A Hijack This LOG

Discussion in 'malware problems & news' started by Weber, Oct 9, 2003.

Thread Status:
Not open for further replies.
  1. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Logfile of HijackThis v1.97.2
    Scan saved at 16:18:04, on 9/10/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\resin-2.1.2\bin\httpd.exe
    C:\WINNT\system32\MSTask.exe
    C:\j2sdk1.4.0\bin\java.exe
    C:\PROGRA~1\Liquid\ServicoLiquid.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\WINNT\system32\msmsgri32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\WINNT\System32\mdm.exe
    C:\WINNT\system32\CMD.exe
    F:\raizdoF\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37902.6343981481
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7194DDCF-E912-4ABC-804D-BC3F67A703E2}: NameServer = 192.168.0.30,192.168.0.1
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Weber,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
    O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe

    Then reboot and delete:
    C:\WINNT\system32\msmsgri32.exe
    musirc4.71.exe

    and follow additional instructions here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.d.html
    and here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.q.html

    Regards,

    Pieter
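To show how the O4 lines in a log like the one above can be triaged mechanically, here is an added Python example (not code from this thread or from HijackThis) that parses a constructed excerpt of the posted log and checks each autostart entry against the running-process list, flagging the Win9x-era RunServices key, the same program persisted under several keys, bare filenames that resolve to no running process, and display names unrelated to the executable. The function and reason names are this example's own assumptions.

```python
import re
from collections import Counter
# Constructed excerpt of the HijackThis log posted in this thread (process list and O4 lines).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\msmsgri32.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [MusIRC (irc.musirc.com) client] musirc4.71.exe
O4 - HKLM\..\RunServices: [MusIRC (irc.musirc.com) client] musirc4.71.exe
"""
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
def parse_hjt(text):
    """Return (set of running-process basenames, list of O4 entry dicts)."""
    procs, entries, in_procs = set(), [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            procs.add(line.rsplit("\\", 1)[-1].lower())
        elif (m := O4_RE.match(line)):
            entries.append(m.groupdict())
    return procs, entries
def exe_name(cmd):
    """Basename of the program in a Run value (quoted paths may contain spaces)."""
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return head.rsplit("\\", 1)[-1].lower()
def triage(text):
    """Map (key, name) of each O4 entry to the reasons it merits a closer look."""
    procs, entries = parse_hjt(text)
    uses = Counter(exe_name(e["cmd"]) for e in entries)  # keys launching each exe
    report = {}
    for e in entries:
        exe, reasons = exe_name(e["cmd"]), []
        stem, words = exe.rsplit(".", 1)[0], re.findall(r"[a-z0-9]+", e["name"].lower())
        if e["key"].endswith("RunServices"):  # Win9x-era key, unusual on Windows 2000
            reasons.append("registered under RunServices")
        if uses[exe] > 1:  # the same program persisted through several keys
            reasons.append("same executable under several autostart keys")
        if "\\" not in e["cmd"].split()[0] and exe not in procs:
            reasons.append("bare filename that matches no running process")
        if not any(w in stem or stem in w for w in words):
            reasons.append("display name unrelated to executable name")
        report[(e["key"], e["name"])] = reasons
    return report
```

On the sample, the two MusIRC entries are flagged on several counts while msmsgri32.exe is caught only by the name check; a scripted pass narrows the list but does not replace the file identification the reply above relied on.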
     
  3. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Thanks Pieter :D
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Anytime, Weber. :)

    Regards,

    Pieter
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Too fast for me, I would have liked to see those samples :D
     
  6. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Hi Gavin,

    If I find that the machine is infected again, I'll try to send the files to you. What is the email address?
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Hi Weber,

    You can send those to submit@diamondcs.com.au and Gavin will get them. (It is best to put all the files in a ZIP or other archive for emailing.)
     
  8. Weber

    Weber Registered Member

    Joined:
    Jun 16, 2003
    Posts:
    108
    Location:
    Porto Alegre - Brazil
    Hi,

    I sent the files...
     