
Unknown Malicious Activity


#1 seeker33

Posted 01 December 2005 - 12:31 PM

Greetings,

On 11/28/05 @ 8:30 pm I logged onto the internet and placed my new music CD in the drive to listen as I browsed. The CD drive spun madly but didn't play a thing. I couldn't get it to stop or shut down so I hit the power button. I turned it back on and it took about ten minutes to boot up. I removed the CD. I think I repeated the process but this time a screen popped up asking if I wanted to boot to the previously good boot time. I chose that option. Previous to this I had gotten a music download that, looking back, could be the source of these problems, as I had forgotten to turn one of my protection programs on. Then I wondered if it was because I restored to an earlier time. I scanned the PC with Avast, BitDefender, Stinger, AVG, Housecall, Ad-Aware, ad infinitum. Nothing turns up except maybe tracking cookies and something about MRU, I forget what that was. I happened upon Management Console or something in XP and started reading the recent errors I had. Many for the CD-RW. First important one @ 8:52 pm that night: Error Event ID 12: The device Samsung CD-r/RW SW-248f disappeared from the system without first being prepared for removal. Then Windows detected it as CDROM Samsuog_cd-r/rw_sw-248f. Then that disappeared also and when it came back the name changed again. The words had "!" inserted everywhere and the model number was changed to 349 or something.
I tried to use sfc /scannow and that's when I found out my files necessary to keep Windows stable needed to be copied to the .dll cache and it asked me for the Service Pack 2 CD. I don't have that. I previously downloaded it or something. I thought I'd update the computer and get it again. Windows Update does not offer it to me because it shows I have it. I tried to get a new driver for the CD-RW from the manufacturer website but it says it's the wrong one for the device. Windows can't update it because the name is screwy.
I went back to the console to review more error logs. I noted that one said I had a bad memory block in the device (CD-RW) and another that said my controller was bad. By now the device is listed as: Samsuog! ce-s/sw! sw-248f! All this time, Windows was trying to install it and whatever was removing it, like four times. I thought maybe I could put my XP CD in and repair the installation. It spun madly again and left me with a blank CD. I was going to just format it and start over till I realized possibly my CD-ROM is broken. Every time I boot up now, Windows asks me to wait while it verifies the integrity of my system files, then it prompts me for the Service Pack 2 CD.
I'm worn out with this so I got HijackThis and I need some help with the log to see if there is anything malicious going on. Oh, BTW, there are errors also in that log about Tcpip, connections exceeding the amount allowed, that may be indicative of malicious activity. I am hoping this was a one-time attack. I need to know if anything malicious is left and how to remove it. I also need to know how to restore my .dll files (there is a log of some of the needed ones in there too). I can't download Service Pack 2 for IT professionals as it takes like 15 hours (266 MB) if you don't get disconnected. I can't use a CD to run it anyway. My jump drive is too small to transfer it (128 MB). I could possibly take out the HD and take it somewhere with DSL and piggy it to their computer, but they run Win2K and mine is XP. Would it be OK to unhook their HD and just hang mine there temporarily to get it? Finally, how to check and see if my CD-RW is still functional, or how to repair it. I am wondering if moving my components around will infect anyone else's stuff. Thanks so much in advance!
Oh yes, here is my first HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:32:40 AM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Internet Alert\ia99.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\unzipped\IPhider\ip hider.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
e:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
e:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\My downloads\WinZip\WZQKPICK.EXE
e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livingstonitown.com/message/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe Acrobat\7.05\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntruderAlert] C:\Program Files\Internet Alert\ia99.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WFIPS] C:\unzipped\IPhider\ip hider.exe -autoboot
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] e:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] e:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AnVir Virus Destroyer] "C:\Program Files\AnVir Virus Destroyer\AnVir.exe" Minimized
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe Acrobat\7.05\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133397708375
O17 - HKLM\System\CCS\Services\Tcpip\..\{A37BBF56-8D83-4DE3-9C4E-11CB980CBE84}: NameServer = 216.207.88.9 69.60.160.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - e:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
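The log above is plain text with a fixed line grammar (a section code such as O4, O17 or O23, then " - ", then the entry), which is what makes it reviewable at all. The following is an added example, not code from the post or from BleepingComputer, showing how a reviewer might parse such a log and pull out the entry types that get checked first: Run entries that name a bare executable with no path, startup shortcuts whose target HijackThis could not resolve, the O17 NameServer line (the place a changed DNS resolver would show), and O23 services whose binary is reported as missing. The sample text is a constructed subset of the lines from the post; the `expected_dns` parameter is an assumption for the example, since the post does not say which resolvers the poster's ISP uses.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis v1.99.1 lines from the post
# above, kept verbatim so the parser can be exercised offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:32:40 AM, on 12/1/2005

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livingstonitown.com/message/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{A37BBF56-8D83-4DE3-9C4E-11CB980CBE84}: NameServer = 216.207.88.9 69.60.160.196
O23 - Service: avast! Antivirus - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Every HijackThis entry line is "<section> - <body>"; headers and the
# running-process list do not match this and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autostart:  HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder shortcut:  Global Startup: foo.lnk = target
STARTUP_RE = re.compile(r"^Global Startup: (?P<link>.+?) = (?P<target>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Return (section, body) tuples for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def section_counts(entries):
    """How many entries of each section code the log contains."""
    return dict(Counter(section for section, _ in entries))


def first_token(cmd):
    """Executable part of a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries, expected_dns=None):
    """Flag the entry types a log reviewer checks first.

    expected_dns (assumed for this example) is the set of resolver IPs the
    owner's ISP is known to use; when it is None every O17 resolver is
    reported for manual confirmation."""
    flags = []
    for section, body in entries:
        if section == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = first_token(run.group("cmd"))
                if "\\" not in exe:
                    # A bare filename is resolved by search path, not a fixed location,
                    # so the reviewer should confirm which copy actually runs.
                    flags.append(f"O4 [{run.group('name')}]: bare filename {exe!r} "
                                 f"is resolved by search path; confirm which file runs")
                continue
            startup = STARTUP_RE.match(body)
            if startup and startup.group("target") == "?":
                flags.append(f"O4 startup shortcut {startup.group('link')!r}: "
                             f"target not resolved by HijackThis; inspect the .lnk by hand")
        elif section == "O17":
            ips = IPV4_RE.findall(body)
            unexpected = [ip for ip in ips if expected_dns is None or ip not in expected_dns]
            if unexpected:
                flags.append(f"O17 NameServer {' '.join(unexpected)}: verify these resolvers "
                             f"belong to the ISP (O17 is where a changed DNS server shows up)")
        elif section == "O23" and "(file missing)" in body:
            flags.append(f"O23 {body.split(' - ')[0]}: registered service whose binary was not "
                         f"found; check the service ImagePath and reinstall the product")
    return flags


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(section_counts(parsed))
    for flag in triage(parsed):
        print(flag)
```

Run stand-alone it prints the per-section counts and six flags for the sample: two bare-filename Run entries (SysTray.Exe and SOUNDMAN.EXE), the unresolved Works Calendar shortcut, the O17 resolvers for confirmation, and the two avast! services reported as file missing. Passing the ISP's resolvers as `expected_dns` silences the O17 line when they match.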


#2 -David-

Posted 06 December 2005 - 12:16 PM

Hi there and welcome to Bleeping Computer! :thumbsup:

As you may have noticed already, the forums are very busy at the moment and I have noticed your log has gone unanswered so far!

We look at the oldest logs first, and we were wondering whether you still need help; if so, please start by posting a new HijackThis log in this topic and I will then be able to take a look!

Thanks very much :flowers:

David
