TechSpot

HiJack This Log

By wazza
Sep 15, 2006
  1. Hi

    Can't open/access Task Manager, command prompt, regedit or msconfig.

    I installed Hijack This and did a scan.

    See HijackThis log(attachment) for results.

    I read a thread exactly like this and it said that I should let you guys have a look at the Hijack This log and then you would be able to help me fix the problem.

    NB: The operating system is Windows Server 2003 and obviously it is a server which is running a lot of applications and services, so I don't want to make a mistake.


    Later

    Thanks in advance
    WaZZa
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    DAP

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    system service
    Generic Host Process

    Close the services window.

    Open your task manager(if you can), by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for the following (if there).

    system.exe
    DAP.EXE
    scvhost.exe (not to be confused with svchost.exe, which is legitimate)

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe

    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe

    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe

    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.DLL

    O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

    O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe

    O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LaserNet_CPT
    O17 - HKLM\Software\..\Telephony: DomainName = LaserNet_CPT
    O17 - HKLM\System\CCS\Services\Tcpip\..\{225D0BD3-73C7-46DB-9FA8-B4F0A547A37F}: NameServer = 196.7.0.138
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A7B83BCA-A7B6-48DE-892E-661B5558658E}: NameServer = 196.7.0.138
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LaserNet_CPT
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LaserNet_CPT

    Only fix the above O17 entries if they don't belong to your domain or ISP.

    O23 - Service: system service (system) - Unknown owner - C:\Documents and Settings\Administrator\system.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Documents and Settings\Administrator\system.exe
    C:\WINDOWS\system32\scvhost.exe (not to be confused with svchost.exe)

    c:\windows\system\svchost.exe This is not the legit svchost.exe and is running from the wrong location.

    C:\Program Files\DAP

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Make sure to rename the HijackThis.exe to HijackThis1991.exe and post a fresh HJT log.

    Let me know how your system is running.

    Regards Howard :wave: :wave:

    This thread is for the use of wazza only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. wazza

    wazza TS Rookie Topic Starter Posts: 69

    New Hijack this log

    Hi Howard

    Thanks for the help. I followed your instruction but the problem still persists.
    I can't open regedit, cmd, the firewall or Task Manager.

    See latest log
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You still have at least one trojan on your system.

    Go HERE and follow all the instructions exactly.

    Post fresh HJT and Ewido logs into this thread, only after doing the above.

    Regards Howard :)

     
  5. wazza

    wazza TS Rookie Topic Starter Posts: 69

    Hey Howard

    Still battling here.

    See latest logs.

    Once again thanks
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

    Aspera

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Aspera Sync Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for the following (if there).

    asperacopy.exe
    msiexec16.exe
    asperasync.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    F0 - system.ini: Shell=Explorer.exe c:\windows\system32\msiexec16.exe

    F1 - win.ini: run=c:\windows\system32\msiexec16.exe

    O4 - Global Startup: Aspera Scp.lnk = C:\Program Files\Aspera\bin\asperacopy.exe

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    O23 - Service: Aspera Sync Service (AsperaSyncService) - Aspera Inc. - C:/Program Files/Aspera/bin\asperasync.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Aspera
    c:\windows\system32\msiexec16.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Go HERE and follow the instructions for enabling regedit.

    Post a fresh HJT log and let me know how your system is running.


    Regards Howard :)

     
  7. wazza

    wazza TS Rookie Topic Starter Posts: 69

    Hi Howard

    Sorry, I can't uninstall Aspera; I need that for my clients. I will complete the other instructions as directed. Will try tonight.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s ok. Thanks for letting me know.

    Regards Howard :)
     
  9. wazza

    wazza TS Rookie Topic Starter Posts: 69

    Hey Howard

    I cannot complete your last instructions. I cannot go into safe mode as I am at home, but I use VNC to connect to the server remotely, as you would have seen. So throughout the day I have just been running antivirus and antispyware programs. None of them found anything besides a program I stumbled on this afternoon, "Trojan Hunter"; it found VNC and 1 other trojan.

    So where are we ?

    I can get into task manager and the registry but still cannot access cmd and the windows firewall. Any suggestions?

    I didn't post a new HJT log as not much has changed from the last one.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Did you delete the msiexec16.exe file?

    You really do need to access safe mode for the instructions to work properly. Maybe you should wait until you`re home.

    Regards Howard :)
     
  11. wazza

    wazza TS Rookie Topic Starter Posts: 69

    I am at home, that's why I cannot get my server into safe mode, unless you know a way of doing it via VNC maybe?
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Sorry mate, I obviously misunderstood.

    Nope, I don't know of a way to get your server into safe mode with VNC.

    Regards Howard :)

     
  13. wazza

    wazza TS Rookie Topic Starter Posts: 69

    I will do it in the morning tomorrow.

    I'll keep you updated.

    Thanks
     
Topic Status:
Not open for further replies.
