Registry trojan - looking to fix.

rko9911

New Member
I am using Windows 2000 Server with Symantec Antivirus Corporate 8.1.0. A trojan appeared a few weeks ago, that opened up a slew of others. After going to safe mode and addressing them all, I thought I was clean. Symantec (with the latest virus definition) said so, as well as Ad-Aware.

However, I get a pop-up about every 60 seconds if I go online, an activity that never occurred before. After running HijackThis, I found two items in the registry that I can't seem to change. In fact, they reinsert themselves immediately.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell->Explorer.exe, C:\WINNT\system32\vtlvf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit->C:\WINNT\SYSTEM32\Userinit.exe,horapeh.exe

There are no files named vtlvf.exe or horapeh.exe. These are the only registry keys with these names in them. I can find nothing online about these files. They were not there pre-trojan.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:14:58 PM, on 8/31/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
E:\PROGRA~1\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
E:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
E:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLServer.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
E:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
E:\PROGRA~1\vptray.exe
E:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
E:\PROGRA~1\Rtvscan.exe
e:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
e:\Program Files\Symantec\SAVFMSE\SMSECtrl.EXE
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSEUI.EXE
e:\Program Files\Symantec\SAVFMSE\SMSELog.EXE
e:\Program Files\Symantec\SAVFMSE\SMSESJM.EXE
e:\Program Files\Symantec\SAVFMSE\SMSETask.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
E:\Program Files\HijackThis 1.99.1\HijackThis.exe

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\vtlvf.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,horapeh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\vptray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] E:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE0C0A93-C8AC-458A-BD79-1F07BF8831E8}: NameServer = 10.10.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\\NavLogon.dll
O20 - Winlogon Notify: Welcome - C:\WINNT\system32\mitscax.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UmljayBLbm9lYmVs\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\DefWatch.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\DLOAdminSvcu.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINNT\System32\dmadmin.exe (file missing)
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - E:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AntiVirus/Filtering for Microsoft Exchange 2000 (SAVFMSE) - Symantec Corporation - e:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
O23 - Service: ScriptLogic Service (SLServer) - ScriptLogic Corporation - C:\WINNT\SYSTEM32\SLServer.exe

Any help would be appreciated.

Thank you.

Rick
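The two registry values Rick describes are the Winlogon Shell and Userinit entries, which HijackThis reports as "F2 - REG:system.ini" lines. On Windows 2000 the documented defaults are Shell=Explorer.exe and Userinit=<system32>\userinit.exe, (the trailing comma is normal); anything appended after those defaults runs at every logon. As an added example (not part of this thread, and not code from HijackThis), the Python script below parses those F2 lines, splits the comma-separated value, and flags every component that is not the default binary. The sample lines are copied from the log above, and the "clean" lines are constructed to show what a normal system produces.

```python
"""Flag unexpected components in Winlogon Shell/Userinit values from a HijackThis log.

Added example, not from the forum thread or from HijackThis. It parses the
'F2 - REG:system.ini' lines HijackThis emits for the Winlogon Shell and
UserInit values and reports any component beyond the Windows defaults.
"""
import re

# Documented Windows 2000/XP defaults: Shell = "Explorer.exe",
# Userinit = "<system32>\userinit.exe," (trailing comma is normal).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# HijackThis line shape: "F2 - REG:system.ini: Shell=..." / "...UserInit=..."
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def split_components(value):
    """Split a comma-separated Winlogon value into trimmed, non-empty parts."""
    return [p.strip() for p in value.split(",") if p.strip()]


def basename(path):
    """Lower-cased file name portion of a Windows path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def audit_f2_line(line):
    """Return (key, extras) for an F2 line, or None for any other log line.

    extras lists every component whose file name is not the expected default,
    e.g. a second executable appended to Shell or Userinit.
    """
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key = m.group(1).lower()
    parts = split_components(m.group(2))
    extras = [p for p in parts if basename(p) not in EXPECTED[key]]
    return key, extras


def audit_log(lines):
    """Return [(key, extras), ...] for every F2 line that carries extra components."""
    findings = []
    for line in lines:
        result = audit_f2_line(line)
        if result and result[1]:
            findings.append(result)
    return findings


# Lines copied from the HijackThis log posted above (O4 line included to show it is ignored).
SAMPLE_LOG = [
    "F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINNT\\system32\\vtlvf.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\SYSTEM32\\Userinit.exe,horapeh.exe",
    "O4 - HKLM\\..\\Run: [AtiPTA] Atiptaxx.exe",
]

# Constructed lines showing the default values of a clean Windows 2000 machine.
CLEAN_LOG = [
    "F2 - REG:system.ini: Shell=Explorer.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\userinit.exe,",
]

if __name__ == "__main__":
    for key, extras in audit_log(SAMPLE_LOG):
        print(f"{key}: unexpected component(s) {extras}")
    print("clean log findings:", audit_log(CLEAN_LOG))
```

Run against the posted log this reports vtlvf.exe on Shell and horapeh.exe on Userinit and nothing for the clean lines. Note that the check is on the registry value, not on whether the file exists: a Shell or Userinit entry that names a missing file (as in this thread) is still a finding, because whatever keeps rewriting the value is the part that needs to be found.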
 
Remove Everything Marked RED with Hijack This.

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
E:\PROGRA~1\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
E:\Program Files\Exchsrvr\bin\srsmain.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
E:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\SLServer.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
E:\Program Files\Exchsrvr\bin\exmgmt.exe
E:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
E:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
E:\Program Files\Exchsrvr\bin\store.exe
E:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
E:\PROGRA~1\vptray.exe
E:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\ntvdm.exe
E:\PROGRA~1\Rtvscan.exe
e:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
e:\Program Files\Symantec\SAVFMSE\SMSECtrl.EXE
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSESp.exe
e:\Program Files\Symantec\SAVFMSE\SMSEUI.EXE
e:\Program Files\Symantec\SAVFMSE\SMSELog.EXE
e:\Program Files\Symantec\SAVFMSE\SMSESJM.EXE
e:\Program Files\Symantec\SAVFMSE\SMSETask.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
E:\Program Files\HijackThis 1.99.1\HijackThis.exe

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\vtlvf.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,horapeh.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\vptray.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] E:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE0C0A93-C8AC-458A-BD79-1F07BF8831E8}: NameServer = 10.10.2.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = KNOEBELS1.Knoebels1.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\\NavLogon.dll
O20 - Winlogon Notify: Welcome - C:\WINNT\system32\mitscax.dll (file missing)
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\UmljayBLbm9lYmVs\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\DefWatch.exe
O23 - Service: Backup Exec DLO Administration Service (DLOAdminSvcu) - VERITAS Software Corporation - E:\Program Files\VERITAS\Backup Exec\NT\DLOAdminSvcu.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINNT\System32\dmadmin.exe (file missing)
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Server (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\Rtvscan.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - E:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler AG - E:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AntiVirus/Filtering for Microsoft Exchange 2000 (SAVFMSE) - Symantec Corporation - e:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
O23 - Service: ScriptLogic Service (SLServer) - ScriptLogic Corporation - C:\WINNT\SYSTEM32\SLServer.exe


Does this folder still exist? If so delete it and its contents:
C:\WINNT\UmljayBLbm9lYmVs\

Find and Delete:
vtlvf.exe
horapeh.exe

If you cannot delete these, try deleting them in safe mode.

You aren't patched up to date; you should update to Service Pack 4, unless you have a valid reason not to (such as compatibility issues). You can get SP4 here.

You seem to have a lot of servers running. Be sure to check that they are fully up to date, as you may be opening yourself up to various server-attacking worms.
