Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware on 2003 Server

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware on 2003 Server

Unread postby gschie » January 25th, 2008, 2:01 pm

Hello!

HELP!!
I have got two icon's on my desktop. Windows Update and Help and supportsenter. I tryed to delete them, bud they pop up at ounce.
Sometimes my screen is "blank" when i start up system. I must use Ctrl-Alt-Del and run Explorer.exe to get the desktop.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56, on 2008-01-25
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\grovel.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\PROGRA~1\MICROS~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
c:\ProgramFiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\OfcAoSMgr.exe
C:\Program Files\Trend Micro\Smex\svcGenericHost.exe
C:\Program Files\Trend Micro\Smex\svcGenericHost.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN\WSSADMIN.EXE
C:\Program Files\Trend Micro\Smex\SMEX_SystemWatcher.exe
C:\Program Files\Trend Micro\Smex\SMEX_Master.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\tftpd.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\ProgramFiler\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\TEMP\AE359B.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\Smex\SMEX_RemoteConfig.exe
C:\WINDOWS\System32\svchost.exe
c:\ProgramFiler\Trend Micro\OfficeScan Client\TmPfw.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\System32\svchost.exe
c:\ProgramFiler\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [081d12ff] rundll32.exe "C:\WINDOWS\system32\vlsqwegp.dll",b
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "c:\ProgramFiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://www.afterlogic.com
O15 - ESC Trusted Zone: http://weblogs.asp.net
O15 - ESC Trusted Zone: http://*.atvs.vg.no
O15 - ESC Trusted Zone: http://mail.broadpark.no
O15 - ESC Trusted Zone: http://www.broadpark.no
O15 - ESC Trusted Zone: http://ad.no.doubleclick.net
O15 - ESC Trusted Zone: http://software-files.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://mail.elektronettverk.no
O15 - ESC Trusted Zone: http://no.errorsafe.com
O15 - ESC Trusted Zone: http://www.experts-exchange.com
O15 - ESC Trusted Zone: http://*.flash.vg.no
O15 - ESC Trusted Zone: http://www.google.no
O15 - ESC Trusted Zone: http://*.itpro.no
O15 - ESC Trusted Zone: http://www.java.com
O15 - ESC Trusted Zone: http://search.kvasir.no
O15 - ESC Trusted Zone: http://www.2.livejasmin.com
O15 - ESC Trusted Zone: http://www.madres.org
O15 - ESC Trusted Zone: http://ie.search.msn.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://spaces.msn.com
O15 - ESC Trusted Zone: http://search.msn.no
O15 - ESC Trusted Zone: http://www.msn.no
O15 - ESC Trusted Zone: http://www.nextgentel.no
O15 - ESC Trusted Zone: http://login.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://mail.schie.info
O15 - ESC Trusted Zone: http://download-pdl.search.com
O15 - ESC Trusted Zone: http://download-search.search.com
O15 - ESC Trusted Zone: http://*.server5
O15 - ESC Trusted Zone: http://www.side2.no
O15 - ESC Trusted Zone: http://www.sol.no
O15 - ESC Trusted Zone: http://www.sysprotect.com
O15 - ESC Trusted Zone: http://*.technett.no
O15 - ESC Trusted Zone: http://torrents.thepiratebay.org
O15 - ESC Trusted Zone: http://www.thescripts.com
O15 - ESC Trusted Zone: http://de.trendmicro-europe.com
O15 - ESC Trusted Zone: http://eu-housecall.trendmicro-europe.com
O15 - ESC Trusted Zone: http://no.trendmicro-europe.com
O15 - ESC Trusted Zone: http://pub.tv2.no
O15 - ESC Trusted Zone: http://offers.whenu.com
O15 - ESC Trusted Zone: http://www.winfixer.com
O15 - ESC Trusted Zone: http://*.www.vg.no
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://193.213.35.200
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://server5.schie.info/officescan/c ... AtxEnc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4F3DCE50-E8E7-40AC-AB8D-99F87F1F89BD} (Trend Micro OfficeScan Management Console) - https://server5.schie.info/officescan/c ... onsole.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/ ... 2897796063
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0629776414
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1440547923
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - https://mail.elektronettverk.no/tsweb/msrdp.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://server5.schie.info:4343/SMB/con ... AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://server5.schie.info:4343/SMB/con ... onsole.cab
O16 - DPF: {A050E865-64E3-431B-8079-F0DFCEA90A2D} (PieChart Class) - https://server5.schie.info/officescan/c ... AtxPie.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schie.info
O17 - HKLM\Software\..\Telephony: DomainName = schie.info
O17 - HKLM\System\CCS\Services\Tcpip\..\{55B2E435-286D-450C-8EB9-FECE1EC520AC}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schie.info
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schie.info
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - c:\ProgramFiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScan Plug-in Manager (OfcAoSMgr) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\Web\Service\OfcAoSMgr.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: OfficeScan Control Manager Agent (OfficeScanCMAgent) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan\PCCSRV\CMAgent\OfcCMAgent.exe
O23 - Service: ScanMail for Microsoft Exchange Master Service (ScanMail_Master) - Trend Micro Inc. - C:\Program Files\Trend Micro\Smex\svcGenericHost.exe
O23 - Service: ScanMail for Microsoft Exchange Remote Configuration Server (ScanMail_RemoteConfig) - Trend Micro Inc. - C:\Program Files\Trend Micro\Smex\svcGenericHost.exe
O23 - Service: ScanMail for Microsoft Exchange System Watcher (ScanMail_SystemWatcher) - Trend Micro Inc. - C:\Program Files\Trend Micro\Smex\svcGenericHost.exe
O23 - Service: Star Engine (StarEngineService_08) - Unknown owner - C:\Program Files\Microsoft Antigen for Exchange\Engines\x86\SpamCure\bin\StarEngine8.exe (file missing)
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - c:\ProgramFiler\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - c:\ProgramFiler\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - c:\ProgramFiler\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 11273 bytes


Regards
Gunnar Schie
gschie
Active Member
 
Posts: 1
Joined: January 25th, 2008, 1:42 pm
Advertisement
Register to Remove

Re: Malware on 2003 Server

Unread postby Katana » February 1st, 2008, 8:21 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.



Please post a fresh log
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Malware on 2003 Server

Unread postby Gary R » February 7th, 2008, 11:41 am

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware