HiJack This Log


wazza

Hi

Can't open/access taskmanager, cmd prompt, regedit, msconfig

I installed Hijack This and did a scan.

See HijackThis log(attachment) for results.

I read a thread exactly like this and it said that I should let you guys have a look at the Hijack This log and then you would be able to help me fix the problem.

NB: The operating system is Windows Server 2003 and obviously it is a server which is running a lot of applications and services. So I don't want to make a mistake.


Later

Thanks in advance
WaZZa
 
Hello and welcome to Techspot.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

DAP

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

system service
Generic Host Process

Close the services window.

Open your task manager(if you can), by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

system.exe
DAP.EXE
scvhost.exe<Not to be confused with svchost.exe which is legit.

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe

F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.DLL

O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe

O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = LaserNet_CPT
O17 - HKLM\Software\..\Telephony: DomainName = LaserNet_CPT
O17 - HKLM\System\CCS\Services\Tcpip\..\{225D0BD3-73C7-46DB-9FA8-B4F0A547A37F}: NameServer = 196.7.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7B83BCA-A7B6-48DE-892E-661B5558658E}: NameServer = 196.7.0.138
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = LaserNet_CPT
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = LaserNet_CPT

Only fix the above O17 entries if they don't belong to your domain or ISP.

O23 - Service: system service (system) - Unknown owner - C:\Documents and Settings\Administrator\system.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Documents and Settings\Administrator\system.exe
C:\WINDOWS\system32\scvhost.exe<Not to be confused with svchost.exe.

c:\windows\system\svchost.exe This is not the legit svchost.exe and is running from the wrong location.

C:\Program Files\DAP

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Make sure to rename the HijackThis.exe to HijackThis1991.exe and post a fresh HJT log.

Let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of wazza only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
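As an added example (not part of the thread or of HijackThis), a Python triage helper that applies the reasoning in the reply above to HijackThis entries: a system binary name spelled slightly wrong (scvhost.exe, msiexec16.exe), a genuine name running from the wrong folder, an executable living in a user profile, and a policy value that disables regedit or the task manager. The sample entries are the ones quoted in this thread; the table of legitimate home folders is an assumption for the Windows Server 2003 / XP layout.

```python
import re

# Assumed: legitimate Windows binaries that malware likes to imitate, and the
# folder each normally lives in (lower-case, Windows Server 2003 / XP layout).
LEGIT = {
    "svchost.exe": r"c:\windows\system32",
    "msiexec.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Drive-letter path ending in .exe; allows spaces ("Documents and Settings").
PATH_RE = re.compile(r'[a-z]:\\(?:[^\\:*?"<>|\r\n]+\\)*[^\\:*?"<>|\r\n]*?\.exe', re.I)

# Constructed sample: entries quoted in this thread plus one legitimate entry.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [WinReg] c:\windows\system\svchost.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: system service (system) - Unknown owner - C:\Documents and Settings\Administrator\system.exe
F0 - system.ini: Shell=Explorer.exe c:\windows\system32\msiexec16.exe
O4 - HKLM\..\Run: [ok] C:\WINDOWS\system32\svchost.exe -k netsvcs"""


def edit_distance(a, b):
    """Plain Levenshtein distance; scvhost.exe vs svchost.exe is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return (entry_type, path, reason) for each suspicious HijackThis line."""
    findings = []
    for line in log_text.splitlines():
        entry = line.split(" - ", 1)[0]            # e.g. "F2", "O4", "O23"
        if re.search(r"Disable(Regedit|TaskMgr|CMD)=1", line):
            findings.append((entry, None, "policy blocks admin tool"))
        for path in PATH_RE.findall(line):
            folder, _, name = path.lower().rpartition("\\")
            if name in LEGIT and folder != LEGIT[name]:
                findings.append((entry, path, "legit name outside its home folder"))
            elif name not in LEGIT and any(edit_distance(name, l) <= 2 for l in LEGIT):
                findings.append((entry, path, "look-alike of a system binary"))
            elif folder.startswith(r"c:\documents and settings"):
                findings.append((entry, path, "executable in a user profile"))
    return findings
```

The legitimate `svchost.exe -k netsvcs` entry in the sample produces no finding, which is the point of checking the folder rather than the name alone.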
 
New Hijack this log

Hi Howard

Thanks for the help. I followed your instruction but the problem still persists.
I can't open regedit, cmd, firewall, task man.

See latest log
 
You still have at least one trojan on your system.

Go HERE and follow all the instructions exactly.

Post fresh HJT and Ewido logs into this thread, only after doing the above.

Regards Howard :)
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Aspera

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Aspera Sync Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

asperacopy.exe
msiexec16.exe
asperasync.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F0 - system.ini: Shell=Explorer.exe c:\windows\system32\msiexec16.exe

F1 - win.ini: run=c:\windows\system32\msiexec16.exe

O4 - Global Startup: Aspera Scp.lnk = C:\Program Files\Aspera\bin\asperacopy.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O23 - Service: Aspera Sync Service (AsperaSyncService) - Aspera Inc. - C:/Program Files/Aspera/bin\asperasync.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\Aspera
c:\windows\system32\msiexec16.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Go HERE and follow the instructions for enabling regedit.

Post a fresh HJT log and let me know how your system is running.


Regards Howard :)
 
Hi Howard

Sorry, I can't uninstall Aspera, I need that for my clients. I will complete the other instructions as directed. Will try tonight.
 
Hey Howard

I cannot complete your last instructions, I cannot go into safe mode as I am at home, but I use VNC to connect to the server remotely as you would have seen. So throughout the day I have just been running antivirus and antispyware programs. None of them found anything besides a program I stumbled on this afternoon, "Trojan Hunter"; it found VNC and 1 other trojan.

So where are we ?

I can get into task manager and the registry but still cannot access cmd and the windows firewall. Any suggestions?

I didn't post a new HJT log as not much has changed from the last one.
 
Did you delete the msiexec16.exe file?

You really do need to access safe mode for the instructions to work properly. Maybe you should wait until you're home.

Regards Howard :)
 
I am at home, that's why I cannot get my server into safe mode, unless you know a way of doing it via VNC maybe?
 
Sorry mate, I obviously misunderstood.

Nope, I don't know of a way to get your server into safe mode with VNC.

Regards Howard :)