A Hijack This LOG

Discussion in 'malware problems & news' started by Weber, Oct 9, 2003.

Thread Status:
Not open for further replies.
  1. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Logfile of HijackThis v1.97.2
    Scan saved at 16:18:04, on 9/10/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\resin-2.1.2\bin\httpd.exe
    C:\WINNT\system32\MSTask.exe
    C:\j2sdk1.4.0\bin\java.exe
    C:\PROGRA~1\Liquid\ServicoLiquid.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\system32\msmsgri32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\WINNT\System32\mdm.exe
    C:\WINNT\system32\CMD.exe
    F:\raizdoF\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.6343981481
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7194DDCF-E912-4ABC-804D-BC3F67A703E2}: NameServer = 192.168.0.30,192.168.0.1
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi Weber,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe

    Then reboot and delete:
    C:\WINNT\system32\msmsgri32.exe
    musirc4.71.exe

    and follow additional instructions here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
    and here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.q.html

    Regards,

    Pieter
     
  3. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Thanks Pieter :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Anytime, Weber. :)

    Regards,

    Pieter
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Too fast for me, I would have liked to see those samples :D
     
  6. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Hi Gavin,

    if i find that the machine is infected again, i'll try to send the files to you. what is the email address?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,133
    Location:
    New England
    Hi Weber,

    You can send those to submit@diamondcs.com.au and Gavin will get them. (It is best to put all the files in a ZIP or other archive for emailing.)
     
  8. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Hi,

    I sent the files...
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.