#1
I think I've got a win2k machine hijacked :(
hey all,
I was hoping someone could advise me on the below HJT log. I recognise a few things that shouldn't be there but I wanted a second opinion on them!! Basically the problem with the machine is that it won't open webpages so I can't browse the web on it, and if it does browse the web it is VERY slow. Anyways, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 14:59:53, on 06/07/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\winpdg.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\program files\180searchassistant\salm.exe
C:\WINNT\System32\gah95on6.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINNT\twain_32\S6U12BX\WATCH.exe
C:\Documents and Settings\carrol\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: 213.199.246.103 ibank.barclays.co.uk
O1 - Hosts: 213.199.246.103 online-business.lloydstsb.co.uk
O1 - Hosts: 213.199.246.103 online.lloydstsb.co.uk
O1 - Hosts: 213.199.246.103 www.halifax-online.co.uk
O1 - Hosts: 213.199.246.103 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 213.199.246.103 www.nwolb.com
O1 - Hosts: 213.199.246.103 banesnet.banesto.es
O1 - Hosts: 213.199.246.103 extranet.banesto.es
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [Gtwatch] C:\WINNT\gtwatch.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows PDG] winpdg.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [lsb] C:\WINNT\lsb.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\System32\gah95on6.exe
O4 - HKLM\..\RunServices: [Windows PDG] winpdg.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\WINNT\twain_32\S6U12BX\WATCH.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12D2BD45-46AC-4FBB-B2C3-4AD1DF4E880D}: NameServer = 10.11.49.1
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe

thanks to anyone who can offer some advice to me!! RF
__________________
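A defender-side check for the most alarming part of that log: the O1 entries that point several banking domains at one external address. This is an added example, not code from the thread; it parses a constructed excerpt (three O1 lines copied from the posted log plus a benign loopback line) and flags any public, non-loopback IP that is collecting hostnames in the hosts file.

```python
"""Flag HijackThis O1 (hosts file) entries that redirect domains to a public IP.

Added example, not part of the thread. The 213.199.246.103 lines are copied
from the posted log; the 127.0.0.1 and O4 lines are constructed as controls.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of a HijackThis log (see module docstring).
SAMPLE_LOG = "\n".join([
    "O1 - Hosts: 213.199.246.103 ibank.barclays.co.uk",
    "O1 - Hosts: 213.199.246.103 online.lloydstsb.co.uk",
    "O1 - Hosts: 213.199.246.103 www.nwolb.com",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O4 - HKLM\\..\\Run: [lsb] C:\\WINNT\\lsb.exe",
])

# "O1 - Hosts: <ip> <hostname>" is the only line shape this check cares about.
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts_entries(log_text):
    """Return (ip, hostname) pairs for every O1 line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def suspicious_hosts_entries(entries):
    """Map each public, non-loopback IP to the hostnames it captures.

    A hosts file normally points names at 127.0.0.1 (blocklists) or at LAN
    addresses. A routable address that collects bank domains means those names
    now resolve to a server the machine owner never chose.
    """
    by_ip = defaultdict(list)
    for ip, host in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed IP field; nothing to judge
        if addr.is_loopback or addr.is_private:
            continue
        by_ip[ip].append(host)
    return dict(by_ip)


if __name__ == "__main__":
    for ip, hosts in suspicious_hosts_entries(parse_hosts_entries(SAMPLE_LOG)).items():
        print(f"{ip} captures {len(hosts)} host(s): {', '.join(hosts)}")
```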
#2
Anyone at all????
#3
Sorry RadioActive frog, thanks for the patience. I'll have a look over your log and post back in a while.
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog
Never argue with fools. They will bring you down to their level and beat you with experience.
Manchester United Forever
#4
Thanks oneMSBi, that would be much appreciated. RF
#5
Hi radioactivefrog,

Ok you do have malware and adware on your system. First off, I'll give you a list of Programs/Tools I would like you to download from the URLs given alongside the Program/Tool. Then below are the instructions I would like you to carry out. You might want to print out these instructions or write them down for reference.

==============================================================================

Ok please obtain the following:

Ad-Aware SE: http://www.lavasoftusa.com/software/adaware/
Spybot Search & Destroy: http://www.safer-networking.org/ (I notice you have this already, but please get the latest version if available or update it as necessary)
180 Search Adware Removal Tool by Symantec: http://securityresponse.symantec.co...er/Fix180Sh.exe
Microsoft Malicious Software Removal Tool: http://www.microsoft.com/downloads/...&displaylang=en

Please also download Pocket Killbox from the link given below. Do not use it for now. We will use it to delete stubborn files if necessary.
http://www.bleepingcomputer.com/files/killbox.php

==============================================================================

Please update and install both Ad-Aware and Spybot. But do not run the scans yet.

Please close any open Windows Explorer and Internet Explorer windows.

Ok now I would like you to navigate to your Control Panel > Add/Remove Programs, and from the list of programs present please select and uninstall the following software if present:
Media Access
180Search Assistant

Now I would like you to immediately reboot to safe mode. If you do not know how to do this you can find out at the link below:
http://www.xtra.co.nz/help/0,,6156-1377929,00.html#4

Once you are in safe mode I would like you to run the Microsoft Malicious Software Removal Tool by just clicking the file you downloaded. In the window that opens please select Next, and follow the instructions from there. At the end it will give you an option to view a report. Please copy and paste that report into a Notepad file and post the report here later.

Now please run the 180 Search Adware Removal Tool I asked you to download from Symantec while in safe mode.

Now please run HijackThis while still in safe mode, and place a check next to the following entries (do not be alarmed if they do not exist).

Quote:

Click the Fix button in HijackThis. If HijackThis asks you to restart, please say yes, but reboot into safe mode only.

Make sure all Windows Explorer windows are closed, then go to Start > Run and type Regedit. Please navigate to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control
In the right pane, set the value:
"LoginSessionDisable" = "0"

Now navigate to the following registry keys and delete them if they exist. Do not be alarmed if they do not exist.

Quote:

Now please navigate to the following folder C:\Program Files\ and delete the following folders if present:
Media Access
180searchassistant

Please navigate to the following folder C:\WINNT\System32\ and delete the following files if they exist:
gah95on6.exe
winpdg.exe

Look for and delete MSBB.EXE using Windows Search. If it does not exist, do not worry.

IF YOU CANNOT DELETE ANY FILE MARKED FOR REMOVAL SO FAR: install and run Killbox and click the radio button that says "Delete a file on reboot". For each of the files (NOT REGISTRY ENTRIES) you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes. Please reboot into safe mode only.

Now while in safe mode please run the Ad-Aware and Spybot scans. Fix any items they report.

Please reboot into Windows normally now, and scan with HijackThis. Save a log and post the log into your next post along with the Microsoft log I asked for earlier.

A question and a couple of tasks I'd like you to do as well:
* Do you use a network printer of any sort with this machine?

I would like you to submit the following two files at the site mentioned below for scanning as I suspect they are malware. Please treat the files with caution, and do not click them.
Website: http://virusscan.jotti.org/
Files to submit:
* C:\WINNT\lsb.exe
* c:\windows\System32\internat.exe

Please post and let me know what the results of the scan of these two files are.

Cheers

Last edited by oneMSBi : July 8th, 2005 at 02:43 PM.
#6
Just to add a small note: I think you have copy-pasted your original HijackThis log slightly wrong. The following line did not seem quite right.

Quote:
#7
I have checked the log and that is what it says anyway. I will be back at that machine tomorrow hopefully, so I will try all that then. Thanks very very much for all the suggestions. RF
#8
Ummm... I'm checking on this. Must be my mistake then. Sorry.
#9
Please check the link I posted to the Microsoft download. I just changed it. The old link was not working. Sorry for the mistake.
#10
No worries, I haven't been able to get at the computer yet. It is our church computer but I can't get hold of anyone with a key!!! Doh!! Cheers RF
#11