Nasty hijacking! Please help

#1 russpix
I'm in a wrestling match with a NASTY take-over of some kind. Don't know if anyone can help, but I would appreciate any and all attempts.

First, know that I spent a good part of this day on the phone with Symantec support (India!) trying to fix this thing, and they've had me delete files in regedit, download HijackThis & Ad-Aware... tried all kinds of things. Worked mostly in Safe Mode with them. Finally ran into their closing time, and hung up with the promise that they'd call back tomorrow to dig back in. So you gotta give 'em an "e" for effort.

Second disclaimer is that I am currently working on my Mac Powerbook, as whatever has invaded my PC is denying access to Internet Explorer (among other things... description below). So my procedure thus far has been to download fix software on the Mac & transfer to the PC via Compact Flash card. Obviously, e-mail is handled on the Mac right now as well. I have physically disabled my wi-fi connection on the PC for now.

So here is the best list or description of what all is messed up, and just in case it helps, a brief description of how it got that way. I've had some viruses in my time, but I've never seen anything like this:

I'm a professional photographer. 98% digital for 3 years now. BIG files. Camera captures at 16MG. Interested in learning more about Raw Capture, I was surfing some websites & Googling away 3 days ago, and one click rendered a sudden burst of about ten really disgusting, "adult" pages with "Raw" in their titles that popped up almost simultaneously. I started closing them out immediately, and saw that several Norton alerts had popped up as well. In hindsight, I should have written down each of the files, but I've never seen Norton fail, so the message "Norton Antivirus was unable to delete this file" didn't register with me until it was too late. The following problems occurred immediately:

*Double-clicking on desktop icons with left mouse button only highlights icon; does NOT open it. I can open most things on the desktop via right-click/"open." It's like the shell or desktop is a fake or something.

*Start Menu contains no Search, Run, My Computer or Help buttons, and "All Programs" button has no effect (no program list appears).

*Ugly effect when attempting to open Internet Explorer: before Symantec's changes, open command produced a blank (all-white with blue title bar) window, NO address bar in it, and after a few seconds the "program is not responding" message appeared. Had to close in Task Manager. After Symantec, open command produces a small, quick-flash "download" window that appears for maybe half a second, then closes. That's it. (Yes, my homepage had been changed to the dreaded "About Blank"). Symantec had me ping Google's home page through a DOS prompt, and we were gettin' out there. Hmmm...

*Outlook Express opens, and I can see messages, but if I try to open and read one I get a message that says "error: one or more parts of this message is missing." Closing that message window, I get another that says there is not enough memory to open this message. (BTW, I have 1G RAM installed.) No other signs of a fake memory crisis, and performance tab in TaskMgr looks normal.

*Norton Antivirus and SpyWare Nuker are disabled. I can get the Norton screen, but all the buttons and choices are inactive, and within a few seconds it stops responding. SWN does the quickie "download" like Internet Explorer.

I ran out and bought a new external drive when this happened, and have copied all my data to it. So I guess I could just rip the thing down to nothing and start over. But I have lots of pro-level photo software that would have to be re-installed (much of it downloaded), and the whole system ran like a top until the attack. So I'd like to give it some more effort before throwing in the towel.

Sorry for the non-tech description, but I figured it might help if I described the symptoms. Again, any help would be appreciated. I will have a fresh download of HijackThis in a new, dedicated folder should anyone want to see a scan log. Oh... should mention that the first time I ran Ad-Aware, there were about 75 recognized files. Now a scan in AA is clean (0 files).

Thanks, R. Russell

Hep me! Hep me!

#2 Michlos
Hi!

Sounds like you are having just a bit of trouble there, mate.

Please post the Hijack This log here and we'll take a look at it.

#3 russpix (Topic Starter)
Sorry to take so long in getting this posted. Symantec has been calling sporadically & trying to help. They believe the malicious stuff has been deleted, but that many programs have been corrupted and need to be re-installed. I dunno. I can't do a system restore; unable to access through normal desktop methods and when I try at startup my administrator password is invalid. Oh joy, oh rapture.

So here's a new HiJackThis log.

Mucho appreciato to anyone who tries to help.

Best, Russpix

Logfile of HijackThis v1.99.1
Scan saved at 12:35:11 PM, on 3/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\hijack\HijackThis 3.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O6 "USB003" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKCU\..\Run: [QuickGammaLoader] C:\Program Files\QuickGamma\QuickGammaLOADER.EXE
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Portfolio Express.lnk = C:\Program Files\Extensis\Portfolio 7\Portfolio Express.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
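The log above is the kind of autostart inventory a helper reads by hand: O4 entries are Run keys and Startup-folder shortcuts, O20 entries are DLLs that winlogon.exe loads as notification packages, and O23 entries are installed services with the publisher string HijackThis could read from the file. The following Python script is an added example, not part of this thread and not HijackThis code: it parses lines in the HijackThis 1.99 format and flags entries that a reviewer would want to check first (a service whose publisher is "Unknown owner", anything registered with Winlogon, and any autostart whose executable lives outside C:\WINDOWS or C:\Program Files). The sample lines are copied from the log in this thread; the triage rules and the "trusted location" prefixes are this example's own assumptions. A flag means "look at this", not "this is malicious": in the sample, the three flagged entries (HP's AutoTKit, Intel's igfxcui, and Adobe's licensing service) are all legitimate software, which is exactly why a human still has to check file signatures and vendors before deleting anything.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of entry lines copied from the HijackThis
# log posted in this thread (headers and "Running processes" lines are
# ignored by the parser, so only entry lines are included here).
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =",
    r"O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe",
    r"O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
]

# Assumption of this example: on a stock Windows XP box, legitimate autostarts
# overwhelmingly live under these two trees. Anything elsewhere gets a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<rest>.+)$")


@dataclass
class HjtEntry:
    kind: str             # R0, O4, O20, O23, ...
    location: str         # registry key, "Startup", "Winlogon Notify", "Service"
    name: str             # value name, shortcut name, notify key, or service name
    value: str            # command line, DLL path, or setting value
    owner: Optional[str]  # publisher string, only present for O23 service lines


def parse_line(line: str) -> Optional[HjtEntry]:
    """Decode one HijackThis entry line; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    if kind.startswith("R"):
        # R0 - HKCU\...\Main,Local Page = <value>
        location, _, body = rest.partition(",")
        name, _, value = body.partition("=")
        return HjtEntry(kind, location, name.strip(), value.strip(), None)
    location, _, body = rest.partition(": ")
    if kind == "O4":
        if body.startswith("["):            # registry Run value: [Name] command
            name, _, value = body[1:].partition("] ")
        else:                                # Startup folder: Name.lnk = target
            name, _, value = body.partition(" = ")
        return HjtEntry(kind, location, name, value, None)
    if kind == "O20":                        # Winlogon Notify: key - dll
        name, _, value = body.partition(" - ")
        return HjtEntry(kind, location, name, value, None)
    if kind == "O23":                        # Service: name - owner - path
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, value = parts
            return HjtEntry(kind, location, name, value, owner)
    return HjtEntry(kind, location, "", body, None)   # kinds not decoded further


def parse_log(lines) -> list:
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def exe_path(command: str) -> str:
    """Pull the executable path out of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" /", 1)[0]         # drop switches like "/background"


def triage(entries) -> list:
    """Return (entry, reason) pairs that deserve a manual look."""
    findings = []
    for e in entries:
        reasons = []
        if e.kind == "O23" and e.owner == "Unknown owner":
            reasons.append("service has no publisher string; verify the file's signature")
        if e.kind == "O20":
            reasons.append("DLL loaded into winlogon.exe as a notification package; verify the publisher")
        if e.kind in ("O4", "O20", "O23"):
            path = exe_path(e.value)
            if path and not path.lower().startswith(TRUSTED_PREFIXES):
                reasons.append(f"autostart from a non-standard location: {path}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LINES)):
        print(f"{entry.kind} {entry.name!r}: {why}")
```

Run against the full log in this thread, the same rules would also surface the two other "Unknown owner" services and the OmniPass Winlogon DLL; none of those is evidence of infection on its own, but each is a file whose vendor and signature are worth confirming before the decision to leave it alone.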