I got into work this morning and was told that the secretary's PC was possessed by the devil, so I ran Ad-Aware and got a score of 669, the biggest I've seen! So I set to work:
cleaned with Ad-Aware SE, custom scan
ran Spybot in safe mode and as normal
ran AVG
ran HijackThis to see if I could spot anything
(all ref files up to date)
Some things just won't go away. After a reboot I can get a clean sheet with Ad-Aware, and then Spybot picks up:
2 DSO exploits
2 eXact Advertising BargainBuddy entries
A mywebsearch
and a Virtual Bouncer
I have emailed myself the log file at home and have been searching on suspicious objects. I found 180ax.exe, which I am told is bad, and I am currently trying to sniff them out by searching on each one! Unfortunately I do not have access to the infected machine again until tomorrow afternoon, as I am now at home. But any help or advice would be appreciated. Please check out my log file. Sorry if there's a lot of junk running, but I had to fix it in between it being used and when the secretary went to the toilet!!
Thanks in advance
Logfile of HijackThis v1.98.2
Scan saved at 16:32:44, on 22/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\system32\mshosts.exe
C:\winnt\180ax.exe
C:\WINNT\system32\nvkload.exe
C:\WINNT\system32\mshosts.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\hijack this\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Fix] integator.exe
O4 - HKLM\..\Run: [Microsoft Video] MV.exe
O4 - HKLM\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\Run: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\Run: [Reek 32 Server] reek32.exe
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [load] msgsr32.exe
O4 - HKLM\..\Run: [nvkload] nvkload.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [lavat] C:\WINNT\lavat.exe
O4 - HKLM\..\RunServices: [Windows Fix] integator.exe
O4 - HKLM\..\RunServices: [Microsoft Video] MV.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\RunServices: [Reek 32 Server] reek32.exe
O4 - HKLM\..\RunServices: [load] msgsr32.exe
O4 - HKLM\..\RunServices: [nvkload] nvkload.exe
O4 - HKCU\..\Run: [Windows Fix] integator.exe
O4 - HKCU\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKCU\..\Run: [Reek 32 Server] reek32.exe
O4 - HKCU\..\Run: [load] msgsr32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
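As an added triage example (not from the original post and not HijackThis's own code), the script below parses the O4 autorun lines and the running-process list of a HijackThis log and flags the patterns visible in the log above: bare filenames with no path, display names that imitate Windows components, executables sitting directly in C:\WINNT rather than System32, and the same binary registered under several Run/RunServices keys. The cut-down sample log, the heuristics and the Windows 2000 WINNT path are constructed assumptions, not rules from any tool.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.98 format, cut down from the log above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\mshosts.exe
C:\winnt\180ax.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Host] mshosts.exe
O4 - HKCU\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKCU\..\Run: [load] msgsr32.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

def first_exe(cmd):
    # Executable part of a Run value: the quoted path, or everything up to the first .exe.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def parse_log(text):
    # Returns (O4 autorun entries, set of running-process basenames).
    autoruns, running = [], set()
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            autoruns.append({"hive": m[1], "key": m[2], "name": m[3], "exe": first_exe(m[4])})
        elif re.match(r"[a-z]:\\", line, re.I):  # "Running processes:" lines are bare absolute paths
            running.add(line.strip().rsplit("\\", 1)[-1].lower())
    return autoruns, running

def triage(text):
    # Flag O4 entries on heuristics the log above illustrates; the WINNT root check assumes Win2000.
    autoruns, running = parse_log(text)
    seen = Counter(a["exe"].rsplit("\\", 1)[-1].lower() for a in autoruns)
    findings = {}
    for a in autoruns:
        base = a["exe"].rsplit("\\", 1)[-1].lower()
        checks = [
            ("\\" not in a["exe"], "bare filename, resolved via the search path"),
            (bool(re.search(r"microsoft|windows", a["name"], re.I)), "name imitates a Windows component"),
            (bool(re.fullmatch(r"c:\\winnt\\[^\\]+", a["exe"], re.I)), "file in Windows root, not System32"),
            (seen[base] > 1, f"same binary in {seen[base]} autorun locations"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings[f"{a['hive']}\\..\\{a['key']} [{a['name']}]"] = {"running": base in running, "reasons": reasons}
    return findings
```

Run `triage(SAMPLE_LOG)` (or pass the full log text) and review the returned entries by hand; the heuristics rank candidates for a closer look rather than prove anything malicious.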