Xp Home Infected--%systemroot% \system32\ Msdos


3 replies to this topic

#1 redgenie77

redgenie77

  • Members
  • 3 posts
  • Location:Nebraska

Posted 03 May 2006 - 04:34 AM

Hi--
I tried to follow directions, and downloaded the Antivirus software and ran it. But since I am not really in charge here, . . . You can't tell from the Hijack This, but I am Windows XP home and someone is running a couple of servers off of me. Yes I had up-to-date NAV and Zone Alarm, and updated Windows. I was just unaware that my files were being uninstalled as fast as I could install them. I think it has to do with the Buffer overflow Problem. But updating will do no good until I get rid of the culprit. No matter what I run, it is intercepted and everything comes out fine-- no viruses. But I can look and see I have no drivers on my local computer, but if I dig, I have dozens of monitors, keyboards and many different languages. I have tried to grab, copy and print as much as I could, while the computer would turn off the equipment I was trying to use. My C\Windows32\dll file has 3136 files in it. And almost everything runs Dll As an App. Logically I understand what was done- swapping file execstd ="dosx.exe" - but have NO idea how to break it.

Please help. Below is my Hijack this.
Thanks.
Jean


Logfile of HijackThis v1.99.1
Scan saved at 3:47:25 AM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://www.f-secure.com
O15 - Trusted Zone: http://safety.live.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://esupport.sony.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095449797906
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126119161234
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp...02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F1A9DAA5-FB03-4CF7-B6B4-35EBD4ED60B1} - https://giftzclub.com/OCX/AXUpload.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\rm_sv.exe

#2 redgenie77

redgenie77
  • Topic Starter

  • Members
  • 3 posts
  • Location:Nebraska

Posted 03 May 2006 - 04:45 PM

Maybe this will help. I found this vminst.log in the windows folder.
Can anyone help. Please!!!!!!!!!

=== OS Information ==========================================

OS Flags : 00001208
OS : XP
OSVI.dwMajor : 00000005 [5]
OSVI.dwMinor : 00000001 [1]
OSVI.dwBuild : 00000A28 [0.2600]
OSVI.dwPlatID : 00000002 [2]
OSVI.szCSD : Service Pack 1
Platform : X86
OS Language : 0409
Lang Code : EN
Browser Version : 6.0.2800.1154 (shdocvw.dll)
: IE5+
Existing VM Version : 5.0.3809.0 (msjava.dll)
Incoming VM Version : 5.0.3810.0 [Newer]

=== Command Line ============================================

[00] "C:\DOCUME~1\Jean\LOCALS~1\Temp\IXP000.TMP\javatrig.exe"
[01] /exe_install
[02] /l
[03] /q

==========
IE is 5.0 or newer. Disallowing VM rollback.
Running WFCClean.
NT5 Install. Placing utilities in system32.
Installing WFC
EXE Installation over NT5. Using XMLDSO.CAB and extrac32 from system32

=== INF Invocation ==========================================

Type : RunSetupCommand
INF : C:\DOCUME~1\Jean\LOCALS~1\Temp\IXP000.TMP\java.inf

00000000 : WFCClean.RunNow
00000000 : CleanUp
00000000 : BaseInstallation.NT5
00000000 : BaseInstallation.RegNow
00000000 : IEOptions.Register
00000000 : IEOptions.X86.Register
00000000 : BaseInstallation.ClassFiles
00000000 : BasePkgMgr.Install.Execute
00000000 : X86Installation.ClassFiles
00000000 : X86Installation.PkgMgr.Execute
00000000 : X86Installation
00000000 : X86Installation.RegNow
00000000 : WFCInstallation.CopyFiles
00000000 : WFCInstallation.PkgMgr.Execute
00000000 : WFCInstallation.RegisterNow
00000000 : CAB.AddUninstallKey
00000000 : NT5.MSXML.MoveFile
00000000 : IE40.MSXML.PkgMgr.RunNow

=============================================================


=== Help Files ==============================================

[ID:005006] C:\WINDOWS\help\javaperm.hlp
[ID:006006] C:\WINDOWS\help\javasec.hlp

=============================================================

Install successful.
Exit code: 00000000

#3 redgenie77

redgenie77
  • Topic Starter

  • Members
  • 3 posts
  • Location:Nebraska

Posted 04 May 2006 - 03:36 PM

Is there anyone out there to try to help me?

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 May 2006 - 05:15 PM

Hello redgenie77 and welcome to the BC HijackThis forum. I do not see any signs of viruses or malware in the log but it does look like the log was made from Safe Mode which can hide many malware issues if they are present. Also, I see that MsConfig is set to run in Auto mode which can hide malware if it is present. Let's start by turning off MsConfig and then creating a log from a normal boot and see what we can find.

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot so reboot normally.

Now please create a new Hijackthis Log and post it here as a reply. I will review it when it comes in.

The vminst.log is present because the Microsoft Java Virtual Machine is installed on this computer. It was included with almost every MS operating system until XP SP2 so it is not uncommon for the installation log to be present.

OT

Edited by OldTimer, 08 May 2006 - 05:17 PM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
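As an added example that is not part of this thread (my code, not OldTimer's or the HijackThis project's): a small Python checker over HijackThis log lines that flags the `[MSConfig] ... /auto` startup entry OldTimer points out, plus O2/O3 registrations marked "(no file)" and O16 DPF entries with no download URL recorded. The sample lines are constructed in this log's format; the section and reason names are my own.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on this thread's log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
"""

# Entry lines look like "O4 - <body>"; header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def review_hjt(text):
    """Return (section, reason, body) findings a log reviewer would want to look at first."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O4":
            m = O4_RE.match(body)
            cmd = (m.group("cmd") if m else body).lower()
            # MSConfig /auto at startup means a selective/diagnostic boot is in force,
            # so the rest of the log does not describe a normal startup.
            if "msconfig" in cmd and "/auto" in cmd:
                findings.append((section, "msconfig-auto", body))
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            # BHO/toolbar registration whose file no longer exists (orphaned entry).
            findings.append((section, "orphaned", body))
        elif section == "O16" and body.rstrip().endswith(" -"):
            # ActiveX (DPF) entry with no download URL recorded.
            findings.append((section, "dpf-no-url", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason:14} {body}")
```

Run it against a full HijackThis log file to get the entries worth asking about before anything is removed; the header, process list and ordinary entries pass through silently.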
