
Registry Entry - UserFaultCheck %systemroot%\system32\dumprep 0 -u

UserFaultCheck TROJ_INJECT BKDR_IRCBOT

1 reply to this topic

#1 cauthent

    New Member

  • Members
  • 1 posts

Posted 28 March 2013 - 10:07 AM

I have a freshly built Windows 2003 Server (latest Service Pack/fully updated). I am getting infection notices from my Trend Micro Server Protect with files that cannot be cleaned but are being deleted. The files are trying to be written to C:\Coldfusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotemp(long string of numbers).tmp with Trend Micro labeling the infection as either TROJ_INJECT.GIW or BKDR_IRCBOT.GIW. There is a new registry entry in the HKLM\Software\Microsoft\Windows\Run listed as UserFaultCheck %systemroot%\system32\dumprep 0 -u. All scans with Malwarebytes are coming back clean (Quick, Flash, Full). I started a trial to take full advantage of the protection tools and yesterday was able, under the Protection tab, to get fully protected. Late in the day, I noticed the icon for Malwarebytes missing from the system tray and opened the program to find the system had "Protection Partially Enabled" and "Enable malicious website blocking" was unchecked and could not be re-checked. Also there were two large protection log files (1.06 GB and 730 MB respectively) under C:\Documents and Settings\All Users\Application\Malwarebytes\Malwarebytes' Antimalware Logs that when opened were unreadable. I need help deciphering the log and more importantly ask for guidance on what to do next. Any thoughts would be greatly appreciated. Here is the Trend Micro HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:20:24 AM, on 3/28/2013
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ColdFusion9\solr\solr.exe
C:\ColdFusion9\jnbridge\CFDotNetsvc.exe
C:\ColdFusion9\jnbridge\JNBDotNetSide.exe
C:\ColdFusion9\runtime\jre\bin\java.exe
C:\ColdFusion9\db\slserver54\bin\swagent.exe
C:\ColdFusion9\db\slserver54\bin\swstrtr.exe
C:\ColdFusion9\db\slserver54\bin\swsoc.exe
C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\Trend\SProtect\EarthAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\compaq\survey\Surveyor.EXE
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\sysdown.exe
C:\ColdFusion9\verity\k2\_nti40\bin\k2server.exe
C:\ColdFusion9\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\ColdFusion9\runtime\bin\jrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\rap\Magic10\uniRQBroker.exe
D:\rap\Magic10\uniRTE.exe
D:\rap\Magic10\uniRTE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\IBackup for Windows\IBackground_955.exe
C:\IBackup for Windows\IBWin Service_955.exe
C:\IBackup for Windows\IBMonitor.exe
C:\IBackup for Windows\IBackup_Web.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gamls.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gamls.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IBWin Background process] "C:\IBackup for Windows\IBackground_955.exe"
O4 - HKLM\..\Run: [IBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://runonce.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE5A1A1B-62C5-4D1C-A23D-41322811B505}: NameServer = 10.10.10.19,205.152.37.23,205.152.144.23,205.152.132.23
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: ColdFusion 9 Solr Service (CF9Solr) - Acresso - C:\ColdFusion9\solr\solr.exe
O23 - Service: ColdFusion 9 .NET Service - Unknown owner - C:\ColdFusion9\jnbridge\CFDotNetsvc.exe
O23 - Service: ColdFusion 9 Application Server - Macromedia Inc. - C:\ColdFusion9\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion 9 ODBC Agent - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swagent.exe
O23 - Service: ColdFusion 9 ODBC Server - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swstrtr.exe
O23 - Service: ColdFusion 9 Search Server - Verity, Inc. - C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\EarthAgent.exe
O23 - Service: IBWin Service - Pro Softnet Corporation - C:\IBackup for Windows\IBWin Service_955.exe
O23 - Service: Magic 10 Broker - Magic Software Enterprises - D:\rap\Magic10\uniRQBroker.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
--
End of file - 6244 bytes
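
The O4 lines in a HijackThis log are the machine's autorun entries in a fixed text format: hive, key, value name, then the command exactly as stored in the registry. Reading them by eye is error-prone, so the following is an added example (not code from the original post and not a Malwarebytes or Trend Micro tool) that parses those lines into a structured record and flags the command shapes an analyst should resolve before deciding what an entry is: no directory in the path (resolved through the search path), an environment variable that must be expanded, no file extension (supplied through PATHEXT), or an unquoted path containing spaces. The sample lines are copied from the log above; the AutorunEntry class, the flag names and the split logic are my own assumptions about how to present the data.

```python
"""Parse HijackThis O4 (autorun) lines and flag command shapes that deserve a second look."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: O4 lines copied from the HijackThis log posted in the
# thread, plus two non-O4 lines to show that the parser ignores them.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe
"""

# "O4 - <hive>[\<sid>]\..\<key>: [<name>] <command>[ (User '<user>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    exe: str
    args: str
    quoted: bool
    user: str | None
    flags: list[str] = field(default_factory=list)


def split_command(cmd: str) -> tuple[str, str, bool]:
    """Return (exe, args, quoted). A quoted first token is taken as the program;
    otherwise everything up to the first '.exe' is taken as the program, which is
    how an analyst reads the line (Windows itself tries each space-delimited
    prefix of an unquoted path, which is exactly why such paths get flagged)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip(), True
        return cmd[1:], "", True
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    exe, _, args = cmd.partition(" ")
    return exe, args.strip(), False


def review(entry: AutorunEntry) -> list[str]:
    """Flag command shapes whose real on-disk target is not fixed by the line itself."""
    flags: list[str] = []
    if "\\" not in entry.exe:
        flags.append("no_directory")   # found via the search path, not an absolute location
    if "%" in entry.exe:
        flags.append("env_expanded")   # location depends on an environment variable
    base = entry.exe.rsplit("\\", 1)[-1]
    if "." not in base:
        flags.append("no_extension")   # extension chosen via PATHEXT at launch
    if not entry.quoted and " " in entry.exe:
        flags.append("unquoted_space")  # classic unquoted-path ambiguity
    return flags


def parse_hjt_o4(text: str) -> list[AutorunEntry]:
    """Turn every O4 line in a HijackThis log into an AutorunEntry; other lines are skipped."""
    entries: list[AutorunEntry] = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args, quoted = split_command(m.group("cmd"))
        entry = AutorunEntry(m.group("hive"), m.group("key"), m.group("name"),
                             exe, args, quoted, m.group("user"))
        entry.flags = review(entry)
        entries.append(entry)
    return entries


def main() -> None:
    for e in parse_hjt_o4(SAMPLE_LOG):
        who = f" (user {e.user})" if e.user else ""
        print(f"{e.hive}\\{e.key}{who}: [{e.name}] exe={e.exe!r} args={e.args!r} flags={e.flags}")


if __name__ == "__main__":
    main()
```

A flag is a prompt to verify, not a verdict. The UserFaultCheck value pointing at dumprep 0 -u is, on Windows XP and Server 2003, the entry Windows Error Reporting itself writes after a user-mode fault, so the useful next step for an entry like that is to confirm that the file actually present at %systemroot%\system32\dumprep.exe matches a known-good copy, rather than to judge the registry line on its own; the same check applies to the bare cpqteam.exe entry, where the question is which directory on the search path the name resolves to.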

#2 Firefox

    Forum Deity

  • Trusted Advisors
  • 10,036 posts
  • Gender:Male
  • Location:USA

Posted 28 March 2013 - 10:47 AM

As your statement seems to indicate that this is a business, please contact corporate support and they will assist you with this.

Please fill out this form located --> Right HERE and someone from corporate support will get in contact with you.

Also make sure you have malwarebytes.org and salesforce.com in your Safe Sender list in email.


In order to assist you better, please provide the following information when contacting them.


Cleverbridge Order Reference Number:
Organization name:
Approved Contact name:


If you no longer have access to the order number, you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

Thank you

Dell Precision T7500, Win7 Ultimate 64bit fully updated, McAfee Corp Edition v8.8,
Watchguard Firewall, Intel Xeon E5606CPU, Dual Quad Core Processors, 16GB Ram,
E5606 @ 2.13GHz, Nvidia Quadro NVS420, Raid-1 Dual 1TB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE10, Opera, MBAM, MBSB, MBAE