• Content count

  • Joined

  • Last visited

About cauthent

  • Rank
    New Member
  1. I have a freshly built Windows 2003 Server (lastest Service Pack/fully updated). I am getting infection notices from my Trend Micro Server Protect with files that cannot be cleaned but are being deleled. The files are trying to be written to C:\Coldfusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotemp(long string of numbers).tmp with Trend Micro labeling the infection as either TROJ_INJECT.GIW or BKDR_IRCBOT.GIW. There is a new registry entry in the HKLM\Software\Microsoft\Windows\Run listed as UserFaultCheck %systemroot%\system32\dumprep 0 -u. All scans with Mlawarebytes are coming back clean (Quick, Flash, Full). I started a trial to take full advantage of the protection tools and yesterday was able under the Protection tab to fully protected. Late in the day, I noticed the icon for Malwarebytes missing from the system tray and opened the program to find the system had "Protection Partially Enabled" and "Enable malicious website blocking" was unchecked and could not be re-checked. Also there were two large protection log files (1.06 GB and 730 MB respectively) under C:\Documents and Settings\All Users\Application\Malwarebytes\Malwarebytes' Antimalware Logs that when opened were unreadable. I need help deciphering the log and more importantly ask for guidance on what to do next. Any thoughts would be greatly appreciated. Here is the Trend Micro HiJackThis log: Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 10:20:24 AM, on 3/28/2013 Platform: Windows 2003 SP2 (WinNT 5.02.3790) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cpqteam.exe C:\WINDOWS\system32\ctfmon.exe C:\ColdFusion9\solr\solr.exe C:\ColdFusion9\jnbridge\CFDotNetsvc.exe C:\ColdFusion9\jnbridge\JNBDotNetSide.exe C:\ColdFusion9\runtime\jre\bin\java.exe C:\ColdFusion9\db\slserver54\bin\swagent.exe C:\ColdFusion9\db\slserver54\bin\swstrtr.exe C:\ColdFusion9\db\slserver54\bin\swsoc.exe C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe C:\Program Files\Trend\SProtect\EarthAgent.exe C:\WINDOWS\System32\svchost.exe C:\compaq\survey\Surveyor.EXE C:\WINDOWS\system32\CpqRcmc.exe C:\WINDOWS\system32\sysdown.exe C:\ColdFusion9\verity\k2\_nti40\bin\k2server.exe C:\ColdFusion9\verity\k2\_nti40\bin\k2index.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend\SProtect\StWatchDog.exe C:\Program Files\Trend\SProtect\StOPP.exe C:\Program Files\Trend\SProtect\SpntSvc.exe C:\ColdFusion9\runtime\bin\jrun.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe D:\rap\Magic10\uniRQBroker.exe D:\rap\Magic10\uniRTE.exe D:\rap\Magic10\uniRTE.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\IBackup for Windows\IBackground_955.exe C:\IBackup for Windows\IBWin Service_955.exe C:\IBackup for Windows\IBMonitor.exe C:\IBackup for Windows\IBackup_Web.exe C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe c:\windows\system32\inetsrv\w3wp.exe c:\windows\system32\inetsrv\w3wp.exe C:\WINDOWS\regedit.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [iBWin Background process] "C:\IBackup for Windows\IBackground_955.exe" O4 - HKLM\..\Run: [iBWin Monitor] "C:\IBackup for Windows\IBMonitor.exe" Min O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user') O15 - ESC Trusted Zone: O17 - HKLM\System\CCS\Services\Tcpip\..\{CE5A1A1B-62C5-4D1C-A23D-41322811B505}: NameServer =,,, O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe O23 - Service: ColdFusion 9 Solr Service (CF9Solr) - Acresso - C:\ColdFusion9\solr\solr.exe O23 - Service: ColdFusion 9 .NET Service - Unknown owner - C:\ColdFusion9\jnbridge\CFDotNetsvc.exe O23 - Service: ColdFusion 9 Application Server - Macromedia Inc. - C:\ColdFusion9\runtime\bin\jrunsvc.exe O23 - Service: ColdFusion 9 ODBC Agent - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swagent.exe O23 - Service: ColdFusion 9 ODBC Server - Unknown owner - C:\ColdFusion9\db\slserver54\bin\swstrtr.exe O23 - Service: ColdFusion 9 Search Server - Verity, Inc. - C:\ColdFusion9\verity\k2\_nti40\bin\k2admin.exe O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINDOWS\system32\CpqRcmc.exe O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\EarthAgent.exe O23 - Service: IBWin Service - Pro Softnet Corporation - C:\IBackup for Windows\IBWin Service_955.exe O23 - Service: Magic 10 Broker - Magic Software Enterprises - D:\rap\Magic10\uniRQBroker.exe O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - C:\Program Files\Trend\SProtect\SpntSvc.exe O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe -- End of file - 6244 bytes