hijackthis.log
#1
ramadev
Thank you 'all' for any help with this bugger, hoping there's a cure.

I tried following the directions on the main HijackThis advice page on this site, but the system message on my desktop warning of the trojan-spy.html.smitfraud.c persists and Internet Explorer goes to a new homepage I didn't set: http://www.skymasters.biz/?2184, which is in Italian, I guess something based on the fact that I am connecting from Rome.

I am running Windows 2000 on a corporate IBM ThinkPad, i.e. I'm not the admin.


Logfile of HijackThis v1.99.1
Scan saved at 0:15:34, on 05/07/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Programmi\Network Associates\VirusScan\Avsynmgr.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\ewido\security suite\ewidoguard.exe
C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
C:\Programmi\Network Associates\VirusScan\VsStat.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Host Integration Server\system\ddmserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\Citrix\ICA Client\ssonsvr.exe
C:\Programmi\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Programmi\AIM\aim.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Documents and Settings\en16832\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?2184
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: IEHlprObj Class - {01FB9C55-FC66-4476-A199-389241193188} - C:\WINNT\System32\LxboMLc.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Programmi\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Viewpoint Search - res://C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programmi\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\APPL\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\APPL\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.sgrunt.biz
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eni.pri
O17 - HKLM\System\CCS\Services\Tcpip\..\{60186554-E192-4F7E-AE52-05F8B87D3867}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eni.pri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eni.pri
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programmi\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Controllo esteso sistema (ctless) - Unknown owner - C:\WINNT\downlo~1\dzc0ztp\429u5qo.exe (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\programmi\oracle\Ora81\BIN\ONRSD.EXE


Thanks!


#2
Perculator
Hello and welcome to Geeks To Go.

Let's start out with some general scans, and see if we can clean things up a little.

+++++ Step 1 +++++
Please download ewido security suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

+++++ Step 3 +++++

Update HiJackThis
  • Open HiJackThis
  • Click Open the Misc Tools Section
  • Click Check for update online
+++++ Step 4 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have received help elsewhere or no longer need our assistance, please let us know.

#3
ramadev
THANKS FOR THE HELP SO FAR, I HAVEN'T GONE ELSEWHERE TO TAKE CARE OF THIS, HOPING THE PATIENCE WILL PAY OFF AT THE END!!

SORRY SOME OF THE EWIDO IS IN ITALIAN (PULITO MEANS CLEANED), THE SYSTEM SOFTWARE IS TOO.

THE REPORTS ARE IN THE FOLLOWING ORDER:

EWIDO
TREND MICRO
HIJACKTHIS

HERE THEY ARE:

ewido security suite - Rapporto Scansione
---------------------------------------------------------

+ Creato il: 1:27:34, 28/07/2005
+ Report-Checksum: C2811356

+ Risultati scansione:

HKLM\SOFTWARE\Classes\CLSID\{01FB9C55-FC66-4476-A199-389241193188} -> Spyware.WurldMedia : Pulito con Backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Pulito con Backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Pulito con Backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Pulito con Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01FB9C55-FC66-4476-A199-389241193188} -> Spyware.WurldMedia : Pulito con Backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@2o7[2].txt -> Spyware.Cookie.2o7 : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@adtech[2].txt -> Spyware.Cookie.Adtech : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@centrport[2].txt -> Spyware.Cookie.Centrport : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfkikicjobo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfkogmcpmhq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfkosiazsao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfkowicpgcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfkyanajefq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wflisndzmco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfliuiazeco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wfloepajwaq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wgkiekcjmho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjkoskd5afp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjkosoczwho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjkyahdjmcp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjkysndzigp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjkywjd5mcq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjl4wldzecp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjl4wnazkko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlicidjwkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlisldpglp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlokgdjmhp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlyegdzifp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlyeiazeeq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjlywjdjaho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjnyojc5icp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjnyopajkkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjnyqnd5elo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjnyqodjkfq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@e-2dj6wjnywld5wco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@fastclick[2].txt -> Spyware.Cookie.Fastclick : Pulito con Backup
C:\Documents and Settings\en16832\Cookies\en16832@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Pulito con Backup


::Fine Rapporto

TREND MICRO REPORT:

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 1 infected file(s) with 1 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 1 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\WINNT\system32\wininet.dll TSPY_ALEMOD.A Undeletable




Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken




Spyware Check 2 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 20 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 18 spyware(s) passed, 0 spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Pass
COOKIE_146 Cookie Pass
COOKIE_238 Cookie Pass
COOKIE_442 Cookie Pass
COOKIE_592 Cookie Pass
COOKIE_611 Cookie Pass
COOKIE_722 Cookie Pass
COOKIE_756 Cookie Pass
COOKIE_1198 Cookie Pass
COOKIE_1543 Cookie Pass
COOKIE_1738 Cookie Pass
COOKIE_2136 Cookie Pass
COOKIE_2250 Cookie Pass
COOKIE_2281 Cookie Pass
COOKIE_2411 Cookie Pass
COOKIE_2921 Cookie Pass
COOKIE_3201 Cookie Pass
DIAL_SGRUNT.A Dialer Removal successful
SPYW_PPNETWORK.B Spyware Removal successful
COOKIE_3235 Cookie Pass




Microsoft Vulnerability Check 19 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 19 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Critical This vulnerability allows local users to gain system privileges by duplicating a handle to a privileged process. This is due to Windows NT and Windows 2000's debugging subsystem, which does not properly authenticate programs that connect to other programs. MS02-024
Critical This vulnerability allows an attacker to cause a denial of service attack to a target server machine. This is caused by a buffer overflow in SMB protocol in Microsoft Windows NT, Windows 2000, and Windows XP. MS02-045
Highly Critical This vulnerability enables local users to execute arbitrary code through an RPC call. This is caused by a buffer overflow in the RPC Locator service for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-001
Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007
Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014
Critical This vulnerability enables a remote attacker to cause a denial of service and execute arbitrary code through a specially formed web page or HTML e-mail. This is caused by a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. MS03-023
Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041
Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused of a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043
Important This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. MS03-045
Highly Critical The LSASS vulnerability is a buffer overrun vulnerability allows remote code execution.;The LDAP vulnerability is a denial of service (DoS) vulnerability that causes the service in a Windows 2000 domain controller responsible for authenticating users in an Active Directory domain to stop responding.;The PCT vulnerability is a buffer overrun vulnerability in the Private Communications Transport (PCT) protocol, a part of the SSL library, that allows remote code execution.;The Winlogon vulnerability is a buffer overrun vulnerability in the Windows logon process (winlogon) that allows remote code execution.;The Metafile vulnerability is a buffer overrun vulnerability that exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.;The Help and Support Center vulnerability allows remote code execution and is due to the way Help and Support Center handles HCP URL validation.;The Utility Manager vulnerability is a privilege elevation vulnerability that exists due to the way that Utility Manager launches applications.;The Windows Management vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at the system privilege level.;The Local Descriptor Table vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to take complete control of a system by executing commands at with system privileges.;The H.323 vulnerability is a buffer overrun vulnerability that when successfully exploited can allows attackers to gain full control of a system by arbitrarily executing commands with system privileges.;Virtual DOS Machine vulnerability is a privilege elevation vulnerability that when successfully exploited allows a local attacker to gain full control of a system by executing commands with system privileges.;The Negotiate SSP vulnerability is a buffer overrun vulnerability that exists in Microsoft's Negotiate Security Service Provider (SSP) interface and allows remote code execution.;The SSL vulnerability exists due to the way SSL packets are handled and can causes the affected systems to stop responding to SSL connection requests.;The ASN.1 'Double-Free' vulnerability exists in Microsoft's Abstract Syntax Notation One (ASN.1) Library and allows remote code execution at the system privilege level. MS04-011
Critical The RPC Runtime Library vulnerability is a remote code execution vulnerability that results from a race condition when the RPC Runtime Library processes specially crafted messages. An attacker who successfully exploits this vulnerability could take complete control of an affected system.;The RPCSS Service denial of service (DoS) vulnerability allows a malicious user or malware to send specially-crafted messages to a vulnerable system, which causes the RPCSS Service to stop responding.;The RPC Over HTTP vulnerability may be used to launch a denial of service (DoS) attack against a system with CIS or RPC over HTTP Proxy enabled.;When successfully exploited, the Object Identity vulnerability allows an attacker to force currently running applications to open network communication ports, thereby opening a system to remote attacks. MS04-012
Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers.This could allow an attacker to take complete control of an affected system. MS04-013
Moderate This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games.;An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. MS04-016
Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018
Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022
Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023
Critical The Navigation Method Cross-Domain Vulnerability is a remote execution vulnerability that exists in Internet Explorer because of the way that it handles navigation methods. An attacker could exploit this vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visits a malicious Web site.;The Malformed BMP File Buffer Overrun Vulnerability exists in the processing of BMP image file formats that could allow remote code execution on an affected system.;The Malformed GIF File Double Free Vulnerability is a buffer overrun vulnerability that exists in the processing of GIF image file formats that could allow remote code execution on an affected system. MS04-025
Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability.;This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028
Critical This security update addresses and resolves a vulnerability in Internet Explorer that could allow remote code execution. A Web page can be crafted to exploit this vulnerability such that an arbitrary application can be executed on visiting systems with the same priviledge as the currently logged on user. MS04-040



HIJACK THIS REPORT NUMBER 2:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:58, on 28/07/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
c:\winnt\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Programmi\Network Associates\VirusScan\Avsynmgr.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
C:\Programmi\Citrix\ICA Client\ssonsvr.exe
C:\Programmi\Network Associates\VirusScan\VsStat.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Host Integration Server\system\ddmserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Programmi\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmi\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\en16832\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://qing.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Programmi\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PGPtray.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Viewpoint Search - res://C:\Programmi\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programmi\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\APPL\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\APPL\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.skymasters.biz
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eni.pri
O17 - HKLM\System\CCS\Services\Tcpip\..\{60186554-E192-4F7E-AE52-05F8B87D3867}: NameServer = 213.205.32.70,213.205.36.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eni.pri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eni.pri
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Programmi\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Controllo esteso sistema (ctless) - Unknown owner - C:\WINNT\downlo~1\dzc0ztp\429u5qo.exe (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown owner - C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\programmi\oracle\Ora81\BIN\ONRSD.EXE
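The entry classes in the log above that carry a browser hijack are O4 (autoruns), O6 (IE options locked by policy), O15 (Trusted Zone sites), O17 (DNS settings) and O23 (services). The script below is an added example, not HijackThis code and not something the poster ran: it parses those classes out of a log and returns the entries a helper would ask to have removed or checked. The sample log is constructed from lines quoted in the post; the suspicious-directory list and the Trusted Zone allowlist are assumptions for the example.

```python
"""Triage a HijackThis 1.99 log for the entries that matter in a hijack case.

Added example, not code from the original post or from HijackThis itself.
Assumptions: an autorun or service binary under a download/temp directory is
suspicious; every Trusted Zone host not on an allowlist the corporate admin
maintains should go; NameServer values are reported for the admin to confirm.
"""
import re
from dataclasses import dataclass

# Constructed from lines quoted in the post above; not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSGuard] C:\Programmi\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.skymasters.biz
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eni.pri
O17 - HKLM\System\CCS\Services\Tcpip\..\{60186554-E192-4F7E-AE52-05F8B87D3867}: NameServer = 213.205.32.70,213.205.36.70
O23 - Service: Controllo esteso sistema (ctless) - Unknown owner - C:\WINNT\downlo~1\dzc0ztp\429u5qo.exe (file missing)
O23 - Service: McShield - Unknown owner - C:\Programmi\File comuni\Network Associates\McShield\Mcshield.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<param>\w+) = (?P<value>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Assumption: directories a legitimate service or autorun should not live in.
SUSPICIOUS_DIRS = ("\\downlo~1\\", "\\downloaded program files\\", "\\temp\\", "\\tmp\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    cls: str       # HijackThis section, e.g. "O15"
    severity: str  # "fix" (remove it) or "review" (confirm with the admin)
    subject: str   # the host, service or run entry concerned
    reason: str


def _exe_path(command: str) -> str:
    """Strip quotes and arguments from an O4 command line, keeping the .exe path."""
    m = EXE_RE.match(command.strip())
    return m.group("exe") if m else command.strip()


def _in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage(log: str, trusted_allowlist=frozenset()) -> list:
    """Return the Findings for one HijackThis log, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            exe = _exe_path(m.group("cmd"))
            if _in_suspicious_dir(exe):
                findings.append(Finding("O4", "fix", m.group("name"),
                                        f"autorun from a download/temp directory: {exe}"))
        elif line.startswith("O6 - "):
            findings.append(Finding("O6", "review", line[5:],
                                    "IE options locked by a policy key; hijackers set this "
                                    "so the user cannot revert the home page"))
        elif m := TRUSTED_RE.match(line):
            host = m.group("host").lower()
            if host not in trusted_allowlist:
                findings.append(Finding("O15", "fix", host,
                                        "Trusted Zone sites run scripts and ActiveX with relaxed "
                                        "settings; remove unless the admin added it"))
        elif m := O17_RE.match(line):
            if m.group("param") == "NameServer":
                servers = [s.strip() for s in m.group("value").split(",") if s.strip()]
                findings.append(Finding("O17", "review", ",".join(servers),
                                        "resolver addresses; confirm they belong to the corporate "
                                        "network, a hijacker can redirect DNS here"))
        elif m := SERVICE_RE.match(line):
            path = m.group("path")
            missing = path.endswith("(file missing)")
            exe = path.replace("(file missing)", "").strip()
            if missing or _in_suspicious_dir(exe):
                reason = "service binary is missing" if missing else "service binary lives in a download/temp directory"
                findings.append(Finding("O23", "fix", m.group("display"), f"{reason}: {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.cls} {f.subject}: {f.reason}")
```

Running it on the sample prints the two Trusted Zone hosts and the `ctless` service as "fix", and the O6 policy and the two NameServer addresses as "review"; the O4 entries are not flagged by the path rule, which is why a helper still reads them by hand.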

#4
Perculator
Visiting Staff, 183 posts
Hello,


Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Download SmitRem to your desktop.
Right click on the file and extract it to its own folder on the desktop.

***

Place a shortcut to Panda ActiveScan on your desktop.

***

Please download the trial version of ewido security suite. Install ewido security suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

Launch ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button

The program will now go to the main screen
You will need to update ewido to the latest definition files. On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how setup and use it - please make sure you update it first.

***
Download the Hoster Here
Please do not use the program yet


***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode and press Enter.


***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
Post me the contents of the smitfiles.txt log as you post back.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Reboot your computer.

***

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

***

Reboot back into Windows’ Normal mode

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
***

Download: deldomains.
To use: right-click and select: Install (no need to restart)

***

Now click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let me know if any problems persist.
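The Hoster step above backs up the hosts file and then puts a clean one in its place, because a hijacker that edits it can send the browser somewhere else or silently break scanner updates by pointing vendor names at loopback. The script below is an added example, not the Hoster tool's code and not from the original post: it reads a Windows hosts file, reports every mapping other than loopback to localhost, and rebuilds the file with the comments kept and only the localhost line. The sample file is constructed (example.com names, 192.0.2.0/24 documentation addresses); the path is the Windows 2000 default.

```python
"""Audit and rebuild a Windows hosts file, the effect of the Hoster step.

Added example, not the Hoster tool's code or anything from the original post.
Assumption: a default hosts file maps only localhost (127.0.0.1, and ::1 on
newer systems); every other mapping is reported and dropped on restore.
"""
from typing import List, Tuple

HOSTS_PATH = r"C:\WINNT\system32\drivers\etc\hosts"  # %SystemRoot%\system32\drivers\etc on Windows 2000

LOOPBACK = {"127.0.0.1", "::1"}
DEFAULT_NAMES = {"localhost"}

# Constructed sample, not the poster's file.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example.
# A default Windows hosts file contains only comments and the localhost line.

127.0.0.1       localhost
192.0.2.10      www.example.com search.example.com
192.0.2.10      home.example.org      # comment after a mapping
127.0.0.1       update.example.net
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [names]) for every mapping line; comments are ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, Windows ignores it too
        entries.append((no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Every (line_no, ip, name) that is not a loopback-to-localhost mapping.

    A vendor or update site mapped to 127.0.0.1 is reported as well: it does
    not redirect the browser anywhere visible, it just makes updates fail.
    """
    suspicious = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if ip in LOOPBACK and name in DEFAULT_NAMES:
                continue
            suspicious.append((no, ip, name))
    return suspicious


def restore_hosts(text: str) -> str:
    """Rebuild the file: keep comment lines, drop every mapping, re-add localhost."""
    kept = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    return "\n".join(kept + ["", "127.0.0.1       localhost"]) + "\n"


def audit_and_restore_file(path: str = HOSTS_PATH, backup_suffix: str = ".bak") -> List[Tuple[int, str, str]]:
    """Back up the real file, write the rebuilt one, return what was removed."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        original = fh.read()
    with open(path + backup_suffix, "w", encoding="ascii") as fh:
        fh.write(original)                    # Hoster's "back up host files"
    removed = audit_hosts(original)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(restore_hosts(original))     # Hoster's "restore original host files"
    return removed


if __name__ == "__main__":
    for no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {name}")
    print(restore_hosts(SAMPLE_HOSTS))
```

On a real machine the file is read-only by default and the account needs write access to the etc directory, which is why the Hoster step has a "make hosts writable?" button; on a corporate build without admin rights the restore may still fail, and then the admin has to do it.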