Q: NT hijack problem ( No Answer,   3 Comments )
Question  
Subject: NT hijack problem
Category: Computers > Security
Asked by: smallbusiness-ga
List Price: $50.00
Posted: 16 Oct 2005 01:32 PDT
Expires: 15 Nov 2005 00:32 PST
Question ID: 580850
The Windows NT 4.0 server for our 9-computer LAN seems to be infected
with a nasty virus that blocks Google from all the computers. How
should we fix this? All the computers are virus free as checked by
McAfee, Adaware, AX2, and Microsoft Malicious software remover.
However, it turns out that the NT computer has not been installing the
Microsoft security updates although they download OK. The McAfee and
Microsoft anti-virus software apparently do not support the old NT
software. Our symptom is that we can't reach Google, news.google and
maps.google. Froogle google worked this week but seems to have gone
bad too now. Please help.

Thanks,
Small business GA

Clarification of Question by smallbusiness-ga on 16 Oct 2005 01:35 PDT
The LAN has a separate computer firewall installed by a professional

Request for Question Clarification by livioflores-ga on 17 Oct 2005 08:03 PDT
Hi!!

There are several things that you can and must do in order to get
assistance from us.
First thing you can do is to download a free antivirus to scan your NT
computer. Avast! antivirus supports the NT 4.0 platform,
according to its system requirements list.
First you need to register here to get the register key (it is free):
http://www.avast.com/i_kat_207.php?lang=ENG

Then download and install the antivirus:
http://files.avast.com/iavs4pro/setupeng.exe

Run the antivirus and see the results; if it asks you to fix something, let it.


Another thing you need to do is to download and run HijackThis. This
is an expert's tool used to remove hijackers and spyware, but since it
works on demand, not automatically, you only need to post a log here
as a clarification and then I will analyze it and tell you what the
next steps are.
Download HJT from here and copy it to a dedicated folder:
http://aumha.org/downloads/hijackthis.exe

To see how to get and post a log here see the following tutorial at
BleepingComputer.com:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#HowToUse

Note that on Windows NT, 2000, & XP, it requires that you have
administrator privileges.

I am looking forward to your response to this request.

Regards, 
livioflores-ga

Clarification of Question by smallbusiness-ga on 17 Oct 2005 20:26 PDT
Hi Livioflores-ga,
Thanks for your advice. Most antivirus downloads are blocked at work
so I downloaded Avast at home and then emailed the file to the NT
computer. Tomorrow we will see if Avast works and also if HJT can be
downloaded to the NT computer. I'll be in touch as soon as possible,
from home if Google is still blocked at work.

Thanks again,
SmallBusiness ga

Clarification of Question by smallbusiness-ga on 19 Oct 2005 06:38 PDT
To Livioflores-GA: The logfiles of HijackThis from 2 different days are
below as you requested.


Logfile of HijackThis v1.99.1
Scan saved at 2:29:07 PM, on 10/11/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\Atiptaaa.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Plus!\Microsoft Internet\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\TEMP\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: Abcam Toolbar - {68EC5979-EB00-46b9-8FF4-26943B2A358B} -
C:\Program Files\AbcamToolbar\abcamtool.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Abcam Toolbar -
{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program
Files\AbcamToolbar\abcamtool.dll
O9 - Extra 'Tools' menuitem: Abcam Toolbar -
{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program
Files\AbcamToolbar\abcamtool.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}
- C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .pdb: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npchime.dll
O13 - WWW. Prefix: http://
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -
http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 204.246.1.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 204.246.1.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 204.246.1.20

Logfile of HijackThis v1.99.1  (B)
Scan saved at 4:15:33 PM, on 10/13/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\Atiptaaa.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\System32\ddhelp.exe
C:\Program Files\Qualcomm\Eudora Mail\Eudora.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
D:\gelimages2005\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: Abcam Toolbar - {68EC5979-EB00-46b9-8FF4-26943B2A358B} -
C:\Program Files\AbcamToolbar\abcamtool.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -
{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINNT\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program
Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Abcam Toolbar -
{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program
Files\AbcamToolbar\abcamtool.dll
O9 - Extra 'Tools' menuitem: Abcam Toolbar -
{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program
Files\AbcamToolbar\abcamtool.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}
- C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .pdb: C:\PROGRA~1\Plus!\MICROS~1\PLUGINS\npchime.dll
O13 - WWW. Prefix: http://
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -
http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 204.246.1.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kendricklab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 204.246.1.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 204.246.1.20

Request for Question Clarification by livioflores-ga on 19 Oct 2005 07:28 PDT
Hi!!

I did not find anything significant in your log files related to your
problem. But I think that some things must be fixed:
Run HJT and click the Scan button, then check the following items:
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O13 - WWW. Prefix: http://
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -
http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab

The above are just cosmetic fixes, so you can skip them if you like,
but there is one thing that I need to know: did you check in the
Internet options whether somebody has added to the Restricted Sites zone
(at the Security tab --> select Restricted Sites --> Sites button)
some references to the Google site?

Another issue that I cannot handle from here is related to the Abcam
toolbar. Is it possible that this toolbar is related to your problem
(for example, the problems began with the installation of it)? I have
no references about this toolbar; probably you can try uninstalling
it and checking.

You can also try the following removal tool from Symantec. This
tool removes a trojan whose behaviour is similar to your
problem:
"Trojan.Qhosts"
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

"Symantec Security Response - Trojan.Qhosts Removal Tool"
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.removal.tool.html

PS: did you install the antivirus and scan your computer?


I will wait for your response.

Regards,
livioflores-ga
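
A small triage script for the O17 lines of the two HijackThis logs above, added here as an illustration and not part of the thread or of HijackThis itself: it pulls out every O17 NameServer entry and reports any resolver address that is not on an allowlist the administrator supplies. The allowlist and the appended second address 198.51.100.7 in the sample are constructed; 204.246.1.20 is the value the posted logs show. A resolver the LAN does not own is exactly how a DNS-level "Google is blocked" symptom can be introduced without touching the hosts file.

```python
"""Triage the O17 (TCP/IP parameters) lines of a HijackThis log.

Added example, not from the original thread and not part of HijackThis.
It extracts each O17 NameServer / Domain entry and reports name servers
that are not on an allowlist the administrator supplies.
"""
import re
from ipaddress import ip_address

# Matches lines such as:
# O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 1.2.3.4
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\[^:]+): (?P<name>\w+) = (?P<value>.+)$"
)

# Constructed sample: the posted log's own O17 forms, plus one made-up
# NameServer list that carries an extra resolver (198.51.100.7).
SAMPLE_LOG = "\n".join([
    r"O13 - WWW. Prefix: http://",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kendricklab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 204.246.1.20",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 204.246.1.20,198.51.100.7",
])


def parse_o17(log_text):
    """Return a list of (registry key, parameter name, value) for O17 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name"), m.group("value")))
    return entries


def unexpected_name_servers(log_text, allowed):
    """Return the sorted list of NameServer values not in `allowed`.

    NameServer values may be comma- or space-separated lists. Tokens that
    are not IP addresses at all are reported too, since they are never
    legitimate in that registry value.
    """
    allowed_ips = {ip_address(a) for a in allowed}
    bad = set()
    for _key, name, value in parse_o17(log_text):
        if name != "NameServer":
            continue
        for token in re.split(r"[,\s]+", value):
            if not token:
                continue
            try:
                ip = ip_address(token)
            except ValueError:
                bad.add(token)
                continue
            if ip not in allowed_ips:
                bad.add(str(ip))
    return sorted(bad)


if __name__ == "__main__":
    # Assumed allowlist: the LAN's own resolver as seen in the posted log.
    for key, name, value in parse_o17(SAMPLE_LOG):
        print(f"{name:<10} {value:<30} ({key})")
    print("unexpected resolvers:", unexpected_name_servers(SAMPLE_LOG, ["204.246.1.20"]))
```

Run it against a saved log with `unexpected_name_servers(open("hijackthis.log").read(), ["<your LAN DNS>"])`; an empty result means every configured resolver is one you recognise, which is the check the posted logs pass.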

Clarification of Question by smallbusiness-ga on 19 Oct 2005 19:30 PDT
To livioflores-ga

The Avast file from home didn't work. At the office, Avast antivirus
downloaded but either didn't work or didn't find anything (someone
else did this). Nothing was added to the restricted sites on the
Security tab. Abcam isn't a problem. A client visited today and we
didn't have time to try the Symantec Trojan Qhost Removal Tool. Will
try it tomorrow.
Thanks
Small business-ga

To X86guru-ga
The rootkit revealer labeled everything (150,000 files or something
like that) as a problem on the NT computer. We ran it on a Windows
2000 and it found nothing. Also, c:\winnt\system32\drivers\etc host
showed no entries for google. So hopefully we don't have a rootkit. We
purchased Adaware SE from Amazon and will try installing it from the CD
tomorrow. Hopefully it will have updated files as we are unable to
download any updates because the download sites are blocked.
Thanks,
Small business-ga

Request for Question Clarification by livioflores-ga on 20 Oct 2005 07:57 PDT
What about the firewall? It could be the problem. And one more thing:
Google cannot be reached by any computer on your network, right? So
could you please post an HJT log from one of the computers? Sometimes the
security software fails to find the pest, but HJT will show us whether
they are infected. Your NT computer could be clean but the others not;
this depends on the Windows versions that are the target of the
pestware and on the use of the computer. The server is probably not used
to browse as often as the other 9 are (and servers are usually
used to browse in a more "professional" way).
Answer  
There is no answer at this time.

Comments  
Subject: Re: NT hijack problem
From: x86guru-ga on 18 Oct 2005 02:06 PDT
 
Sounds like you have either been rootkitted and the virus has extreme
control over your filesystem, networking, and processes.
Download and run this tool:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
It's RootkitRevealer from Sysinternals. This should help in
determining if you have a rootkit installed.
You also might have a non-rootkit virus installed, but it's messing with
your host file on your system located at
c:\winnt\system32\drivers\etc\host. Open this file with Notepad and
see if it has entries for Google and popular antivirus sites.
Be warned rootkits are very very difficult to remove and best solution
would be to reinstall the OS from scratch after backing up your data.
Subject: Re: NT hijack problem
From: securityexpert-ga on 31 Oct 2005 00:08 PST
 
In order to install NT updates you can update the jscript.dll from
Microsoft. Go to Microsoft and search for the jscript.dll patch, which would
solve your issue with updating.

Also check the hosts file for possible poisoning of domain name google.
Subject: Re: NT hijack problem
From: jhoffa-ga on 04 Nov 2005 18:55 PST
 
Type 66.102.7.104 into your IE at work and see if it opens. If so,
it's a prob with your DNS or hosts. Go to Services and try shutting
down your DNS Client: go to Properties -> Startup type -> Manual,
reboot and try to connect again. Pop open your hosts file in
c:winnt\sys32\drivers\etc (can do it with Notepad) and check to see if
www.google.com is listed with 127.0.0.1 next to it. If it's not listed
at all you can try adding it in with 66.102.7.104 next to it. If it is
listed with 127.0.0.1, you've been infected, most likely with a trojan.
Use Ewido or a trojan-specific AV program to clean this out. Find the
infection and fix it, then switch the IP in your hosts file with the
correct IP and you should be fine.
If it's not your hosts file then it could still be your DNS server. Hope this helps.
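
The hosts-file check that the three commenters describe, written out as an added example (not code from the thread): it parses hosts-file syntax (address, whitespace, one or more hostnames, optional `#` comment) and reports any watched hostname, here Google plus a few vendor domains, that is pinned to loopback, to 0.0.0.0, or to any fixed address at all. The sample hosts text is constructed to show what a poisoned file looks like; on NT 4 the real file is C:\WINNT\system32\drivers\etc\hosts.

```python
"""Check a Windows hosts file for poisoned entries.

Added example, not from the original thread. Reports watched hostnames
that a hosts file pins to loopback, to the unspecified address, or to
any fixed address (a fixed pin hides a DNS problem rather than fixing it).
"""
from ipaddress import ip_address

# Assumed watch list: domains whose blocking matches the symptom in the thread.
WATCHED_SUFFIXES = ("google.com", "symantec.com", "mcafee.com", "microsoft.com")

# Constructed sample, modelled on a poisoned hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.google.com   # redirected to loopback
0.0.0.0         securityresponse.symantec.com
204.246.1.20    fileserver.kendricklab
"""


def parse_hosts(text):
    """Return a list of (address string, lowercase hostname) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # address with no hostname
            continue
        addr, *names = parts
        for name in names:                     # one line may list several names
            entries.append((addr, name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return (address, hostname, reason) for entries that look like poisoning."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost":               # the one line Windows ships with
            continue
        try:
            ip = ip_address(addr)
        except ValueError:
            findings.append((addr, name, "unparseable address"))
            continue
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, name, "watched host pinned to loopback/blackhole"))
        else:
            findings.append((addr, name, "watched host pinned to a fixed address"))
    return findings


if __name__ == "__main__":
    for addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<35} {reason}")
```

To check a real machine, pass the file contents: `suspicious_entries(open(r"C:\WINNT\system32\drivers\etc\hosts").read())`. An empty list means the hosts file is not the cause and the resolver configuration is the next place to look.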
