
second pc on network infected



#1 pinman


Posted 12 April 2008 - 02:05 PM

Hi, after just recently disinfecting my laptop I ran a scan on one of my networked PCs. The PC is used as a fileserver/P2P downloader and no web surfing at all, which is why I didn't bother setting up any virus or spyware defences on it. I only ever connect to it using Remote Desktop (which is never that swift even on my wired network) or use files via the network shared data partition. As such I can't really tell how the PC behaves in normal operation, but Kaspersky online scan found:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 9:01:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 699912
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 13882
Number of viruses found: 1
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:59:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\server-pc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\server-pc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\server-pc\NTUSER.DAT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003865.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003866.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003867.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003868.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
C:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5620BDC1-5EAB-470A-A8BD-2E74F9101235}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file01 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file02 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file03 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe/file04 Infected: not-a-virus:Server-FTP.Win32.Serv-U.6404 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\A0003874.exe Inno: infected - 4 skipped
D:\System Volume Information\_restore{4E6B3553-DD1F-46C1-ADBE-74318D927658}\RP36\change.log Object is locked skipped

Scan process completed.

The scan above seems to indicate that the problem is with u-serve ftp client, which I uninstalled. I deleted all files from that program, then re-ran the scan and got the result above.

My HijackThis log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:01, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab

--
End of file - 1801 bytes

Well, just disabled System Restore and now no threats detected. Also, locked objects from previous scans have disappeared. Seems as though I must have misread logs lol
