Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis log: PLease help diagnose


  • Please log in to reply
4 replies to this topic

#1 clarek

clarek

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 19 November 2004 - 06:00 AM

Logfile of HijackThis v1.98.2
Scan saved at 10:49:22, on 19/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\WINDOWS\System32\crsss.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://oca.microsoft.com/resredir.asp?SID=...=6597&LCID=1033
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk

BC AdBot (Login to Remove)

 


#2 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:42 PM

Posted 19 November 2004 - 08:20 AM

Greetings clarek.

Looking it over. Will be back to you soon.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#3 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:42 PM

Posted 19 November 2004 - 11:53 AM

Go to your list of running processes using CTRL>ALT>DEL Locate these processes and end them
Crsss.exe<-----this process
SED.exe<-----this process

Please download LSPFix HERE
*Run it
*Check the box next to "I know what I'm doing".
*Click on all instances of aklsp.dll only
*Then click the right-pointing arrows ( >> ) to send aklsp.dll to the Remove pane.
*Click Finish

Using Windows Explore, navigate to and find and delete these files and or folders in bold
C:\Windows\System32\aklsp.dll<-----this file
C:\Windows\System32\crsss.exe<-----This file
C:\Program Files\SED<-----this folder

Reboot

Use HijackThis to run another scan.

Please place a check mark for these entries in HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe

With ALL windows and browsers CLOSED, including this one, click "Fix checked"

Reboot

Download a free copy of Ad-Aware SE HERE
After installing, run it and click on the Globe and download the latest updates.

Reconfigure Ad-Aware SE for a custom scan:

Launch the program, and click on the Gear at the top of the start screen.

Under "General Settings" all available options should be selected.

Click the "Scanning" button.
Under "Drives, Folders and Files," select "Scan within Archives".
Click "Drives and folders to scan" and select your installed hard drives.
Under "Memory & Registry," select all options.

Click the "Advanced" button.
Under "Logfile detail level," select all options.

Click the "Defaults" button.
If you want to keep your current settings for your homepage and searchpage,
select "Read current settings from system." Otherwise, Ad-aware will reset them.

Click the "Tweak" button.
Under "Scanning Engine," select the following:
"Unload recognized processes during scanning."
Under "Cleaning Engine," select the following:
"Always try to unload modules before deletion."
"During removal unload Explorer and IE if necessary."
"Let Windows remove files in use after reboot."
Click on "Proceed" to save these Preferences.

Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed.

Reboot

Please post a fresh HJT log for further review
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#4 clarek

clarek
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 22 November 2004 - 04:08 AM

Thanks

I couldn't delete aklsp.dll and crsss.exe wasn't listed. I keep getting various virus warning on the screen. Log below

Logfile of HijackThis v1.98.2
Scan saved at 09:02:29, on 22/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://oca.microsoft.com/resredir.asp?SID=...=6597&LCID=1033
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100865564102
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = drg_norwich.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = drg_norwich.co.uk

Thanks for your help. I am now having the same problems on 4 of our other machines in the office

#5 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:42 PM

Posted 22 November 2004 - 07:46 PM

Good news is the hostile files are now no longer loading at at startup. For the files you couldn't delete or find, let's try this.

Reboot to Safe Mode
While your computer is starting up, tap the F8 repeatedly then choose Safe Mode from the menu.

Reconfigure Windows Explorer to show Hidden Files:

*Open the Windows Explorer | Tools | Folder Options - View
*Scroll down to the "Files and Folders" section.
*Select: "Display the contents of system folders".
*Scroll down to the "Hidden Files and Folders" section.
*Select: "Show hidden files and folders", Ok the prompt
*Uncheck: "Hide file extensions for known file types"
*Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply
*Click the "Apply to all Folders" button.

Using Windows Explore, navigate to and find and delete these files and or folders in bold
C:\Windows\System32\aklsp.dll<-----this file
C:\Windows\System32\crsss.exe<-----This file

You have picked up a few more pests since your last log.
Go to Add/Remove Programs and uninstall NaviSearch

Concerning your statement "I keep getting various virus warning on the screen"
Let's see what these free on line scans will cough up:

Please download and run this free 30 day trial version of Trojan Hunter HERE let it fix anything it finds.

Please run this "free" Panda Online Scan HERE let it fix anything it finds.

Please save the logs from both scans in case I need to review them later.

Please let me know if warnings continue to pop-up after the scans and include the exact wording of those warnings.

We can tackle the logs from your other computers once we get this one cleaned up and have added some things that will harden your computer against future attacks.

Edited by Indrid_Cold, 22 November 2004 - 07:53 PM.

Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users