Witkinat, Fakealert, Backdoor infection



#1
ezekiel2517 (New Member)
I'm on a friend's machine running Windows Server 2003. It randomly pops up advertisement websites ("onlyspecialoffers.info") and sometimes locks up when browsing My Computer (mouse is still usable but taskbar, start menu, control+alt+del are all unresponsive).

I ran Malwarebytes. It says I'm infected with
Trojan.Agent
Trojan.Witkinat
but if I try to remove them, Malwarebytes locks up.

I also ran DoctorWeb CureIt! and was told I am infected with
Trojan.fakealert.14606
Backdoor.tdss.565
CureIt! says they are removed but I have a feeling those will come back after a reboot.

Attached is my HijackThis! log. Thanks for your help!

#2
RKinner (Malware Expert)
Run HJT Scan Only and check these then Fix Checked:

O4 - HKCU\..\Run: [tiuop] C:\Documents and Settings\Administrator.SERVER\tiuop.exe
O4 - HKCU\..\Run: [ruuufis] C:\Documents and Settings\Administrator.SERVER\ruuufis.exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - Startup: APL.log

O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.server\windows\system32\mswsock.dll' missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)

Then Start, Run, cmd, OK to bring up a new command window. Type (with an Enter after each line):

netsh winsock reset catalog

netsh int ip reset reset.log

(netsh SPACE winsock SPACE reset SPACE catalog

netsh SPACE int SPACE ip SPACE reset SPACE reset.log)

Then reboot. If that doesn't help then try it again in Safe Mode (Reboot and start tapping F8 slowly when you see the maker's logo or hear a beep. Select the top option. Use your usual login.)

If that helps, then follow the malware removal protocol at the top of the forum and post your logs (use copy and paste - DO NOT ATTACH!).

If not, come back with a new HJT log and we will try something else.

Ron
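
A triage sketch for the kind of entries flagged in the post above, added here as an example; it is not part of RKinner's reply or of HijackThis itself. The three heuristics and all function and pattern names are this example's assumptions, and the sample lines are copied from the log entries quoted in the post.

```python
import re

# Sample lines copied from the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [tiuop] C:\Documents and Settings\Administrator.SERVER\tiuop.exe
O4 - HKCU\..\Run: [tiuop ] C:\Documents and Settings\Administrator.SERVER\tiuop .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Documents and Settings\Administrator.SERVER\WINDOWS\system32\browseui.dll (file missing)
"""

# O4 autorun entry: "O4 - <key>: [<value name>] <target>"
O4_RE = re.compile(r"^O4 - (?P<key>\S+?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# Assumed heuristic: an .exe sitting directly in a user profile root.
PROFILE_ROOT_EXE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$", re.I)
# Assumed heuristic: a WINDOWS\system32 path nested under a user profile.
SYSDIR_IN_PROFILE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\WINDOWS\\system32\\", re.I)


def triage(log_text):
    """Return [(line, [reasons])] for log lines that match a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            # A padded value name can look like a duplicate of a real entry.
            if m["name"] != m["name"].strip():
                reasons.append("padded value name")
            if PROFILE_ROOT_EXE.match(m["target"]):
                reasons.append("autorun exe in profile root")
        if SYSDIR_IN_PROFILE.search(line):
            reasons.append("system32 path under user profile")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(", ".join(reasons), "->", line)
```

A match only marks a line for a closer look; the RunOnce entry pointing at %systemroot%\system32 passes all three checks.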

#3
ezekiel2517 (New Member, Topic Starter)
Thanks Ron, quick question before I make those changes:

Are those O15 "fixes" OK for Windows Server, or will those possibly affect connectivity?

#4
RKinner (Malware Expert)
Don't see why they should be in that zone but you can leave the lines out of the fix if you want.

Ron