Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

cant open task manager


  • Please log in to reply

#1
Leines

Leines

    New Member

  • Member
  • Pip
  • 5 posts
iv tried it all ;spybot, cw, adaware ...
not only i cant open task manager i cant open hotmail.com specifically, i also can't open search in windows as well as have much trouble switching profiles on xp


Please help, this is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:00 PM, on 28/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\navapqwa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steph Smith\Local Settings\Temporary Internet Files\Content.IE5\T7WQXM9D\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] navapqwa.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] navapqwa.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107294173173
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D99DA3CC-1359-4AB5-947C-B744D973E23A}: NameServer = 192.168.1.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
mus2635

mus2635

    New Member

  • Member
  • Pip
  • 1 posts
Howdy,

i'm not 100% sure but it looks like you have this one running...

We have had a new "type of" SpyBot worm infection. I say "type of" because, Symantec NAV/SAV does recognize / identify this worm in the "vaguest" of terms. However Symantec/Norton AV does not remove the worm. It only quarantines it.

As of yet, the worm doesn't appear to be doing any harm. It resides in memory and can't be easily removed. We have had to reboot the machine and manually remove the file navapqwa.EXE . The file will return if SQL or the system isn't patched. This is a major concern. It is thought that this type of file can lie doormat but eventually elevate its privileges. This type of "RootKit" worm is thought to be the means hackers gained access and stole "Half-Life 2"… which is also the means of deploying additional SpyBot malware.


Symptoms:
- Lies hidden in memory. You won't find it running in the task list.
- Actually hasn't done any damage. No real amount of traffic is detected.
- Slight TFTP and FTP activity is detected.
- It propagates over shares and ports 1133-1134
- File navapqwa.EXE is found in %systemroot%\system32 directory.
- It may be found in the "RUN" keys of the registry.
- File MSDIRECTX.SYS is found on machine. (See Troj_RootKit.H)

Vulnerabilities:
- Tends to infect SQL servers, particularly those with weak passwords. MSDE is also affected.
- The servers that it has infected have been patched… with that in mind, it is suggested that all systems have a current patch level with specific emphasis on MS03-026 and MS04-011 vulnerabilities.

Detection / Prevention Action:
- Make sure all systems are updated to the current patch level.
- Check systems for SQL vulnerabilities.

Infection Action:
- Reboot server and manually remove navapqwa.
- Check registry for file navapqwa and remove it. (This is sometimes listed as a Compaq file. Spot check all "Run" keys for suspicious EXEs.)
- Search directory for MSdirectX.sys and remove.
- Strengthen all SQL SA account passwords.
- Strengthen local administrator passwords.
- Update local AV product to current date of 30Mar05.
- Run a complete scan on the system.
- Report this to "EHQ Virus Response Team" and/or "[ITS] Systems and Information Security Group". We will keep statistics on all infections and deliver summary reports to this larger group. By all means share any "breaking news", detection or removal tips with this global group.

Other Notes:
- The file is being submitted to Symantec and Trend. We hope to have better detection, prevention and removal tools.
- We will be running scans on subnets and recruiting anyone that can participate in scanning and patching.
- Users are not largely aware of this infection.
- We still don't know exactly how it was triggered. General assumption points to downloads of utilities or P2P programs that have embedded code in the installation of downloads.
- The world, in general, aren't fielding this problem.


Reference:
Symantec 32.Spybot.Worm
http://securityrespo...pybot.worm.html

Trend Troj_RootKit.H
http://www.trendmicr.....KIT.H&VSect=T

Worm_Rbot.ALT
http://www.trendmicr.....T.ALT&VSect=T


SpyBot / MSdirectX.sys
http://www.antisourc...ebc08-msdirectx


RootKit Tool and Info
http://www.f-secure....t/rootkit.shtml
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP