1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hyjacked by Cyberattack.org

Discussion in 'Virus & Other Malware Removal' started by Cartageman, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. Cartageman

    Cartageman Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    1
    It seems that my computer has been attacked by the above organisation. after searching the web it pointed me to this forum. An earlier attack seemed to be solved by someone on your forum by downloading and running Hyjack This. I also have run the program but are unsure of what to check. The following is a copy of what the program found.
    Logfile of HijackThis v1.98.2
    Scan saved at 7:50:29 p.m., on 5/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\ESB.exe
    C:\WINDOWS\System32\4mtcsb.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\System32\ilka32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Exif Launcher\QuickDCF.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\PrecisionTime\PrecisionTime.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\OpenOffice.org1.1\program\soffice.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Jamie Carroll\My Documents\Hijack this\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
    O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qazlk.exe
    O4 - HKLM\..\Run: [ilka32] ilka32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\RunServices: [ilka32] ilka32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ilka32] ilka32.exe
    O4 - Startup: OpenOffice.org 1.1.lnk = C:\Program Files\OpenOffice.org1.1\program\quickstart.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

    Thanks for any help you can give.
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    [Lets begin by rescanning once again with hijack. then insert a check next to each of the following items, close all browser windows and click "Fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

    O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe

    O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe

    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qazlk.exe

    O4 - HKLM\..\Run: [ilka32] ilka32.exe

    O4 - HKLM\..\RunServices: [ilka32] ilka32.exe

    O4 - HKCU\..\Run: [ilka32] ilka32.exe

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Then reboot your system into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


    Open windows explorer, find then delete:
    C:\Program Files\PrecisionTime
    C:\WINDOWS\System32\ESB.exe
    C:\Program Files\Common Files\GMT
    C:\WINDOWS\System32\4mtcsb.exe
    C:\Program Files\Common Files\CMEII
    C:\WINDOWS\System32\ilka32.exe


    Download Adaware SE http://www.lavasoftusa.com/support/download/
    The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
    Press "Continue" on the bottom right on your screen
    Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bvottom right of your Adaware screen click "Start".
    A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

    Select the following:

    In the General tab select:
    Keep it all the same

    In the Scanning tab select:
    Under Drivers Folders and Files-select Scan within archives
    Under Memory and Registry select all that is underneath it!
    Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

    In the Advanced tab select:
    Make sure you have everything under the "Logfile Detail Level" selected.
    (This makes it easier for people from Lavasoft forums see what options you have selected)

    In the Startup, Defaults, and Interface tab select nothing.


    In the Tweak tab select:
    You may not be able to select certain things in the tweak tab, but do not be alarmed.
    Under scanning engine select:
    "Unload recognized processes during scanning"
    "Scan registry for all users instead of current users only"
    Under Cleaning Engine select:
    "Always try to unload modules before deletion"
    "During removal unload Explorer and IE if necessary"
    "Let Windows remove files in use at next boot"
    "Delete Quarantined objects after restoring"
    Under log files:
    "Include Basic Ad-Aware settings in log file"
    "Include additional Ad-Aware settings in log file"
    "Include reference summary in log file"
    "Include used command line parameters in log file"
    All of the other links are just fine.

    Press "Proceed" to save the settings


    Press "Next" on the bottom right hand corner.
    Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
    Then click ”Next “ to remove any objects found


    Reboot, rescan with hijack and post a fresh logfile please.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270337

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice