[bshaw]

Hey guys,
I need some help right now. I'm on my friends computer and they have something (trojan or some kind of virus) on their computer that I can not get off. There are icons on the right hand side of the desktop that actually load if you move the cursor over them. I can not right click to see what the properties are. I have also went in and checked for process's running, checked them all out on google but found nothing. They have norton's anit-virus installed, but it is not detecting anything at all. What is on their computer? If more details are needed, please let me know. I'll install Hi-Jack This in the mean time and post back as soon as I get a report. Thanks ahead of time!!

[Advertisements]

Go to start - my computer - documents and settings - their login name - desktop. From there, right click them and view their properties.
Also when you move the mouse cursor over them, what do they load? And are you able to kill the process in task manager?

[Aslyfox]

Go to start - my computer - documents and settings - their login name - desktop. From there, right click them and view their properties.
Also when you move the mouse cursor over them, what do they load? And are you able to kill the process in task manager?

[bshaw]

Heres the HiJackThis Log on their computer:

Logfile of HijackThis v1.99.1
Scan saved at 4:56:50 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\Intel\NCS\WMIProv\NcsWmiCo.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\PROGRA~1\Intel\NCS\WMIProv\8023\NcsWmiEv.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {13307A3B-D872-C1E5-61D4-88BCCE9527F2} - WinInitDll.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\cbgji.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\cbgji.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SAPSTR] SysSupport.exe
O4 - HKLM\..\Run: [LOPTCON] cmon14.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UnSpyPC] C:\Program Files\UnSpyPC\UnSpyPC.exe
O4 - HKCU\..\Run: [MNTP] zxc.exe
O4 - HKCU\..\Run: [MONITER] MONITER.exe
O4 - HKCU\..\Run: [trycrt] NukeSpan.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C895BD5-B364-4A35-815B-7A467EA9BC22}: NameServer = 85.255.115.115,85.255.112.24
O17 - HKLM\System\CCS\Services\Tcpip\..\{C27DD784-4BE8-416D-8D66-C8389E0873FE}: NameServer = 85.255.115.115 85.255.112.24
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Aslyfox]

Please post this in the malware forums, as you will get help quicker there.

[bshaw]

Go to start - my computer - documents and settings - their login name - desktop. From there, right click them and view their properties.
Also when you move the mouse cursor over them, what do they load? And are you able to kill the process in task manager?

i'm not for sure what you want me to do on the first thing you were talking about. I can not find a user name in their documents and settings
when I move the cursor over the icons they load a website called: http://finddaily.net...hp?q=cheap soma - then it reloads itself to another website depending on the icons your on: xxx, pharmacy=http://medscheap.com/carisoprodol.htm,
gambling,dating, spyware, and something else I can't see.

[Aslyfox]

"Go to start - my computer - documents and settings - their login name - desktop."
It gets you a view of their desktop, from here you should be able to look at the icons.
If there is no names that you can see, just look for desktop.

C:\Documents and Settings\User\Desktop\

Go there, It will give you a view of the desktop which may let you see the icons.

Edited by Aslyfox, 18 December 2005 - 04:20 PM.