Another User with Virtumonde.dll and .plx Issues



Raptors06
2008-10-08, 23:46
I have noticed before posting that many people have apparently had issues with this particular infection. This infection has occurred on the server at the office where I work. I have attempted using Ad-Aware, NOD32, and Spybot S&D to remove this, but Spybot continues to indicate the infection is still in place. Any help is greatly appreciated. Below is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32:49, on 08-Oct-08
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3ware\3DM2\3dm2.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\F@H\F@W\Faw.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\3ware\3DM2\WinAVAlarm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - C:\WINDOWS\system32\pmnmljIx.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IDScenter] "C:\Program Files\IDScenter\idscenter.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1314264020-84704496-786063214-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-21-1314264020-84704496-786063214-500 Startup: Folding@Home 5.03.lnk = ? (User 'Administrator')
O4 - S-1-5-21-1314264020-84704496-786063214-500 User Startup: Folding@Home 5.03.lnk = ? (User 'Administrator')
O4 - S-1-5-18 Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'Default user')
O4 - Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe
O4 - Global Startup: 3DM 2.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {297BE6C8-39C6-4850-94A4-22638FF39D12} - http://jones-srv-01/centricitypm04/Install/McKesson04/McKesson04.cab
O16 - DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206656513953
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183593641234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183641965015
O16 - DPF: {723A35DD-9BB4-438E-BDDB-988B5E0298C7} - http://jones-srv-01/centricitypm04/Install/StandardPaperForms04/StandardPaperForms04.cab
O16 - DPF: {9188E82F-318B-4C6D-A796-29A6919EAEA2} - http://jones-srv-01/centricitypm%2004/Install/MPM03Components/Default.cab
O16 - DPF: {B1F6F07C-8CEF-4301-BFB7-A217427CD49F} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldComponents711_2/CPOPM04GoldComponents711_2.cab
O16 - DPF: {B4664E42-5597-40BA-8320-F2885640ED86} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Components/CPOPM04Components.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gehciits.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://jones-srv-01/centricitypm%2004/Install/MBCINSTaller60.dll
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://jones-srv-01/centricitypm04/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\Software\..\Telephony: DomainName = jones.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\SYSTEM32\pmnmljIx.dll
O23 - Service: 3DM2 - Unknown owner - C:\Program Files\3ware\3DM2\3dm2.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Faw - Unknown owner - C:\F@H\F@W\Faw (file missing)
O23 - Service: Folding@Home client 1 (Folding1d) - Unknown owner - C:\F@H\F@H1\srvany.exe
O23 - Service: Folding@Home client 2 (Folding2d) - Unknown owner - C:\F@H\F@H2\srvany.exe
O23 - Service: Folding@Home client 3 (Folding3d) - Unknown owner - C:\F@H\F@H3\srvany.exe
O23 - Service: Folding@Home client 4 (Folding4d) - Unknown owner - C:\F@H\F@H4\srvany.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11808 bytes

pskelley
2008-10-09, 17:15
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

This is a nasty infection and before I can help I need to post this information for you.

http://forums.spybot.info/showthread.php?t=288 <<< here

The malware removal forum is set up to help those in need of assistance with their personal computers. This service is free and provided by volunteers.

Note: When the infected computer in question is a company machine in the workplace and you are an employee, your organization must give its permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.


Phil

Raptors06
2008-10-09, 17:22
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

This is a nasty infection and before I can help I need to post this information for you.

http://forums.spybot.info/showthread.php?t=288 <<< here

Phil

I have read that information, and I am the IT person on staff at this location. Management has given consent to seek advice on this particular issue. Thank you.

pskelley
2008-10-09, 17:28
Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks...Phil

Raptors06
2008-10-09, 17:43
The scan errors out saying it is running on an incompatible operating system (Server 03). I already have the recovery console installed, so I am assuming that would make no difference on whether or not the scan was successful?

pskelley
2008-10-09, 17:50
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Sorry, I was hoping it would run. combofix is not supposed to run on Vista either, but usually does.

Let's see what MBAM will do with the System and the infection. You may delete combofix from the Desktop.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Thanks

Raptors06
2008-10-09, 18:14
Phil,

I tried installing MBAM, however, after clicking the final install button, the installation errors out with issues in creating a registry key and the inability to register the dll/ocx. I posted the pop-ups below in relation to the installation of MBAM.

"Error creating registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe
RegCreateKeyEx failed; code 1019
System could not allocate the required space in a registry log."

"C:\Program Files\Malwarebytes' Anti-Malware\unbamext.dll
Unable to register the DLL/OCX: RegSvr32
Failed with exit code 0x5."

"C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
Unable to register the DLL/OCX: RegSvr32
Failed with exit code 0x5."

At each of these pop-ups, you receive the standard "abort, retry, ignore" message.

pskelley
2008-10-09, 18:35
Well, if we cannot run any tools, we will try it manually. If that does not work, you may be doing a reformat.

Make sure you can view all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
and you can see there are no instructions for that Operating System?

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

*** if you cannot use ATF-Cleaner, try Clean Manager:
Clean Manager: http://spyware-free.us/tutorials/cleanmgr/

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - C:\WINDOWS\system32\pmnmljIx.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\SYSTEM32\pmnmljIx.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right-click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\pmnmljIx.dll <<< delete that file
C:\WINDOWS\system32\eprcyhve.dll <<< delete that file

If you have problems deleting those, try this tool and instructions

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Thanks
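
As an added example (not code from this thread, from Phil, or from the HijackThis or Safer Networking projects), the script below applies the same selection logic Phil used to pick the five entries above, but to raw HJT log lines: a nameless O2 BHO, an O4 Run value named with eight hex digits that uses rundll32 to load a DLL, and an O20 Winlogon Notify package, each backed by an eight-letter DLL in system32. It then groups hits by DLL so that one file registered under several load points (pmnmljIx.dll under both O2 and O20) stands out, and it separates entries marked "(file missing)", which only need the registration fixed, from ones that still have a file on disk to delete. The sample log lines are constructed here, modelled on the log posted earlier in the thread; the regular expressions and the eight-character heuristics are this example's own assumptions, not anything HijackThis itself provides.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis entries posted in this thread.
# Two clean lines (the Adobe BHO and the nod32kui Run entry) are included so
# the heuristics have something they must leave alone.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - C:\\WINDOWS\\system32\\pmnmljIx.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\\WINDOWS\\system32\\yayyWqPI.dll (file missing)
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKLM\\..\\Run: [7468d898] rundll32.exe "C:\\WINDOWS\\system32\\eprcyhve.dll",b
O20 - Winlogon Notify: pmnmljIx - C:\\WINDOWS\\SYSTEM32\\pmnmljIx.dll
"""

# Entry shapes as HijackThis 2.0.2 prints them (assumed from the posted log).
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - '
                   r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$')

# Vundo-style artefacts seen in this thread (heuristics assumed for the example):
# an eight-letter DLL dropped in system32, a Run value named with eight hex
# digits, and rundll32 loading that DLL by a one-letter export name.
SYS32_RANDOM_DLL = re.compile(r'\\system32\\(?P<base>[A-Za-z]{8})\.dll', re.I)
HEX_VALUE_NAME = re.compile(r'^[0-9a-f]{8}$')
RUNDLL_CMD = re.compile(r'^rundll32(?:\.exe)? "(?P<dll>[^"]+)",\w+$', re.I)


def _dll_basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def _finding(section, line, path, missing, reason):
    return {
        'section': section,
        'line': line,
        'dll': _dll_basename(path),
        'reason': reason,
        'action': ('fix the entry in HijackThis; nothing on disk to delete' if missing else
                   'fix the entry in HijackThis, then delete the DLL (Delete on Reboot if it is locked)'),
    }


def triage(log_text):
    """Return the Vundo-style load points found in an HJT log, in log order.

    Each finding is a dict with keys section, line, dll, reason, action.
    The eight-letter DLL test is never applied alone; each section adds a
    second indicator so ordinary system32 DLLs are not flagged.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            if m.group('name') == '(no name)' and SYS32_RANDOM_DLL.search(m.group('path')):
                findings.append(_finding('O2', line, m.group('path'), bool(m.group('missing')),
                                         'nameless BHO backed by a random eight-letter DLL in system32'))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_CMD.match(m.group('cmd'))
            if r and HEX_VALUE_NAME.match(m.group('value')) and SYS32_RANDOM_DLL.search(r.group('dll')):
                findings.append(_finding('O4', line, r.group('dll'), False,
                                         'Run value named with eight hex digits, rundll32 loading a random system32 DLL'))
            continue
        m = O20_RE.match(line)
        if m and SYS32_RANDOM_DLL.search(m.group('path')):
            findings.append(_finding('O20', line, m.group('path'), False,
                                     'Winlogon Notify package pointing at a random system32 DLL (loads into winlogon.exe)'))
    return findings


def correlate(findings):
    """Map each flagged DLL to the sorted set of sections that register it."""
    by_dll = defaultdict(set)
    for f in findings:
        by_dll[f['dll']].add(f['section'])
    return {dll: sorted(secs) for dll, secs in by_dll.items()}


def report(log_text):
    """Human-readable summary: one line per finding, then multi-load-point DLLs."""
    findings = triage(log_text)
    out = [f"[{f['section']}] {f['dll']}: {f['reason']} -> {f['action']}" for f in findings]
    for dll, sections in correlate(findings).items():
        if len(sections) > 1:
            out.append(f"{dll} is registered under {', '.join(sections)}: one file, several load points")
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

To use it on a saved log, call report() on the file's contents. The eight-letter name test is only ever combined with a second indicator because on its own it would flag legitimate Winlogon Notify packages such as Schedule or cryptnet; an O20 line whose path has been truncated, like the one in the second log later in this thread, is deliberately left for manual review rather than guessed at.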

Raptors06
2008-10-10, 02:20
Ok, now this is really strange. I rebooted the system so that I could manually delete the files you had told me about upon reboot. It didn't actually get rid of them. However, after the reboot, just for kicks, I tried to install MBAM, like you had suggested previously. For whatever bizarre reason, it worked. So, I installed it and ran it according to what you had said to do previously with that step, since the manual deletion didn't work. I've included the post-HJT scan after removing the threats with MBAM. I have included the post-MBAM run logs, as you had requested previously. Can I ask one semi off-topic question though: why in the heck did this work now and not before? And also, what do I need to do from here? Thanks for the help Phil, I do appreciate it.

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.2.3790 Service Pack 2

10/09/2008 5:51:29 PM
mbam-log-2008-10-09 (17-51-24).txt

Scan type: Full Scan (C:\|F:\|G:\|H:\|)
Objects scanned: 148996
Time elapsed: 44 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7468d898 (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:35 PM, on 10/09/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3ware\3DM2\3dm2.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\F@H\F@W\Faw.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IDScenter\idscenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\3ware\3DM2\WinAVAlarm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E699AC6-99F5-4809-AC76-660992DCF109} - (no file)
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IDScenter] "C:\Program Files\IDScenter\idscenter.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: 3DM 2.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - ESC Trusted Zone: http://www.antsight.com
O15 - ESC Trusted Zone: http://www.apple.com
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://uploads.blip.tv
O15 - ESC Trusted Zone: http://www.news.com.au
O15 - ESC Trusted Zone: http://adserving.cpxinteractive.com
O15 - ESC Trusted Zone: http://lasecwww.epfl.ch
O15 - ESC Trusted Zone: http://ads.ak.facebook.com
O15 - ESC Trusted Zone: http://apps.facebook.com
O15 - ESC Trusted Zone: http://www.facebook.com
O15 - ESC Trusted Zone: http://*.fahwiki.net
O15 - ESC Trusted Zone: http://*.foldingforum.org
O15 - ESC Trusted Zone: http://www.gehealthcare.com
O15 - ESC Trusted Zone: http://www.iasishealthcare.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://www.millbrook.com
O15 - ESC Trusted Zone: http://www.mozilla.com
O15 - ESC Trusted Zone: http://www.mozilla.org
O15 - ESC Trusted Zone: http://ftp-mozilla.netscape.com
O15 - ESC Trusted Zone: http://www.poweradmin.com
O15 - ESC Trusted Zone: http://www.saveflash.com
O15 - ESC Trusted Zone: http://sudowin.sourceforge.net
O15 - ESC Trusted Zone: http://voxel.dl.sourceforge.net
O15 - ESC Trusted Zone: http://fah-web.stanford.edu
O15 - ESC Trusted Zone: http://folding.stanford.edu
O15 - ESC Trusted Zone: http://vspx27.stanford.edu
O15 - ESC Trusted Zone: http://www.stanford.edu
O15 - ESC Trusted Zone: http://stat1.vipstat.com
O15 - ESC Trusted Zone: http://download3.vmware.com
O15 - ESC Trusted Zone: http://register.vmware.com
O15 - ESC Trusted Zone: http://www.vmware.com
O15 - ESC Trusted Zone: http://gehciits.webex.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://ad.yieldmanager.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://127.0.0.1
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {297BE6C8-39C6-4850-94A4-22638FF39D12} - http://jones-srv-01/centricitypm04/Install/McKesson04/McKesson04.cab
O16 - DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206656513953
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183593641234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183641965015
O16 - DPF: {723A35DD-9BB4-438E-BDDB-988B5E0298C7} - http://jones-srv-01/centricitypm04/Install/StandardPaperForms04/StandardPaperForms04.cab
O16 - DPF: {9188E82F-318B-4C6D-A796-29A6919EAEA2} - http://jones-srv-01/centricitypm%2004/Install/MPM03Components/Default.cab
O16 - DPF: {B1F6F07C-8CEF-4301-BFB7-A217427CD49F} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldComponents711_2/CPOPM04GoldComponents711_2.cab
O16 - DPF: {B4664E42-5597-40BA-8320-F2885640ED86} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Components/CPOPM04Components.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gehciits.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://jones-srv-01/centricitypm%2004/Install/MBCINSTaller60.dll
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://jones-srv-01/centricitypm04/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\Software\..\Telephony: DomainName = jones.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\
O23 - Service: 3DM2 - Unknown owner - C:\Program Files\3ware\3DM2\3dm2.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Faw - Unknown owner - C:\F@H\F@W\Faw (file missing)
O23 - Service: Folding@Home client 1 (Folding1d) - Unknown owner - C:\F@H\F@H1\srvany.exe
O23 - Service: Folding@Home client 2 (Folding2d) - Unknown owner - C:\F@H\F@H2\srvany.exe
O23 - Service: Folding@Home client 3 (Folding3d) - Unknown owner - C:\F@H\F@H3\srvany.exe
O23 - Service: Folding@Home client 4 (Folding4d) - Unknown owner - C:\F@H\F@H4\srvany.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13706 bytes

pskelley
2008-10-10, 02:51
I am not going to be able to answer a lot of questions, having no experience on this Operating System. Since I know that, I typically avoid the system when I see it. On top of that, we have other communication issues. In the middle of the repair, TeaTimer in Spybot has been turned on and had I seen it running, I would have posted instructions for it to be disabled. TeaTimer blocks changes and one of the changes we need to make was to delete these:

Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\pmnmljIx.dll <<< delete that file
C:\WINDOWS\system32\eprcyhve.dll <<< delete that file

One of the items is running in the latest HJT log:
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b

and I do not know, since I see no communication from you concerning having issues removing it, if it is there because TeaTimer was turned on or because you missed it, or because Vundo morphed and replaced it.

The next issue I have is that in the first HJT log, there were two items in the "Trusted Zone":
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)

http://www.bleepingcomputer.com/tutorials/tutorial42.html#O15Diag <<< see this

and in the most recent HJT log there are about 35; to my knowledge these must be allowed (added) manually, and I cannot think of any reason anyone would do this in the middle of what obviously has to be a complex repair.

If you could explain the reasons for the issues I brought up, it might help me as I consider the direction to take at this point.

Thanks

Raptors06
2008-10-10, 16:31
Phil,

I'll try to answer all of the questions - I had forgotten to tell you about the deletion of those files. But I'll start at the top.

I had disabled TeaTimer from the beginning through Spybot, but for whatever reason, it re-enabled itself, possibly upon restart? Nonetheless, it's been disabled now and is no longer running.

At first, deletion of C:\WINDOWS\system32\pmnmljIx.dll did not work, and was supposed to delete upon reboot. However, it has been deleted now, and should not be on the system any longer. As far as C:\WINDOWS\system32\eprcyhve.dll, I never could find the file in the sys32 folder at all. Hidden files and folders is turned on by default in Explorer, but I could not find the file anywhere. So, as of now, neither file seems to be residing on the system at all.

The trusted zone issue was resolved. The previous IT person that was employed here had added those sites to the trusted zone through IE. I have taken all of those sites out of the trusted zone, and HJT now confirms that. I have attached a new HJT that I have just run this morning when I came in. It is attached below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:25 AM, on 10/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3ware\3DM2\3dm2.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\F@H\F@W\Faw.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IDScenter\idscenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\3ware\3DM2\WinAVAlarm.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: (no name) - {7E699AC6-99F5-4809-AC76-660992DCF109} - (no file)
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IDScenter] "C:\Program Files\IDScenter\idscenter.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: 3DM 2.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {297BE6C8-39C6-4850-94A4-22638FF39D12} - http://jones-srv-01/centricitypm04/Install/McKesson04/McKesson04.cab
O16 - DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206656513953
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183593641234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183641965015
O16 - DPF: {723A35DD-9BB4-438E-BDDB-988B5E0298C7} - http://jones-srv-01/centricitypm04/Install/StandardPaperForms04/StandardPaperForms04.cab
O16 - DPF: {9188E82F-318B-4C6D-A796-29A6919EAEA2} - http://jones-srv-01/centricitypm%2004/Install/MPM03Components/Default.cab
O16 - DPF: {B1F6F07C-8CEF-4301-BFB7-A217427CD49F} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldComponents711_2/CPOPM04GoldComponents711_2.cab
O16 - DPF: {B4664E42-5597-40BA-8320-F2885640ED86} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Components/CPOPM04Components.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gehciits.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://jones-srv-01/centricitypm%2004/Install/MBCINSTaller60.dll
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://jones-srv-01/centricitypm04/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\Software\..\Telephony: DomainName = jones.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\
O23 - Service: 3DM2 - Unknown owner - C:\Program Files\3ware\3DM2\3dm2.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Faw - Unknown owner - C:\F@H\F@W\Faw (file missing)
O23 - Service: Folding@Home client 1 (Folding1d) - Unknown owner - C:\F@H\F@H1\srvany.exe
O23 - Service: Folding@Home client 2 (Folding2d) - Unknown owner - C:\F@H\F@H2\srvany.exe
O23 - Service: Folding@Home client 3 (Folding3d) - Unknown owner - C:\F@H\F@H3\srvany.exe
O23 - Service: Folding@Home client 4 (Folding4d) - Unknown owner - C:\F@H\F@H4\srvany.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11348 bytes

pskelley
2008-10-10, 17:40
TeaTimer's memory returned junk and we will remove it later, but this:
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
is still showing in the HJT log, so it is likely on the computer somewhere. Understand the hackers do not play by the rules.

Use Search... in Windows XP it would be Start > Search > All files and folders > copy/paste eprcyhve.dll into the search box and click Search. Might take a while, lots of files to look through.

I would also like you to try combofix again, this time download it to the Desktop, then boot to Safe Mode and see if it will run there.
http://spyware-free.us/tutorials/safemode/

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

Raptors06
2008-10-10, 17:59
I didn't think ComboFix was going to run off of Server 2003. If I'm wrong, I'm more than willing to give it a shot. I'm searching for the .dll now but so far nothing. I do have quite a bit of disk space to search, however. I will post back following the search. Just let me know if I need to run ComboFix. Thanks.

Raptors06
2008-10-10, 18:29
I know I'm not supposed to post-bump, but I'm posting back with information on the deletion and HJT log. I finally found that .dll file and got it out. FINALLY! It ended up being in a folder inside the sys32 folder. I haven't included the ComboFix log because I didn't think it was going to run on Server 03. Anyway, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:45 AM, on 10/10/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3ware\3DM2\3dm2.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\F@H\F@W\Faw.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IDScenter\idscenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\3ware\3DM2\WinAVAlarm.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\VMware\VMware Server\vmware.exe
C:\Program Files\VMware\VMware Server\bin\vmware-vmx.exe
C:\Program Files\VMware\VMware Server\bin\vmware-remotemks.exe
C:\Program Files\VMware\VMware Server\bin\vmware-vmx.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: (no name) - {7E699AC6-99F5-4809-AC76-660992DCF109} - (no file)
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IDScenter] "C:\Program Files\IDScenter\idscenter.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: 3DM 2.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {297BE6C8-39C6-4850-94A4-22638FF39D12} - http://jones-srv-01/centricitypm04/Install/McKesson04/McKesson04.cab
O16 - DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206656513953
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183593641234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183641965015
O16 - DPF: {723A35DD-9BB4-438E-BDDB-988B5E0298C7} - http://jones-srv-01/centricitypm04/Install/StandardPaperForms04/StandardPaperForms04.cab
O16 - DPF: {9188E82F-318B-4C6D-A796-29A6919EAEA2} - http://jones-srv-01/centricitypm%2004/Install/MPM03Components/Default.cab
O16 - DPF: {B1F6F07C-8CEF-4301-BFB7-A217427CD49F} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldComponents711_2/CPOPM04GoldComponents711_2.cab
O16 - DPF: {B4664E42-5597-40BA-8320-F2885640ED86} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Components/CPOPM04Components.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gehciits.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://jones-srv-01/centricitypm%2004/Install/MBCINSTaller60.dll
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://jones-srv-01/centricitypm04/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\Software\..\Telephony: DomainName = jones.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\
O23 - Service: 3DM2 - Unknown owner - C:\Program Files\3ware\3DM2\3dm2.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Faw - Unknown owner - C:\F@H\F@W\Faw (file missing)
O23 - Service: Folding@Home client 1 (Folding1d) - Unknown owner - C:\F@H\F@H1\srvany.exe
O23 - Service: Folding@Home client 2 (Folding2d) - Unknown owner - C:\F@H\F@H2\srvany.exe
O23 - Service: Folding@Home client 3 (Folding3d) - Unknown owner - C:\F@H\F@H3\srvany.exe
O23 - Service: Folding@Home client 4 (Folding4d) - Unknown owner - C:\F@H\F@H4\srvany.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 11553 bytes

pskelley
2008-10-13, 14:49
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - (no file)
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O2 - BHO: (no name) - {7E699AC6-99F5-4809-AC76-660992DCF109} - (no file)
O2 - BHO: (no name) - {9A9C01A8-CE35-4EE2-BFFF-C631BC16C61C} - C:\WINDOWS\system32\urqOIcAr.dll (file missing)
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Any malware issues?
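
The triage pskelley does by eye across the three posts above (orphaned BHO CLSIDs marked "(no file)" or "(file missing)", a Run entry named with eight hex digits that launches rundll32 on a system32 DLL, a Winlogon Notify package whose path column is just C:\WINDOWS\ with no DLL) and the "search the whole disk for the DLL" step from the 17:40 post can be scripted. The following is an added example, not a HijackThis feature and not code posted in this thread. It parses HJT-style log lines (a constructed sample modelled on the entries above), reports which lines match those Vundo patterns, lists the DLL names a cleaner should hunt for, and walks a directory tree for a file by name, case-insensitively, which is how the copy sitting in a subfolder of system32 would have been found. The rule names, the `Finding` type and the eight-letter-DLL heuristic are this example's own choices; the eight-letter rule in particular is only a hint, since legitimate DLLs with eight-letter names exist.

```python
"""Triage HijackThis-style log lines for Vundo/Virtumonde indicators and locate
leftover DLLs on disk. Added example; not part of HijackThis or this thread."""
import os
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, modelled on entries quoted in the thread above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03EC8CE0-E697-4339-8BC2-2DDF72716A42} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {195DE1AE-BD4D-4A45-95E4-C630B2D3250D} - C:\WINDOWS\system32\yayyWqPI.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [7468d898] rundll32.exe "C:\WINDOWS\system32\eprcyhve.dll",b
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O20 - Winlogon Notify: pmnmljIx - C:\WINDOWS\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Line shapes as HijackThis 2.0.x prints them.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_RANDOM_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")   # heuristic only (example's own choice)
RE_HEX_NAME = re.compile(r"^[0-9a-f]{8}$")          # e.g. the [7468d898] Run value above


@dataclass
class Finding:
    line_no: int
    section: str
    kind: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a Vundo-style pattern."""
    out: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = RE_O2.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                # CLSID still registered, DLL gone: remove the registration.
                out.append(Finding(n, "O2", "orphaned-bho", f"CLSID {{{m.group('clsid')}}} -> {path}"))
            elif RE_RANDOM_DLL.match(_basename(path)) and "system32" in path.lower():
                # Eight-letter DLL in system32 that is still present: live component.
                out.append(Finding(n, "O2", "random-dll-system32", path))
            continue
        m = RE_O4.match(line)
        if m:
            cmd = m.group("cmd")
            if RE_HEX_NAME.match(m.group("name")) and cmd.lower().startswith("rundll32"):
                dll = re.search(r'"([^"]+\.dll)"', cmd)
                out.append(Finding(n, "O4", "rundll32-random-name", dll.group(1) if dll else cmd))
            continue
        m = RE_O20.match(line)
        if m:
            path = m.group("path")
            # Legitimate Notify packages name a DLL; a bare directory means the
            # registry key outlived (or hides) the module.
            if path.endswith("\\") or not path.lower().endswith(".dll"):
                out.append(Finding(n, "O20", "notify-no-dll", f"{m.group('name')}.dll (path column: {path})"))
    return out


def dlls_to_hunt(findings: List[Finding]) -> List[str]:
    """Lower-cased DLL file names mentioned by the findings, for a disk search."""
    names = set()
    for f in findings:
        for m in re.finditer(r"([A-Za-z0-9_]+\.dll)", f.detail):
            names.add(m.group(1).lower())
    return sorted(names)


def find_file(root: str, filename: str) -> List[str]:
    """Walk root recursively; return every path whose file name matches,
    case-insensitively (the DLL in the thread sat in a subfolder of system32)."""
    wanted = filename.lower()
    hits = [os.path.join(d, f) for d, _dirs, files in os.walk(root)
            for f in files if f.lower() == wanted]
    return sorted(hits)


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"line {f.line_no:>3} {f.section:<4} {f.kind:<22} {f.detail}")
    print("search the disk for:", ", ".join(dlls_to_hunt(findings)))
```

Running it on the sample flags the two orphaned BHOs, the `[7468d898]` rundll32 entry and the `pmnmljIx` Notify key, and tells you to hunt for eprcyhve.dll, pmnmljix.dll and yayywqpi.dll; `find_file(r"C:\WINDOWS", "eprcyhve.dll")` is the scripted form of the Search step, and will descend into subfolders that a glance at system32 misses.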

Raptors06
2008-10-13, 16:16
I ran HJT again this morning just now and have posted the log below. NOD32 and Spybot have both come back clean in their scans for malware and viruses. As far as I can tell, the fix has been successful. Just let me know if I need to proceed any further with cleaning the infection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:56 AM, on 10/13/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3ware\3DM2\3dm2.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\F@H\F@W\Faw.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\RA\Server\nod32ra.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\IDScenter\idscenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\3ware\3DM2\WinAVAlarm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Eset\nod32.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Eset\nod32.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IDScenter] "C:\Program Files\IDScenter\idscenter.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - S-1-5-18 Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Server Management.lnk = C:\Program Files\Microsoft Windows Small Business Server\Administration\LaunchConsole.exe (User 'Default user')
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Global Startup: 3DM 2.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinAVAlarm.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Client/CPOPM04Client.cab
O16 - DPF: {297BE6C8-39C6-4850-94A4-22638FF39D12} - http://jones-srv-01/centricitypm04/Install/McKesson04/McKesson04.cab
O16 - DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1206656513953
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183593641234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183641965015
O16 - DPF: {723A35DD-9BB4-438E-BDDB-988B5E0298C7} - http://jones-srv-01/centricitypm04/Install/StandardPaperForms04/StandardPaperForms04.cab
O16 - DPF: {9188E82F-318B-4C6D-A796-29A6919EAEA2} - http://jones-srv-01/centricitypm%2004/Install/MPM03Components/Default.cab
O16 - DPF: {B1F6F07C-8CEF-4301-BFB7-A217427CD49F} - http://jones-srv-01/centricitypm04/Install/CPOPM04GoldComponents711_2/CPOPM04GoldComponents711_2.cab
O16 - DPF: {B4664E42-5597-40BA-8320-F2885640ED86} - http://jones-srv-01/centricitypm%2004/Install/CPOPM04Components/CPOPM04Components.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://gehciits.webex.com/client/T25L/support/ieatgpc.cab
O16 - DPF: {E839F0A1-4D68-472A-BBB8-08FA530581CF} (MBCInstaller 6.0 object) - http://jones-srv-01/centricitypm%2004/Install/MBCINSTaller60.dll
O16 - DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} (GEMSInstaller 7.0 object) - http://jones-srv-01/centricitypm04/Install/MBCINSTaller70.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\Software\..\Telephony: DomainName = jones.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jones.local
O17 - HKLM\System\CS3\Services\Tcpip\..\{06CFA446-789A-45A2-82F4-4D2F75178609}: NameServer = 127.0.0.1
O23 - Service: 3DM2 - Unknown owner - C:\Program Files\3ware\3DM2\3dm2.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\DLOAdminSvcu.exe
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\DLO\dlomaintsvcu.exe
O23 - Service: Faw - Unknown owner - C:\F@H\F@W\Faw (file missing)
O23 - Service: Folding@Home client 1 (Folding1d) - Unknown owner - C:\F@H\F@H1\srvany.exe
O23 - Service: Folding@Home client 2 (Folding2d) - Unknown owner - C:\F@H\F@H2\srvany.exe
O23 - Service: Folding@Home client 3 (Folding3d) - Unknown owner - C:\F@H\F@H3\srvany.exe
O23 - Service: Folding@Home client 4 (Folding4d) - Unknown owner - C:\F@H\F@H4\srvany.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NOD32 Remote Administration Server (NOD32RA) - Eset - C:\Program Files\Eset\RA\Server\nod32ra.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10909 bytes

pskelley
2008-10-13, 16:24
As far as I can see, the HJT log looks clean of malware. Here is some information to help you stay clean, and I am not sure it will all apply to your operating system.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Raptors06
2008-10-13, 16:35
Many thanks for the assistance. I will definitely put your links in my reading pile to peruse as I have the time.