Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

1st post

Started by fetus2 , Nov 22 2004 01:36 PM

  • Please log in to reply

#1
fetus2
Posted 22 November 2004 - 01:36 PM

fetus2

    New Member

  • Member
  • Pip
  • 6 posts
Good evening everyone, Its my first post on here but ive been reading some of the other threads on this site to try and solve my problems and using your help with hijack this guides, but could do with some help.

I got into work this morning and was told that the secretary' pc was possessed by the devil so I ran adaware and got a score of 669, the biggest ive seen! So I set to work:

cleaned with adaware se, custom scan
ran spy bot in safe mode and as normal
ran avg
ran hijack this to see if I could spot anything
(all ref files up to date)

Some things just wont go away. After a reboot I can get a clean sheet with Adaware and then spybot picks up:

2 DSO exploits

2 eXact advertising Bargains buddy enties

A mywebsearch

and a Virtual Bouncer

I have emailed myself the log file at home and have been searching on suspicious objects and found 180ax.exe, which I am told is bad and I am currently trying to sniff them out by searching on each one! Unfortunately I do not have access to the infected machine again until tommorow afternoon as Iam now at home. But any help or advice would be appreciated. Please check out my log file. Sorry if theres a lot of junk running but I had to fix it inbetween it being used and when the secretary went to the toilet!!

thanks in advance

Logfile of HijackThis v1.98.2
Scan saved at 16:32:44, on 22/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\system32\mshosts.exe
C:\winnt\180ax.exe
C:\WINNT\system32\nvkload.exe
C:\WINNT\system32\mshosts.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Windows Fix] integator.exe
O4 - HKLM\..\Run: [Microsoft Video] MV.exe
O4 - HKLM\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\Run: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\Run: [Reek 32 Server] reek32.exe
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [load] msgsr32.exe
O4 - HKLM\..\Run: [nvkload] nvkload.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [lavat] C:\WINNT\lavat.exe
O4 - HKLM\..\RunServices: [Windows Fix] integator.exe
O4 - HKLM\..\RunServices: [Microsoft Video] MV.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\RunServices: [Reek 32 Server] reek32.exe
O4 - HKLM\..\RunServices: [load] msgsr32.exe
O4 - HKLM\..\RunServices: [nvkload] nvkload.exe
O4 - HKCU\..\Run: [Windows Fix] integator.exe
O4 - HKCU\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKCU\..\Run: [Reek 32 Server] reek32.exe
O4 - HKCU\..\Run: [load] msgsr32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 22 November 2004 - 02:30 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Go to control panel, add/remove programs and remove any or all of the following:
180 solutions
any toolbar/searchbars besides google
gain
gator
gmt
wild tangent
weather bug
mysearch
mywebserchbar
WinTools

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Windows Fix] integator.exe
O4 - HKLM\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\Run: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\Run: [Reek 32 Server] reek32.exe unless you know what this is, remove it
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [load] msgsr32.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [lavat] C:\WINNT\lavat.exe
O4 - HKLM\..\RunServices: [Windows Fix] integator.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Host] mshosts.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Hosting] MSschost.exe
O4 - HKLM\..\RunServices: [Reek 32 Server] reek32.exe
O4 - HKLM\..\RunServices: [load] msgsr32.exe
O4 - HKCU\..\Run: [Windows Fix] integator.exe
O4 - HKCU\..\Run: [Microsoft Windows Host] mshosts.exe
O4 - HKCU\..\Run: [Reek 32 Server] reek32.exe
O4 - HKCU\..\Run: [load] msgsr32.exe

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINNT\system32\mshosts.exe
C:\winnt\180ax.exe
C:\PROGRA~1\IEMENU~1\tbextn.dll
C:\Program Files\Common Files\WinTools
C:\WINNT\lavat.exe

<<Run a search for and delete these>>
integator.exe
MSschost.exe
reek32.exe
msgsr32.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

I'm also wondering about this file: C:\WINNT\system32\nvkload.exe
I don't know what it is but am working on finding out, if you know then inform me please. <_<

Reboot normally and post fresh log with any new information.

-=jonnyrotten=- :D
  • 0

#3
fetus2
Posted 22 November 2004 - 02:56 PM

fetus2

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for the reply Jonnyrotten I will give it a shot tommorow and post again. I have also been trying to look up nvkload.exe and not found anything ......yet .

Thanks again.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP