I having problem with this hacktool.rootkit. I've already read the forums and discussion on the net, but it seems that none of it a simpler and easy. Therefore, i'm still searching for a better and alternative ways to solve this problem. Any ideas and method are good use to me...
:)
Liuism
0
Newbie Poster
Recommended Answers
Jump to PostHello luism, welcome to DaniWeb :)
To begin with, please do the following:
Download the (free) HijackThis utility:
Once downloaded, follow these instructions to install and run the program:
* Create a folder for HJT outside of any Temp/Temporary folders and move the …
Jump to PostI suggest that you download this. You have number of nasties there. One called "SERVICES.EXE" is hard to get rid off (speaking from experiance).
Jump to PostYou have number of nasties there.
Yes, and that being the case, on top of Chalky's suggestion to run Spyware Doctor, please also do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print …
All 12 Replies
DMR
152
Wombat At Large
Team Colleague
Hello luism, welcome to DaniWeb :)
To begin with, please do the following:
Download the (free) HijackThis utility:
Once downloaded, follow these instructions to install and run the program:
* Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
* Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
* Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". The log file will open in Windows Notepad once you save it; cut-n-paste the entire contents of the file from Notepad and post it here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
Liuism
0
Newbie Poster
Logfile of HijackThis v1.99.1
Scan saved at 17:52:14, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dskernel.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\SERVICES.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Chen\LOCALS~1\Temp\64842.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svch0st.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\PROGRA~1\ICQCorp\ICQCorp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\DOCUME~1\Chen\LOCALS~1\Temp\2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\WINDOWS\system32\deskipn.dll
O2 - BHO: (no name) - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IEBarUp] RunDll32 "C:\WINDOWS\system32\IeBar1.dll",Run
O4 - HKLM\..\Run: [zts2] C:\DOCUME~1\Chen\LOCALS~1\Temp\2.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ZhanYouSever] C:\WINDOWS\ZhanYouSever.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\NTService32.dll" ,Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ravshell] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [kavshell] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ICQ Corp.lnk = C:\PROGRA~1\ICQCorp\ICQCorp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype™ For Internet Explorer - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\SKYPE_~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Skype™ For Internet Explorer - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\SKYPE_~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{22FE32EB-5C9F-4BE2-A9F0-284C19EB6E96}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{22FE32EB-5C9F-4BE2-A9F0-284C19EB6E96}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Windows Accounts Driver Extensions (RemoteStorage) - Unknown owner - C:\WINDOWS\system32\dskernel.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows NT Service32 - Unknown owner - C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Start (file missing)
Above is the hijackthis log files, please advise me the next steps..
thanks...:lol:
DMR
152
Wombat At Large
Team Colleague
You have number of nasties there.
Yes, and that being the case, on top of Chalky's suggestion to run Spyware Doctor, please also do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.
1. Download ATF-Cleaner and save it to convenient location.
2. Download the free version of AVG Anti-Spyware (formerly ewido). Save the installer file to your desktop or any convenient folder.
* Run the installer, accepting the default options. Run the program once installed, click on the Update icon at the top of the main AVG window, and allow the program to download the most current components.
* Close AVG once the updates have been downloaded.
3. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
* Double-click ATF-Cleaner.exe to run the program.
- Click the Main menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.
If you use Firefox browser:
- Click the Firefox menu option.
- Check the Select All box. (Uncheck cookies if you do not want them removed).
- Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, click No at the prompt.
- Click Exit on the Main menu to close the program.
* Run AVG Anti-Spyware.
- Click on the "Scanner" icon just to the right of the Update icon. In the Scanner window, click on the "Settings" tab.
- Under "How to act?", click on "Recommended actions" and choose "Delete" from the resulting menu.
- All boxes under "How to scan" and "Possibly unwanted..." should be checked.
- Under "Reports", check "Automatically generate report after every scan".
- Under "What to scan", select "Scan every file".
- Click on the "Scan" tab, and then click on "Complete System Scan" to start scanning. It usually takes at least 40 minutes to complete a full scan.
Once the scan is complete, a window listing all infected objects (if any are found) will be displayed. Below the list of infected objects, make sure the Set all elements to: option is set to Delete and then click the Apply all actions button.
After the malicious items are deleted, you will be given the option to save the scan report; do that. The report is saved as a text file in the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder. (The actual filename is a combination of the date and time of the scan.)
* Reboot the computer normally, run a new HijackThis scan, and post the log. Also open the AVG Anti-Spyware report in Windows Notepad and Cut-N-Paste the entire contents of that report as well.
