need the infected items list.





* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit.exe file and Allow to run the express scan
* This will scan the files currently running in memory and when something is
found,
click the yes button when it asks you if you want to cure it. This is only a
short scan.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
* Back at the main window, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the
files found: IPB Image
* If so, click it and then click the next icon right below and select Move
incurable as you'll see in next image:
IPB Image
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it
can't be cured. (this in case if we need samples)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose
save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will
be moved/deleted during reboot.




Post a new hijack this, the dr web scan log and the Mwav log!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
pechenegs,

Thank you very much for this information, I will surely implement these fixes as soon as possible. Will post results as soon as the scans finish. This will definately be of great benefit for the future as well.

Thanks!
 
Upvote 0 Downvote
Thu Feb 28 12:13:36 2008 => ***** Scanning complete. *****

Thu Feb 28 12:13:36 2008 => Total Number of Files Scanned: 3330
Thu Feb 28 12:13:36 2008 => Total Number of Virus(es) Found: 0
Thu Feb 28 12:13:36 2008 => Total Number of Disinfected Files: 0
Thu Feb 28 12:13:36 2008 => Total Number of Files Renamed: 0
Thu Feb 28 12:13:36 2008 => Total Number of Deleted Files: 0
Thu Feb 28 12:13:36 2008 => Total Number of Errors: 2
Thu Feb 28 12:13:36 2008 => Time Elapsed: 00:03:39
Thu Feb 28 12:13:36 2008 => Virus Database Date: 2008/01/11
Thu Feb 28 12:13:36 2008 => Virus Database Count: 507730

Thu Feb 28 12:13:36 2008 => Scan Completed.




No virus found through Kaspersky
 
Upvote 0 Downvote
Dr. Web scan complete.... no viruses found...
 
Upvote 0 Downvote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:03 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\InfoTronics\Attendance Enterprise\AESECURITY.EXE
C:\Program Files\InfoTronics\Attendance Enterprise\AESERVICE.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\WINDOWS\TEMP\EX1C6D.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\RDS\PLTBar.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Program Files\Funk Software\Proxy Host\phtray.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RDS\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RDS\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [Sonic RecordNow!] (User 'maryp')
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'maryp')
O4 - HKUS\S-1-5-21-1407314042-2911943238-11517781-1009\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 Startup: Lotus Notes.lnk = C:\Lotus\Notes\notes.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 Startup: PowerReg Scheduler V3.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 User Startup: Lotus Notes.lnk = C:\Lotus\Notes\notes.exe (User 'maryp')
O4 - S-1-5-21-1407314042-2911943238-11517781-1009 User Startup: PowerReg Scheduler V3.exe (User 'maryp')
O4 - Global Startup: Auto Document Link.lnk = C:\Program Files\RDS\PLDlnk.exe
O4 - Global Startup: Function Palette.lnk = C:\Program Files\RDS\PLTBar.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RDS\RMClient\PMClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - O16 - DPF: {69B502DF-D12F-4FD7-9892-D8DFA2D96474} (OfficeScan Management Console) - O17 - HKLM\System\CCS\Services\Tcpip\..\{AF5F9FBA-1548-4D8C-A67B-89FF22D14C34}: NameServer = 199.2.252.10,204.97.212.10
O23 - Service: Attendance Enterprise Security Manager (AeSecurity) - InfoTronics, Inc. - C:\Program Files\InfoTronics\Attendance Enterprise\AESECURITY.EXE
O23 - Service: Attendance Enterprise Service (AeService) - InfoTronics, Inc. - C:\Program Files\InfoTronics\Attendance Enterprise\AESERVICE.EXE
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 8294 bytes
 
Upvote 0 Downvote
where does it say the virus is, what is it's location and what is finding it?

If you can find the file you should upload it to certain companies like kaspersky so they can analyse it!


yhis is a compnay computer, can't your IT dept deal with it or are you it? don't you use acronis or ghost to roll back.

If you want, we can try some more tools but I need to know that the company you are working for are ok to proceed as some companies have users who screw up trying to fix their infected pcs and lose a company vital data!



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Welcome back pecheneges!

Steve: N.M.N.F.
Playing the blues isn't about feeling better. It's about making other people feel worse.
 
Upvote 0 Downvote
cheers sg, how are you?

