Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Remote Administrator server & more

Started by grizzly191 , May 11 2005 10:43 AM

  • Please log in to reply

#1
grizzly191
Posted 11 May 2005 - 10:43 AM

grizzly191

    New Member

  • Member
  • Pip
  • 1 posts
Hello all! Windows 2000 Server is running on this infected machine. I noticed that Remote Administrator server has been added to my toolbar though no icon appears for it, there's a blank space where the icon should be. IE's settings are all sorts of screwy becasue of the hijack and the hijacked settings keep replicating themselves after they've been changed. I am also getting a frequent fake notification from "Microsoft" that is telling me to fight spyware. The only listed website I could find in this "help" notification is http://www.pcspyremover.com.

Here is my log file and THANK YOU in advance to whomever answers my cry for help!!



Logfile of HijackThis v1.99.1
Scan saved at 12:28:05 PM, on 5/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\sysiy32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\winnt\system32\mcm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\sysyo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\PROGRA~1\MOZILL~1\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\rifix.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\rifix.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {98B066C4-E8CA-0E39-B771-CBC24ECE2AA6} - C:\WINNT\system32\winld32.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sysyo.exe] C:\WINNT\system32\sysyo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.171,24.92.226.172,24.92.226.173
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\sysiy32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Microsoft Console Manager (mcm) - Unknown owner - C:\winnt\system32\mcm.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: Svhost Service (Svhost) - Unknown owner - C:\WINNT\system32\tmp\svchost.exe (file missing)
O23 - Service: System Event log (System) - Unknown owner - C:\WINNT\system32\System.exe (file missing)

Edited by grizzly191, 11 May 2005 - 10:50 AM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP