Witkinat, Fakealert, Backdoor infection


#1 ezekiel2517 (New Member, 2 posts)
I'm on a friend's machine running Windows Server 2003. It randomly pops up advertisement websites ("onlyspecialoffers.info") and sometimes locks up when browsing My Computer (the mouse is still usable but the taskbar, Start menu and Ctrl+Alt+Del are all unresponsive).

I ran Malwarebytes. It says I'm infected with
Trojan.Agent
Trojan.Witkinat
but if I try to remove them, Malwarebytes locks up.

I also ran Dr.Web CureIt! and was told I am infected with
Trojan.fakealert.14606
Backdoor.tdss.565
CureIt! says they are removed, but I have a feeling those will come back after a reboot.

Attached is my HijackThis! log. Thanks for your help!

Attached file: hijack_this.txt (7.53KB)

#2 RKinner (Malware Expert, MVP, 23,727 posts)
Run HJT Scan Only and check these then Fix Checked:

O4 - HKCU\..\Run: [tiuop] C:\Documents and Settings\Administrator.SERVER\tiuop.exe
O4 - HKCU\..\Run: [ruuufis] C:\Documents and Settings\Administrator.SERVER\ruuufis.exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - Startup: APL.log

O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.server\windows\system32\mswsock.dll' missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)

Then Start, Run, cmd, OK to bring up a new command window. Type (with an Enter after each line):

netsh winsock reset catalog

netsh int ip reset reset.log

(netsh SPACE winsock SPACE reset SPACE catalog

netsh SPACE int SPACE ip SPACE reset SPACE reset.log)

Then reboot. If that doesn't help then try it again in Safe Mode (Reboot and start tapping F8 slowly when you see the maker's logo or hear a beep. Select the top option. Use your usual login.)

If that helps, then follow the malware removal protocol at the top of the forum and post your logs (use copy and paste - DO NOT ATTACH!).

If not, come back with a new HJT log and we will try something else.

Ron
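As an added, report-only example (not from this thread or from HijackThis), here is a PowerShell audit of the two registry areas the O4 and O15 lines above come from: the HKCU Run key, where the entries with the odd trailing-space names live, and the ZoneMap ProtocolDefaults values behind the "should be Internet Zone" warnings. It assumes PowerShell 2.0 or later is installed on the box, and it changes nothing.

```powershell
# Added example, not from the thread: report-only audit of the registry
# locations behind the HJT O4 (HKCU Run) and O15 (ProtocolDefaults) lines.
# Assumes PowerShell 2.0 or later; it only reads and reports.

$findings = @()

# O4: HKCU Run entries. Flag a value name with leading/trailing whitespace
# (the log shows "[tiuop ]" -> "tiuop .exe"), a target sitting directly in a
# user profile folder rather than a program directory, or a missing target.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # provider metadata, not a value
        $cmd = [string]$p.Value
        # the executable is the text up to the first ".exe" (surrounding quotes stripped)
        $exe = if ($cmd -match '^"?([^"]*?\.exe)') { $Matches[1] } else { $cmd }
        $reasons = @()
        if ($p.Name -ne $p.Name.Trim()) { $reasons += 'whitespace in value name' }
        $parent = Split-Path -Path $exe -Parent
        if ($parent -match '^[A-Za-z]:\\(Documents and Settings|Users)\\[^\\]+$') {
            $reasons += 'runs from a profile root'
        }
        # only test paths that carry a directory; bare names resolve via PATH
        if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target file missing'
        }
        if ($reasons.Count -gt 0) {
            $findings += "O4  [$($p.Name)] $cmd  <- $($reasons -join ', ')"
        }
    }
}

# O15: zone numbers are 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet,
# 4 Restricted. Expected zones are the ones HJT cites in the log above.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' +
           '\ZoneMap\ProtocolDefaults'
$expected = @{ 'http' = 3; 'https' = 3; 'ftp' = 3; 'file' = 3; '@ivt' = 1 }
if (Test-Path $zoneKey) {
    foreach ($p in (Get-ItemProperty -Path $zoneKey).PSObject.Properties) {
        if ($expected.ContainsKey($p.Name) -and [int]$p.Value -ne $expected[$p.Name]) {
            $findings += "O15 '$($p.Name)' is in zone $($p.Value), expected $($expected[$p.Name])"
        }
    }
}

if ($findings.Count -eq 0) { 'No O4/O15 anomalies found in HKCU.' } else { $findings }
```

Run it from the same account the HJT log was taken under, since both keys are per-user; the HKUS RunOnce lines in the log belong to the service accounts and are not covered here.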

#3 ezekiel2517 (Topic Starter, New Member)
Thanks Ron, quick question before I make those changes:

Are those O15 "fixes" OK for Windows Server, or will those possibly affect connectivity?

#4 RKinner (Malware Expert, MVP)
Don't see why they should be in that zone but you can leave the lines out of the fix if you want.

Ron