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
I am the network administrator for this company. We have safeguards in place to protect the data on our servers (i.e. Acronis, BackupExec) however this bug hit our gal in human resources and we do not image all of our client pcs for roll back. Trend Micro OfficeScan is on the machine, however the initial post I read about this virus stated that it couldn't be detected up by any major antivirus software. And it wasn't. But the user said that she opened the attachment and extracted the contents, and executed the .scr file, which brought up a PDF complaint form. I assume that was plenty to activate the trojan in that e-mail, but I'm not seeing any activity from that machine. I'm monitoring all the ports on the machine, but haven't seen anything yet... just thought this was gonna be a disaster...
 
Upvote 0 Downvote
ok, lets see if we can find it!


Download WinPFind3U.exe to your Desktop and double-click on it to
extract the files. It will create a folder named WinPFind3u on your
desktop.





* Open the WinPFind3u folder and double-click on WinPFind3U.exe to start
the program.
o In the Processes group click Non-Microsoft
o In the Win32 Services group click Non-Microsoft
o In the Driver Services group click Non-Microsoft
o In the Registry group click Non-Microsoft
o In the Files Created Within group click 60 days Make sure
Non-Microsoft only is CHECKED
o In the Files Modified Within group select 30 days Make sure
Non-Microsoft only is CHECKED
o In the File String Search group select Non-Microsoft

On the extra scans list press select all
* Now click the Run Scan button on the toolbar.
* The program will be scanning huge amounts of data so depending on your
system it could take a long time to complete. Let it run unhindered until it
finishes.
* When the scan is complete Notepad will open with the report file
loaded in it.
* Save that notepad file

Use the Reply button and attach the notepad file here. I will review
it when it comes in.



go to this site to get silent runners,



once in the web page

Right click

and choose Save As...Save it to your Desktop. Make sure you have disabled
any programs
that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.).
Double
click on 'Silent Runners' to run it. This will take a few minutes. It will
create a file called 'Startup Programs' followed by your computer name and
current date. Open up that file and post all the contents here in your next
post..ph...=post&id=134981 and save it to your Desktop.



NOTE: If you have downloaded ComboFix previously please delete that
version and download it again!



Download ComboFix from
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe"]Here[/URL]
or
Here
to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just
before Windows starts to load. If done right a Windows Advanced Options menu
will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a
    HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its
running. That may cause it to stall



post the combo and the silent runners logs and can you attache the wpfind in notepad as it will be a very big log!





Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Yes, did you find this file?

C:\WINDOWS\TEMP\FO7417.EXE

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Silent Runners Results:

"Silent Runners.vbs", revision 56, Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sonic RecordNow!" = (empty string) [file not found]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"DellTransferAgent" = ""C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"diagent" = ""C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"ProxyHostTrayIcon" = ""C:\Program Files\Funk Software\Proxy Host\phtray.exe"" ["Funk Software, Inc."]
"NWTRAY" = "NWTRAY.EXE" ["Novell, Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"Client Access Service" = ""C:\Program Files\IBM\Client Access\cwbsvstr.exe"" ["IBM Corporation"]
"Client Access Help Update" = ""C:\Program Files\IBM\Client Access\cwbinhlp.exe"" ["IBM Corporation"]
"Client Access Check Version" = ""C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN" ["IBM Corporation"]
"Client Access Express Welcome" = ""C:\Program Files\IBM\Client Access\cwbwlwiz.exe"" ["IBM Corporation"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"JobHisInit" = "C:\Program Files\RDS\RMClient\JobHisInit.exe" ["RICOH COMPANY,LTD."]
"MplSetUp" = "C:\Program Files\RDS\RMClient\MplSetUp.exe" ["RICOH COMPANY,LTD."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{02040CD1-EF11-11D5-BC3F-0003473F5BF0}" = "HotShell Shell Extension"
-> {HKLM...CLSID} = "HotShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus\hotshell.dll" ["j2 Global Communications, Inc."]
"{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}" = "OfficeScan NT"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = "C:\Lotusshared\Notes\qnc.exe -p %ld -e %ld -g" [null data]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "GinaDLL" = "NWGINA.DLL" ["Novell, Inc."]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"nwv1_0"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
HotShellExt\(Default) = "{02040CD1-EF11-11D5-BC3F-0003473F5BF0}"
-> {HKLM...CLSID} = "HotShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus\hotshell.dll" ["j2 Global Communications, Inc."]
NetWareMenuItems\(Default) = "{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4}"
-> {HKLM...CLSID} = "Menu Handlers for NetWare Capture"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
PLTbMenu\(Default) = "{0923E181-20C7-4aed-ADF0-782ED052C930}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\RDS\PLTbMenu.dll" ["RICOH Company Ltd."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
OfficeScan NT\(Default) = "{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\OfficeScan Client\tmdshell.dll" ["Trend Micro Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NetWareMenuItems\(Default) = "{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4}"
-> {HKLM...CLSID} = "Menu Handlers for NetWare Capture"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
NetWareServerMenu\(Default) = "{9b173360-732b-11ce-aa22-00805f9834b0}"
-> {HKLM...CLSID} = "Shell Extensions for NetWare Trees and Servers"
\InProcServer32\(Default) = "novnpnt.dll" ["Novell, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\dell.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "juliej" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Auto Document Link" -> shortcut to: "C:\Program Files\RDS\PLDlnk.exe" ["RICOH Company Ltd."]
"Function Palette" -> shortcut to: "C:\Program Files\RDS\PLTBar.exe" ["RICOH Company Ltd."]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" ["Logitech"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]
"SmartDeviceMonitor for Client" -> shortcut to: "C:\Program Files\RDS\RMClient\PMClient.exe" ["RICOH COMPANY,LTD."]


