
Getting Desperate - Ready To Boot Machine To Trash!


2 replies to this topic

#1 midgie


  • Members
  • 10 posts

Posted 05 July 2007 - 08:59 AM

Something took over my PC about 2 months ago. I have run every legit scan I could find and nothing really was detected except a win32 something that was taken care of by Norton, at the beginning of this - and some CoolWeb files also deleted. The first forced reformat cost me tons of personal stuff. I have reformatted a couple of dozen times since then and restored uncountable times. A low level format is not possible right now as this is an off the shelf Compaq/HP piece of junk - out of warranty, with no true DOS and no pure WinXP.... I have got to find and get rid of this thing... guess it is a rootkit hacker....

It started by putting SpamSubtract (HP junk) over my Winsock which locked me out of the net for over 2 weeks till I discovered the trick. Since I use ZA and block server and forbid anything out of here that I am not using and have never used any sharing software or networking stuff - was shocked to find it setting up a LAN connection and family network protocol, Messenger (which I had disabled), a RAZ phone, and NetMeeting with this last fresh reformat when I tossed out everything but the bare bones Win - and a few freshly set up utilities. I could not delete those files and had to go to safe mode to do it. It has managed to d/l in spite of my wariness loads of crap into this computer - and modified Spybot and other such helpers, which often had to be set up fresh!

RkUnhooker was reporting for a time two pages of files hooked by a kernel file - and Spybot that DSO exploit which I modified in regedit. Found 4 excludes in Spybot, where I had excluded nothing - SideStep, NewNet, MySearch and LSP.NewNet! But unchecked it found nothing, so may have still been excluding them.....
It was putting files linked to Cloacker into the run - till I was finally able to shred that and its clones...
It again locked me out of the net for a long period till I discovered that a *svchost NETWORK SERVICES* WAS doing the blocking, and by bringing up Task Manager and tossing that I am then able to access the web - and that is how it still stands, if I want to get on and get my mail etc. But my getting on I fear gives it access as it emulates my profile.............

Now I am the only user of this machine and have never had any viruses or problems since I was a newbie - nearly 10 years ago - and I have no idea how this SOB ever got into my machine!

I am sure hoping that some of you good folks might recognize some of those ploys and give me some clues as to what this thing is and what rootkit files it might be using. I will, as soon as I am able, get a HJ log up for the pros to look at and hopefully get somebody to look at some other suspect stuff I have collected...

I am so glad I found this board - I know so little about this stuff and have just been boxing in the dark...
Much to learn here, as time permits.....

Thanks for listening and for any help you might have to offer!

Midgie


 


#2 rowal5555


    Just enough info to be armed & dangerous...


  • Members
  • 2,644 posts
  • Gender:Male
  • Location:St Kilda, Dunedin. South Island. NZ

Posted 05 July 2007 - 12:34 PM

Hi midgie.

Sounds like it is time for the experts to have a look at your problems. If you do all the processes mentioned here: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/, and are still having problems after that, carry on and submit a HiJackThis log in that Forum.
Please do not use HJT to fix anything yourself as all its info is needed for a good diagnosis.

Good luck

rowal5555 (Rob)

Avid supporter of Bleeping Computer's
Team 38444

You can help find a cure


 


#3 midgie

  • Topic Starter

  • Members
  • 10 posts

Posted 09 July 2007 - 07:02 PM

Thanks for the reply Rowal...

Was hoping some of the experts in here would recognize some of these files &/or processes...
I cannot do a real reformat! and am very rural and isolated - no good tech that I know of...

Did find a rootkit file through the list under startup - and opened and messed up the insides of it. Was Secdrv - put in by the Troj/Agent-FXV - which is a Windows downloader trojan - brought in by something else they say.... There is so little info on that thing out there... Does anyone have a good source of info?
Sophos is supposed to get it but does not find it!!

Had quite a go round with it and hidden files today using sargui.exe, then because I was ruining all its efforts, I guess it suddenly changed my graphic settings - then once again disabled net access - do not know how this time - just did a restore to get back on the net!

I am hoping IceSword might be the solution - though it finds nothing since I did the restore...
Perhaps the thing has to be active - so will try again later.....

I would sure like to wring the neck of the SOB behind this!!!!

Midgie



