A Hijack This LOG

Discussion in 'malware problems & news' started by Weber, Oct 9, 2003.

Thread Status:
Not open for further replies.
  1. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    Logfile of HijackThis v1.97.2
    Scan saved at 16:18:04, on 9/10/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\resin-2.1.2\bin\httpd.exe
    C:\WINNT\system32\MSTask.exe
    C:\j2sdk1.4.0\bin\java.exe
    C:\PROGRA~1\Liquid\ServicoLiquid.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\system32\msmsgri32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\WINNT\System32\mdm.exe
    C:\WINNT\system32\CMD.exe
    F:\raizdoF\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.6343981481
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7194DDCF-E912-4ABC-804D-BC3F67A703E2}: NameServer = 192.168.0.30,192.168.0.1
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Weber,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe

    Then reboot and delete:
    C:\WINNT\system32\msmsgri32.exe
    musirc4.71.exe

    and follow additional instructions here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
    and here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.q.html

    Regards,

    Pieter
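
The three entries Pieter singled out can also be picked out mechanically. The following is an added Python triage example (not HijackThis code, and not from anyone in this thread) that parses the registry O4 lines of the log above and scores each with the rules a responder applies by eye: a bare filename resolved through PATH, a display name that advertises an IRC host, a display name unrelated to its executable, and a RunServices entry on an NT-family platform (only Windows 9x/Me honours that key). The weights, the threshold and the small allowlist of benign bare names are assumptions tuned to this log.

```python
import ntpath
import re

# Constructed sample: the platform line and the O4 entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
"""
# Constructed baseline: bare-name autoruns known to be benign on this build (Novell tray, input locale).
KNOWN_BARE_NAMES = {"nwtray.exe", "internat.exe"}
O4_REGISTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")

def parse_o4(line):
    """Return {hive, key, name, exe, line} for a registry O4 line, None for anything else."""
    m = O4_REGISTRY.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]  # quoted path or first word
    return {"hive": hive, "key": key, "name": name, "exe": exe, "line": line.strip()}

def score_entry(entry, nt_family):
    """Weighted by-eye rules a responder applies to one autorun; returns (score, reasons)."""
    base = ntpath.basename(entry["exe"])
    stem = ntpath.splitext(base)[0].lower()
    tokens = re.findall(r"[a-z0-9]{3,}", entry["name"].lower())
    rules = [  # (weight, reason, hit) -- weights are an assumption tuned to this log
        (1, "bare filename, resolved via PATH at logon", base == entry["exe"] and base.lower() not in KNOWN_BARE_NAMES),
        (1, "entry name advertises an IRC host", bool(re.search(r"\birc\.[\w.-]+", entry["name"], re.I))),
        (2, "entry name shares no token with its executable", not any(t in stem or stem in t for t in tokens)),
        (2, "RunServices key on an NT-family platform (only Win9x/Me honours it)", nt_family and entry["key"].startswith("RunServices")),
    ]
    return sum(w for w, _, hit in rules if hit), [why for _, why, hit in rules if hit]

def triage(log_text, threshold=2):
    """Registry autoruns scoring >= threshold, highest first, each with its reasons."""
    nt_family = "WinNT" in log_text  # taken from the Platform: line HijackThis writes
    flagged = []
    for entry in filter(None, map(parse_o4, log_text.splitlines())):
        score, reasons = score_entry(entry, nt_family)
        if score >= threshold:
            flagged.append({"line": entry["line"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])
```

Run against the sample it returns exactly the three lines Pieter listed, with the RunServices entry scoring highest; entries like Global Startup shortcuts are deliberately left to manual review.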
     
  3. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    Thanks Pieter :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Anytime, Weber. :)

    Regards,

    Pieter
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Too fast for me, I would have liked to see those samples :D
     
  6. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    Hi Gavin,

    If I find that the machine is infected again, I'll try to send the files to you. What is the email address?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi Weber,

    You can send those to submit@diamondcs.com.au and Gavin will get them. (It is best to put all the files in a ZIP or other archive for emailing.)
     
  8. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    107
    Location:
    Porto Alegre - Brazil
    Hi,

    I sent the files...
     