Post #1 - Mar 8 2005, 03:36 AM - New Member (Group: Members, Posts: 2, Joined: 8-March 05, Member No.: 13,857)
I was infected with the HSA Hijack a few weeks ago, followed your advice and successfully removed it. On Friday I left my computer on and was infected with another Hijack, that seems to incorporate aspects of other hijacks, but doesn't manifest itself in the same way as the HSA. Initially it set my homepage to a link containing britneynude etc... and installed mass amounts of malware including Media Pass. It has now manifested to the point where I cannot log into Windows normally, I can only boot up in Safe Mode, and it is even present in Safe Mode. I have attempted to remove it with Hijack This, msconfig, Ad Aware, Ad Buster, and Trend Micro (Trend Micro identifies the infected files, but refuses to show me the log and fix the problems) but it still reloads every time I start up. I was successful in starting up normally once, but within seconds it had downloaded Media Pass, mommableep.exe, csrs.exe, syswork.exe, etc., and several other programs. I can no longer download files from the internet, only view pages, and taskmonitor does not respond. I want to get the FAV antivirus software, but again, I can't download anything, IE Explorer just freezes up. I may have removed something important inadvertently, but if anyone could help I would appreciate it. Here is my Hijack This log, unfortunately I have a powerpoint presentation to give tomorrow and porn pop-ups, and internet gambling aren't in the curriculum.

Thanks for the help, here is the log:

Logfile of HijackThis v1.99.0
Scan saved at 12:21:27 AM, on 08/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MDN.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] C:\WINDOWS\gcasServ.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110172846576
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
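As an added example, not code from the thread or from HijackThis itself: a small Python parser for the "Running processes" and O4 (registry autostart) sections of a HijackThis 1.99 log, with two defender heuristics that would have flagged the oddities visible in the log above, an autostart entry with no full path and one process image listed several times. The sample lines are constructed in the same format, and the heuristics are assumptions for triage, not HijackThis rules.

```python
import re

# Constructed sample in HijackThis 1.99 format, modelled on the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\MDN.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [gcasServ] C:\WINDOWS\gcasServ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DVD-RAM_Service - Example Co. - C:\WINDOWS\System32\DVDRAMSV.exe
"""

# Bracketed registry form only: "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Unquoted command line: the image ends at the first executable extension.
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)', re.I)

def parse_o4(line):
    # Returns a dict for an O4 registry line, None for anything else.
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    if cmd.startswith('"'):                  # quoted path: take up to closing quote
        image = cmd[1:cmd.index('"', 1)]
    else:
        im = IMAGE_RE.match(cmd)
        image = im.group(1) if im else cmd
    return {'hive': m.group('hive'), 'name': m.group('name'), 'command': cmd, 'image': image}

def review_log(text):
    # Heuristic triage (assumption): bare image names, images sitting directly in
    # C:\WINDOWS, and the same process image appearing more than once.
    findings, procs, in_procs = [], {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line == 'Running processes:':
            in_procs = True
            continue
        if re.match(r'^O\d+ - ', line):      # first O-line ends the process list
            in_procs = False
        if in_procs and line:
            procs[line.lower()] = procs.get(line.lower(), 0) + 1
        e = parse_o4(line)
        if e and not re.match(r'^[A-Za-z]:\\', e['image']):
            findings.append(f"{e['name']}: bare image name {e['image']!r}, no full path")
        elif e and re.match(r'^C:\\WINDOWS\\[^\\]+$', e['image'], re.I):
            findings.append(f"{e['name']}: autostart image directly in C:\\WINDOWS ({e['image']})")
    findings += [f'{p} is running {n} times' for p, n in procs.items() if n > 1]
    return findings
```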
Post #2 - Mar 8 2005, 04:44 AM - New Member (Group: Members, Posts: 2, Joined: 8-March 05, Member No.: 13,857)
I just ran Panda online and here are the noteworthy results:
Virus:Trj/Downloader.AEG Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2LMNAFMB\uninst[1].exe
Virus:Trj/WmvDownloader.A Disinfected C:\My Shared Folder\Loco - David Lee Murphy.wma
Virus:Trj/Multidropper.NB Disinfected C:\WINDOWS\ahadp.exe
Virus:Trj/Downloader.ALQ Disinfected C:\WINDOWS\msnmsgq.exe.bak
Virus:W32/Admincash.A Disinfected C:\WINDOWS\OLD5.tmp
Virus:Bck/Webdor.G Disinfected C:\WINDOWS\svchst.exe.bak
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\dl[1].exe
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\dl[2].exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\EULA[1].ctxt[EULA[1].ctxt]
Virus:W32/Korgo.T.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\x[1].exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\britneynude[1].html
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\dl[1].exe
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\dl[2].exe
Virus:Trj/Qukart.G Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\kkq3[1].gif
Virus:Trj/Qukart.G Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\kkq3[2].gif
Virus:W32/Korgo.V.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\x[1].exe
Virus:W32/Korgo.AM.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\x[2].exe
Virus:W32/Gaobot.DKR.worm Disinfected C:\WINDOWS\system32\ctxma.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitebfi32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitepmi32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitewfu32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitewgc32.exe
Virus:W32/Gaobot.DFE.worm Disinfected C:\WINDOWS\system32\TFTP2372
Virus:W32/Gaobot.DJK.worm Disinfected C:\WINDOWS\system32\winlite.exe
__________________________________________________________________

After running Panda, I rebooted Windows normally, which worked but immediately started downloading trojans and malware once again. Thought it might help, due to info on specific worms and trojans...
Post #3 - Mar 10 2005, 02:19 AM - Guru at being a Newbie (Group: HJT Team, Posts: 5,718, Joined: 8-April 04, Member No.: 96)
Hi Dyan,
Sorry for the delay. I found where you have a log posted at Castle Cops: http://computercops.biz/postp484394.html Please post back to that thread that you are getting help elsewhere. HJT logs are very time consuming and there is a massive amount of them on the net, so it will be a waste of someone's time to work on a log only to be told the problem has been solved. It also causes confusion. Your log over there is also a bit different. Please post a new one for me to review.

From the fact that you ran a Panda scan I'm assuming that you are on DSL and booting to Safe Mode with networking? Are you not able to download in safe mode? I would like for you to try again. Go to the following page and try downloading the latest version of HijackThis 1.99.1 from the link in the tutorial: How to post a HijackThis Log

Whether successful or not, please do this:

In safe mode, run Disk Cleanup. Type cleanmgr in the run box by going to Start>Run. Allow it to clean up all options that are checked and be sure that these three are:
Temporary Files
Temporary Internet Files
Recycle Bin
Then try downloading again.

Also while in safe mode type the following bold text in the Run box and hit Enter:
C:\WINDOWS\system32\
Look for the file taskmgr.exe
Rename the file taskmgr.com
Now double-click to open taskmgr.com
Does Task Manager open? Let me know.

In any event, post a fresh HijackThis log, in Normal Mode if possible. Open msconfig and set it for Normal startup under the general tab. Let me know if that helps and we need to see all startups anyway so we will know what all needs to be removed.

--------------------
If I have helped you, please consider a donation in memory of my cousin Matthew, lost to leukemia August 29, 2008 at the age of 25. Matt's sister, Marla, and his wife, Erin (who he had newly wed), are raising money to fight such blood diseases.
Marla's Site | Erin's Site