
Severe Hijack


2 replies to this topic

#1 Dyan


  • Members
  • 2 posts

Posted 08 March 2005 - 03:36 AM

Hey Guys,

I was infected with the HSA Hijack a few weeks ago, followed your advice and successfully removed it. On Friday I left my computer on and was infected with another Hijack, that seems to incorporate aspects of other hijacks, but doesn't manifest itself in the same way as the HSA. Initially it set my homepage to a link containing britneynude etc... and installed mass amounts of malware including Media Pass. It has now manifested to the point where I can not log into Windows normally, I can only boot up in Safe Mode, and it is even present in Safe Mode. I have attempted to remove it with Hijack This, msconfig, Ad Aware, Ad Buster, and Trend Micro (Trend Micro identifies the infected files, but refuses to show me the log and fix the problems) but it still reloads every time I start up. I was successful in starting up normally once, but within seconds it had downloaded Media Pass, mommableep.exe, csrs.exe, syswork.exe, etc. and several other programs.

I can no longer download files from the internet, only view pages, and taskmonitor does not respond. I want to get the FAV antivirus software, but again, I can't download anything, IE Explorer just freezes up. I may have removed something important inadvertently, but if anyone could help I would appreciate it.

Here is my Hijack This log; unfortunately I have a PowerPoint presentation to give tomorrow, and porn pop-ups and internet gambling aren't in the curriculum.

Thanks for the help, here is the log:

Logfile of HijackThis v1.99.0
Scan saved at 12:21:27 AM, on 08/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MDN.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] C:\WINDOWS\gcasServ.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110172846576
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
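As an added example (not part of Dyan's post and not code from the HijackThis tool), a small Python triage parser for the log format above. It splits a HijackThis log into the running-process list and the O-numbered entries, reports image names that appear more than once in the process list (the log above shows taskmgr.exe three times), and lists O4 Run entries whose value is a bare filename with no directory, which Windows resolves through the search path and so deserves a second look. The excerpt it parses is constructed to mirror the shape of the log in the post.

```python
import re
from collections import Counter

# Constructed excerpt in HijackThis 1.99 log format (same shape as the log in the post).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\MDN.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\taskmgr.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the O-numbered entries."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process block
        elif in_procs:
            procs.append(line)
        elif re.match(r"^O\d+ - ", line):
            entries.append(line)
    return procs, entries

def image_path(cmd):
    """Image a Run value launches: the quoted path, or the text up to and including '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def duplicate_processes(procs):
    """Image names that appear more than once, e.g. several taskmgr.exe instances."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in procs)
    return {name: n for name, n in counts.items() if n > 1}

def bare_filename_entries(entries):
    """O4 Run entries whose image has no directory; Windows finds these via the search path."""
    return [m["name"] for m in map(O4_RE.match, entries) if m and "\\" not in image_path(m["cmd"])]
```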

#2 Dyan

  • Topic Starter

  • Members
  • 2 posts

Posted 08 March 2005 - 04:44 AM

I just ran Panda online and here are the noteworthy results:


Virus:Trj/Downloader.AEG Disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2LMNAFMB\uninst[1].exe

Virus:Trj/WmvDownloader.A Disinfected C:\My Shared Folder\Loco - David Lee Murphy.wma

Virus:Trj/Multidropper.NB Disinfected C:\WINDOWS\ahadp.exe
Virus:Trj/Downloader.ALQ Disinfected C:\WINDOWS\msnmsgq.exe.bak
Virus:W32/Admincash.A Disinfected C:\WINDOWS\OLD5.tmp
Virus:Bck/Webdor.G Disinfected C:\WINDOWS\svchst.exe.bak

Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\dl[1].exe
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\dl[2].exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1G8F38CO\EULA[1].ctxt[EULA[1].ctxt]
Virus:W32/Korgo.T.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F7438XF8\x[1].exe

Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\britneynude[1].html
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\dl[1].exe
Virus:Trj/Downloader.ANG Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\dl[2].exe
Virus:Trj/Qukart.G Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\kkq3[1].gif
Virus:Trj/Qukart.G Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\kkq3[2].gif
Virus:W32/Korgo.V.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\x[1].exe
Virus:W32/Korgo.AM.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\N068GRCF\x[2].exe
Virus:W32/Gaobot.DKR.worm Disinfected C:\WINDOWS\system32\ctxma.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitebfi32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitepmi32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitewfu32.exe
Virus:Trj/Startpage.SJ Disinfected C:\WINDOWS\system32\elitewgc32.exe
Virus:W32/Gaobot.DFE.worm Disinfected C:\WINDOWS\system32\TFTP2372
Virus:W32/Gaobot.DJK.worm Disinfected C:\WINDOWS\system32\winlite.exe
__________________________________________________________________

After running panda, I rebooted Windows normally, which worked but immediately started downloading trojans and malware once again. Thought it might help, due to info on specific worms and trojans...

#3 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts

Posted 10 March 2005 - 02:19 AM

Hi Dyan,

Sorry for the delay. I found where you have a log posted at Castle Cops.
http://computercops.biz/postp484394.html

Please post back to that thread that you are getting help elsewhere. HJT logs are very time consuming and there are a massive amount of them on the net, so it will be a waste of someone's time to work on a log only to be told the problem has been solved. It also causes confusion.

Your log over there is also a bit different. Please post a new one for me to review.

From the fact that you ran a Panda scan I'm assuming that you are on DSL and booting to Safe Mode with networking? Are you not able to download in safe mode? I would like for you to try again. Go to the following page and try downloading the latest version of HijackThis 1.99.1 from the link in the tutorial:
How to post a HijackThis Log

Whether successful or not, please do this:

In safe mode, run Disk Cleanup. Type cleanmgr in the run box by going to Start>Run. Allow it to clean up all options that are checked and be sure that these three are:
Temporary Files
Temporary Internet Files
Recycle Bin

Then try downloading again.

Also while in safe mode type the following bold text in the Run box and hit Enter:
C:\WINDOWS\system32\

Look for the file taskmgr.exe. Rename the file taskmgr.com. Now double-click to open taskmgr.com. Does Task Manager open?

Let me know. In any event, post a fresh HijackThis log, in Normal Mode if possible. Open msconfig and set it for Normal startup under the general tab. Let me know if that helps and we need to see all startups anyway so we will know what all needs to be removed.

The thing about people

is they change

when they walk away.--Mipso




