don't know what i have

Discussion in 'malware problems & news' started by zekky, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4
    taskmgr & regedit disabled, i can re-enable them using ad-aware but then when logoff or reboot my pc it reverts back to being disabled. I have tried a lot of things already. Used adaware, NAV, stinger.exe, dougknox.com scripts, xteq pro. Nothing seems to give me a permanent resolution.

    Any thoughts, ideas?

    Below is the saved log from HijackThis:
    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:49 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\SPOOLSVR.EXE
    C:\Program Files\3dhq Tools\v_ctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
    C:\Program Files\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
    C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINNT\System32\CTSvcCDA.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
    C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Google\ggviewer81-48.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Temp\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [xv_crtl] C:\Program Files\3dhq Tools\v_ctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: taskmgr.lnk = C:\WINNT\system32\taskmgr.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: PCSuiteForNokia6600 Detect.lnk = ?
    O4 - Global Startup: PCSuiteForNokia6600 TS.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {52D7DDE4-F150-4D82-AAB5-6EED6AB7C708} (my printer) - http://www.hpphoto.com/downloads/HPPrint.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8134.8659606481
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab
     
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I can see two suspicious things in that HijackThis log:

    Under running processes:
    C:\WINNT\SPOOLSVR.EXE

    (refer to http://www.sophos.com/virusinfo/analyses/trojpwssagib.html )

    And this one:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    (that one's probably the reason why your Regedit won't work)

    Other than that, I can't see anything suspicious. But then again, I'm no expert either..
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi zekky,

    Gavin has also replied to your post in this thread too:
    https://www.wilderssecurity.com/showthread.php?t=21396

    If you have not done so already, please download and install the 30-day free trial of TDS-3 from here: http://tds.diamondcs.com.au/

    As the trial version does not have auto update enabled, update it manually as described here: http://tds.diamondcs.com.au/index.php?page=update

    Then press scan control, and tick all the little boxes in the bottom part of that window, press save configuration and then close the window by pressing the red X in top right corner, then select System Testing and select Full System Scan.

    Once the scan is finished, right-click the file(s) it finds and you will be given a choice of what to do with the file(s). The normal selection would be delete.

    As mentioned by Gavin in the other thread, TDS-3 should detect this trojan, but if nothing is detected, then email support@diamondcs.com.au and they will help you remove it.

    Regards,

    snap
     
  4. zekky

    zekky Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    4
    Thanks alot everyone.

    Through further research I found out that I was infected by an older version of Magic_PS i think it was v1.42. Since this experience I am now afraid of downloading and installing any other utilities in my pc. Having said that, the way I removed the infection is by deleting the files and the registry entry that it created. Is that enough?

    Z

    removed:
    c:\WINDOWS\spoolsvr.exe size: 11.500 bytes
    c:\WINDOWS\SYSTEM\FlashPlayer32.exe size: 11.500 bytes

    deleted registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{142A6800-3I18-11C0-821H-4M4GICH20010S} "StubPath"
    data: C:\WINDOWS\SYSTEM\FlashPlayer32.exe
     
  5. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi zekky,

    From what I've read too, those are the files and the registry entry.

    I would suggest you still do a full system scan with one (preferably two) of these free on-line scanners, just to be sure: Free Services

    Use the Disk cleanup Utility to clean out your Temp folders. Disk Cleanup Utility

    Disable System Restore, then do the on-line virus scans. After doing the on-line scans, reboot your computer and re-enable System Restore, and set a new Restore Point.

    Make sure you also change all your passwords.

    And here's some reading to help with how to tighten your security and help keep your computer clean: https://www.wilderssecurity.com/showthread.php?t=27971

    Regards,

    snap
     
    Last edited: Jun 17, 2004
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.