Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

nasty hijackers


  • Please log in to reply

#1
amozart

amozart

    New Member

  • Member
  • Pip
  • 5 posts
:tazz:
Hi,

My computer is infected with a virus that will drop sdfttte.exe, sefer.exe, protect.exe, and other stuff into my User folder. These files then invites other stuff to my computer. I tried Spyware Doctoer and it couldn't fix it. There are also programs like video2.exe, dload.exe in the system32 folder.

Here is the part of the Spyware Docter log file that shows the hijackers that cannot be removed.

Possible Website Hijack (50) 127.0.0.1 ca.com High
Possible Website Hijack (45) 127.0.0.1 f-secure.com High
Possible Website Hijack (72) 127.0.0.1 kaspersky.com High
Possible Website Hijack (67) 127.0.0.1 mcafee.com High
Possible Website Hijack (54) 127.0.0.1 my-etrust.com High
Possible Website Hijack (59) 127.0.0.1 nai.com High
Possible Website Hijack (34) 127.0.0.1 networkassociates.com High
Possible Website Hijack (48) 127.0.0.1 sophos.com High
Possible Website Hijack (52) 127.0.0.1 symantec.com High
Possible Website Hijack (64) 127.0.0.1 trendmicro.com High
Possible Website Hijack (32) 127.0.0.1 viruslist.com High
Possible Website Hijack (68) 127.0.0.1 viruslist.com High

It appears that the hijacker blocked my access to online virus checks.

After I used Spyware Doctor and ewido to clean up the viruses, it appears to be clean. But once I am online for a few minutes, the uninvited guesses starts to show up. It all started with Aurora. But I have since removed it. There is also Nail.exe that keeps coming back. Please hlep.

Here is the HJT log file:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\video2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Any help would be appreciated. Thanks.
  • 0

Advertisements


#2
jdm

jdm

    Member

  • Member
  • PipPip
  • 79 posts
Hi, Welcome to GTG. Please post your hijackthis log in the forum below. It will receive more attention there.

Malware Removal - HiJackThis Logs Go Here

Kind Regards,

JDM

Edited by jdm, 14 May 2005 - 03:06 PM.

  • 0

#3
jdm

jdm

    Member

  • Member
  • PipPip
  • 79 posts
"My computer is infected with a virus that will drop sdfttte.exe, sefer.exe, protect.exe, and other stuff into my User folder. These files then invites other stuff to my computer. I tried Spyware Doctoer and it couldn't fix it. There are also programs like video2.exe, dload.exe in the system32 folder."

Have you tried booting into safe mode (tap the F8 key a few times while starting up) and deleting files you know for certain are rogue? Left alone these sorts of files run in the background every time Windows boots up and can, as you've experienced, wreck havoc on your machine.

JDM
  • 0

#4
amozart

amozart

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I tried the Safe mode many times already and they always come back. In fact, the HJT log and all the anti-virus and anti-adware programs detects no virus for about 40 minutes . . . I think the hijack is still in the system and it somehow never been detected by any of the anti-spyware programs I have. video2.exe is the main problem, I think. My computer runs fine when I am offline. Once I am only for more than a few minutes, the virus spreads like fire. Does anyone know of the hijacker that block computer from accessing the online adware and virus detections? Any help would be appreciated.

Latest news:

ewido detects a virus that redirects my computer to a website to download rdgUS1742.exe
After I tried everything, I do mean everything posted on this board, I still back to ground zero. . . tool.exe, protect.exe and sdfttte.exe start to show up in my user folder.
YourSiteBar seems to be the problem at this point. . .
Any help would be appreciated. Here is the HJT log file after 3 minutes online:
Logfile of HijackThis v1.99.1
Scan saved at 4:36:39 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {7575109D-9D0E-4399-EE0A-6FDC49F0E6B9} - http://67.19.178.86/1/rdgUS1742.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks again.

Amozart

Edited by amozart, 15 May 2005 - 02:47 PM.

  • 0

#5
amozart

amozart

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I think I had the Bube trojan. I already sloved the problem. It took sometime, among other things, to get it out. The ETrust onlone scan killed a few of the infected files. Then I have to use the information on this link to solve the rest of problem: http://www.thespykiller.co.uk/bube.htm. The update was not possible at first due to URL hijacks. After the E-Trust online scan I was able to update my kaspersky virus definitions. My computer is clean as of this morning. . . Hope this information would help others who has this virus on their computer.

Amozart
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP