Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs
HOSTS file hijack - Please help??...

Spazzer
Junior Member with 6 posts.
Join Date: Jan 2005
Experience: IS/IT Mgr
10-Jan-2005, 07:57 AM #1
Hello,

I have had my PC's HOSTS file hijacked and get constant popups along with executables trying to register themselves.
Here is my hijack this log. Any help would be great!

Spaz


Logfile of HijackThis v1.99.0
Scan saved at 6:52:36 AM, on 1/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rykqqw.exe
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\wisptis.exe
C:\WINNT\System32\MsiExec.exe
C:\Utilities\Spyware Utils\HiJackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - file://C:\Documents and Settings\netadmin\Local Settings\Temp\isetup.cab
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://jplugin.cat.com/jre142_04.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = altorfer.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = altorfer.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = altorfer.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Last edited by Spazzer : 10-Jan-2005 08:41 AM.
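The O1 lines in the log above are the signature of this hijack: well-known search hosts, and a bare keyword that is not even a hostname, all mapped to one routable address instead of the loopback or unspecified address that legitimate ad-blocking HOSTS lists use. As an added example (not part of this thread or of HijackThis), the script below parses either a raw HOSTS file or the "O1 - Hosts:" lines HijackThis prints, separates blackhole entries from real redirects, and groups the redirected names by destination IP. The sample inputs and the watch list of domains are constructed; the 69.20.16.183 entries reproduce the ones in the log.

```python
"""Flag HOSTS-file redirects like the O1 entries in a HijackThis log.

Added example, not from the thread. Legitimate ad-blocking lists map names
to 127.0.0.1 or 0.0.0.0; a name mapped to a routable address is a redirect.
"""
import ipaddress
import re
from collections import namedtuple

HostsEntry = namedtuple("HostsEntry", "ip hostname source")

# Constructed watch list: domains a redirect typically targets to hijack
# searching, updates or security software. Extend as needed.
WATCHED_SUFFIXES = (
    "msn.com", "netscape.com", "google.com", "yahoo.com",
    "windowsupdate.com", "microsoft.com", "symantec.com",
)

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Constructed sample: the O1 block of a HijackThis log plus one benign blackhole line.
SAMPLE_O1_LINES = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
"""

# Constructed sample HOSTS file: a comment, the default localhost line,
# one planted redirect and one ad-blocking blackhole entry.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com   # redirect planted by the hijack
0.0.0.0         ads.example.net
"""


def parse_hosts_file(text):
    """Return a HostsEntry per name on each 'ip name [name ...]' line, skipping comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append(HostsEntry(fields[0], name.lower(), "hosts:%d" % lineno))
    return entries


def parse_hijackthis_o1(text):
    """Return a HostsEntry per 'O1 - Hosts:' line of a HijackThis log."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = O1_RE.match(raw.strip())
        if m:
            entries.append(HostsEntry(m.group(1), m.group(2).lower(), "O1:%d" % lineno))
    return entries


def classify(entry):
    """'benign' (localhost), 'blackhole' (loopback/unspecified), 'redirect' or 'malformed'."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    if entry.hostname in ("localhost", "localhost.localdomain") and addr.is_loopback:
        return "benign"
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    return "redirect"


def find_hijacks(entries):
    """Return (entry, reasons) for every entry that redirects a name to a routable IP."""
    findings = []
    for e in entries:
        if classify(e) != "redirect":
            continue
        reasons = []
        if any(e.hostname == s or e.hostname.endswith("." + s) for s in WATCHED_SUFFIXES):
            reasons.append("watched domain")
        if "." not in e.hostname:
            reasons.append("bare name")  # a hijacked browser keyword, not a real host
        findings.append((e, reasons))
    return findings


def targets_by_ip(findings):
    """Group redirected names by destination: one IP collecting many names is one hijack."""
    grouped = {}
    for e, _ in findings:
        grouped.setdefault(e.ip, set()).add(e.hostname)
    return grouped


if __name__ == "__main__":
    for label, entries in (("HijackThis O1", parse_hijackthis_o1(SAMPLE_O1_LINES)),
                           ("HOSTS file", parse_hosts_file(SAMPLE_HOSTS_FILE))):
        print("== %s ==" % label)
        hits = find_hijacks(entries)
        for e, reasons in hits:
            print("%s  %s -> %s  [%s]" % (e.source, e.hostname, e.ip, ", ".join(reasons) or "-"))
        for ip, names in targets_by_ip(hits).items():
            print("destination %s receives %d name(s)" % (ip, len(names)))
```

On the log above this reports three redirects, all to 69.20.16.183, which is the cue to treat the entries as one planted change rather than separate edits; loopback and 0.0.0.0 entries are left alone so that a deliberately installed blocking list is not flagged.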
Rollin' Rog
Moderator with 44,913 posts.
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
10-Jan-2005, 12:00 PM #2
You will need to download, unzip as necessary, and have available the following files:

Coolwebshredder: http://www.intermute.com/spysubtract..._download.html
Hoster: http://members.aol.com/toadbee/hoster.zip
Findit: http://forums.techguy.org/attachment...chmentid=46183
killbox: http://www.downloads.subratam.org/KillBox.zip
http://downloads.subratam.org/VX2Finder(126).exe

Start by running "findit.bat" and copy/paste the log it produces to a reply.

Be advised this is a very resistant hijack to clean and usually takes several days and multiple efforts.

Also, Dameware is a remote administration tool, verify that it is installed with your knowledge and support...

I do not know what this is or where it is starting from, do you? >>

C:\WINNT\system32\rykqqw.exe
Spazzer
Junior Member with 6 posts.
Join Date: Jan 2005
Experience: IS/IT Mgr
10-Jan-2005, 05:51 PM #3
Thank you for your reply. My apologies for not posting back but I searched through the forums and figured the issue out on my own.

It took a couple hours but the problem is resolved.

By the way, just for reference for others that may have the same issue as my hijackThis log above shows, sledgehammers work very well and it only takes a couple hours to smash a computer into a whining little pile of sand.

Best $1010.00 I ever spent for therapy in my life. ($1000.00 for the PC and $10.00 for the sledgehammer). Heck, counseling isn't even that cheap!!

Kindest regards,

Spaz
Rollin' Rog
Moderator with 44,913 posts.
Join Date: Dec 2000
Location: North of Hollywoodland
Experience: I know when to fold em'
10-Jan-2005, 06:30 PM #4
Ok, assuming the sledgehammer solution wasn't really used -- I don't know whether you are aware of this, but depending on what instructions you followed, you may still need to run the vx2 finder and click "restore policy".

Also problems with the recycle bin and quicklaunch toolbar are reported.

If you have recycle bin problems, open a cmd prompt and at the prompt enter:

rd /s c:\recycler

This assumes you have an NTFS file system. If FAT32, use "recycled" instead.

Problems with the quicklaunch bar are reported resolved by going to start > run and entering:

regsvr32 /i shell32.dll
Spazzer
Junior Member with 6 posts.
Join Date: Jan 2005
Experience: IS/IT Mgr
11-Jan-2005, 06:54 AM #5
You are correct...the sledgehammer wasn't used...
Rolling,

Thank you for your help, very much!!

I will check to make sure I follow those instructions. Extremely helpful!!

Regards,

Spaz