Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My Computer Has Been POSSESSED! PLEASE HELP!


  • Please log in to reply

#1
tagibb2

tagibb2

    New Member

  • Member
  • Pip
  • 4 posts
:tazz:

My apologies for the lengthy post. I wanted to try and include as much detail as possible.

I'm hoping someone can assist me. I'm at my wit's end... I was cruising the web last night, when I was hit by numerous threats that were picked up by Symantec. Symantec immediately quarrantined four threats. They were:

Adware.FastLook - Listed as Quarrantined.
Adware.Livechat - Listed as Quarrantined.
Download.Trojan - Listed as deleted.
Bloodhound.Exploit.54 - Listed as Quarrantined.

After the "attack," and assuming Symantec had captured everything, I decided to run UltraWinCleaner. I initialized the program, selected "One-Click" which performs all of the cleaning utilities is sequence, and let it run. The program crashed when it tried to read the Local Settings/TEMP/Temporary Internet Files/Content IE5 folder. This was very odd, as I had never seen the program act in this manner beofre, and I try and use on a daily basis, and have been doing so for a year, or so.

I then decided to try and run yahoo anti-spy, to see if anything came up. Well, it detected the following trojan: Trojan.Win32.Qhost.df. I selected "remove" (which it did) then decided to reboot the system. Well, as you already know, low and behold, it came back (guess I didn't get the registry entries?) I confirmed this by running Yahoo anti-spy again, after the reboot. The trojan is there, prompts to remove, i do so, reboot...the cycle continues. It's loading on startup, I don't know how to stop it.

I have followed all of your instructions you requested to follow prior to posting the hijack file in this forum. I have tried the following programs with associated dissappointing results:

UltraWin Cleaner - Program locks up when it tried to clean Winjunk (temp files) and will not complete the scan.
Yahoo Anti-Spy - Picks up the Trojan, removes it, but, it comes back on reboot.
RegRun - Program locks up and will not complete the scan.
Stinger - Program locks up and will not complete the scan.
Avast - Program locks up and will not complete the scan.
Cleanup 4.0 - Program locks up and will not complete the scan.
Ad-Aware - Program locks up and will not complete the scan.
Spybot - Runs through to completion. Not picking the Trojan up.
Tune-up Utilities 2006 - Program locks up and will not complete the scan.
Ewido - Program locks up and will not complete the scan.
CWShredder - Program locks up and will not complete the scan.
Symantec - Isn't picking up the Trojan...?? (Is this strange?)
Performed Windows Update like you requested. Installed several updates.
Rebooted
Ran HiJackThis and saved my log file.

I have even tried using Windows Explorer, to access the Local Settings/TEMP/Temporary Internet Files/Content IE5 folder, to manually delete the files, and whenever I attempt to access the folder Explorer crashes, giving me the same exact error message as for the above programs, stating Cannot read memory at xxxxxx, cick "ok" to terminate, click "cancel" to debug.

I will post my log file in reply to this thread.

Please help!!!!!! :)

Thanks and regards,
Tracy

P.S. Happy Holidays![u]

Edited by tagibb2, 14 December 2005 - 10:39 AM.

  • 0

Advertisements


#2
tagibb2

tagibb2

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Here is my hijack log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:06:49 AM, on 12/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\LckFldService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\Acrodist.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\Web\AOM.exe
C:\Documents and Settings\Gibb_Tracy\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://etimexp.northgrum.com/tesite/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestpatro...n/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127136496931
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://secure.photof...geUploader3.cab
O16 - DPF: {AAD32D2E-02C8-11D7-81B3-0050FC352236} - http://69.34.16.53/a...ctiveXSetup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NSROC.NET
O17 - HKLM\System\CCS\Services\Tcpip\..\{52E54D18-69B2-4EF4-AB18-83AF4A21DAD4}: NameServer = 85.255.115.45,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{92B955EB-D01C-4902-9C44-9979D26CC0E2}: NameServer = 85.255.115.45,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C90F105-F41A-4EE9-91CC-E58443E32492}: NameServer = 85.255.115.45,85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3BB4FAE-E16E-4553-924C-F73C5A46C76D}: NameServer = 85.255.115.45,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NSROC.NET
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NSROC.NET
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LckFldService - Unknown owner - C:\WINNT\system32\LckFldService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

If anything else is needed, please let me know and I will get that information posted immediately.

Thanks again!

Desperate Seeking Assistance,
Tracy
  • 0

#3
tagibb2

tagibb2

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I'm not sure if this will help, but, here is a copy of my Symantec Threat History (from last night:)


Risk: Adware.FastLook Action: Quarantined Count: 17 Filename: swkvb.dll Threat Type: Adware Original Location: C:\WINNT\system32\ Status: Infected Action: The file was quarantined successfully. Date: 12/13/2005 17:21

Risk: Adware.LiveChat Action: Quarantined Count: 5 Filename: sphlp32.exe Threat Type: Adware Original Location: C:\WINNT\system32\ Status: Infected Action: The file was quarantined successfully. Date: 12/13/2005 17:19

Risk: Download.Trojan Action: Deleted Count: 1 Filename: dgprpsetup.exe Threat Type: File Original Location: C:\WINNT\system32\ Status: Deleted Action: The file was deleted successfully. Date: 12/13/2005 17:18

Risk: Bloodhound.Exploit.54 Action: Quarantined Count: 1 Filename: xp[1].htm Threat Type: Heuristics Original Location: C:\Documents and Settings\Gibb_Tracy\Local Settings\Temporary Internet Files\Content.IE5\AH1U7QPW\ Status: Infected Action: The file was quarantined successfully. Date: 12/13/2005 17:17
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP