Remote Administrator server & more

#1 grizzly191, New Member (1 post)
Hello all! Windows 2000 Server is running on this infected machine. I noticed that Remote Administrator server has been added to my toolbar though no icon appears for it; there's a blank space where the icon should be. IE's settings are all sorts of screwy because of the hijack, and the hijacked settings keep replicating themselves after they've been changed. I am also getting a frequent fake notification from "Microsoft" that is telling me to fight spyware. The only listed website I could find in this "help" notification is http://www.pcspyremover.com.

Here is my log file, and THANK YOU in advance to whoever answers my cry for help!!

Logfile of HijackThis v1.99.1
Scan saved at 12:28:05 PM, on 5/11/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\sysiy32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\winnt\system32\mcm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\MSSQL7\binn\sqlagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\sysyo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\PROGRA~1\MOZILL~1\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\rifix.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\rifix.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\rifix.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {98B066C4-E8CA-0E39-B771-CBC24ECE2AA6} - C:\WINNT\system32\winld32.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sysyo.exe] C:\WINNT\system32\sysyo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~4\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.171,24.92.226.172,24.92.226.173
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = libserver.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\sysiy32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Microsoft Console Manager (mcm) - Unknown owner - C:\winnt\system32\mcm.exe
O23 - Service: Office Server Extensions Notification Service (OWSTimer) - Unknown owner - C:\Program Files\Microsoft Office\Office\OWSTIMER.EXE
O23 - Service: Svhost Service (Svhost) - Unknown owner - C:\WINNT\system32\tmp\svchost.exe (file missing)
O23 - Service: System Event log (System) - Unknown owner - C:\WINNT\system32\System.exe (file missing)

Edited by grizzly191, 11 May 2005 - 10:50 AM.

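The log above is the kind a helper reads by eye: R0/R1 entries pointing at a local `res://` DLL, a Run entry and a BHO loaded from the Windows directory, and O23 services with an unknown owner, a missing file or a garbled short name. As an added example (not part of the original post and not HijackThis code), the script below parses those section formats and flags the same indicators. `SAMPLE_LOG` is constructed from lines copied out of the post; `WINDIR` and every heuristic are assumptions of this example, tuned to a Windows 2000 install, and the "info" finding on O17 only asks that the resolver be verified rather than calling it malicious.

```python
"""Triage of a HijackThis v1.99.1 log: flag the entry types a helper would pull
out of the log above.  Added example, not HijackThis code; every heuristic in
this file is an assumption of the example, not a HijackThis feature."""
import re
from dataclasses import dataclass

# Assumption: Windows 2000 default install directory, as in the posted log.
WINDIR = r"C:\WINNT"

# Constructed sample: lines copied from the log in the post, not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\rifix.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\rifix.dll/sp.html#14044
O2 - BHO: Class - {98B066C4-E8CA-0E39-B771-CBC24ECE2AA6} - C:\WINNT\system32\winld32.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [sysyo.exe] C:\WINNT\system32\sysyo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F97AD10-4C7D-47B4-9AFF-F13084A1B06E}: NameServer = 24.92.226.238
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\sysiy32.exe
O23 - Service: Svhost Service (Svhost) - Unknown owner - C:\WINNT\system32\tmp\svchost.exe (file missing)
"""


@dataclass
class Finding:
    severity: str   # "flag" = likely malicious, "info" = verify by hand
    reason: str
    line: str


# Line shapes as HijackThis 1.99.1 prints them (O23: display (short) - owner - path [ (file missing)]).
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
IE_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.+)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>.+)$")
SAFE_SHORT_RE = re.compile(r"^[A-Za-z0-9_.\- ]+$")   # heuristic: a sane service short name


def exe_from_cmd(cmd):
    """Pull the executable path out of a Run value: quoted path, or up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd


def in_windows_root(path):
    """True when the file sits directly in %WINDIR% or %WINDIR%\\system32 (no deeper folder).
    Legitimate third-party software rarely drops its executables there; malware often does."""
    p = path.strip('"').lower()
    parent = p.rsplit("\\", 1)[0]
    w = WINDIR.lower()
    return parent in (w, w + r"\system32")


def parse_service(line):
    """Split an O23 line into its fields, or return None for a non-O23 line."""
    m = SERVICE_RE.match(line)
    return {k: (v or "") for k, v in m.groupdict().items()} if m else None


def triage(log_text):
    """Return the entries a helper would single out, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IE_RE.match(line)
        if m and m.group("value").lower().startswith("res://"):
            findings.append(Finding("flag", "IE search/start setting redirected into a local DLL resource (search hijack)", line))
            continue
        m = BHO_RE.match(line)
        if m and in_windows_root(m.group("path")):
            findings.append(Finding("flag", "browser helper object loaded from the Windows directory", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if in_windows_root(exe_from_cmd(m.group("cmd"))):
                findings.append(Finding("flag", "Run entry starts an executable sitting directly in the Windows directory", line))
            continue
        m = NS_RE.match(line)
        if m:
            findings.append(Finding("info", "DNS resolver(s) %s: confirm they belong to your ISP or LAN" % m.group("ns"), line))
            continue
        svc = parse_service(line)
        if svc:
            reasons = []
            if svc["missing"]:
                reasons.append("service points at a file that is missing")
            # "Unknown owner" alone is noisy (mcm.exe, OWSTIMER.EXE above are legitimate), so require a second indicator.
            if svc["owner"] == "Unknown owner" and (in_windows_root(svc["path"]) or "\\tmp\\" in svc["path"].lower()):
                reasons.append("unknown-owner service running from the Windows directory or a tmp folder")
            if not SAFE_SHORT_RE.match(svc["short"]):
                reasons.append("service short name contains non-printable/garbled characters")
            if reasons:
                findings.append(Finding("flag", "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.severity.upper(), f.reason, f.line))
```

On the sample it flags both `res://C:\WINNT\rifix.dll` search entries, the `winld32.dll` BHO, the `sysyo.exe` Run entry, and the two O23 services with an unknown owner, while leaving the Winamp Run entry and the VERITAS `dmadmin` service alone. A garbled service short name is worth singling out because it cannot be typed into `sc` or `net stop` by hand; the helper usually has to remove such a service by its registry key instead.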