Hijack This Log, Please Help Diagnose
1 reply to this topic

#1 tareland31

  • Members
  • 31 posts

Posted 11 November 2004 - 02:14 PM

Logfile of HijackThis v1.98.2
Scan saved at 3:12:50 AM, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
c:\sh.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mcisvn.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ICF Routing Client] wicfcl.exe
O4 - HKLM\..\Run: [mcisvn] C:\WINDOWS\system32\mcisvn.exe
O4 - HKLM\..\RunServices: [ICF Routing Client] wicfcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095216456831
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/insaniqua...aploader_v6.cab

#2 illukka

  • Security Colleague
  • 2,858 posts

Posted 12 November 2004 - 02:24 AM

Hi,

Can you send me the file C:\WINDOWS\system32\mcisvn.exe?

First, enable showing of system and hidden files:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Locate it (C:\WINDOWS\system32\mcisvn.exe).
Zip the file and password-protect it (see: How do I create a password-protected zip file).
Send it as an attachment to illukka@nospamdslr.net (remove "nospam" from the address).
Put "Bleeping Computer" as the subject.
Include in the mail a link to this thread, and also include the password (I suggest using the word "infected" as the password).

After sending it, let's Killbox it:

Click on this link http://www.downloads.subratam.org/KillBox.zip to download TheKillbox by Option^Explicit. Extract it from the zip file. Now double-click on Killbox.exe to run it. In the drop-down menu next to the yellow triangle, scroll until you see C:\WINDOWS\system32\mcisvn.exe and select it. Click the yellow triangle and click Yes that you want to end the task.
In the 'Paste Full Path of File to Delete' box, copy and paste this entry:
C:\WINDOWS\system32\mcisvn.exe


Next, click on the Action menu and choose "Delete on Reboot". Click the button with the red circle with a white X in it. Close Killbox.

As the machine boots back up from the Killbox part of this fix, boot into Safe Mode by tapping F8 at boot, then use the up/down arrows to select Safe Mode.

While in Safe Mode:
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll

O4 - HKLM\..\Run: [ICF Routing Client] wicfcl.exe
O4 - HKLM\..\Run: [mcisvn] C:\WINDOWS\system32\mcisvn.exe
O4 - HKLM\..\RunServices: [ICF Routing Client] wicfcl.exe


Reboot back to Normal Mode and post a fresh HijackThis log!

Edited by illukka, 12 November 2004 - 02:28 AM.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
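The following is an added example written for this editorial pass; it is not code from the thread, from HijackThis, or from the posted fix. It parses a constructed subset of the log lines posted above, applies a few triage heuristics that are this example's own rather than HijackThis logic (bare filenames resolved through the PATH search, the Win9x-era RunServices key, a BHO registered without a name, an about:blank IE page, a process running from the drive root, plus the one value name the reply singles out by hand, mcisvn), and then writes a .reg file that deletes the flagged autostart values and the BHO's registration. That .reg file is the registry side of what the reply's "Fix checked" step does; the .reg layout and the choice to delete values rather than restore defaults are this example's assumptions, and the files on disk still have to be removed separately, as the reply does with Killbox.

```python
"""Triage a HijackThis 1.98 log and write a .reg file undoing the flagged autostarts."""
import re
from collections import defaultdict

# Constructed test input: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
c:\sh.exe
C:\WINDOWS\system32\mcisvn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICF Routing Client] wicfcl.exe
O4 - HKLM\..\Run: [mcisvn] C:\WINDOWS\system32\mcisvn.exe
O4 - HKLM\..\RunServices: [ICF Routing Client] wicfcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Value names the analyst singled out by hand (the reply asks for mcisvn.exe);
# a heuristic cannot tell an unknown system32 binary from a legitimate one.
ANALYST_SUSPECT_NAMES = {"mcisvn"}

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
BHO_BASE = RUN_BASE + r"\Explorer\Browser Helper Objects"

R_RE = re.compile(r"^R[01] - (HKLM|HKCU)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")


def triage(log_text):
    """Return (findings, entries): findings are (log line, reason) pairs for a
    human to review; entries are (kind, hive, key, name, data, line) tuples for
    every R/O2/O4 line, used to build the remediation .reg file."""
    findings, entries = [], []
    o4_lines = defaultdict(list)          # value name -> log lines using it
    for line in (l.strip() for l in log_text.splitlines()):
        if PROC_RE.match(line):
            if re.fullmatch(r"[A-Za-z]:\\[^\\]+", line):
                findings.append((line, "process running from the drive root"))
        elif m := R_RE.match(line):
            hive, key, name, data = m.groups()
            entries.append(("R", hive, key, name, data, line))
            if data.lower() == "about:blank":
                findings.append((line, "IE page set to about:blank (hijack marker)"))
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            entries.append(("O2", "HKLM", clsid, name, path, line))
            if name == "(no name)":
                findings.append((line, "BHO registered without a name"))
        elif m := O4_RE.match(line):
            hive, key, name, command = m.groups()
            entries.append(("O4", hive, key, name, command, line))
            o4_lines[name].append(line)
            # Quoted path -> take the quoted part; otherwise the first token.
            exe = command.split('"')[1] if command.startswith('"') else command.split()[0]
            if "\\" not in exe:
                findings.append((line, "bare filename, resolved through the PATH search"))
            if key.startswith("RunServices"):
                findings.append((line, "RunServices is a Win9x-era key, unusual on XP"))
            if name in ANALYST_SUSPECT_NAMES:
                findings.append((line, "analyst-flagged: unknown binary, sample requested"))
    for lines in o4_lines.values():
        if len(lines) > 1:
            for line in lines:
                findings.append((line, "same value name in more than one autostart key"))
    return findings, entries


def remediation_reg(findings, entries):
    """Build a .reg file removing every flagged R/O2/O4 entry. Values are deleted
    ("name"=-) rather than rewritten so IE falls back to the HKLM defaults; the
    BHO key and its CLSID registration go too. Files on disk need separate removal."""
    flagged = {line for line, _ in findings}
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, hive, key, name, _data, line in entries:
        if line not in flagged:
            continue
        if kind == "R":
            out += [f"[{HIVES[hive]}\\{key}]", f'"{name}"=-', ""]
        elif kind == "O4":
            out += [f"[{HIVES[hive]}\\{RUN_BASE}\\{key}]", f'"{name}"=-', ""]
        elif kind == "O2":
            out += [f"[-{HIVES[hive]}\\{BHO_BASE}\\{key}]", "",
                    f"[-HKEY_CLASSES_ROOT\\CLSID\\{key}]", ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found, parsed = triage(SAMPLE_LOG)
    for line, reason in found:
        print(f"{reason:55} {line}")
    print(remediation_reg(found, parsed))
```

Run against the full log posted above, the bare-filename check will also flag OEM entries such as SOUNDMAN.EXE and AGRSMMSG.exe; those findings are review candidates, not verdicts, which is why the analyst's hand-picked names are kept separate from the heuristics. The generated .reg is meant to be read and trimmed before it is imported, and the running process (mcisvn.exe) must be stopped first or the Run value is simply recreated by nothing but the file itself is still on disk for the next boot.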