
Task Manager problem

3 replies to this topic

#1 11thPenguin

11thPenguin

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 14 August 2005 - 04:05 AM

Hello, I'm hoping someone can help me out here. About 48 hours ago my computer spent some time in the DMZ (live on the internet), and wound up with just about every virus/trojan known to man. I've run all of the removers I can find, removing this, deleting that, cleaning the other thing. Everything is gone except for one that I just can't get rid of. It seems to be similar to descriptions I've read of Win32.Bobax, but none of my attempts at removing it have succeeded. It manifests in two ways:

1. Creates %system%\[random file name].exe and %temp%\[random file name].tmp, plus a registry key and extra text in the hosts file.

2. This is the really odd one: The Processes tab of Task Manager is disabled. Note that the Task Manager itself has not been disabled, as can be done by setting a registry key. The Task Manager is accessible, but on the Processes tab the scroll bar is not clickable, the sort categories at the top are not functional, and the list window is greyed out. Staring at it for a while, I'd guess that the window is actually being repeatedly disabled -- it'll flash "active" for a split second, then immediately go grey again.

Anyway, I'm usually pretty good at handling this stuff but this one has me completely stumped. I've deleted all of the files and registry keys I can find (bold, below), but it keeps coming back! Any help would be very, very appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:47:15 AM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Apps\Utils\CloneCD\CloneCDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Apps\Audio\Winamp\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Apps\Dev\Firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\P4REPO~1\p4s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Apps\Dev\Firebird_1_5\bin\fbserver.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Apps\Utils\HijackThis\HijackThis.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Apps\Utils\Acrobat5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Apps\Utils\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Apps\Utils\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [vSubst Q:] vSubst Q: C:\BUDCAT
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Apps\Audio\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [_av`[WQZWyJPV] C:\WINDOWS\System32\yveyqbuppqe.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSI...tm/gen_atm.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095433037156
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/...flowActiveX.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopr.../autopricer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Apps\Dev\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Apps\Dev\Firebird_1_5\bin\fbserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Perforce - Unknown owner - C:\P4REPO~1\p4s.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

Thanks!
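The O1 line in the log above is the hosts-file tampering the poster describes: dozens of anti-virus and update hostnames mapped to 255.255.255.255 so the machine can no longer reach vendor updates. The following is an added example, not code from the original post, showing how a responder can parse a hosts file (or a HijackThis O1 line) and flag any entry that names a security-vendor or update domain. The suffix list is built from the domains visible in that log line; the sample hosts text is constructed for the demonstration.

```python
import ipaddress
import re

# Vendor/update domains taken from the O1 line in the log above. A hosts entry
# for any of these blocks updates no matter which address it points at
# (127.0.0.1, 0.0.0.0 and 255.255.255.255 are all equally effective).
SECURITY_SUFFIXES = (
    "symantec.com", "mcafee.com", "nai.com", "networkassociates.com",
    "sophos.com", "f-secure.com", "kaspersky.ru", "viruslist.com",
    "viruslist.ru", "avp.com", "avp.ru", "avp.ch", "trendmicro.com",
    "ca.com", "my-etrust.com", "microsoft.com", "awaps.net",
)


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip rather than guess
        for name in parts[1:]:
            entries.append((str(addr), name.lower()))
    return entries


def parse_hjt_o1(line: str) -> list[tuple[str, str]]:
    """Turn a HijackThis 'O1 - Hosts: <addr> <name> <name> ...' line into entries."""
    m = re.match(r"O1 - Hosts:\s*(.+)$", line.strip())
    if not m:
        raise ValueError("not an O1 line")
    return parse_hosts(m.group(1))


def is_security_domain(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in SECURITY_SUFFIXES)


def find_blocked_security_hosts(entries) -> list[tuple[str, str]]:
    """Entries that redirect a security-vendor/update hostname anywhere at all."""
    return [(addr, name) for addr, name in entries if is_security_domain(name)]


# Constructed sample: a normal localhost line, an ad-blocking entry a user
# might add on purpose, and an infector-style block of vendor hosts.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net   # user-added ad block, not suspicious
255.255.255.255 liveupdate.symantec.com download.mcafee.com windowsupdate.microsoft.com
"""

# Constructed subset of the O1 line from the log above.
SAMPLE_O1 = ("O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com "
             "liveupdate.symantec.com www.mcafee.com")

if __name__ == "__main__":
    for addr, name in find_blocked_security_hosts(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts file redirects {name} -> {addr}")
    for addr, name in find_blocked_security_hosts(parse_hjt_o1(SAMPLE_O1)):
        print(f"O1 line redirects {name} -> {addr}")
```

The check deliberately ignores the address: ad-blocking hosts files that map tracking domains to 127.0.0.1 are common and benign, so the signal is the hostname, not the target. The practical fix on a cleaned machine is to restore the default hosts file (on Windows XP, just the `127.0.0.1 localhost` line) and confirm vendor update sites resolve again.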


#2 11thPenguin

11thPenguin
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:02 PM

Posted 14 August 2005 - 05:09 PM

After several more hours of investigation (and significant hair pulling/loss), I've figured out where this bugger was hiding and believe I have fully eradicated it. Apparently it had appended itself to several normally innocuous files from my regular startup:

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Apps\Utils\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

All of these contained the pre-existing body of the application, plus a copy (or several) of the infestation. I finally figured this out when I discovered that nwiz.exe had grown to about 275 MB. After loading this up in a hex editor, I was able to identify the additional rider code and, from there, identify other files with the same code appended.

So I think I'm good to go. A couple of questions for those who know more about this than I do:

1. Is it possible to tell what I was infected with? This is by far the nastiest thing I've yet seen, and I've been unable to find any good information (via Google) on what exactly this was.

2. None of the anti-virus software I tried was able to identify the rider code in these files, but I'd like to do a full system sweep with something that can identify it to make sure I'm truly clean. Any pointers here?

3. Perhaps this is predicated on the answer to #1 being "yes": I'm concerned about what exactly this beastie was doing, how much of my personal information may have been compromised, etc. Anyone have any info on this?

Any additional information would be most appreciated. I've saved off copies of all of the infected files. If seeing them would help provide more info, let me know.

Thanks!
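The poster found the infection by noticing that nwiz.exe had grown to roughly 275 MB and then locating the same appended "rider" in other startup executables. That pattern, payload bytes tacked on past the end of every section the PE headers describe, is called an overlay, and it can be measured from the headers alone. The following is an added example, not the poster's tooling: it parses the section table of a PE file, reports how many bytes lie beyond the last section, and flags startup executables whose overlay exceeds a threshold. The minimal PE image and the "rider" bytes are constructed in the code so it runs offline.

```python
import struct


def pe_overlay_size(data: bytes) -> int:
    """Bytes in `data` past the end of the last section's raw data (the overlay).

    Appending infectors leave their payload here, outside every section the
    headers account for, so an unexpectedly large overlay on a file that
    should have none is a cheap first-pass indicator.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    sect_table = coff + 20 + size_opt
    end = sect_table + 40 * num_sections                          # at least the headers
    for i in range(num_sections):
        off = sect_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def suspicious_overlays(files: dict, threshold: int = 0) -> dict:
    """{name: overlay_bytes} for every parseable PE whose overlay exceeds threshold."""
    out = {}
    for name, data in files.items():
        try:
            overlay = pe_overlay_size(data)
        except ValueError:
            continue  # not a PE (or truncated); report separately in real use
        if overlay > threshold:
            out[name] = overlay
    return out


def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Construct a tiny, non-runnable PE32 image with one section at file offset 0x200."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    raw_ptr = 0x200
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
            + b"\0" * 16)
    header = dos + b"PE\0\0" + coff + opt + sect
    return header.ljust(raw_ptr, b"\0") + section_bytes


# Constructed samples: a clean image and the same image with a fake rider appended.
CLEAN = build_minimal_pe(b"\xC3" * 0x200)
RIDER = b"RIDER-CODE-PLACEHOLDER" * 20     # stand-in for an appended payload, 440 bytes
INFECTED = CLEAN + RIDER

if __name__ == "__main__":
    # Hypothetical file names matching the startup entries discussed in the post.
    startup = {"nwiz.exe": INFECTED, "NeroCheck.exe": CLEAN, "notes.txt": b"not a PE"}
    for name, size in suspicious_overlays(startup).items():
        print(f"{name}: {size} bytes appended past the last section")
```

Two caveats for real use. Legitimate files carry overlays too: Authenticode signatures and self-extracting installers both live past the last section, so compare against a known-good copy of the same file or set a threshold rather than treating any overlay as infection. And a growth of hundreds of megabytes, as in this thread, is far outside what a signature adds, which is why the file-size check worked when the scanners did not.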

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:11:02 PM

Posted 16 August 2005 - 12:55 PM

Hello 11thPenguin and welcome to the BC HijackThis forum. I am assuming that everything is back to normal and we do not need to do anything with this log.

To try and answer your questions:

1 - unless you have the installer you will probably never know what it was. There are so many infections that are constantly mutating that unless you know where you were and what file started the install it's next to impossible to determine.

2 - different anti-virus programs pick up different things. There is no one program that catches every known infection out there. And that depends on if it was an infection. Typically, anti-virus programs do not detect or deal with any type of trojan or adware app, just like anti-spyware/anti-trojan apps do not detect or deal with infections. They are 2 different categories of programs that do different jobs. It's best to have 1 anti-virus, 1 anti-spyware and 1 firewall from reputable companies and to keep them updated. That's the most that anyone can do.

3 - without knowing what was on there it's hard to say regarding what information might or might not have been compromised. Some of the infections today do include email servers or web servers and collect information to send to a specific server on the web. Others do no more than to disrupt or destroy the operating system.

If you still have the files you can zip them up and submit them to the link below and they will be evaluated when someone has the chance:

http://www.bleepingcomputer.com/submit-malware.php

In the Link to topic where this file was requested: put the link that is in the address bar of this topic.

Cheers.

OT

Edited by OldTimer, 16 August 2005 - 12:58 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas
  • Local time:10:02 PM

Posted 16 August 2005 - 01:01 PM

Sorry, Old Timer, didn't see that you were answering this post.

Edited by viccy, 16 August 2005 - 01:03 PM.
