
Help I have been Hijacked


  • This topic is locked
5 replies to this topic

#1 Dragonsoul

Dragonsoul

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 10 July 2005 - 10:09 PM

Hello,

I am having MAJOR issues with my computer. Today I was searching the web and all of a sudden my firewall notification popped up that a misc prog wanted access to the net. I checked the box to remember this setting and clicked deny. Then my browser shut down with an IE error report and when I reopened it, the start page was changed to some blank page. Then I started to get malicious data messages and I ran a full system scan with McAfee. It found a trojan that referenced the name start page something (sorry I did not get the name because it deleted the trojan before I could write it down) and also referenced the file uktii.dll. I was happy at this point because I thought awesome, the problem has been found and deleted. The next thing I did was proceed to trendhousemicro to run their online virus scanner just for a second opinion that my system was in fact clean. As I started to run this scanner, IE encountered an error and shut itself down (almost like the trojan knew I was trying to kill it and shut me down). Then I was extremely frustrated and out of curiosity I opened Add/Remove Programs to see what was listed there. I found 3 programs that I never installed and I knew for a fact that they must be linked to this issue. Home Search Assistent was at the top of the list and the other 2 names I cannot get because when I went to open Add/Remove Programs again to write down the other 2 names it would no longer open (once again, may be a coincidence, but why is this now the second way I might try to remove this program and it is blocking my access). I immediately hit the net in search of information on this Home Search Assistent (the incorrect spelling of assistant was my first clue) and I found your web site. Now I will tell you what else I have done so far to try and eliminate any postings telling me to try this, so we might save some time. I have turned off System Restore since I know that it might contain copies of the trojan and reinfect me every time I reboot.
I have gone into safe mode and tried to remove those 3 programs and they do nothing, they will not remove this way. I have installed Firefox so I can search the web with a browser that is more secure (yes, I have kicked myself for not using it in the first place). I tried to use Panda and Trendhouse to do online virus scans and they do not support Firefox (only IE), which we all know that I cannot use because it's hijacked. I also downloaded HijackThis and this is the report it has given me. (I also noticed many programs that were not ever running before, including some that are referencing the named trojan uktii.dll and also ipwh.exe, which was the program that tried to access the net when this first started and I blocked that with my firewall.)

Logfile of HijackThis v1.99.1
Scan saved at 8:24:16 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\appll.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ipwh.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Dragon\Desktop\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uktii.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uktii.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uktii.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uktii.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uktii.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uktii.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipwh.exe] C:\WINDOWS\ipwh.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\appll.exe" /s (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

If any of you can please help me I would be indebted to you forever, I am 100% disabled and my computer is my main link to the outside world.
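The log above can be triaged automatically. The following is an added example, not part of this thread and not code from HijackThis; it turns the signs the poster spotted by hand (search and start pages pointed at a res:// URL inside a DLL, unknown binaries sitting directly in C:\WINDOWS, a service with a garbled short name whose file is missing, and Internet Explorer forced to launch at logon) into checks that run over any saved log. The regexes, the "Windows root folder" heuristic and the finding labels are the example's own assumptions, and the sample log is a constructed subset of the lines quoted in the post.

```python
"""Added example: automated triage of a HijackThis v1.99 log (not the thread's own code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of lines taken from the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uktii.dll/sp.html#12047
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: GDS module - {A084A565-B09B-4e4c-A497-7CC50AEAB2A7} - C:\WINDOWS\gds5.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [ipwh.exe] C:\WINDOWS\ipwh.exe
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\appll.exe" /s (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
# res:// URLs that load HTML out of a DLL: the search/start page is served from the hijacker's own file
RES_DLL_RE = re.compile(r"res://\S+\.dll/", re.IGNORECASE)
# An .exe/.dll sitting directly in C:\WINDOWS (not a subfolder); legitimate autostarts
# and services almost always live in system32 or under Program Files (heuristic, assumed)
WINROOT_BINARY_RE = re.compile(r'c:\\windows\\[^\\\s"]+\.(?:exe|dll)\b', re.IGNORECASE)
# O23 layout: "Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (.*) \((.*?)\) - (.*?) - (.*)$")
SANE_SERVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")


@dataclass
class Finding:
    section: str  # HJT section tag, e.g. "R1" or "O23"
    reason: str
    line: str


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, line) for every HJT entry; the process list and headers are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Apply each heuristic to each entry; one entry can yield several findings."""
    findings: List[Finding] = []
    for section, line in parse_entries(log_text):
        if section in ("R0", "R1") and RES_DLL_RE.search(line):
            findings.append(Finding(section, "browser search/start page redirected into a DLL resource", line))
        if section == "R3" and "is missing" in line:
            findings.append(Finding(section, "default URLSearchHook removed", line))
        if section in ("O2", "O4", "O23") and WINROOT_BINARY_RE.search(line):
            findings.append(Finding(section, "binary loaded straight from the Windows root folder", line))
        if section == "O4" and "iexplore.exe" in line.lower():
            findings.append(Finding(section, "Internet Explorer forced to launch at logon", line))
        if section == "O23":
            m = O23_RE.match(line)
            if m and not SANE_SERVICE_NAME_RE.fullmatch(m.group(2)):
                findings.append(Finding(section, "service short name is garbled", line))
            if "(file missing)" in line:
                findings.append(Finding(section, "service points to a binary that no longer exists", line))
    return findings


def flagged_lines(log_text: str) -> List[str]:
    """Distinct entry lines that have at least one finding, in log order."""
    seen: List[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the NVIDIA and Yahoo entries pass clean while the six entries the poster worried about are reported, and the appll.exe service collects three separate findings (root-folder binary, garbled short name, missing file), which is exactly why it stands out in the log even after the file itself is gone.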



#2 Dragonsoul

Dragonsoul
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 11 July 2005 - 02:03 AM

Ok, still waiting for a reply here but I have found some more information on the net while I wait. I seem to have removed the files that are causing the issues but there is still some stuff that concerns me. First I found that the program that is causing this trojan to replicate is the Microsoft Service (NSS) Network Security Service. It was advised to disable this service while trying to eliminate this problem so I did. I deleted all files that seemed to be malicious and hit my registry with searches for Home Search Assistent, Shopping Wizard, and Search Extender (those were the 3 files in my add/remove programs listings). I found all 3 in the registry and deleted the registry folders that were named HSA, SW, and SE. I ran my virus scanner one more time to be sure there was nothing it would find and it found nothing. I ran Ad-Aware and another spyware killer and they both found nothing. I did file searches for all of the named items and found nothing, so it seemed that it was time to reboot. I rebooted and as soon as Windows opened, Internet Explorer opened itself. Now this should not be happening, and it has been said in the numerous threads I have read here and other places that whenever you open IE is when this thing starts all over again. So I haven't seen any signs of this thing so far, so I decide ok, let's open add/remove programs and see if they are gone from the list. Please wait while the list populates.... PC is going slower than a snail and the list never populates, it just sits there. So I close the add/remove programs window and give the PC a minute to catch a breath and it starts moving at normal speeds. Then I decide to go into the services and look at this Network Security Service and see what it's about. I go into properties and this is what it says:

Service Name: a bunch of garbled characters that I could not copy to show you here but it's definitely not right.

Path to Executable: "C:\WINDOWS\appll.exe" /s

Now I have mentioned in my previous post that appll.exe was one of the programs associated with this trojan.

As far as I know appll.exe does not exist on my computer anymore and I am afraid to turn the service back on. When I forced appll.exe to close via Task Manager it would just reopen instantly, but as soon as I shut off this service it has not popped back up in my Task Manager.

Something is still in my system somewhere or IE would not have opened on reboot, especially since Firefox is now my default browser.

Here is fresh copy of my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:37 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dragon\Desktop\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

From what I can tell there doesn't appear to be anything abnormal any longer, with the exception of that service mentioned linking itself to run that virus instead of the intended program and of course my IE opening by itself on reboot.

Please if you can help me I would greatly appreciate it

#3 Dragonsoul

Dragonsoul
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 11 July 2005 - 02:26 AM

Another odd thing, I just rebooted my computer and once again IE opened up, I had changed my security settings to tell me when activex is accessing the net and as soon as IE popped up on yahoo.com it gave me the msg that activex was trying to do something on this page that is secure, I of course clicked no but this leads me to believe that something in activex is infected as well. Just wanted you to have the most information possible.

#4 Dragonsoul

Dragonsoul
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:07 AM

Posted 11 July 2005 - 02:38 AM

Ok it seemed common sense to me that IE was being told to launch on start up so that the trojan could reinfect itself so I checked msconfig and sure enough it was added to the system start process so I stopped that. IE did not start on reboot but when I did start it to see if that activex control msg popped up again and sure enough it did so there is still an issue here.

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:07 AM

Posted 12 July 2005 - 12:05 AM

Hello Dragonsoul and welcome to BleepingComputer. Looks like you got most of it yourself, you sure you need help? :thumbsup:

First, go back into msconfig and re-enable iexplore and reboot. We'll remove it from startup properly in a moment.


It appears you have it fully disabled, but let's be sure that service is completely removed:

Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy & paste the following block of text into Notepad.

' Connect to WMI on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Look the rogue service up by its display name (its short name is garbled, so
' the display name is the one reliable handle)
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where DisplayName = 'Network Security Service (NSS)'")

For Each objService In colListOfServices
    If objService.State = "Stopped" Then
        MsgBox "Stopped Already"
    Else
        objService.StopService()
        MsgBox "Service Stopped"
    End If
    ' Remove the service registration itself so it cannot be restarted
    objService.Delete()
Next

MsgBox "Done"

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as remsvc.vbs. Close Notepad.

Locate the remsvc.vbs file on your desktop and double-click on it to run it. You'll get a message box saying 'Stopped Already' and then another message box saying 'Done!'. (If your anti-virus complains of an unknown script, allow it to run.)


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked. Close HJT.


This infection may have deleted the windows file 'shell.dll' and corrupted the 'hosts' file.

Download the Hoster from here.
- Unzip hoster.zip into its own folder.
- Run Hoster.
- Press 'Restore Original Hosts' and press 'OK'
- Exit Program.


Check for the existence of shell.dll in both the 'C:\WINDOWS\system' and 'C:\WINDOWS\system32' folders. If it is missing, then:

Please download shell.dll from here: shell-dll.zip. Once the file is downloaded uncompress the zip file and copy shell.dll to the following locations

C:\WINDOWS\system
C:\WINDOWS\system32


Reboot and post a fresh HJT log. How is it running now?

Edited by ddeerrff, 12 July 2005 - 12:20 AM.

Derfram
~~~~~~
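The hosts-file step above restores the file blindly; it helps to know what to look for before and after. The following is an added example, not part of the thread and not the Hoster tool's code: it parses a Windows hosts file and reports entries that pin a scanner or update site to any address (which is how a hijacker silently breaks the online scans this thread relies on) or that redirect a hostname to a non-loopback address. The list of protected domains and the sample hosts file are constructed for the example; ad-block style loopback entries for other domains are deliberately left alone.

```python
"""Added example: audit a Windows hosts file for hijacker tampering (not the thread's own code)."""
import ipaddress
from typing import List, Tuple

# Constructed list: sites the cleanup steps in this thread depend on. A hijacker that
# pins these to 127.0.0.1 (or elsewhere) silently breaks online scanners and updates.
PROTECTED_DOMAINS = ("trendmicro.com", "mcafee.com", "pcpitstop.com", "windowsupdate.com")

# Constructed sample of a tampered hosts file (the domains are ones that appear in the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       housecall60.trendmicro.com
10.0.0.99       www.yahoo.com   search.yahoo.com
"""

# What a stock Windows XP hosts file reduces to once comments are stripped.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an address; the resolver ignores such lines too
        if names:
            entries.append((address, names))
    return entries


def _is_protected(hostname: str) -> bool:
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text: str) -> List[str]:
    """Describe every entry that blocks a protected site or redirects a name off the box."""
    findings = []
    for address, names in parse_hosts(text):
        loopback = ipaddress.ip_address(address).is_loopback
        for name in names:
            if name.lower() == "localhost":
                if not loopback:
                    findings.append(f"localhost mapped to {address}")
            elif _is_protected(name):
                findings.append(f"{name} pinned to {address} (scanner/update site blocked)")
            elif not loopback:
                # loopback entries for other names (ad blocking) are not reported
                findings.append(f"{name} redirected to {address}")
    return findings


def is_stock(text: str) -> bool:
    """True when the file contains nothing but the default localhost mapping."""
    return parse_hosts(text) == [("127.0.0.1", ["localhost"])]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("!", finding)
    print("stock file:", is_stock(DEFAULT_HOSTS))
```

On a real machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; after running Hoster's 'Restore Original Hosts' the file should satisfy is_stock() unless you had added entries of your own.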

#6 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:09:07 AM

Posted 26 July 2005 - 04:47 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~