Enabled Scheduled Tasks:
------------------------

"aebackup" -> launches: "C:\Documents and Settings\maryp\Desktop\aebackup.lnk" [file not found]
"Poll All Time Clocks" -> launches: "C:\Program Files\InfoTronics, Inc\Attendance Enterprise\AeLoader.exe //v //c:{8FF5CDBD-FACA-433E-8B29-074DFB15AE63} /P:{46855DD5-61DD-47F3-AA68-98FD8D04198F} /C:Default" [file not found]
"Reapply schedule" -> launches: "C:\Program Files\InfoTronics, Inc\Attendance Enterprise\AeLoader.exe //v //c:{8FF5CDBD-FACA-433E-8B29-074DFB15AE63} /P:{E0908E48-38C3-497D-9033-606EE3CA3EC4} /C:Default" [file not found]
"Recompute All Employees" -> launches: "C:\Program Files\InfoTronics, Inc\Attendance Enterprise\AeLoader.exe //v //c:{8FF5CDBD-FACA-433E-8B29-074DFB15AE63} /P:{08CD7E18-B472-4397-B61D-960F953FF25E} /C:Default" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\netware\NWWS2NDS.DLL" ["Novell, Inc."]
000000000005\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SAP.DLL" ["Novell, Inc."]
000000000006\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SLP.DLL" ["Novell, Inc."]
000000000007\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Attendance Enterprise Security Manager, AeSecurity, "C:\Program Files\InfoTronics\Attendance Enterprise\AESECURITY.EXE" ["InfoTronics, Inc."]
Attendance Enterprise Service, AeService, "C:\Program Files\InfoTronics\Attendance Enterprise\AESERVICE.EXE" ["InfoTronics, Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" ["Trend Micro Inc."]
OfficeScanNT Personal Firewall, OfcPfwSvc, "C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe" ["Trend Micro Inc."]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
Proxy Host Service, ProxyHostService, ""C:\Program Files\Funk Software\Proxy Host\ph32svc.exe"" ["Funk Software, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "aw_host" [file not found]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]
Proxy Remote Printing\Driver = "PHPMONNT.DLL" ["Funk Software, Inc."]
SmartDeviceMonitor\Driver = "RPNV2MON.DLL" ["RICOH COMPANY,LTD."]


---------- (launch time: 2008-02-29 09:01:15)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 46 seconds, including 18 seconds for message boxes)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

xit
  • Locked
  • News News
Just a sad, sad story. What are people thinking?
Replies
4
Views
451
edfair
edfair
DrB0b
  • Locked
  • Question Question
Crytowall 3.0 and How I dealt with it
Replies
7
Views
762
DrB0b
DrB0b
BionicJohn
  • Locked
  • Question Question
URUASY.A Ransomware Trojan - Help needed with removal
Replies
6
Views
623
BionicJohn
BionicJohn
harebrain
  • Locked
  • Question Question
Does Microsoft call you?
Replies
15
Views
1K
jlockley
jlockley
jlockley
  • Locked
  • Question Question
Virus? (posted in Windows, but perhaps it belongs here)
Replies
3
Views
504
jlockley
jlockley

Part and Inventory Search

Sponsor

Back
Top