Malware deleting files?

Status
Not open for further replies.

Budgetguy

Technical User
Jun 22, 2006
12
US
Part of my job in the office is to provide some "Tech Help Lite" to the other users in the department and prevent some of the simple calls going to the IT help desk. I came back to work after a couple of days off to find that IT had been in re-imaging one of the PCs because almost all of the files on its hard drive had been deleted. The story, as I've been told, is that one of the users was looking for an icon for a little-used application and found one that she said resembled an MS-DOS link and was named "View Desktop". Thinking this might be the one she wanted, she double-clicked, and what appeared to be a series of MS-DOS commands started to run that included a delete command. After watching for a time the user decided that something bad was happening and killed the power to the PC and called IT. We're running XP Pro, McAfee, Spybot, and have Websense to keep us out of really bad places (in theory). Does this sound familiar to anybody? Do I need to have everybody keep watch for odd links showing up on their desktop? Thanks in advance for any help or ideas you can give me.
 
Sounds like a batch file that someone made. Download HijackThis from the link below. Open it up, choose "Do a system scan and save a logfile", and post the logfile on here. Unless you know what you're doing, do not attempt to fix anything it shows, as not everything it shows is bad.

Also, please paste the logfile exactly as it shows, i.e. do not add spacing to it, lol. I normally do not mention that, but I recently had someone space it out trying to be helpful, and it makes it much harder to read.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
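The shortcut described in the opening post, a desktop link that launched a run of delete commands, is not something a HijackThis log will show: HijackThis lists autostart entries, browser hooks, services and the Startup folders, not what sits on a user's Desktop. The script below is an added example, not code from this thread or from HijackThis. It walks a folder, reads each .lnk just far enough (following the public MS-SHLLINK layout) to recover the target path and arguments, and flags shortcuts or batch files whose command line contains mass-delete commands; .pif files are reported outright because that is what an "MS-DOS program" shortcut is on XP and Explorer never shows its extension. The file names, the cmd.exe target and the sample command line are constructed for the demo, and build_lnk exists only to fabricate that sample input.

```python
# Added example (not from the thread): triage a Desktop folder for shortcuts and batch
# files that launch destructive commands. Standard library only.
import os
import re
import struct

# Batch commands that can wipe a drive. Kept narrow so "del tmp.txt" is not flagged,
# while a quiet/recursive delete, a wildcard delete or a recursive rmdir is.
DESTRUCTIVE = [
    (re.compile(r"\b(?:del|erase)\b[^\n&|]*(?:/[sq]\b|\*)", re.I), "mass file delete"),
    (re.compile(r"\b(?:rd|rmdir)\b[^\n&|]*/s\b", re.I), "recursive directory removal"),
    (re.compile(r"\bformat\s+[a-z]:", re.I), "drive format"),
    (re.compile(r"\bdeltree\b", re.I), "deltree"),
]

def find_destructive_commands(text):
    """Return the labels of destructive commands present in a command line or script body."""
    return [label for pattern, label in DESTRUCTIVE if pattern.search(text)]

def _read_string(data, pos, is_unicode):
    """StringData item: 2-byte character count, then the characters (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if is_unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", "replace"), pos + count

def parse_lnk(data):
    """Minimal .lnk reader -> {'target': str or None, 'arguments': str}; None if not a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None
    (flags,) = struct.unpack_from("<I", data, 0x14)        # LinkFlags
    pos = 0x4C
    if flags & 0x01:                                        # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & 0x02:                                        # HasLinkInfo
        li_size, _, li_flags, _, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:                                 # VolumeIDAndLocalBasePath (ANSI, NUL-terminated)
            end = data.index(b"\x00", pos + base_off)
            target = data[pos + base_off:end].decode("cp1252", "replace")
        pos += li_size
    is_unicode = bool(flags & 0x80)                         # IsUnicode
    strings = {}
    for bit, name in ((0x04, "name"), (0x08, "relative"), (0x10, "workdir"), (0x20, "arguments")):
        if flags & bit:
            strings[name], pos = _read_string(data, pos, is_unicode)
    return {"target": target or strings.get("relative"), "arguments": strings.get("arguments", "")}

def build_lnk(target, arguments):
    """Constructed sample input: a minimal .lnk with LinkInfo and Arguments (demo only)."""
    volume_id = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"  # fixed disk, empty label
    path = target.encode("cp1252") + b"\x00"
    base_off = 28 + len(volume_id)
    li_size = base_off + len(path) + 1
    link_info = struct.pack("<7I", li_size, 28, 1, 28, base_off, 0, li_size - 1)
    link_info += volume_id + path + b"\x00"
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I16sI", 0x4C, clsid, 0x02 | 0x20 | 0x80)  # HasLinkInfo|HasArguments|IsUnicode
    header += b"\x00" * (0x4C - len(header))
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def triage_file(path):
    """Return a finding for one file, or None if it does not look like a destructive launcher."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in (".lnk", ".bat", ".cmd", ".pif"):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    if ext == ".pif":  # "MS-DOS program" shortcut: Explorer always hides the extension, so review it
        return {"path": path, "command_line": "", "hits": ["MS-DOS program shortcut (.pif)"]}
    if ext == ".lnk":
        info = parse_lnk(data)
        if info is None:
            return None
        command_line = ("%s %s" % (info["target"] or "", info["arguments"])).strip()
        hits = find_destructive_commands(command_line)
        if not hits and (info["target"] or "").lower().endswith(("cmd.exe", "command.com")):
            hits = ["shortcut runs the command interpreter"]
        return {"path": path, "command_line": command_line, "hits": hits} if hits else None
    hits = find_destructive_commands(data.decode("cp1252", "replace"))
    return {"path": path, "command_line": "", "hits": hits} if hits else None

def scan_directory(root):
    """Walk a directory (for example a user's Desktop) and return every finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = triage_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings

if __name__ == "__main__":  # demo on a throwaway folder holding one constructed sample
    import shutil, tempfile
    desk = tempfile.mkdtemp()
    with open(os.path.join(desk, "View Desktop.lnk"), "wb") as fh:
        fh.write(build_lnk(r"C:\WINDOWS\system32\cmd.exe", r"/c del /s /q C:\*.*"))
    for f in scan_directory(desk):
        print("%s -> %s [%s]" % (os.path.basename(f["path"]), f["command_line"], ", ".join(f["hits"])))
    shutil.rmtree(desk)
```

On a real machine you would point scan_directory at each user's Desktop and the All Users desktop and review the findings by hand; the patterns are deliberately narrow, so a shortcut that launches cmd.exe with innocuous arguments is reported for a look rather than treated as proof of anything.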
 
Here is the logfile for HijackThis. A little more digging in the PC looks very odd, as all system tools (in fact most of the Accessories) have been deleted and a number of links to internet games have been added.

Logfile of HijackThis v1.99.1
Scan saved at 9:54:19 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://jocoweb/
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone: *.jocogov.org
O15 - Trusted Zone: *.ad.jocoks.com
O15 - Trusted Zone: fhrap01.ad.jocoks.com
O15 - Trusted Zone:
O15 - Trusted Zone: fhrap02.ad.jocoks.com
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone:
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: *.jocogov.org (HKLM)
O15 - Trusted Zone: *.ad.jocoks.com (HKLM)
O15 - Trusted Zone: fhrap01.ad.jocoks.com (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: fhrap02.ad.jocoks.com (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O15 - Trusted Zone: (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {CAFECAFE-0013-0001-0025-ABCDEFABCDEF} (JInitiator 1.3.1.25) -
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -
O16 - DPF: {e2258010-b53c-11d6-b64d-00c04faedb18} (Oracle JInitiator 1.1.8.20) -
O16 - DPF: {e79bc654-8fc6-4bb9-bfb8-8860779ae213} (Oracle JInitiator 1.1.8.24) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.jocoks.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.jocoks.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.jocoks.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.jocoks.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
 
Your log looks clean. I see nothing on it. Just keep an eye on things in case something looks suspicious.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 