Out, out, d*mnded sdbot!


#1 scarecrow (New Member, 3 posts)

Getting very close to reformat time here, any suggestions much appreciated...

Symptoms:

Dial-up, modem swamped with comm traffic as soon as there's a connection, so NO useful downloading from that machine is possible. I'm communicating from a Windows 98/Linux box in the same room. Lockups, reboots, blue-screen core-dumps to a file which gets sent to MS, which directs me to this page:

http://support.micro....com/?id=897079

on reboot.

In normal mode, taskmanager, regedit, HJT all close the instant they're opened. All will run in "safe" mode, but... no comm.

I'm downloading on another machine and moving files to the infected machine on CD. This complicates software updates. I say again, I cannot update software (definition files etc.) IN PLACE. Downloads must be on another machine.

Ad-Aware sometimes finds infected files, Antivir has found nothing. Spybot says DSO exploits, which it never seems to fix (all updates & auxiliary stuff in place).

Also means that I have to run HJT and save the output file to CD, move it back to this machine to post it. Very cumbersome.

What I've tried:

Renaming taskmgr.exe (to, say, "foo.com") so that it executes and I can see what's going on. No joy, I can't spot the culprit, even when comm is being swamped, no processor usage stands out.

Following the instructions on the MS page above... basically going into "safe" mode, removing registry entries, deleting files, running Ad-Aware SE, cwshredder, and Antivir, over and over again. Following forum threads to find the names for more suspicious files and registry entries. Repeat.

So far, I've tried dozens, and found (and removed, sometimes multiple times) hits in these categories:

mediaacck.exe (lots of associated folders/files/reg entries)
msdrv
sdkcore
copq

nothing has made any difference. I can tell by rebooting into normal mode and trying to invoke Task Manager- closes instantly. Connect, and comm traffic is instantly swamped. Registry entries re-appear. Oh, and I did turn off system restore.

Fascinatingly:
When I connect to the net, the thing seems to *learn*. Suddenly, taskmgr renamed as "foo.com" no longer works. Disconnect, copy taskmgr.exe to "bar.com", and "bar.com" works. Connect for too long, "bar.com" ceases to work. Spooky.

The real problem:
Is probably that I'm an Oracle dweeb, with some Linux/Unix, and the whole Windows thing is sort of alien to me. Can't say I'm getting better at it this way.

Again, many thanks for any help. Here's the HJT log (run in "safe" mode).

Logfile of HijackThis v1.99.1
Scan saved at 8:57:35 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,E:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Felix] C:\Program Files\ScreenMates\Full_fel.exe
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093124166392
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - E:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - E:\WINDOWS\system32\sessmgr.exe (file missing)

Edited by scarecrow, 21 April 2005 - 08:08 AM.

#2 scarecrow (Topic Starter, New Member, 3 posts)

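The HijackThis log above is where the thread's evidence actually sits, so here is an added example (not from the poster or from the HijackThis project) of how a helper would triage it mechanically: parse the O4 autostart lines and the F2 UserInit line, and flag the things a reviewer checks first. Two of those checks are visible in the posted log: an entry whose program is a bare filename with no directory (so Windows resolves it through the search path rather than a fixed location), and the same entry name planted in several autostart keys (HKLM and HKCU, Run and RunServices). A third check lists every UserInit value so each one can be verified; the sample lines below are copied from the posted log, and the output is a list of items to look at, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines in HijackThis log format, taken from the log
# posted in this thread (trimmed to the entries the checks act on).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,E:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""

# O4 registry autostart: "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
# F2 system.ini UserInit override: comma-separated list of programs
F2_USERINIT_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(.*)$')


def executable_of(command):
    """Return the program part of an autostart command line.

    A quoted path ("C:\\...\\AVGNT.EXE" /min) is taken up to the closing
    quote; otherwise the first whitespace-separated token is used.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_unqualified(exe):
    """True when the entry names a bare file with no directory, so the
    loader finds it via the search path instead of a fixed location."""
    return "\\" not in exe and "/" not in exe


def analyze(log_text):
    """Scan an HJT log and return the items a reviewer should check first."""
    bare = {}                    # exe -> [(hive, key), ...] where it appears
    by_name = defaultdict(set)   # entry name -> {(hive, key), ...}
    userinit = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            by_name[name].add((hive, key))
            exe = executable_of(cmd)
            if is_unqualified(exe):
                bare.setdefault(exe, []).append((hive, key))
            continue
        m = F2_USERINIT_RE.match(line)
        if m:
            # Every non-empty UserInit program; each should be verified.
            userinit = [p for p in m.group(1).split(",") if p.strip()]
    multi = {n: sorted(k) for n, k in by_name.items() if len(k) > 1}
    return {
        "bare_executables": bare,
        "multi_key_entries": multi,
        "userinit_entries": userinit,
    }


def report(findings):
    """Human-readable summary of analyze()'s result."""
    lines = []
    for exe, keys in findings["bare_executables"].items():
        lines.append(f"bare executable {exe!r} in {len(keys)} autostart key(s)")
    for name, keys in findings["multi_key_entries"].items():
        where = ", ".join(f"{h}\\{k}" for h, k in keys)
        lines.append(f"entry [{name}] present in: {where}")
    for prog in findings["userinit_entries"]:
        lines.append(f"UserInit program to verify: {prog}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run against the sample, the only bare executable is mswin32.exe, the only entry name found in more than one key is "Windows Service Drivers" (all four Run/RunServices keys), and both UserInit programs are listed for verification; nothing here decides what the files are, it only orders the review.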
Later,

Unloaded AntiVir off of the infected machine, loaded AVG. AVG, Ad-Aware and Spybot now all up to date, no updates available. AVG initially found nothing, but with the latest updates found 9 more "infected" files.

All three now report nothing found, until I connect again. HJT, TaskManager and Regedit, however, still abort instantly in "normal" mode, comm port still swamped quickly once I connect, and infections immediately detected after. Sigh.

Thanks,

#3 scarecrow (Topic Starter, New Member, 3 posts)

Later - managed to get the thing slowed down enough to get Panda on-line loaded and run. It reported 14 infected files that none of the others so far have found. Many were junk- adware in spam mailboxes, etc. but two seemed legitimate. What they didn't "fix" I removed. Made no difference.

I see that there are other similar messages here that have also gotten no response - I guess this one is ahead of whatever fixes are available. Backing up data in preparation for reformat/reinstall now.