Chaky
191
Posting Virtuoso
This is how I got rid of SERVICES.EXE:
(You will need to use registry editor and task manager.)
- use ctrl-alt-delete (task manager) to kill the "Services" process
- After that kill the "svch0st" (note that it has number zero instead of letter "O")
- there is SERVICES.EXE file in your "C:\Windows" dir. It is hidden, and checking "show hidden files" in the folders options did not reveal it (at least, not in my case). I had to use command prompt to delete it. (del C:\Windows\services.exe)
Note that there is another services.exe file in your Windows\System32 dir. which is essential for running windows - leave that one. Way to differentiate between two (apart from different folder) is when you rightclick one in System32 folder, you will see a "version" tab in the proprieties, with Microsoft's signature. The one in Windows folder has no "version" tab, or it has blank "company name" string. (not sure)
- I used registry editor (run menu/regedit) to delete the entry containing data "C:\Windows\services.exe" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run key.
There also might be "C:\Windows\services.exe" entry in "SharedDDLs" key (in a same branch of keys as "Run". Delete it too.
Now, for the SVCH0ST:
Delete the C:\WINDOWS\SYSTEM32\SVCH0ST.EXE. You can use the command prompt instead.
Use registry editor to delete anything containing the data "C:\Windows\svch0st.exe" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce keys. The names are false. (taskmgr and svchost)
Also, look for it in the "SharedDDLs" key.
While you're at it, you can also get rid of "C:\DOCUME~1\Chen\LOCALS~1\Temp\2.exe" and NTServices32.dll. (they say it is dangerous)
You can use search function to check if there are any other entries of the svch0st trojan.
Liuism
0
Newbie Poster
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:38:31 05/12/2006
+ Scan result:
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0062066.exe -> Adware.Cinmus : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0062065.dll -> Downloader.Small.dla : Cleaned.
C:\WINDOWS\system32\MDLB32.dll -> Downloader.Small.dla : Cleaned.
C:\Documents and Settings\Chen\Local Settings\Temp\2.exe -> Trojan.OnLineGames.bs : Cleaned.
::Report end
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 15:47:52, on 05/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\dskernel.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SERVICES.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\ICQCorp\ICQCorp.exe
C:\DOCUME~1\Chen\LOCALS~1\Temp\_iu14D2N.tmp
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe 1
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: IEMonitor Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\WINDOWS\system32\deskipn.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools_2006122_7065.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IEBarUp] RunDll32 "C:\WINDOWS\system32\IeBar1.dll",Run
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\SERVICES.EXE
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ZhanYouSever] C:\WINDOWS\ZhanYouSever.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Desktop] C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\NTService32.dll" ,Run
O4 - HKLM\..\Run: [mhs] C:\DOCUME~1\Chen\LOCALS~1\Temp\mh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [ravshell] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [kavshell] C:\WINDOWS\system32\svch0st.exe
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\Chen\LOCALS~1\Temp\relpop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ICQ Corp.lnk = C:\PROGRA~1\ICQCorp\ICQCorp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype™ For Internet Explorer - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\SKYPE_~1.DLL (file missing)
O9 - Extra 'Tools' menuitem: Skype™ For Internet Explorer - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\SKYPE_~1.DLL (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{22FE32EB-5C9F-4BE2-A9F0-284C19EB6E96}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{22FE32EB-5C9F-4BE2-A9F0-284C19EB6E96}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Windows Accounts Driver Extensions (RemoteStorage) - Unknown owner - C:\WINDOWS\system32\dskernel.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows NT Service32 - Unknown owner - C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NTService32.dll",Start (file missing)
I've already perform the task as advised, above are the log reports. Result are stil the same, the hacktool.Rootkit stil there :( Anyway, i assume the steps doesn't stop till there then..
Yeah, Chaky! I can't kill off the SERVICES.exe. Windows prompt me the critical error box denying me to close the process.
Chaky
191
Posting Virtuoso
Try booting to safe mode, then proceed the steps I gave you.
P.S.
It's been long time since I've dealt with it. I'm not 100% certain that I haven't missed something in those steps there.
Liuism
0
Newbie Poster
Sorry guys, i've already chosen the last option(FORMAT). The system is too difficult to manage/repair, alot of the application are unable to open.
kylethedarkn
23
A.K.A. The Laughing Man
Team Colleague
Sorry to hear that. We could of got you through it. Oh well though.
Liuism
0
Newbie Poster
It's okay!Anyway, how to to read/understand from the Hijackthis logs??
I only knew the common files but the rest are gibberish to me..Virus or No Virus? ehehehe...
Liuism
0
Newbie Poster
That i know, sure takes alot of time.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.