
Kingofallresearch.net Grabbing My Computer


This topic is locked
2 replies to this topic

#1 rch427

rch427

  • Members
  • 19 posts

Posted 10 April 2006 - 04:05 PM

I've recently been having trouble with some malware grabbing control of my computer. For some reason, the page I'm loading (and it varies) will be seized and the address box will read "http://www.kingofallresearch.net/..." My computer freezes up, the hard-drive is 100% engaged (constant reading/writing noise), and I can't CTRL+ALT+DEL or stop the process without unplugging the computer. Even if I unplug the cable going to my modem, the network icon in the QuickStart tray is lit up in both monitor icons. What the hell is going on?!

I searched for any info about this URL, but there's nothing out there about them, other than their own site (one of those sleazy search/gambling/porn directories). A Whois search says they're located in New York.

Anyway, when I start my computer back up, I always do a Spybot search (which turns up nothing), a Microsoft AntiSpyware search (ditto) and other searches, but I have yet to see anything wrong. Weird!

Here's the HijackThis! log. If anyone has any ideas, I'd love to hear them. Thanks in advance!

-- Robert



Logfile of HijackThis v1.99.1
Scan saved at 1:56:17 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.denofangels.com/forums/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126998101343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127012128593
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AAEB6C2-1AA7-41C9-8BE3-C17FE4AF3EC7}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{A682BCF3-1664-49D9-A173-ACEFC8AF4EFC}: NameServer = 85.255.115.27,85.255.112.120
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


#2 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 10 April 2006 - 05:48 PM

Hello and Welcome to the Forum :thumbsup:

First of all, HijackThis is unzipped and still in the temp folder.
I strongly advise you to unzip/extract hijackthis.zip.
You can read here how to unzip/extract properly:

http://metallica.geekstogo.com/xpcompressedexplanation.html

Create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder they can be accidentally deleted.

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

=========================================

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
1. Open Microsoft AntiSpyware.
2. Click on Tools, Settings.
3. In the left pane, click on Real-time Protection.
4. Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
5. Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
6. After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
7. Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

==========================================

Please save or print these instructions before beginning so that you'll have access to them later when you are in Safe Mode. Read them carefully and follow them in the order they are presented without missing any for the fix to be successful.

Download ATF Cleaner by Atribune and save it to your Desktop.

===========================================

Download and install Ewido Anti-Malware

During the installation, uncheck the following under Additional Options:
Install background guard
Install scan via context menu


Check for updates but do not run it yet.

===========================================

Download FixWareout by LonnyRJones
or from here:
FixWareout by LonnyRJones
Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish
The fix will begin; follow the prompts
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts
Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4AAEB6C2-1AA7-41C9-8BE3-C17FE4AF3EC7}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{A682BCF3-1664-49D9-A173-ACEFC8AF4EFC}: NameServer = 85.255.115.27,85.255.112.120


If you see a new item that wasn't in your last log in the O4 section of HijackThis, five letters long, starting with dm... for example:

O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe


Check it as well. If you're not sure, leave it and only check the ones I asked you to check.

Then click Fix Checked
Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

==============================================

Now let's check some settings on your system.
(2000/XP)
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click Network Connections. Then right-click your default connection (usually Local Area Connection for cable and DSL) and left-click Properties. Click the Networking tab. Double-click the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(The space between g and / is needed.)

==============================================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

=============================================

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

========================================

Run Ewido.
Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido-Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

============================================

Restart in Normal Mode

============================================

You don't have a running AntiVirus. That's a problem.

Download one of these free anti-virus programs RIGHT NOW, update it and run a full scan. Have it fix anything it finds.

Grisoft AVG from here : http://free.grisoft.com/doc/1
AntiVir Free from here : http://www.free-av.com/
Avast Home Edition from here : http://www.avast.com/eng/down_home.html

============================================

Next, run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

============================================

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt, Ewido report and the results of the Panda Online Scan. You may need to post them separately, if too long.

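The two checks the reply asks for by hand (the O17 NameServer entries to remove, and any five-letter dm***/hg***/cs*** name that appears under O4) can be run over a saved HijackThis log. The script below is an added example written for this page, not a tool from BleepingComputer or the FixWareout author. It assumes an allowlist of resolvers you trust (RFC 1918 ranges standing in for a home router; add your ISP's resolvers) and reports every O17 NameServer address outside it, plus O4 Run entries whose executable matches the pattern the reply describes. The sample log is constructed: the O17 lines and the gcasServ line are copied from the posted log, cscyd.exe is the reply's own example, and the dmabc.exe and 192.168.1.1 lines are made up.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log (see lead-in): real lines from the post plus two
# hypothetical ones, so the script runs offline.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [gcasServ] "C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O4 - HKLM\\..\\Run: [cscyd.exe] cscyd.exe
O4 - HKLM\\..\\Run: [dmabc.exe] C:\\WINDOWS\\system32\\dmabc.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{4AAEB6C2-1AA7-41C9-8BE3-C17FE4AF3EC7}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A682BCF3-1664-49D9-A173-ACEFC8AF4EFC}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumed allowlist: private ranges (a home router handing out DNS). In practice
# add the resolver addresses your ISP actually uses; anything else is reported.
DEFAULT_ALLOWED = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

O17_RE = re.compile(r"^O17 - .*\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - .*: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Five-letter executable names starting with dm, hg or cs, as the reply describes.
SUSPECT_EXE = re.compile(r"^(dm|hg|cs)[a-z]{3}\.exe$", re.IGNORECASE)


def find_rogue_dns(log_text: str, allowed=DEFAULT_ALLOWED) -> List[Dict[str, str]]:
    """One record per O17 NameServer address that is not inside an allowed network."""
    rogue = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.rstrip())
        if not m:
            continue
        for raw in re.split(r"[,\s]+", m.group("servers").strip()):
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                rogue.append({"guid": m.group("guid"), "server": raw, "reason": "unparseable"})
                continue
            if not any(ip in net for net in allowed):
                rogue.append({"guid": m.group("guid"), "server": raw, "reason": "not in allowlist"})
    return rogue


def _exe_basename(cmd: str) -> str:
    """Executable file name from an O4 command: honours a quoted path, drops arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def find_suspect_run_entries(log_text: str) -> List[str]:
    """Names of O4 Run entries whose executable (or entry name) matches the dm/hg/cs pattern."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.rstrip())
        if not m:
            continue
        exe = _exe_basename(m.group("cmd"))
        if SUSPECT_EXE.match(exe) or SUSPECT_EXE.match(m.group("name")):
            hits.append(m.group("name"))
    return hits


if __name__ == "__main__":
    for r in find_rogue_dns(SAMPLE_LOG):
        print(f"rogue DNS on interface {{{r['guid']}}}: {r['server']} ({r['reason']})")
    for name in find_suspect_run_entries(SAMPLE_LOG):
        print(f"suspect Run entry: {name}")
```

The script only reads the log; removing the O17 value still has to be done through HijackThis (or by resetting the interface to obtain DNS automatically, as the reply describes). A NameServer that points at an address you do not recognise is worth checking even when no O4 entry matches, since the DNS setting alone is enough to redirect every lookup the machine makes.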
#3 amateur

amateur

    Malware Fighter


  • Malware Response Team
  • 2,775 posts
  • Gender:Female

Posted 18 April 2006 - 05:40 PM

Due to lack of response, this thread will now be closed. If you need this topic reopened, please PM me or a staff member with the address of the thread, and we will reopen it for you. This applies only to the original topic starter. Everyone else, please begin a New Topic.
