Hello,

I'm having a serious problem with an infection on our HP Indigo Press Manager server. This is costing our company a lot of money in man hours and press downtime.

This machine is running:
- Windows XP Professional SP2
- EI 6.0.2900.2180.xpsp_sp2_gdr.070227-2254 (not to be upgraded per Hewlett Packard)
- Symantec AntiVirus Corporate Edition (will not run autoprotect in normal boot)

When I run scans, I repeatedly find the following:
- Virtumonde
- Win32.Agent.brf
- Win32.Agent.qt
- Smitfraud-C.
- Smitfraud-C.CoreService
- Tracking Cookies including Zedo, DoubleClick and HitBox

I have tried the following:
- Spybot S&D (Normal and Safe Modes)
- Adaware SE (Normal and Safe Modes)
- Symantec AntiVirus Corporate Edition (Safe Mode only)
- HijackThis.exe v1.99.1

HJT will not provide me a log file for the scan. It just terminates when I click "Save Log". I was able to get a startuplist.txt which I will include below:

****startuplist.txt****

StartupList report, 7/23/2007, 4:00:08 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\unicorn\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpDrvMon.exe
C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpEvtMon.exe
C:\PROGRA~1\HEWLET~1\ISEE\MOTIVE~1\bin\mad.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\hp indigo RIP\TurboRIP\viewer_service\TurboViewer.exe
C:\PROGRA~1\HEWLET~1\ISEE\MOTIVE~1\COMMON~1\MOTIVE~1.EXE
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\hp\svctools\common\wccproxy\share\wccproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\HP\HP AutoUpdate\HPWuSchd2.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WNSXS~1\regsvr32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\IndigoServe\Bin\Isrv2.exe
C:\Program Files\hp indigo RIP\TurboRIP\exe\rip.exe
C:\Program Files\Hewlett-Packard\ISEE\MotiveChorus\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\unicorn\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\unicorn\Start Menu\Programs\Startup]
hp indigo press Start.lnk = C:\unicorn\perl\bin\perl.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
hp IndigoServe 3.1.lnk = C:\IndigoServe\Bin\Isrv2.exe
HP ISEE.lnk = C:\Program Files\Hewlett-Packard\ISEE\MotiveChorus\bin\matcli.exe
RIP Restart Service.lnk = C:\Program Files\hp indigo RIP\TurboRIP\exe\restart_sys_service.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /installquiet
LTWinModem1 = ltmsg.exe 9
CPQEASYACC = C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
srmclean = C:\Cpqs\Scom\srmclean.exe
vptray = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
Miramar Systems, Inc. = C:\Program Files\Miramar\PC MACLAN\atmsg.exe
HP AutoUpdate = "C:\Program Files\HP\HP AutoUpdate\HPWuSchd2.exe"
SecureWeb = C:\WINDOWS\system32\MCp0b7QA.exe
Salestart = "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
poolsv = "C:\WINDOWS\poolsv.exe"
uwas7cw = "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
svhost = "C:\WINDOWS\svhost.exe"
MemoryManager = rundll32.exe "C:\WINDOWS\system32\krjlpvjb.dll",forkonce

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Lerm = "C:\WINDOWS\system32\WNSXS~1\regsvr32.exe" -vt yazb
Gvrvpsxm = "C:\Program Files\Common Files\M?crosoft\s?rvices.exe"
WinTouch = C:\Documents and Settings\unicorn\Application Data\WinTouch\WinTouch.exe
SfKg6w = C:\Documents and Settings\unicorn\Application Data\Microsoft\Windows\sqxagpg.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[Compaq]
SetRefresh = C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

[OptionalComponents]
*No values found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=%WINSYSDIR%\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

At1.job
At10.job
At11.job
At12.job
At13.job
At14.job
At15.job
At16.job
At17.job
At18.job
At19.job
At2.job
At20.job
At21.job
At22.job
At23.job
At24.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
At9.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,157 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

****EOF****

Any help will be greatly appreciated as this is effecting our production.

Thanks,
Kent Ohler
Signature Media

By renaming HijackThis.exe to scanner.exe, I was able to generate the following report:

