HijackThis Log - scarlett


6 replies to this topic

#1 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 10:06 AM

Symptoms are:
Scrolling enlarges text
Keyboard shuts down (switched it out and still the same thing happens). At times I am unable to type. I barely got to post this log.
Clicking to type opens up history, windows as if I were to install something, page view, edit > find on this page, all sorts of stuff. Cannot run system restore: it opens but doesn't allow me to click "next". Refreshing pages brings up another tab (Firefox). Same thing happens when I click on a link on my site, which should just go straight to the page when I click on a link on one of my pages. Same thing on other sites, when they have links to open in the same window. Last night when this stuff was happening I closed the browser and I couldn't open any webpage except those set as homepages; all brought up 404 errors, Google and MSN even. Tabs in the system tray lay dead and right clicking brings up the options of cascade, tile etc. I have to keep trying till they finally are restored. When I try to re-boot I get an error that says something like keyboard not working. Desktop icons don't work correctly either. IE opened a genealogy program. I have new shortcuts in my desktop shortcut listing. The icons for them look like a file, not the program icon. They are programs I have but the icons have changed. I did not see any new programs in startups or add/remove.
It is as if my comp is haunted.

I scanned with AVG, A-Squared and Spybot they found nothing.


Logfile of HijackThis v1.99.1
Scan saved at 8:37:08 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139349804618
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139447889875
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Scarlett, 12 February 2007 - 10:14 AM.
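As an added example for readers triaging a log like the one above (this is not code from the thread, from BleepingComputer or from HijackThis itself): a small Python parser that turns O2, O4 and O23 lines into records and applies two of the checks a helper does by hand, namely a service whose binary carries no company information and an autostart or service that points into a user-profile or temp directory. The sample lines are constructed: five are copied from the log above, and the last O23 line (`Example Service`, `exsvc.exe`) is hypothetical, included only so that a flag fires. It is assumed that `Unknown owner` is the company string HijackThis prints for a service binary without version information. The findings are review flags to look at more closely, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input in HijackThis v1.99.1 log format. The first five entries are
# copied from the log posted above; the final O23 line is a hypothetical entry added so
# that the review heuristics below have something to flag.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Example Service (exsvc) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\exsvc.exe
"""


@dataclass
class Entry:
    kind: str          # HijackThis section: "O2", "O4" or "O23"
    name: str          # BHO name, run-key value name, startup shortcut or service display name
    command: str       # command line or module path exactly as logged
    company: str = ""  # O23 only: company string HijackThis read from the binary (assumed format)
    path: str = ""     # executable/module path extracted from `command`


# One pattern per line shape handled here; group names are shared so parse_log stays generic.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<command>.*)$"),
    "O4-reg": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
    "O4-folder": re.compile(r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>.*?) = (?P<command>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<company>.*?) - (?P<command>.*)$"),
}

# Drive-letter path up to the first module extension, optionally wrapped in quotes;
# trailing arguments such as "/STARTUP" are dropped.
_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|cpl))"?', re.IGNORECASE)


def executable_path(command: str) -> str:
    """Return the module path from a logged command line, or the whole string if none is found."""
    m = _PATH_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def parse_log(text: str) -> List[Entry]:
    """Turn O2/O4/O23 lines into Entry records; every other line is ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m is None:
                continue
            fields = m.groupdict()
            entries.append(Entry(
                kind=kind.split("-")[0],
                name=fields["name"],
                command=fields["command"],
                company=fields.get("company", ""),
                path=executable_path(fields["command"]),
            ))
            break
    return entries


# Directory markers that normally should not host an autostart or service binary.
_PROFILE_OR_TEMP = ("\\temp\\", "\\documents and settings\\", "\\application data\\", "\\local settings\\")


def review(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Apply two hand-triage heuristics; returns (entry, reason) pairs that are flags, not verdicts."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.kind == "O23" and e.company.strip().lower() == "unknown owner":
            findings.append((e, "service binary carries no company information"))
        if any(marker in e.path.lower() for marker in _PROFILE_OR_TEMP):
            findings.append((e, "autostart points into a user-profile or temp directory"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LOG)):
        print(f"[{entry.kind}] {entry.name}: {reason} -> {entry.path}")
```

Run against the sample, only the hypothetical `exsvc` service is flagged (twice, once per heuristic); the AVG, Java, SpywareGuard and ZoneAlarm entries from the real log pass both checks, which matches how the log above was read in the thread.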

#2 Scarlett

Scarlett

    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 11:21 AM

I can't type sometimes. It is touch and go. I am so screwed. Do not know where the heck this infection came from. :thumbsup: Bobbi suggested a re-format. How do I do that?

http://img442.imageshack.us/my.php?image=w...ileiconsrj6.jpg

Edited by Scarlett, 12 February 2007 - 12:32 PM.


#3 Scarlett

Scarlett

    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 02:46 PM

Panda online - won't run (HTTP 500)
Bitdefender online - won't run (website could not be displayed)
Trend Micro online found nothing
McAfee online found nothing
I am going to try Rootkit Revealer next

#4 Scarlett

Scarlett

    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 04:59 PM

Rootkit Revealer showed nothing. I'd be thrilled to hear any more advice besides re-format. LOL I can wait my turn.

Thanks to all who have helped me so far. :thumbsup:

Edited by Scarlett, 12 February 2007 - 05:00 PM.


#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender: Male
  • Location: London

Posted 12 February 2007 - 05:24 PM

Hi Scarlett, post the Combofix log here once done. :thumbsup:

#6 Scarlett

Scarlett

    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 05:53 PM

Here you go DT. Thanks.

While Combofix was running I received three alerts from Spyware Guard. They show in the activity log but I can't copy/paste them here. They were Browser Hijack Alerts. I restored to the old value. They were attempts to change my homepage, my search engine and my search bar.
Edit: This shows in my Services: DSAZOG, manufacturer unknown, status Stopped.

"comp name" - 07-02-12 16:18:52 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\comp name\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-12 to 2007-02-12 ))))))))))))))))))))))))))))))))))


2007-02-12 13:35 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-02-12 13:32 <DIR> d-------- C:\Program Files\MSECACHE
2007-02-12 12:46 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-02-12 12:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-12 12:17 <DIR> d-------- C:\WINDOWS\LastGood
2007-02-12 11:46 <DIR> d-------- C:\DOCUME~1\*****~1\.housecall6.6
2007-02-12 00:07 <DIR> d-------- C:\DOCUME~1\******~1\Application Data\BlogDesk
2007-02-04 11:07 <DIR> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-12 14:25 -------- d-------- C:\Program Files\mozilla firefox
2007-02-12 11:32 -------- d-------- C:\Program Files\icechat5
2007-02-12 11:17 -------- d-------- C:\Program Files\google
2007-02-12 08:37 4709 --a------ C:\Program Files\hijackthis.log
2007-02-11 23:10 -------- d-------- C:\Program Files\spywareblaster
2007-02-11 23:09 -------- d-------- C:\Program Files\spywareguard
2007-02-04 11:09 -------- d-------- C:\DOCUME~1\******~1\Application Data\siteadvisor
2007-02-01 17:49 -------- d-------- C:\Program Files\keynote
2007-01-23 08:10 -------- d-------- C:\Program Files\java
2007-01-23 05:50 -------- d-------- C:\DOCUME~1\******~1\Application Data\openoffice.org2
2006-12-23 16:51 -------- d-------- C:\Program Files\myfantasyleague
2006-12-23 16:43 4650 --a------ C:\WINDOWS\mozver.dat
2006-12-21 08:23 -------- d-------- C:\DOCUME~1\*****~1\Application Data\real
2006-12-21 08:22 -------- d-------- C:\DOCUME~1\*****~1\Application Data\media player classic
2006-12-21 08:19 -------- d-------- C:\Program Files\real alternative
2006-12-21 08:19 -------- d-------- C:\Program Files\media player classic
2006-12-21 08:01 -------- d-------- C:\Program Files\real
2006-12-21 07:58 -------- d-------- C:\Program Files\Common Files\real
2006-12-19 17:38 -------- d-------- C:\Program Files\a-squared free
2006-12-06 23:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-27 02:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-01 13:05 84792 --a------ C:\Program Files\zoomit.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kgsystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kuma_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Kuma Games\\kgsystray\\Kuma_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://p3k.org/rss/index.r?url=http://blee...d.php?act=posts

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_DSAZOG
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RKREVEAL150


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-12 16:20:19

Edited by Scarlett, 13 February 2007 - 11:49 AM.


#7 Scarlett

Scarlett

    Bleeping Diva

  • Topic Starter

  • Members
  • 7,479 posts
  • Gender: Female
  • Location: As always I'm beside myself ;)

Posted 12 February 2007 - 07:17 PM

Sometimes I am not able to type. So if I do not reply to any posts right away, it does not mean I am ignoring anyone.

Edited by Scarlett, 12 February 2007 - 07:30 PM.
