lots of bank-looking files.....

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Clarke

Thread Starter
Joined
Jun 22, 2003
Messages
26
Hi, here's my hijackthis log--am I suddenly being used to reroute huge amounts of cash, and is there any way to tap into it?

We go fifty-fifty...;)

thanks

edit: oops, forgot this:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:49 PM, on 1/31/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\inet20019\mm4.exe
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\sys32.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\winlogon.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\3415551.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\3419226.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\3469058.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 216.32.94.147 www.bankone.com
O1 - Hosts: 216.32.94.147 bankone.com
O1 - Hosts: 216.32.94.147 halifax.com
O1 - Hosts: 216.32.94.147 www.halifax.com
O1 - Hosts: 216.32.94.147 halifax.co.uk
O1 - Hosts: 216.32.94.147 www.halifax.co.uk
O1 - Hosts: 216.32.94.147 www.bankofamerica.com
O1 - Hosts: 216.32.94.147 bankofamerica.com
O1 - Hosts: 216.32.94.147 www.paypal.com
O1 - Hosts: 216.32.94.147 paypal.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.com
O1 - Hosts: 216.32.94.147 lloydstsb.com
O1 - Hosts: 216.32.94.147 www.lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 lloydstsb.co.uk
O1 - Hosts: 216.32.94.147 www.bbvanet.com
O1 - Hosts: 216.32.94.147 bbvanet.com
O1 - Hosts: 216.32.94.147 www.bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 bancopostaonline.poste.it
O1 - Hosts: 216.32.94.147 www.poste.it
O1 - Hosts: 216.32.94.147 poste.it
O1 - Hosts: 216.32.94.147 www.credem.it
O1 - Hosts: 216.32.94.147 credem.it
O1 - Hosts: 216.32.94.147 www.creval.it
O1 - Hosts: 216.32.94.147 creval.it
O1 - Hosts: 216.32.94.147 www.gruppocarige.it
O1 - Hosts: 216.32.94.147 gruppocarige.it
O1 - Hosts: 216.32.94.147 www.rasbank.it
O1 - Hosts: 216.32.94.147 rasbank.it
O1 - Hosts: 216.32.94.147 www.bancagenerali.it
O1 - Hosts: 216.32.94.147 bancagenerali.it
O1 - Hosts: 216.32.94.147 www.garanti.com.tr
O1 - Hosts: 216.32.94.147 garanti.com.tr
O1 - Hosts: 216.32.94.147 www.kocbank.com.tr
O1 - Hosts: 216.32.94.147 kocbank.com.tr
O1 - Hosts: 216.32.94.147 www.disbank.com.tr
O1 - Hosts: 216.32.94.147 disbank.com.tr
O1 - Hosts: 216.32.94.147 www.cassarimini.it
O1 - Hosts: 216.32.94.147 cassarimini.it
O1 - Hosts: 216.32.94.147 www.unicredit.it
O1 - Hosts: 216.32.94.147 unicredit.it
O1 - Hosts: 216.32.94.147 www.chase.com
O1 - Hosts: 216.32.94.147 chase.com
O1 - Hosts: 216.32.94.147 www.southtrust.com
O1 - Hosts: 216.32.94.147 southtrust.com
O1 - Hosts: 216.32.94.147 www.wachovia.com
O1 - Hosts: 216.32.94.147 wachovia.com
O1 - Hosts: 216.32.94.147 www.wellsfargo.com
O1 - Hosts: 216.32.94.147 wellsfargo.com
O1 - Hosts: 216.32.94.147 www.barclays.co.uk
O1 - Hosts: 216.32.94.147 barclays.co.uk
O1 - Hosts: 216.32.94.147 www.barclays.com
O1 - Hosts: 216.32.94.147 barclays.com
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 www.barclays.pt
O1 - Hosts: 216.32.94.147 barclays.pt
O1 - Hosts: 216.32.94.147 online.cassarimini.it
O1 - Hosts: 216.32.94.147 www.bancacarim.it
O1 - Hosts: 216.32.94.147 bancacarim.it
O1 - Hosts: 216.32.94.147 www.citi.com
O1 - Hosts: 216.32.94.147 citi.com
O1 - Hosts: 216.32.94.147 www.citibank.com
O1 - Hosts: 216.32.94.147 citibank.com
O1 - Hosts: 216.32.94.147 www.etrade.com
O1 - Hosts: 216.32.94.147 etrade.com
O1 - Hosts: 216.32.94.147 www.neteller.com
O1 - Hosts: 216.32.94.147 neteller.com
O1 - Hosts: 216.32.94.147 tcfbank.com
O1 - Hosts: 216.32.94.147 www.tcfbank.com
O1 - Hosts: 216.32.94.147 hsbc.com
O1 - Hosts: 216.32.94.147 www.hsbc.com
O1 - Hosts: 216.32.94.147 hsbc.co.uk
O1 - Hosts: 216.32.94.147 www.hsbc.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\system32\ib6.dll
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\system32\performentkls001.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20019\winlogon.exe
O4 - HKLM\..\Run: [System service] C:\WINDOWS\system32\system.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [pro] C:\Documents and Settings\Chris\Desktop\srv1.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096608229681
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9D5B4DF-CB98-4202-AB44-1ED316079900}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Joined
Sep 7, 2004
Messages
49,014
Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

=============
Download Hoster from here:
www.funkytoad.com/download/hoster.zip
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.
=========

post a new Hijack This log. and the Sweeper log
 

Clarke

Thread Starter
Joined
Jun 22, 2003
Messages
26
Thanks, MFD.

I'll try that when I get home, but I'm not sure I'll even be able to access the site--whatever has my computer keeps shutting down my internet. It gets to the site but then it says, "Windows cannot acces http://etc.etc." and then goes to a "Cannot find server" site. It's pretty vicious.

I'll let you know how it goes.
 

Clarke

Thread Starter
Joined
Jun 22, 2003
Messages
26
Sorry I took so long--

I may have bunged this up a little, but here's the new hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:51:40 PM, on 2/3/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\Mixer.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\smss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\winlogon.exe
C:\windows\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\windows\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096608229681
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9D5B4DF-CB98-4202-AB44-1ED316079900}: NameServer = 168.95.192.1 168.95.1.1
O20 - Winlogon Notify: WRNotifier - C:\windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

While the spysweeper was running my computer was still going haywire, and somehow I failed to save the sweep record. There were a few trojan horses, one of them was "sherrif" something.

Sorry, and thanks again

clarke
 
Joined
Sep 7, 2004
Messages
49,014
Fix these with HJT – mark them, close IE, click fix checked

O2 - BHO: - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - (no file)

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\windows\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\windows\winlogon.exe

O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)
==================================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

Windows Logon Process Service

Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.
========================

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\windows\smss.exe
C:\windows\winlogon.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top