****hijackthis.log****

Logfile of HijackThis v1.99.1
Scan saved at 5:39:23 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\HP\HP AutoUpdate\HPWuSchd2.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpDrvMon.exe
C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpEvtMon.exe
C:\WINDOWS\svhost.exe
C:\PROGRA~1\HEWLET~1\ISEE\MOTIVE~1\bin\mad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WNSXS~1\regsvr32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\IndigoServe\Bin\Isrv2.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Hewlett-Packard\ISEE\MotiveChorus\bin\mpbtn.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\hp indigo RIP\TurboRIP\viewer_service\TurboViewer.exe
C:\PROGRA~1\HEWLET~1\ISEE\MOTIVE~1\COMMON~1\MOTIVE~1.EXE
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\hp\svctools\common\wccproxy\share\wccproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\hp indigo RIP\TurboRIP\exe\rip.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\unicorn\Desktop\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {134A3887-8215-82C9-1C11-828DCA25D7B9} - C:\WINDOWS\system32\lkcvbzfa.dll
O2 - BHO: (no name) - {2D1F2983-FA13-4FF4-ADB4-F65F847B2A26} - C:\WINDOWS\system32\sstqp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\xqtrdkqr.dll
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\pmnlmnm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [HP AutoUpdate] "C:\Program Files\HP\HP AutoUpdate\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SecureWeb] C:\WINDOWS\system32\MCp0b7QA.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\krjlpvjb.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lerm] "C:\WINDOWS\system32\WNSXS~1\regsvr32.exe" -vt yazb
O4 - HKCU\..\Run: [Gvrvpsxm] "C:\Program Files\Common Files\M?crosoft\s?rvices.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\unicorn\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\unicorn\Application Data\Microsoft\Windows\sqxagpg.exe
O4 - Startup: hp indigo press Start.lnk = C:\unicorn\perl\bin\perl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: hp IndigoServe 3.1.lnk = C:\IndigoServe\Bin\Isrv2.exe
O4 - Global Startup: HP ISEE.lnk = C:\Program Files\Hewlett-Packard\ISEE\MotiveChorus\bin\matcli.exe
O4 - Global Startup: RIP Restart Service.lnk = C:\Program Files\hp indigo RIP\TurboRIP\exe\restart_sys_service.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sigpress.com
O17 - HKLM\Software\..\Telephony: DomainName = sigpress.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C796E5A-D6C9-4B9B-8ADD-D62F42A0F123}: NameServer = 24.173.242.85,24.28.99.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sigpress.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sigpress.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pmnlmnm - C:\WINDOWS\SYSTEM32\pmnlmnm.dll
O20 - Winlogon Notify: sstqp - C:\WINDOWS\system32\sstqp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: HpDrvMon (hpdrvmon) - Hewlett Packard - C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpDrvMon.exe
O23 - Service: HpEvtMon (hpevtmon) - Hewlett Packard - C:\Program Files\Hewlett-Packard\HP Indigo Monitors\HpEvtMon.exe
O23 - Service: HP ISEE (HP_Services) - Motive Communications, Inc. - C:\PROGRA~1\HEWLET~1\ISEE\MOTIVE~1\bin\mad.exe
O23 - Service: hp indigo RIP (IPTech TurboRIP) - IPTech, Inc. - C:\Program Files\hp indigo RIP\TurboRIP\exe\rip.exe
O23 - Service: hp indigo RIP Viewer (IPTech TurboViewer) - Unknown owner - C:\Program Files\hp indigo RIP\TurboRIP\viewer_service\TurboViewer.exe
O23 - Service: ISEEInit - Unknown owner - C:\Program Files\Hewlett-Packard\ISEE\RemoteSupport\bin\srvany.exe
O23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
O23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WCCProxy - Hewlett-Packard Company - C:\PROGRA~1\hp\svctools\common\wccproxy\share\wccproxy.exe



****EOF****

Hello again,

Is there anything I can do for this machine? Our press is pretty much down because of this (the server controlls the press, so an unhappy server is an unhappy press).

Not trying to nag or jump the queue, but we're really in a bad way here.

Thanks,
-Kent

Hello

This forum is setup for people with personal computers who are helped by volunteers.

I have to ask why a large company would be asking for assistance in such a forum, instead of pulling in the companies IT and Server management?

Which surely would be the route to take in a serious situation.

Hello

This forum is setup for people with personal computers who are helped by volunteers.

I have to ask why a large company would be asking for assistance in such a forum, instead of pulling in the companies IT and Server management?

Which surely would be the route to take in a serious situation.

Hello Tashi,

Thanks for the reply. We're actually a small company of 55 employees. What we are trying to avoid at this point is having a technician come out and re-image the server (something that will cost us money and lead to the loss of some data).

Also, we're keen on doing the best we can to ensure this doesn't happen again (though HP does not allow some things to be upgraded).

I understand if you are reluctant to help us with this issue because of the nature of our equipment. I have to try.

Thanks,
-Kent

Hello.

Do you have a Corporate license to run Spybot-S&D?

http://forums.spybot.info/showpost.php?p=44554&postcount=3 :)

Hello.

Do you have a Corporate license to run Spybot-S&D?

http://forums.spybot.info/showpost.php?p=44554&postcount=3 :)

I didn't realize there was such a thing.

We're going to go ahead and reimage. We're already two days down at this point.

Thanks anyway for your time.

Hello.

I don't know what the legal implications for a business may be in having a compromised server, possibly a back door/remote access trojan is involved. In a nutshell, you need professional IT assessment and advice.

Best regards.

This topic has been archived.