don't know what i have

Discussion in 'malware problems & news' started by zekky, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4
    Taskmgr & regedit are disabled. I can re-enable them using Ad-Aware, but when I log off or reboot my PC they revert to being disabled. I have tried a lot of things already: Ad-Aware, NAV, stinger.exe, dougknox.com scripts, xteq pro. Nothing seems to give me a permanent resolution.

    Any thoughts, ideas?

    Below is the saved log from HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:49 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\SPOOLSVR.EXE
    C:\Program Files\3dhq Tools\v_ctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Google\ggviewer81-48.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Temp\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [xv_crtl] C:\Program Files\3dhq Tools\v_ctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: taskmgr.lnk = C:\WINNT\system32\taskmgr.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8134.8659606481
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I can see two suspicious things in that HijackThis log:

    Under running processes:
    C:\WINNT\SPOOLSVR.EXE

    (refer to http://www.sophos.com/virusinfo/analyses/trojpwssagib.html )

    And this one:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    (that one's probably the reason why your Regedit won't work)

    Other than that, I can't see anything suspicious. But then again, I'm no expert either.
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi zekky,

    Gavin has also replied to your post in this thread too:
    https://www.wilderssecurity.com/showthread.php?t=21396

    If you have not done so already, please download and install the 30-day free trial of TDS-3 from here: http://tds.diamondcs.com.au/

    As the trial version does not have auto update enabled, update it manually as described here: http://tds.diamondcs.com.au/index.php?page=update

    Then press scan control, and tick all the little boxes in the bottom part of that window, press save configuration and then close the window by pressing the red X in top right corner, then select System Testing and select Full System Scan.

    Once the scan is finished, right-click the file(s) it finds and you will be given a choice of what to do with the file(s). The normal selection would be delete.

    As mentioned by Gavin in the other thread, TDS-3 should detect this trojan, but if nothing is detected, then email support@diamondcs.com.au and they will help you remove it.

    Regards,

    snap
     
  4. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4
    Thanks a lot, everyone.

    Through further research I found out that I was infected by an older version of Magic_PS; I think it was v1.42. Since this experience I am now afraid of downloading and installing any other utilities on my PC. Having said that, the way I removed the infection was by deleting the files and the registry entry that it created. Is that enough?

    Z

    removed:
    c:\WINDOWS\spoolsvr.exe size: 11.500 bytes
    c:\WINDOWS\SYSTEM\FlashPlayer32.exe size: 11.500 bytes

    deleted registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{142A6800-3I18-11C0-821H-4M4GICH20010S} "StubPath"
    data: C:\WINDOWS\SYSTEM\FlashPlayer32.exe
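An added audit script (my code, not from the thread or any of the posters) that checks the two persistence points discussed above: Active Setup "Installed Components" StubPath entries like the one zekky deleted, and the Policies\System values that HijackThis reports as O7 lines. It assumes PowerShell on a current Windows; the trusted-directory list and the GUID check are heuristics of mine, and the non-GUID key name {142A6800-3I18-11C0-821H-4M4GICH20010S} from the post is exactly the kind of entry the check flags.

```powershell
# Added audit example (not code from the thread). Lists Active Setup StubPath
# entries, flags ones that look suspicious, and reports the policy values that
# lock out regedit and Task Manager.
$activeSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components',
    'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)
# A genuine component key name is a GUID; the key in this thread is not one.
$guidPattern = '^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$'
# Directories where Active Setup stubs normally live (heuristic, adjust to taste).
$trustedDirs = @("$env:windir\system32", "$env:windir\SysWOW64",
                 $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Get-StubExecutable([string]$stubPath) {
    # Take the quoted path, or the first token, and expand %VARS%.
    if ($stubPath -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($stubPath -split '\s+', 2)[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($root in $activeSetupRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $stub = (Get-ItemProperty -Path $key.PSPath).StubPath
        if (-not $stub) { continue }
        $flags = @()
        if ($key.PSChildName -notmatch $guidPattern) { $flags += 'non-GUID key name' }
        $exe = Get-StubExecutable $stub
        if ($exe -match '\\') {   # bare names such as regsvr32.exe are resolved via PATH
            $dir = (Split-Path $exe -Parent).TrimEnd('\').ToLower()
            if (-not (Test-Path -LiteralPath $exe)) { $flags += 'file missing' }
            $trusted = $trustedDirs | Where-Object { $dir -eq $_ -or $dir.StartsWith("$_\") }
            if (-not $trusted) { $flags += "unusual directory: $dir" }
        }
        [pscustomobject]@{ Key = $key.Name; StubPath = $stub; Flags = ($flags -join '; ') }
    }
}
# Policy values behind HijackThis O7 lines. The value shown as "DisableRegedit=1"
# is stored under the name DisableRegistryTools.
foreach ($hive in 'HKCU', 'HKLM') {
    $polKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $polKey)) { continue }
    $pol = Get-ItemProperty -Path $polKey
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($pol.$name) { "$polKey\$name = $($pol.$name)" }
    }
}
```

Run it from an elevated prompt so the HKLM keys are readable; any entry flagged with both a non-GUID name and an unusual directory deserves the same look zekky gave his.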
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi zekky,

    From what I've read too, those are the files and the registry entry.

    I would suggest you still do a full system scan with one (preferably two) of these free on-line scanners, just to be sure: Free Services

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Disable System Restore, then do the on-line virus scans. After doing the on-line scans, reboot your computer and re-enable System Restore, and set a new Restore Point.

    Make sure you also change all your passwords.

    And here's some reading to help with how to tighten your security and help keep your computer clean: https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    snap
     
    Last edited: Jun 17, 2004