
Various Problems With PC, Possibly Spyware?

5 replies to this topic

#1 fengfamily

Posted 13 September 2006 - 04:16 AM

Hello folks at Bleeping Computer,
Just recently while surfing the net, I was told that 'Windows XP has been successfully updated'. Cool, I thought. Then weird things started to happen. For starters my wallpaper got changed into this thing saying that my computer was infected. Weirdest thing was that I could highlight the text. Furthermore, whenever I now try to delete this 'xpupdate.exe', my computer crashes. Last but not least, this crashing happens randomly while I'm just trying to open/close windows as well. Please help!!

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:26 PM, on 13/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9FFD60F8-B07B-CDC1-9952-F674C3CBC9B4} - C:\WINDOWS\tnhqt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://fengsfotos.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Cheers,
Feng family
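An added triage example, not part of this thread or of any BleepingComputer tool: it parses the HijackThis log format posted above and flags the entries Dave later points to, the autorun dropped straight into the Windows root and the orphaned BHO. The rules, severities and "expected" directories are my own assumptions; the sample lines are a verbatim subset of the log in this post.

```python
import re

# Verbatim lines from the HijackThis v1.99.1 log posted in this thread (subset).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {9FFD60F8-B07B-CDC1-9952-F674C3CBC9B4} - C:\WINDOWS\tnhqt1.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# O4 registry autoruns: HIVE\..\Run: [display name] <value>
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")  # assumed legitimate locations


def exe_path(value):
    """Extract the executable path from an O4 value, honouring HijackThis quoting."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def triage(log_text):
    """Return (severity, section, reason, line) for every entry a rule fires on."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sect, body = m.group("sect"), m.group("body")
        if "(file missing)" in body:
            findings.append(("medium", sect, "orphaned entry, target file no longer present", line))
        if sect == "R3" and "is missing" in body:
            findings.append(("info", sect, "default URLSearchHook has been removed", line))
        o4 = O4_RE.match(body) if sect == "O4" else None
        if o4:
            name, path = o4.group("name").lower(), exe_path(o4.group("value")).lower()
            if path.startswith("c:\\windows\\") and path.count("\\") == 2:
                findings.append(("high", sect, "autorun executable sits directly in the Windows root", line))
            if "update" in name and not path.startswith(EXPECTED_DIRS):
                findings.append(("high", sect, "name imitates an updater but binary is outside expected directories", line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns the R3 and orphaned-BHO entries plus two high findings for the xpupdate.exe autorun, while the iTunes and ctfmon autoruns pass untouched.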


#2 DaveM59

Posted 14 September 2006 - 09:34 PM

Hello Feng Family,

Welcome to Bleeping Computer. :thumbsup:

I will be assisting you in cleaning up your system. I will be consulting one of our expert coaches before I get back to you with instructions.

Thanks for your patience --

Dave

Edited by DaveM59, 14 September 2006 - 09:46 PM.


#3 DaveM59

Posted 15 September 2006 - 08:46 PM

Hello again,

I'm afraid I have bad news for you. Your computer is terribly infected. You have two of the worst types of malware on your computer: a Bot trojan and a rootkit.

A bot trojan is a trojan which, besides stealing data from your machine (passwords and so on), also enables a hacker on another machine -- perhaps thousands of miles away -- to take control of your computer and use it for such purposes as sending out thousands of spam messages or launching a Denial-of-Service attack. This is an attempt to shut down a web server by bombarding it with thousands of simultaneous requests for data. To launch such an attack, the hacker orders all his "bots" -- computers like yours, which have his personalized bot trojan installed -- to log onto the target website and begin requesting data (web pages) stored on the site's server.

A rootkit is a piece of malware which hides from detection by standard antimalware programs by making most or all of its key files invisible to the operating system. Those few files which may be visible are made difficult or impossible to delete, and the protected hidden files can easily re-install them. Rootkits are a growing threat and require special tools and techniques to eradicate, and sometimes even to detect.

You can read more about a typical Bot trojan here:

http://www.sophos.com/security/analyses/w32rbotqe.html

You can read more about the Gromozon rootkit (the one you are infected with) here:

http://www.scmagazine.com/us/news/article/591084

Both types of spyware can cause widespread damage and corrupt many files on a host computer, besides using it to spread themselves far and wide.

Your HijackThis log shows only the tip of the iceberg. There is no telling how many more malware files there may be on your computer.

I must add, I am not surprised that you got this infection, because your Windows has not been updated and you are running with no antivirus or antispyware protection, and as far as I can tell, no firewall. In today's internet climate, this is like playing Russian Roulette with five of the six chambers loaded.

I therefore advise you, in all seriousness, that you have a choice to make. You can reformat the hard drive and reinstall your windows operating system, or you can attempt to clean the computer. If you take the second choice I must tell you that I will never be able to declare your system malware-free. I will do my best to help you, but the most I can promise is to eliminate all visible signs of infection. If it were my machine I would never again trust it to use for security-critical tasks like online banking or shopping.

You should take two steps immediately:

First, take the computer offline. Keep it turned off when possible, and, when you are working with it, leave it physically disconnected from the modem or router.

Second, from another computer that is clean, please change all your internet passwords -- e-mail, banking, anything that asks for a password to log you on. Also monitor your accounts for suspicious activities or transactions. This goes for everybody in your family.

One more step I would advise, if there are other computers in your household and they are connected to this one on a network, don't assume they are clean. I would post HijackThis logs for all of them on this or another service, and take them offline until the logs are analyzed.

Now, decide what you want to do. Please post a reply to this topic (on another, clean computer, of course) as soon as you can. Also, please give me some basic information about your computer, such as the make and model number, and what Windows Install or recovery disks you have for it.

#4 fengfamily (Topic Starter)

Posted 25 September 2006 - 06:51 AM

Dear Dave,
Sorry it's taken so long to make a reply; I tend to manage the house's computers and I'm currently studying for my final exams. I'd love to be able to somehow recover the computer without wiping everything out, if possible. My computer make I'm not too sure about; my father and I built it up from the ground with bits and pieces we bought at a swap-meet. We're currently running Windows XP and don't have much in the way of recovery disks. While my computer (the infection-riddled one) isn't so important (a long-due physics assignment is the most important thing there), my father's is, for reasons I won't go into. The computers are linked by a network; however, no file sharing has gone on for the last 8-9 months, and the computer's symptoms only developed in the last, say, 4-5 weeks.
Cheers,
Feng Family

#5 DaveM59

Posted 25 September 2006 - 08:23 PM

Hi again Fengfamily,

Thanks for getting back to me.

I hope you have done as I suggested and kept your computer isolated as much as possible. Remember that any time you are connected to the internet you could be spreading this infection or doing other damage.

Regarding your father's computer, I am not sure what you mean by "no file sharing for the past 9 months." Be assured that your Bot trojan is no respecter of file permissions, and you do not need to deliberately transfer it from one computer to the other in order to spread it. If at any time after your machine became infected, you and your father's machines were networked together, and his computer (any folders or drives) showed up when you clicked "my network places" in the Start menu, then the trojan could see it too.

From now on, please try to make sure that any time your computer is powered on, his is powered off. If you must have both computers powered on at the same time, one of them must be disconnected from your network. Otherwise you may see the infection passed from one to the other, back and forth.

If you have not done it as yet, put his machine through the procedure described in this tutorial. Then start a fresh topic for that machine, here at Bleeping Computer, or on another forum. It sounds like his computer is more important so we need to make sure it is clean as soon as possible. When you post the log, add a link to this topic and mention in the new topic title that the reason for review is that it has been networked to a computer infected with a Bot trojan.

Now, as to your own machine, I have already stated that the best course of action would be to reformat the hard drive and reinstall Windows. Whether you choose to do that or not, I suggest backing up your physics paper and any other critical data to CD or some other removable media. If you want to try to clean up the machine instead, you should start with the rootkit.

Please download http://download.bleepingcomputer.com/grinler/dumpwin.zip and save it to your desktop.

Once the file has completed downloading, extract the file by right-clicking on it and selecting Extract all. Then keep pressing the Next button till you see the Finished button. Now click on the Finished button.

A folder should have opened. Now double-click on the dumpwin folder and then double-click on the dumpwin.bat file. When it has completed it will have opened a notepad. Save that Notepad file to your desktop as I will want you to post it later, but for now proceed to the next step.

Please download to your desktop and run this: Gromozon Removal Tool

It prompts you to download and try the Prevx1 software after you clean the PC, just say no to that offer.

Please copy and paste the results of c:\gromozon_removal.txt in your next reply.

Finally, run a fresh HijackThis scan and save the log. Post that log, along with the Dumpwin and Gromozon removal logs, in a reply to this topic.

#6 DaveM59

Posted 04 October 2006 - 10:34 AM

Hi FengFamily,

Are you still there?
