Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Error #317 Microsoft Windows Security warning


  • Please log in to reply
1 reply to this topic

#1 jitsy

jitsy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 29 March 2005 - 01:25 AM

I am having spyware on my computer ,i receive "Error #317 Microsoft Windows Security warning " which shows my ports have been hijacked. And my home page changes to "http://www.hotoffers.info/185/".

This is my log.
Please help me.

------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:11:32 AM, on 3/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\slserver.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\RConnect\RConnectDialer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\YAHOO!\MESSENGER\YPager.exe
C:\Downloads\Software\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/185/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\SK\Application Data\Mozilla\Profiles\default\63e0queh.slt\prefs.js)
O1 - Hosts: 72.36.130.226 ibank.barclays.co.uk
O1 - Hosts: 72.36.130.226 online-business.lloydstsb.co.uk
O1 - Hosts: 72.36.130.226 online.lloydstsb.co.uk
O1 - Hosts: 72.36.130.226 www.halifax-online.co.uk
O1 - Hosts: 72.36.130.226 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 72.36.130.226 www.nwolb.com
O1 - Hosts: 72.36.130.226 banesnet.banesto.es
O1 - Hosts: 72.36.130.226 extranet.banesto.es
O1 - Hosts: 69.50.173.4 earthlink.net
O1 - Hosts: 69.50.173.4 www.earthlink.net
O1 - Hosts: 69.50.173.4 go.com
O1 - Hosts: 69.50.173.4 www.go.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\Run: [mIANi] C:\windows\temp\mIANi.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D43FF9ED-EF0A-4E1F-828E-163E987ADC8C}: NameServer = 202.138.97.193 202.138.96.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

BC AdBot (Login to Remove)

 


m

#2 picard_uk

picard_uk

  • Members
  • 123 posts
  • OFFLINE
  •  
  • Local time:05:44 PM

Posted 29 March 2005 - 05:57 PM

Hi jitsy,

Welcome to the forums.

I'd like you to download and install this free program
http://cleanup.stevengould.org/
On the downloads page you will find Cleanup312.exe
Install this but do NOT run it yet.

Run HiJackThis, scan and place a check mark next to the following
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/185/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserver.exe
O4 - HKLM\..\Run: [mIANi] C:\windows\temp\mIANi.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserver.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserver.exe


With all windows,and browser windows closed, including this one, hit "Fix checked"


Reboot, on restart, start in "Safe Mode".
How To
1. Restart the computer.
2. As the computer restarts, begin tapping the F8 key until the Windows XP startup menu appears.
3. Choose Safe mode from the startup menu, and then press Enter. Windows starts in Safe mode.


Show "Hidden files and folders".
How to
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
In the Advanced settings box, under the "Hidden files" folder, select Show hidden files and folders
Remove the check mark from "Hide protected operating system files (Recommended)".
Click Apply, and then click OK.

Find and delete the following (Note, only delete the items in bold)

slserver.exe<--File only
C:\WINDOWS\system32\syshost.exe

Run the cleanup utility you downloaded earlier. This will delete the contents of C:\Temp, Windows Temporary Folder, Temporary Internet Files, cookies, Recycle Bin etc.

Reboot normally.


I'd like you to run both of these online virus scans. Reboot between each scan.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm

Let them fix what they find.

Reboot.


Please download Ad-Aware SE from: http://www.lavasoft.de/support/download/
The personal version is free.
Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, you need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives

Click on the Advanced button on the left and select:
* Include additional process information
* Include additional file information
* Include environment information

Click the Tweak button and select:
* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
* Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.


If you haven't done so, please scan with Spybot Search and Destroy

1. Download and install Spybot S&D http://www.safer-networking.org/index.php?page=home, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see Mode. Make certain that default mode has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to Search for Updates and download and install the Updates.
5. Next click the button Check for Problems
6. When Spybot is complete, it will be showing RED entries BLACK entries and GREEN entries in the window
7. Make certain there is a check mark beside all of the RED entries ONLY.
8. Choose Fix Selected Problems and allow Spybot to fix the RED entries.
9. REBOOT to complete the scan.

Next, I'd like you to download and install SpywareBlaster by Javacool. This may help prevent the drive-by download of malware you seem to have experienced. The program is free and just needs to be updated now and again
http://www.javacoolsoftware.com/spywareblaster.html

Let me know how you get on.


Run HiJackThis, scan and post a fresh log file in your reply.



picard.
Every day's a school day.

ASAP Proud member since 2005 Alliance of Security Analysis Professionals




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users