Jump to content

Registry Entry - UserFaultCheck %systemroot%\system32\dumprep 0 -u


Recommended Posts

I have a freshly built Windows 2003 Server (lastest Service Pack/fully updated). I am getting infection notices from my Trend Micro Server Protect with files that cannot be cleaned but are being deleled. The files are trying to be written to C:\Coldfusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotemp(long string of numbers).tmp with Trend Micro labeling the infection as either TROJ_INJECT.GIW or BKDR_IRCBOT.GIW. There is a new registry entry in the HKLM\Software\Microsoft\Windows\Run listed as UserFaultCheck %systemroot%\system32\dumprep 0 -u. All scans with Mlawarebytes are coming back clean (Quick, Flash, Full). I started a trial to take full advantage of the protection tools and yesterday was able under the Protection tab to fully protected. Late in the day, I noticed the icon for Malwarebytes missing from the system tray and opened the program to find the system had "Protection Partially Enabled" and "Enable malicious website blocking" was unchecked and could not be re-checked. Also there were two large protection log files (1.06 GB and 730 MB respectively) under C:\Documents and Settings\All Users\Application\Malwarebytes\Malwarebytes' Antimalware Logs that when opened were unreadable. I need help deciphering the log and more importantly ask for guidance on what to do next. Any thoughts would be greatly appreciated. Here is the Trend Micro HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:20:24 AM, on 3/28/2013

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cpqteam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\ColdFusion9\solr\solr.exe

C:\ColdFusion9\jnbridge\CFDotNetsvc.exe

C:\ColdFusion9\jnbridge\JNBDotNetSide.exe

C:\ColdFusion9\runtime\jre\bin\java.exe

C:\ColdFusion9\db\slserver54\bin\swagent.exe

C:\ColdFusion9\db\slserver54\bin\swstrtr.exe

C:\ColdFusion9\db\slserver54\bin\swsoc.exe

C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe

C:\Program Files\Trend\SProtect\EarthAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\compaq\survey\Surveyor.EXE

C:\WINDOWS\system32\CpqRcmc.exe

C:\WINDOWS\system32\sysdown.exe

C:\ColdFusion9\verity\k2\_nti40\bin\k2server.exe

C:\ColdFusion9\verity\k2\_nti40\bin\k2index.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend\SProtect\StWatchDog.exe

C:\Program Files\Trend\SProtect\StOPP.exe

C:\Program Files\Trend\SProtect\SpntSvc.exe

C:\ColdFusion9\runtime\bin\jrun.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

D:\rap\Magic10\uniRQBroker.exe

D:\rap\Magic10\uniRTE.exe

D:\rap\Magic10\uniRTE.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\IBackup for Windows\IBackground_955.exe

C:\IBackup for Windows\IBWin Service_955.exe

C:\IBackup for Windows\IBMonitor.exe

C:\IBackup for Windows\IBackup_Web.exe

C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

c:\windows\system32\inetsrv\w3wp.exe

c:\windows\system32\inetsrv\w3wp.exe

C:\WINDOWS\regedit.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gamls.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gamls.com/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [iBWin Background process] "C:\IBackup for Windows\IBackground_955.exe"

O4 - HKLM\..\Run: [iBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O15 - ESC Trusted Zone: http://runonce.msn.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CE5A1A1B-62C5-4D1C-A23D-41322811B505}: NameServer = 10.10.10.19,205.152.37.23,205.152.144.23,205.152.132.23

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe

O23 - Service: ColdFusion 9 Solr Service (CF9Solr) - Acresso - C:\ColdFusion9\solr\solr.exe

O23 - Service: ColdFusion 9 .NET Service - Unknown owner - C:\ColdFusion9\jnbridge\CFDotNetsvc.exe

O23 - Service: ColdFusion 9 Application Server - Macromedia Inc. - C:\ColdFusion9\runtime\bin\jrunsvc.exe

O23 - Service: ColdFusion 9 ODBC Agent - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swagent.exe

O23 - Service: ColdFusion 9 ODBC Server - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swstrtr.exe

O23 - Service: ColdFusion 9 Search Server - Verity, Inc. - C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe

O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe

O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\EarthAgent.exe

O23 - Service: IBWin Service - Pro Softnet Corporation - C:\IBackup for Windows\IBWin Service_955.exe

O23 - Service: Magic 10 Broker - Magic Software Enterprises - D:\rap\Magic10\uniRQBroker.exe

O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe

O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE

O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe

--

End of file - 6244 bytes

Link to post
Share on other sites

As your statement seems to indicate that this is a business please contact corporate support and they will assist you with this.

Please fill out this form located --> Right HERE and someone from corporate support will get in contact with you.

Also make sure you have malwarebytes.org and salesforce.com in your Safe Sender list in email.

In order to assist you better please provide the following information when contacting them.

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

Thank you

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.