HijackThis Log: Please help Diagnose


5 replies to this topic

#1 muhl
Posted 26 March 2005 - 05:57 PM

Hello,

Here is my HijackThis log. This is on a Windows 2000 server running SP4. I have been battling this for two days solid. Samsungs.exe and ringtunes.exe are returning no matter what I try. I can't even kill them with the HijackThis "Kill Process" command. I have the following files in WINNT\System32:

mt-uninstaller.exe - I think this is also spyware, but am not sure.
samsungs.exe
o (whatever that is)

Ringtunes.exe keeps coming back to C:\

Any help and/or advice would be greatly appreciated.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:52:29 PM, on 3/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Cisco\PIX Firewall Manager\pixservi.exe
C:\Program Files\Cisco\PIX Firewall Manager\pixmserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\Samsungs.exe
C:\ringtunes.exe
C:\WINNT\system32\mt-uninstaller.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\ringtunes.exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Samsung] Samsungs.exe
O4 - HKLM\..\Run: [REGRUN] C:\ringtunes.exe
O4 - HKLM\..\RunServices: [Samsung] Samsungs.exe
O4 - HKCU\..\Run: [YBx7RWJ5W] usp0_qc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c139.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://proxymed.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoldSync Service (GMService) - Unknown owner - \\nafs2\applications\Apps\Goldmine\gmw6.exe (file missing)
O23 - Service: Intel PDS - Unknown owner - C:\WINNT\System32\cba\pds.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PIX Firewall Manager Server (pixmservice) - Unknown owner - C:\Program Files\Cisco\PIX Firewall Manager\pixservi.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: Vineyard Inventory (vineinv) - Proverbs, LLC - C:\WINNT\vineinv.exe


#2 Grinler (Lawrence Abrams), Admin
Posted 27 March 2005 - 03:10 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Samsung] Samsungs.exe
O4 - HKLM\..\Run: [REGRUN] C:\ringtunes.exe
O4 - HKLM\..\RunServices: [Samsung] Samsungs.exe
O4 - HKCU\..\Run: [YBx7RWJ5W] usp0_qc.exe
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c139.cab
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)



Then delete these files or directories (Do not be concerned if they do not exist)

C:\Program Files\ISTbar\
c:\winnt\system32\Samsungs.exe
C:\ringtunes.exe
c:\winnt\system32\usp0_qc.exe


Reboot your computer to go back to normal mode and post a new log.

#3 muhl (Topic Starter)
Posted 22 April 2005 - 03:32 PM

Grinler,

Sorry I haven't responded sooner - I have been out for a while. Thanks for all of your help. The server seems to be back to normal after I followed your instructions. Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:27 PM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Cisco\PIX Firewall Manager\pixservi.exe
C:\Program Files\Cisco\PIX Firewall Manager\pixmserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\mmc.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://proxymed.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = keycom.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: Domain = keycom.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{01BF384F-92E0-46DF-A510-4D7914DC1EF9}: NameServer = 192.168.70.40,192.168.40.40
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoldSync Service (GMService) - Unknown owner - \\nafs2\applications\Apps\Goldmine\gmw6.exe (file missing)
O23 - Service: Intel PDS - Unknown owner - C:\WINNT\System32\cba\pds.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PIX Firewall Manager Server (pixmservice) - Unknown owner - C:\Program Files\Cisco\PIX Firewall Manager\pixservi.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: Vineyard Inventory (vineinv) - Proverbs, LLC - C:\WINNT\vineinv.exe

Thanks again.

P.S. The C:\WINNT\system32\r_server.exe" /service (file missing) is legitimate software we use for remote access.
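The entries Grinler picked out in post #2, and the before/after comparison that the new log in post #3 invites, can be mechanised. What follows is an added example, not code from the thread and not part of HijackThis: a small Python triage script that parses the "Oxx - ..." lines, applies a few heuristics of its own (a bare filename or a drive-root path in an O4 Run entry, any O13 or O15 entry, an O16 ActiveX download from a host outside an analyst-supplied allowlist, an O23 service with no vendor or a missing binary) and then diffs the two logs. The allowlist of support.dell.com and proxymed.webex.com, the severity labels and the constructed log excerpts are all assumptions of this example.

```python
"""Triage a HijackThis log and diff it against a follow-up log.

Added example for the thread above; the heuristics are this script's own,
not HijackThis rules and not the forum helper's method.
"""
import re
from urllib.parse import urlparse

# Assumption: the analyst trusts ActiveX (O16) downloads from these hosts.
# They are the two O16 entries the helper left alone in the thread.
ALLOWED_DPF_HOSTS = {"support.dell.com", "proxymed.webex.com"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - body"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")  # hive, key, name, cmd
URL_RE = re.compile(r"https?://\S+")

# Constructed excerpts of the 26 March and 22 April logs (not the full logs).
LOG_BEFORE = r"""
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Samsung] Samsungs.exe
O4 - HKLM\..\Run: [REGRUN] C:\ringtunes.exe
O4 - HKLM\..\RunServices: [Samsung] Samsungs.exe
O4 - HKCU\..\Run: [YBx7RWJ5W] usp0_qc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...Bridge-c139.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""


def parse(log):
    """Return [(code, body)] for every 'Oxx - ...' / 'Rx - ...' line."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(log):
    """Return [(code, severity, reason, body)] for entries worth a look."""
    findings = []
    for code, body in parse(log):
        if code == "O3" and "(file missing)" in body:
            findings.append((code, "fix", "toolbar whose DLL is gone", body))
        elif code == "O4":
            m = O4_RE.match(body)            # Global Startup lines do not match
            if m:
                cmd = m.group(4).strip().strip('"')
                if "\\" not in cmd and "/" not in cmd:
                    findings.append((code, "review", "bare filename, found via search path", body))
                elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", cmd):
                    findings.append((code, "review", "executable sitting in a drive root", body))
        elif code == "O13":
            findings.append((code, "review", "IE DefaultPrefix entry", body))
        elif code == "O15":
            findings.append((code, "fix", "site added to the Trusted Zone", body))
        elif code == "O16":
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in ALLOWED_DPF_HOSTS:
                findings.append((code, "fix", f"ActiveX download from {host}", body))
        elif code == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((code, "review", "service with no vendor or missing binary", body))
    return findings


def diff_logs(before, after):
    """Entries present in one log but not the other, order preserved."""
    b = [f"{c} - {body}" for c, body in parse(before)]
    a = [f"{c} - {body}" for c, body in parse(after)]
    return [e for e in b if e not in a], [e for e in a if e not in b]


if __name__ == "__main__":
    for code, sev, reason, body in triage(LOG_BEFORE):
        print(f"[{sev:6}] {code}: {reason}\n         {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries gone after cleanup, {len(added)} new")
    for e in removed:
        print("  -", e)
```

On the 26 March excerpt the script produces ten review candidates, three of which (ISTbar, the contentmatch.net Trusted Zone entry, the windupdates.com cab) it marks for removal outright; the diff reports eight entries gone from the 22 April log and none added. The bare-filename heuristic also catches PROMon.exe and the service heuristic catches r_server, both of which turned out to be legitimate in this thread, so the output is a worklist for a human to confirm, not a verdict, which is exactly how r_server was handled in post #3 and post #4.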

#4 Grinler (Lawrence Abrams), Admin
Posted 22 April 2005 - 04:06 PM

OK, glad to know you installed r_server yourself. Looks good to me... still having problems?

#5 muhl (Topic Starter)
Posted 25 April 2005 - 09:24 AM

No, everything seems to be back to normal. Thanks again for all of your help.

Mark

#6 Grinler (Lawrence Abrams), Admin
Posted 25 April 2005 - 10:18 AM

Your log is clean! Great job!

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure no infected files are kept in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help.



