Hjt Log Analysis Needed -- Severe Malware Infestation


This topic is locked. 2 replies to this topic.

#1 azkid (New Member, 1 post)

Posted 31 July 2007 - 11:36 AM

Hello and thanks for the help!

I have included my HJT log (way down below) for analysis. I can see some of the malware, but before I try any of the various removal tools, I need a professional opinion on how best to proceed. But first, here is the history of the infestation and the current symptoms.

Yesterday I was using IE on my Win2k laptop and simply followed a google search result for how to tune the carburetor on my chainsaw and when I clicked, I saw a command prompt window appear which was obviously running an unauthorized executable. I immediately closed it, but I was already infected. (Just for the record, I have, until recently, always run the automatic MS update stuff, but in April, something in the update was running continuously and slowing the laptop to a crawl, so I disabled it in utter frustration with M$--with the result that I have not had an update to Win2k, IE, or MS Office since April. Also, I had a pending Java update which I hadn't installed. Anyway, any of these omissions probably made me vulnerable...)

Immediately after the infection, I started seeing unexpected popups from "Outerinfo" which was obviously included as one Adware component of the overall Malware payload. I did a quick search here on Tom Coyote and found some instructions for removing Outerinfo, and did so using the Add/Remove Programs tool in the control panel. Somewhere about this time, I saw a popup that wanted me to buy some kind of malware removal tool--obviously part of the payload as well.

In the spirit of removing things in Add/Remove Programs tool that I did not recognize, I removed several other suspicious things.

I then rebooted and opened IE--which was probably a mistake, because then all H*** began to break loose. I was getting multiple popups, and my porn filter was complaining about porn, apparently on my new default home page. I then got several application errors from .exe programs I did not recognize, including g4356cbvy63.exe and vedxg6ame4.exe (both of which are currently running again per the HJT log below). After a few minutes of this, I got the dreaded blue screen of death stating that there was a 0x0000001E "Stop" at 0xC0000005, 0x00000000, 0x00000000, 0x00000000 with the following message: KMODE_EXCEPTION_NOT_HANDLED.

I'm a little foggy as to the exact sequence of events, but I think I then rebooted again, opened IE again, and the blue screen of death happened again. Then on all subsequent reboots, Windows would never get fully rebooted, instead giving me the same blue screen of death shortly after it gave the startup message "preparing network connections" or something like that. Just an aside here, I have since looked in the event manager, and can see messages stating that tcpip.sys and c:\winnt\system32\drivers\netdtect.sys were both being targeted, i.e. "file replacement was attempted" but then Windows "restored" them to "maintain stability". I suspect that this was related to the problem.

Anyway, I WAS still able to boot the machine in safe mode (safe mode with networking gave the blue screen) and because of the snippets of information above, I deduced that the networking was causing the blue screen, so while in safe mode, I disabled my Network "card" and was thus able to finally reboot the machine again in normal mode--but I don't have a network anymore.

I then downloaded HJT onto a floppy using another computer and used the floppy to install it on the sick laptop. However, HJT also seems to be affected by the malware (is that possible??), as it throws an application error (The instruction at "0x017411f3" referenced memory at "0x00000000". The memory could not be "read") every time I attempt to scan and save a log file in one operation. I can successfully do a stand-alone scan, but then when I press the "save log" button, HJT terminates immediately with no error message, no saved log, nothing. But what I have done to capture the "log" is to use a handy screen-to-text capture utility that enabled me to extract my own log from the scan and "running processes" display screens. Then with the appropriate version information from Windows and IE, I was able to piece together a log file.

Anyway, that is how the infection progressed to where I am now. In addition to the clobbered networking and everything else I described above, here are the other symptoms that I have been able to notice:

--The computer is running everything very, VERY slowly.

--My start menu setting (small icons) was reset to large icons.

--I now have a red "X" icon in the lower right portion of my screen (the system tray?) which does not do anything when either right or left clicked, but when hovering over it, the message reads "your computer is infected".

--When pressing CNTL-ALT-DEL, the "Task Manager" button is grayed out. I am, of course, an administrator, so I have always had access to this. But now, I do not. When I press CNTL-ALT-ESC (which should take me directly to Task Manager) I get the error message, "Task Manager has been disabled by your administrator." My user still appears to be an administrator, but the malware has obviously mucked something up here. Maybe it is a setting that I can still reset to its correct value.

--Windows is behaving oddly, trying to hit the floppy drive when I do certain things, like opening Windows explorer. Perhaps this is because I have been transferring things by floppy (in the absence of a network), I don't know. Regardless of this, Windows Explorer has been hanging frequently.

--Something on the computer is constantly, and repeatedly trying to go out to the internet, as I continually get "Work Offline" dialog boxes popping up (since I have no internet connection). Perhaps this is just a normal result when one disables the NIC, or perhaps it is malware related.

Now, here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 10:15:59 AM, on 7/31/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.0.2800.1106)


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINNT\system32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\kilkdth.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\khooker.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe
C:\WINNT\system32\BtUsrBdg.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\retadpu27.exe
C:\WINNT\kilkdthA.exe
C:\winnt\system32\mpdsregm.exe
C:\WINNT\system32\kernelwind32.exe
C:\WINNT\g4356cbvy63.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINNT\system32\dllh8jkd1q2.exe
C:\WINNT\system32\vedxg6ame4.exe
C:\WINNT\system32\dllh8jkd1q6.exe
C:\WINNT\system32\dllh8jkd1q7.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Franklin Covey\Planner\Compass.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\SCREEN~1\OCR.exe
C:\WINNT\hh.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pornograb.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [kilkdthA] C:\WINNT\kilkdthA.exe
O4 - HKLM\..\Run: [{8B-BA-AC-C4-ZN}] C:\winnt\system32\mpdsregm.exe SKY009
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\twinqndt.exe SKY009
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernelwind32.exe
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINNT\g4356cbvy63
O4 - HKCU\..\Run: [Clean Space Tray Agent] C:\PROGRA~1\CLEANS~1\csta.exe startup
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [con] C:\WINNT\system32\dllh8jkd1q2.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINNT\system32\vedxg6ame4.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\TISKY009.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\twinqndt.exe
O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cwalsp.dll
O16 - DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (11.5)) - http://docimg.co.uta...ls/ltocx11n.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136410545968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156483926282
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlonte...2ie06041001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6876935-33DF-4334-B8C3-AE95D8CD0CE9}: NameServer = 68.12.16.25,68.12.16.30
O20 - AppInit_DLLs: :\winnt\system32\ldcore.dll
O21 - SSODL: qqhagoi - {3468BAC5-9EC2-106F-6BCC-BF9A63CA6034} - C:\WINNT\system32\ryh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINNT\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINNT\dls0523pmw.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\kilkdth.exe
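A small triage script for a log like the one above, added here as an example; it is not part of the thread and is not HijackThis code. It parses the R0, O4, O20 and O23 entries and flags the patterns a log reader looks for first: a hijacked start page, Run keys whose executable sits directly in the Windows directory or carries a random-looking name or a name imitating a Windows component, any AppInit_DLLs value, and services with no vendor pointing at an odd binary. The heuristics and their thresholds are my own assumptions, and the sample lines are copied from the log in this post.

```python
import re
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log in the post above,
# mixing clearly legitimate entries (Java updater, MSN Messenger, PGP) with the
# suspicious ones so the heuristics can be seen separating them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pornograb.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernelwind32.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINNT\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O20 - AppInit_DLLs: :\winnt\system32\ldcore.dll
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\kilkdth.exe
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# An executable placed directly in the Windows directory (not in a subfolder) is
# unusual for legitimate software and common for the droppers in this log.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", re.I)
# Run-key names chosen to look like part of Windows ("System", "Service Pack 1", ...).
IMPERSONATION_RE = re.compile(r"\b(system|service pack|windows update)\b", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run-key or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def stem_of(path: str) -> str:
    """File name without directory or extension."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem: str) -> bool:
    """Crude check for machine-generated names such as vedxg6ame4 or g4356cbvy63 (assumed thresholds)."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 8 and digits >= 2 and letters >= 4


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("R0 ", "R1 ")):
            findings.append(Finding("R0/R1", "browser start/search page is set; confirm the user chose it", line))
        elif m := O4_RE.match(line):
            path = exe_path(m["cmd"])
            reasons = []
            if WINDOWS_ROOT_RE.match(path):
                reasons.append("executable sits directly in the Windows directory")
            if looks_random(stem_of(path)):
                reasons.append("random-looking file name")
            if IMPERSONATION_RE.search(m["name"]):
                reasons.append("run-key name imitates a Windows component")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
        elif line.startswith("O20 "):
            findings.append(Finding("O20", "AppInit_DLLs loads a DLL into every process that loads user32", line))
        elif m := O23_RE.match(line):
            path = exe_path(m["cmd"])
            if m["owner"] == "Unknown owner" and (WINDOWS_ROOT_RE.match(path) or looks_random(stem_of(path))):
                findings.append(Finding("O23", "service with no vendor pointing at an odd executable", line))
    return findings


def count_by_section(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above it reports seven entries and leaves the Java, Messenger and PGP lines alone. The heuristics are deliberately conservative: they surface entries for a human to review rather than deciding what to remove, which is how the log helpers on this forum work as well.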



#2 IndiGenus (Teacher Emeritus, Authentic Member, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 01 August 2007 - 11:48 AM

Azkid,

I see you're being helped in another forum, Tech Support Guy. At this link:

http://forums.techgu...ded-severe.html

Please continue to follow the instructions there and I'm going to close this thread here. It doesn't do anyone any good to have 2 people helping you. It would only confuse matters. You do have one of the most seriously infected machines I've ever seen, so good luck!
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [donation image]

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#3 IndiGenus (Teacher Emeritus, Authentic Member, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 01 August 2007 - 11:49 AM

Your post has been Moved, Closed or Edited for one of the following reasons:

1.) You posted multiple topics and only one is required

2.) You are spamming links to other places without approval

3.) You have posted your hijackthis log to the wrong forum:
( http://forums.tomcoy...hp?showforum=27 ) <--- correct forum for HijackThis Logs

4.) Abusive language or other problems in your text

5.) Your log is too old (20 days or more) and no replies from you after a volunteer tried to help you

If you came here for help, and you have not posted a Hijackthis log to the proper forum, then you may do so now. If you came here to spam or abuse, you will be dealt with more harshly on your next offense.

This is a family oriented forum to help those that need help.

==============================


Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php