TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Thoraxs on March 04, 2005, 06:02:35 AM
-
Hi,
I have WebSiteViewer on a Win 2000 server.
I have tried using the removal instructions posted here earlier, but they did not work.
I cannot remove:
C:\WINDOWS\System32\tibs3.exe <--file
C:\WINDOWS\System32\open32.exe
C:\WINDOWS\System32\snim.dll
C:\WINDOWS\SYSTEM32\drct16.dll
They are not there.
This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:48:07, on 4/03/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\lserver.exe
C:\Program Files\Pwrchute\ups.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Documents and Settings\Administrator\WINDOWS\winhlp.exe
C:\WINNT\System32\systime.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\System32\systime.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Program Files\WebSiteViewer\124842.dlr
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.3:80
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [VideoDriver] C:\Documents and Settings\marc\WINDOWS\videodrv.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [TaskMon] C:\WINNT\System32\taskmon.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\Documents and Settings\Administrator\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\Documents and Settings\Administrator\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [SysTime] C:\WINNT\System32\systime.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINNT\System32\WINdirect.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Documents and Settings\Administrator\WINDOWS\web\related.htm (file missing)
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:\Documents%20and%20Settings\marc\Local%20Settings\Temp\7\Rar$EX00.599\message.html!File://foo.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://C:\nosuch.mht!http://213.159.117.203/dl/adv407/x.chm::/load.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://iframedollars.biz/tb/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=2732
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = astron.be
O17 - HKLM\System\CCS\Services\Tcpip\..\{A95F1784-2029-4B51-8B8A-83170A887CDC}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = astron.be
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = astron.be
O23 - Service: Alerter - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Backup Exec 8.x Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec 8.x Alert Server (BackupExecAlertServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\alertServer.exe
O23 - Service: Backup Exec 8.x Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec 8.x Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec 8.x Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec 8.x Notification Server (BackupExecNotificationServer) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\nsvr.exe
O23 - Service: Backup Exec 8.x Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: Distributed File System (Dfs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: DNS Server (DNS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\dns.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Fax Service (Fax) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\faxsvc.exe (file missing)
O23 - Service: Intersite Messaging (IsmServ) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\ismserv.exe (file missing)
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: License Logging Service (LicenseService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\llssrv.exe (file missing)
O23 - Service: TCP/IP NetBIOS Helper Service (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Messenger - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: File Replication Service (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Navision Attain Database Server PDCSRV (PDCSRV) - Navision a/s - C:\Program Files\Navision Attain\Database Server\SERVER.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Policy Agent (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Routing and Remote Access (RemoteAccess) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Remote Registry Service (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\regsvc.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\rsvp.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\MSTask.exe (file missing)
O23 - Service: RunAs Service (seclogon) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\termsrv.exe (file missing)
O23 - Service: Terminal Services Licensing (TermServLicensing) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\lserver.exe (file missing)
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\tlntsvr.exe (file missing)
O23 - Service: Distributed Link Tracking Server (TrkSvr) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\services.exe (file missing)
O23 - Service: UPS - APC PowerChute plus (UPS) - APC - C:\Program Files\Pwrchute\ups.exe
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\UtilMan.exe (file missing)
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\services.exe (file missing)
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\System32\WBEM\WinMgmt.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\Services.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator\WINDOWS\system32\svchost.exe (file missing)
Thx much for the help.
Thoraxs
-
Can I get you to access your Add/Remove Programs
and remove if found
Internet Optimizer
COMET System or similar
When back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Download and Install Spybot S&D 1.3 (http://www.download.com/3000-8022-10122137.html)
When installing, please don't enable TEA TIMER. It's a great addon to Spybot, but it can get in our way when doing any manual fixes. This can be enabled at a later time if you want it
After installation, click the Update button on the left. In the window on the right, click the SEARCH FOR UPDATES button. Check and download all updates
Click the "Search and Destroy" Button
In the right window, click Check for Problems. Let it complete its scanning. Ensure to check and FIX everything in RED; they should be checked by default
RESTART your computer to finish the Cleaning process
If you can't run any of those in Normal mode try in Safe mode
When you're back in Windows
I would also recommend you do an online Virus scan at
Panda's Online Virus scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Post back a fresh Hijackthis log afterwards