Hyjacked by Cyberattack.org

[Cartageman]

It seems that my computer has been attacked by the above organisation. after searching the web it pointed me to this forum. An earlier attack seemed to be solved by someone on your forum by downloading and running Hyjack This. I also have run the program but are unsure of what to check. The following is a copy of what the program found.
Logfile of HijackThis v1.98.2
Scan saved at 7:50:29 p.m., on 5/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\ESB.exe
C:\WINDOWS\System32\4mtcsb.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\WINDOWS\System32\ilka32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\OpenOffice.org1.1\program\soffice.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Jamie Carroll\My Documents\Hijack this\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe
O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qazlk.exe
O4 - HKLM\..\Run: [ilka32] ilka32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\RunServices: [ilka32] ilka32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ilka32] ilka32.exe
O4 - Startup: OpenOffice.org 1.1.lnk = C:\Program Files\OpenOffice.org1.1\program\quickstart.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Thanks for any help you can give.

 

[mobo]

[Lets begin by rescanning once again with hijack. then insert a check next to each of the following items, close all browser windows and click "Fix checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

O4 - HKLM\..\Run: [ESB] C:\WINDOWS\System32\ESB.exe

O4 - HKLM\..\Run: [4mtcsb] C:\WINDOWS\System32\4mtcsb.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qazlk.exe

O4 - HKLM\..\Run: [ilka32] ilka32.exe

O4 - HKLM\..\RunServices: [ilka32] ilka32.exe

O4 - HKCU\..\Run: [ilka32] ilka32.exe

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Then reboot your system into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


Open windows explorer, find then delete:
C:\Program Files\PrecisionTime
C:\WINDOWS\System32\ESB.exe
C:\Program Files\Common Files\GMT
C:\WINDOWS\System32\4mtcsb.exe
C:\Program Files\Common Files\CMEII
C:\WINDOWS\System32\ilka32.exe


Download Adaware SE http://www.lavasoftusa.com/support/download/
The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
Press "Continue" on the bottom right on your screen
Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bvottom right of your Adaware screen click "Start".
A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

Select the following:

In the General tab select:
Keep it all the same

In the Scanning tab select:
Under Drivers Folders and Files-select Scan within archives
Under Memory and Registry select all that is underneath it!
Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

In the Advanced tab select:
Make sure you have everything under the "Logfile Detail Level" selected.
(This makes it easier for people from Lavasoft forums see what options you have selected)

In the Startup, Defaults, and Interface tab select nothing.


In the Tweak tab select:
You may not be able to select certain things in the tweak tab, but do not be alarmed.
Under scanning engine select:
"Unload recognized processes during scanning"
"Scan registry for all users instead of current users only"
Under Cleaning Engine select:
"Always try to unload modules before deletion"
"During removal unload Explorer and IE if necessary"
"Let Windows remove files in use at next boot"
"Delete Quarantined objects after restoring"
Under log files:
"Include Basic Ad-Aware settings in log file"
"Include additional Ad-Aware settings in log file"
"Include reference summary in log file"
"Include used command line parameters in log file"
All of the other links are just fine.

Press "Proceed" to save the settings


Press "Next" on the bottom right hand corner.
Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
Then click ”Next “ to remove any objects found


Reboot, rescan with hijack and post a fresh logfile please.