mrodger6

Guys The PUM.hijack.help and hijack.controlpanelstyle were found on server and removed with malwarebytes. However, there is still an issue when you remotely login a shutdown command is being sent to various systems within our network. I ran Microsoft Malicious software removal tools, Kaspersky antivirus and nothing is found. So I run hijackthis and below is my resulting log. I would like you guys to review and give me your thioughts. Thanks Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 4:06:41 PM, on 2/27/2013 Platform: Windows 2003 SP2 (WinNT 5.02.3790) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe C:\WINDOWS\IntelliAdminRC4\Agent32.exe C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe C:\WINDOWS\IntelliAdminRC4\Agent32.exe C:\WINDOWS\system32\ntfrs.exe C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\Symantec\Backup Exec\beremote.exe C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\TEMP\KAVREM~1\6D2E72~1\exec\KK.exe C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\rdpclip.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\mmc.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\rdpclip.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://rasdbs:1311/?authType=ntlm&locallogin=true&application=omsa O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-519517236-197921458-495535119-1532\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'JPOAdmin') O4 - HKUS\S-1-5-21-519517236-197921458-495535119-18512\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?') O4 - HKUS\S-1-5-21-519517236-197921458-495535119-18738\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'JPService09') O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user') O4 - Global Startup: prnRpt.bat O4 - Global Startup: prntRpts.bat O4 - Global Startup: prntRptSlnt.vbs O4 - Global Startup: reporting.bat O4 - Global Startup: reports.bat O4 - Global Startup: runPrntRprt.bat O4 - Global Startup: runReporting.bat O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O4 - Global Startup: silentReporting.vbs O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - ESC Trusted Zone: http://runonce.msn.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196270844281 O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dell.webex.com/client/T25L/support/ieatgpc.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jonesplastic.com O17 - HKLM\Software\..\Telephony: DomainName = jonesplastic.com O17 - HKLM\System\CCS\Services\Tcpip\..\{073BBE8F-11B8-48F7-8F75-D673A62E77CC}: NameServer = 10.1.12.8 O17 - HKLM\System\CCS\Services\Tcpip\..\{98757B22-158A-46A8-B09D-AE6C8755FBAA}: NameServer = 10.1.2.70,10.1.12.8 O17 - HKLM\System\CCS\Services\Tcpip\..\{A79191B3-886A-4721-8BFE-8FB09E30B395}: NameServer = 10.1.12.8 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jonesplastic.com O17 - HKLM\System\CS1\Services\Tcpip\..\{073BBE8F-11B8-48F7-8F75-D673A62E77CC}: NameServer = 10.1.12.8 O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers MP4\avp.exe O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: IntelliAdminRC4 - Unknown owner - C:\WINDOWS\IntelliAdminRC4\Agent32.exe O23 - Service: Kaspersky Lab Network Agent (klnagent) - Kaspersky Lab ZAO - C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe -- End of file - 8868 bytes