| Thread ID: 86263 | 2008-01-10 06:47:00 | Help wanted with HijackThis log please | brig (1359) | Press F1 |
| Post ID | Timestamp | User |
| 629082 | 2008-01-10 06:47:00 | brig (1359) |

I'm cleaning up a very sick PC for a friend. I've never seen such a mess of trojans and other junk. I've got it back into a reasonable state but am not entirely happy with it, so I ran HijackThis and got this log. Would Speedy or anyone else who knows how to deal with HijackThis please advise what needs attention?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:36 p.m., on 10/01/08
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it
O1 - Hosts: 213.21.215.158 mybank.bybank.it
O1 - Hosts: 213.21.215.158 ibank.internationalbanking.barclays.com
O1 - Hosts: 213.21.215.158 welcome7.co-operativebank.co.uk
O1 - Hosts: 213.21.215.158 welcome11.co-operativebankonline.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D3ABB358-7BDE-46B3-8A4E-5FF7AA5CAEFB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ABA07B0-379C-443C-9ED7-B5CE072DB03E}: NameServer = 203.109.252.42,203.109.252.43
O20 - Winlogon Notify: fccaa - C:\WINNT\System32\fccaa.dll (file missing)
O20 - Winlogon Notify: opnkjif - opnkjif.dll (file missing)
O20 - Winlogon Notify: winpgz32 - winpgz32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Control Task Manager - Unknown owner - C:\WINNT\system32\cvsys.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: hs7d2t9 - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)

--
End of file - 3700 bytes

Those 5 entries listed under "O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it" (and the others) look highly suspicious. What should I do with them? I had a lot of fun removing a very stubborn "virtumonde.generic", but it might be hiding under an alias? Is there anything else that needs removing?

Many thanks,
brig
| 629083 | 2008-01-10 07:03:00 | Speedy Gonzales (78) |

Well, once you tick these, I would update this computer sometime before it goes back on the internet.

Run HJT again, tick these entries, then tick "Fix checked". Close browser/s.

C:\WINNT\system32\svshost.exe

I would tick all of these:

O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it
O1 - Hosts: 213.21.215.158 mybank.bybank.it
O1 - Hosts: 213.21.215.158 ibank.internationalbanking.barclays.com
O1 - Hosts: 213.21.215.158 welcome7.co-operativebank.co.uk
O1 - Hosts: 213.21.215.158 welcome11.co-operativebankonline.co.uk
O2 - BHO: (no name) - {D3ABB358-7BDE-46B3-8A4E-5FF7AA5CAEFB} - (no file)
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O20 - Winlogon Notify: fccaa - C:\WINNT\System32\fccaa.dll (file missing)
O20 - Winlogon Notify: opnkjif - opnkjif.dll (file missing)
O20 - Winlogon Notify: winpgz32 - winpgz32.dll (file missing)
O23 - Service: hs7d2t9 - Unknown owner - C:\WINNT\system32\svshost.exe
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)

Install Trojan Remover (www.simplysup1.com). Update it, then click on Scan. Then select all options under the Utilities menu. Then boot into safe mode and delete these:

svshost.exe
opnkjif.dll
shost.exe
fccaa.dll
winpgz32.dll
shost.exe
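As an added check on the log posted above and on the fix list in this reply (example code written for this page; it is not HijackThis's own logic and not either poster's code), the script below walks the HJT lines and flags the patterns an analyst would tick first: hosts-file overrides that send several bank domains to one non-loopback address (the pharming pattern), a process name one character away from a core Windows binary (svshost.exe sitting beside the real svchost.exe), Winlogon Notify and BHO registrations whose file is gone, and services with no vendor or no binary. The sample input is a subset of the posted log plus one constructed 127.0.0.1 line to show the benign case; the KNOWN_SYSTEM list and the edit-distance threshold of 1 are assumptions. It does not judge the ICW RunOnce entry in the list above, which needs human context rather than a string rule.

```python
"""Heuristic triage of a HijackThis (HJT) v2 log.

Added example for this thread, not HijackThis's logic and not code from
either poster. The rules are an analyst's assumptions about what deserves
attention first; they are a starting point for reading the log, not a verdict.
"""
from __future__ import annotations

import ipaddress
import re

# Core Windows binaries that malware commonly imitates by name (assumed list).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Constructed sample: lines copied from the log posted in the thread, plus one
# benign "127.0.0.1 localhost" hosts line added here to show a non-finding.
SAMPLE_LOG = """\
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\system32\\svshost.exe
C:\\WINNT\\system32\\spoolsv.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it
O1 - Hosts: 213.21.215.158 ibank.internationalbanking.barclays.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx
O2 - BHO: (no name) - {D3ABB358-7BDE-46B3-8A4E-5FF7AA5CAEFB} - (no file)
O20 - Winlogon Notify: fccaa - C:\\WINNT\\System32\\fccaa.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
O23 - Service: Control Task Manager - Unknown owner - C:\\WINNT\\system32\\cvsys.exe (file missing)
O23 - Service: hs7d2t9 - Unknown owner - C:\\WINNT\\system32\\svshost.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
ENTRY_RE = re.compile(r"^(O\d+) - ")
# A running-process line is a bare path; capture the executable name.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.*\\([^\\]+\.exe)$", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> str | None:
    """Return the system binary a process name imitates, or None if it is
    either a genuine system name or not close to one."""
    name = name.lower()
    if name in KNOWN_SYSTEM:
        return None
    for known in KNOWN_SYSTEM:
        if edit_distance(name, known) == 1:
            return known
    return None


def triage(log_text: str) -> list[dict]:
    """Return a list of findings; each is {"section", "reason", "line"}."""
    findings = []
    hosts_by_ip: dict = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            target = lookalike_of(m.group(1))
            if target:
                findings.append({"section": "process",
                                 "reason": f"name imitates {target}", "line": line})
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                addr = None
            # Anything that is not loopback redirects a real site elsewhere.
            if addr is None or not addr.is_loopback:
                hosts_by_ip.setdefault(ip, []).append(host)
                findings.append({"section": "O1",
                                 "reason": f"hosts override sends {host} to {ip}", "line": line})
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section = m.group(1)
        if section == "O2" and "(no file)" in line:
            findings.append({"section": "O2", "reason": "orphaned BHO registration", "line": line})
        elif section == "O20" and "(file missing)" in line:
            findings.append({"section": "O20",
                             "reason": "Winlogon Notify DLL missing; stale persistence", "line": line})
        elif section == "O23" and ("Unknown owner" in line or "(file missing)" in line):
            findings.append({"section": "O23",
                             "reason": "service with no vendor or no binary", "line": line})
    # Several unrelated domains pinned to one non-loopback IP is the pharming pattern.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings.append({"section": "O1",
                             "reason": f"{len(hosts)} domains pinned to {ip}", "line": ip})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['line']}")
```

Feed the full log text to triage() to get the same list for any HJT v2 output. Two things the string rules cannot do and a practitioner still checks by hand: whether the hosts file itself is writable by the logged-on user (which is how the overrides got there), and whether an O10 Winsock LSP entry such as nwprovau.dll is a legitimate component, which needs the file's origin rather than its name.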
| 629084 | 2008-01-10 07:19:00 | Speedy Gonzales (78) |

Oops, and tick this entry as well:

O23 - Service: Control Task Manager - Unknown owner - C:\WINNT\system32\cvsys.exe (file missing)

And delete cvsys.exe in safe mode.
| 629085 | 2008-01-10 07:28:00 | brig (1359) |

> Oops, and tick this entry as well:
>
> O23 - Service: Control Task Manager - Unknown owner - C:\WINNT\system32\cvsys.exe (file missing)
>
> And delete cvsys.exe in safe mode.

Many thanks, Speedy. I did the fix of the HJT list from your 1st post and will do these others and everything else tomorrow. No, I won't connect this one to the net till I've done everything.

brig
| 629086 | 2008-01-10 07:33:00 | Speedy Gonzales (78) |

You'll need SP4 (www.microsoft.com), then the rollup (www.microsoft.com), and IE 6 SP1 (www.microsoft.com) if he uses IE 6 for most things. Then go to the Windows Update site and install the rest from there, after you tick the above entries and delete the above files in safe mode.

If he's still got the 2000 CD, I would make a slipstreamed CD with SP4 on it. It'll make things easier if he needs to format.
| 629087 | 2008-01-12 00:20:00 | brig (1359) |

> You'll need SP4 (www.microsoft.com), then the rollup (www.microsoft.com), and IE 6 SP1 (www.microsoft.com) if he uses IE 6 for most things. Then go to the Windows Update site and install the rest from there, after you tick the above entries and delete the above files in safe mode.
>
> If he's still got the 2000 CD, I would make a slipstreamed CD with SP4 on it. It'll make things easier if he needs to format.

All done now, and the PC returned to its owner, who doesn't have a clue what a mission it's been. It's times like this that I'm glad I don't do this professionally.

Thanks again for your help, Speedy.
| 629088 | 2008-01-12 01:13:00 | Speedy Gonzales (78) |

No worries :) Hopefully he keeps it up to date in the future.