Possible Trojan or Hijacker after

#1 JayneM

Posted 18 July 2010 - 05:47 PM

Running an old Windows XP Home Edition, 2003.

At the beginning of the week I was having problems with Trojans and redirects, which for the most part were fixed, with help from people at malwareremovalforum.com. Then, something caused my entire system to crash... no operating system, no restore... nothing. After 3 days of work I finally got my operating system back, the files were intact, but a lot of the original components of the system were there. I switched to Firefox because I was having problems getting Internet Explorer to run properly.

The lingering problem is that something is preventing Windows Update (this could be because my XP is old and they aren't available anymore?), but I am also blocked from most internet sites, including the malwareremoval forum I was working in, ZDnet, Symantec, Microsoft, TrendMicro, etc. etc, and while I was finally able to reload Malwarebytes removal and Avast, I cannot update them, and every scan tells me there is nothing wrong.

I'm attaching a Hijack This log, and a DDS log. You may notice ComboFix loaded on my computer. That was the next step the other forum was ready for, and I have not run it because I don't have the knowledge to run it.

Any help would be appreciated. I can't even locate the name of whatever virus or trojan is in the computer, because it seems anytime I get close the computer prevents it (kind of eerie). I'm actually afraid that once I sign out of here the computer will recognize this as an anti-virus site as well and I won't be able to get back in, but I could possibly try it from a different computer on Monday.

HIJACK THIS:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:37 PM, on 7/18/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\qe31oah0.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4729 bytes


DDS:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2010 12:37:18 AM
System Uptime: 7/17/2010 9:06:40 PM (19 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6577
Processor: Intel® Pentium® 4 CPU 2.53GHz | Socket 478 | 2533/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 108 GiB total, 31.501 GiB free.
D: is FIXED (FAT32) - 3 GiB total, 0.45 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 7/16/2010 5:37:26 AM - System Checkpoint
RP2: 7/16/2010 9:16:21 AM - Restore Operation
RP3: 7/16/2010 12:03:29 PM - after big restore
RP4: 7/16/2010 12:50:04 PM - avast! Free Antivirus Setup
RP5: 7/16/2010 11:58:45 AM - avast! Free Antivirus Setup
RP6: 7/16/2010 1:09:26 PM - avast! Free Antivirus Setup
RP7: 7/16/2010 1:17:34 PM - Removed Norton AntiVirus 2003
RP8: 7/17/2010 1:29:24 PM - System Checkpoint
RP9: 7/17/2010 6:59:16 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP10: 7/17/2010 8:38:34 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.

==== Installed Programs ======================


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
America Online
avast! Free Antivirus
Coloreal
CompuServe
Detto IntelliMover Demo
easy Internet sign-up
HijackThis 2.0.2
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Intel® 82845G Graphics Driver Software
InterVideo WinDVD 4
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
KBD
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English) v1.0.3705
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 7.0
Mozilla Firefox (3.6.6)
Netscape (7.0)
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
RealOne Player
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
ShowBiz
Simple Installer - Multilanguage Version
Viewpoint Media Player (Remove Only)
WebFldrs XP
Windows XP Hotfix (SP2) [See q330638 for more information]
Windows XP Hotfix (SP2) [See Q331060 for more information]
Yahoo! Essentials
Yahoo! Internet Mail
Yahoo! Login
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/17/2010 4:17:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/17/2010 3:38:56 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
7/17/2010 3:37:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/17/2010 3:37:06 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the szserver service.
7/17/2010 3:16:29 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 SISAGP viaagp1
7/17/2010 3:16:29 PM, error: Service Control Manager [7023] - The Shell Update service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/17/2010 3:16:29 PM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the jmnozj service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the helpsvc service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the EventSystem service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the CryptSvc service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AudioSrv service.
7/16/2010 6:59:56 AM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Windows Time service failed to start due to the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Server service failed to start due to the following error: The service has not been started.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Portable Media Serial Number service failed to start due to the following error: All pipe instances are busy.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Messenger service failed to start due to the following error: All pipe instances are busy.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 6:59:56 AM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 4:23:25 AM, error: Dhcp [1002] - The IP address lease 207.191.200.153 for the Network Card with network address 0010DC8E975A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/16/2010 4:20:33 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
7/16/2010 4:20:32 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.
7/16/2010 4:20:32 AM, error: Service Control Manager [7000] - The Network Connections service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/16/2010 10:45:10 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E9376CC6-121A-447E-81CF-D8BCC200007C}

==== End Of File ===========================

Edited by Orange Blossom, 18 July 2010 - 07:41 PM.
Move to log forum. ~ OB


#2 JayneM (Topic Starter)

Posted 20 July 2010 - 10:48 AM

I can access the other malware forum on my work computer so I will go with their assistance - I hadn't received a reply here except for moving the post, so hopefully I haven't inconvenienced anyone. Thanks!

#3 Orange Blossom (Moderator)

Posted 20 July 2010 - 11:50 PM

Thank you for letting us know.

This topic is now closed.
