Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware/remote User Attack


  • Please log in to reply
1 reply to this topic

#1 scottykil

scottykil

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:41 AM

Posted 26 February 2008 - 09:09 PM

I really dont know where to start. I have spent several hundred hours trying to fix this on my own, but I have to give up and hand this to you guys, if you want it.
I guess I can start by telling you that I have 946 ports open. My system volume is corrupted with undeletable files, my bios is infected, And my ports have been hacked and I have a remote user completly in control of my computer. I have no admin rights. Someone changes them as fast as I do.
I have re-installed windows 17 times in two weeks. Immediatley after a re-format, I have the same files in C: Recycler and Sytem volume information, and I know that is where many problems lie. I will be the absolute most help for anyone who wants to take on this challenge...I am at my wits end and just need some expert help. I have lost 4000 pictures of my family and friends and new-born, 6000 songs, 1000s of documents, and alot of sleep.

I am running XP home addition with service pack 2 and all the hotties.


Logfile of HiJackFree v3.0
Scan saved at 4:30:32 PM, on 2/26/2008
Platform: Windows XP Service Pack 2 (Windows NT 5.1.2600)
MSIE: Internet Explorer v 6.0 Service Pack 2 (6.0.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} -
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [ScanmetenderStandard3] C:\Program Files\Scanmetender[Soft]\Scanmetender Standard\candard.exe
O7 - Regedit - Enabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra "Tools" menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1203850400921
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\System32\Ati2evxx.dll
O21 - ShellServiceObjectDelayLoad: PostBootReminder -
O21 - ShellServiceObjectDelayLoad: CDBurn -
O21 - ShellServiceObjectDelayLoad: WebCheck -
O21 - ShellServiceObjectDelayLoad: SysTray -
O22 - SharedTaskScheduler: Browseui preloader - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Anti-Malware Service - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Layer Gateway Service - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio - C:\WINDOWS\System32\svchost.exe
O23 - Service: AVG7 Alert Manager Server - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser - C:\WINDOWS\System32\svchost.exe
O23 - Service: Indexing Service - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Cryptographic Services - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher - C:\WINDOWS\system32\svchost
O23 - Service: DHCP Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support - C:\WINDOWS\System32\svchost.exe
O23 - Service: Human Interface Device Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service - C:\WINDOWS\System32\imapi.exe
O23 - Service: Server - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper - C:\WINDOWS\System32\svchost.exe
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Windows Installer - C:\WINDOWS\System32\msiexec.exe
O23 - Service: Network DDE - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon - C:\WINDOWS\System32\lsass.exe
O23 - Service: Network Connections - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage - C:\WINDOWS\system32\svchost.exe
O23 - Service: Plug and Play - C:\WINDOWS\system32\services.exe
O23 - Service: PunkBuster - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: IPSEC Services - C:\WINDOWS\System32\lsass.exe
O23 - Service: Protected Storage - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) - C:\WINDOWS\system32\svchost
O23 - Service: QoS RSVP - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Security Accounts Manager - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Performance Logs and Alerts - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services - C:\WINDOWS\System32\svchost
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows User Mode Driver Framework - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Universal Plug and Play Device Host - C:\WINDOWS\System32\svchost.exe
O23 - Service: Uninterruptible Power Supply - C:\WINDOWS\System32\ups.exe
O23 - Service: TrueVector Internet Monitor - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Security Center - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service - C:\WINDOWS\System32\svchost.exe

I have alot more important logs, like sytem logs and events, just tell me when your ready...dont want to over-load ya. Thank you in advance for any help at all you can give.

If someone needs my phone number or any other help at all, please let me know...thank you so much.
Scott

BC AdBot (Login to Remove)

 


#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:04:41 AM

Posted 06 March 2008 - 12:14 AM

Hi and welcome,

Sorry for delay.

If you still need help please let me know. I'd like to use a different app though to make a log.

I'm up to a good challange :blink:

Few things I should ask -- since it does seem kinda odd you should get re-infected immediately after re-installing the OS 17+ times!
don't feel I am prying in any way or trying to cause troubles -- just trying to sort the possible cause.
These things I need to know to help me narrow down possible causes.
And -- whatever answers you provide isn't going to get you in crap .. (like possibly knowing XP isn't legit for example)

Is your XP CD the origional CD? or a burnt copy from someone?
How about the apps you have installed? From a trusted source?
Any other computers on the network? Connected to a router or directly to internet?
If router --- is it wireless?
If wireless -- is it secured or "open" (so anyone can connect)
When you re-installed XP -- have you actually been formatting/installing or just doing repair installs?

I have the same files in C: Recycler and Sytem volume information, and I know that is where many problems lie.


What files do you see that keep showing up?

Now for the log --

Before running the scan let's clean out the temporoary folders.

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind35U.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top checkmark Include MD5
  • In the Drivers section click on Non-Microsoft.
  • In the rootkit section click on yes
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Session Manager Settings
      File - Additional Folder Scans
      Evnt - EventViewer Errors/Warnings (last 7 days)
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not /code with brackets around it then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.



Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users