PDA

View Full Version : Cscripts.exe trojan, plz help!



GuliblGuy
2009-09-30, 23:09
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:02 PM, on 9/30/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\E_S00RP1.EXE
C:\WINNT\System32\svchost.exe
C:\FAH\FAH504-Console.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\ACCPAC\Messenger\MsgrHost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ACCPAC\Messenger\PrnAgent.exe
C:\Data\USERS\timesvr.exe
C:\WINNT\system32\ntfrs.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PVSW\BIN\NTDBSMGR.EXE
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\FAH\FahCore_82.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O3 "usb" /M "Stylus CX3800"
O4 - HKLM\..\Run: [GBMServer8Agent] C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX3800 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /M "Stylus CX3800" /EF "HKCU"
O4 - HKCU\..\Run: [GBMServer8Agent] C:\Program Files\Genie-Soft\GBMServer8\GBMAgent.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Shortcut to timesvr.exe.lnk = USERS\timesvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FAX Printer.lnk = C:\Program Files\ACCPAC\Messenger\PrnAgent.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://quantum2k.webex.com/client/T26L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0A75823-BE64-46DA-B7AF-587CAA05014A}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = informslink.local
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINNT\system32\E_S00RP1.EXE
O23 - Service: FAH@C:+FAH+FAH504-Console.exe - Stanford University - C:\FAH\FAH504-Console.exe
O23 - Service: faxinit - Unknown owner - C:\WINNT\bfax\runfaxin.exe
O23 - Service: ACCPAC Messenger FAX Server (FAXServe) - ACCPAC International, Inc. - C:\Program Files\ACCPAC\Messenger\FAXserve.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel Alert Handler - LANDesk Software Ltd. - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - LANDesk Software Ltd. - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - LANDesk Software Ltd. - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINNT\system32\cba\pds.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: ACCPAC Messenger Server (MsgrHost) - ACCPAC International, Inc. - C:\Program Files\ACCPAC\Messenger\MsgrHost.exe
O23 - Service: ACCPAC Internet FAX Services (MsgrIPFax) - ACCPAC International, Inc. - C:\Program Files\ACCPAC\Messenger\MsgrIPFax.exe
O23 - Service: ACCPAC Messenger Print Server (MsgrPrintServe) - ACCPAC International, Inc. - C:\Program Files\ACCPAC\Messenger\MsgrPrintServe.exe
O23 - Service: Pervasive.SQL (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7859 bytes

Shaba
2009-10-01, 20:16
Hi GuliblGuy

Is this a personal computer?

GuliblGuy
2009-10-01, 20:25
Yes my personal comp for home network

Shaba
2009-10-01, 21:50
Then I would like to get an explanation for example for these:

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informslink.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = informslink.local

GuliblGuy
2009-10-02, 22:23
Ok you got me, I'm the "IT director" at work, just cause I know more about computers than others, and my boss wants me to get rid of this threat. You guys have helped us before on a company computer when we said we wouldn't hold you responsible if anything went wrong, I just though saying it was my personal pc would circumvent that, I'm sorry.

Shaba
2009-10-03, 13:09
Please see then this (http://forums.spybot.info/showpost.php?p=25712&postcount=5)

If your company has purchased spybot, you can get support via email.

Forum volunteers are unfortunately unable to help as per forum policy.