I've been hijacked...is it a worm?


  • This topic is locked
15 replies to this topic

#1 Alissa

Alissa

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 07 July 2004 - 04:12 PM

Hi,

The day after I got my PC Norton Antivirus detected two worms...W32.Spybot.Worm and a W32.HLLW.Gaobot.gen worm. It eventually removed them and I hoped I wouldn't have to clean up the registry.

In the meantime, I have a nasty browser hijacker program. I've run Ad-Aware, Spybot S&D, and SpySweeper, and various nasties were removed. I ran HijackThis since I still had the problem. I read your postings about how to remove spyware and hijackers, and have done all those things with no luck. My HijackThis log looks okay as far as I have been able to see....

So, my question is, is my problem due to those two worms, and if so, will it be resolved if I disable system restore and scan the registry? I'm not sure what to look for when I do.

Here is a copy of my HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 11:53:02 AM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ImageIt\ItRun.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinIt] C:\Program Files\ImageIt\ItRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2DA5CF4-1B08-4B47-8048-9C87C7425CE7}: NameServer = 209.193.4.7 209.193.4.8

thanks so much for your help!

Alissa

#2 RubbeR DuckY

RubbeR DuckY

    Marcin

  • Developer
  • PipPipPipPipPip
  • 878 posts

Posted 07 July 2004 - 04:23 PM

It doesn't look like there's anything nasty in your logfile, other than your homepage being down :-p. Anyway, I'd suggest doing an online scan, which is updated more frequently.

Housecall
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 thesh

thesh

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 07 July 2004 - 04:26 PM

You need to do Windows Updates as soon as possible, so you don't get reinfected.

#4 thesh

thesh

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 07 July 2004 - 04:27 PM

You can also run Cwshredder to get rid of the Hijacks.

#5 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 07 July 2004 - 05:59 PM

CWShredder will not get rid of the hijacks... Please wait for qualified help....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#6 sardak

sardak

    I know everything.

  • Full Member
  • Pip
  • 14 posts

Posted 07 July 2004 - 08:03 PM

...

Running processes:
C:\WINDOWS\System32\taskmngrs.exe

...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.downloadthis.com
...
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
...
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
...
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2DA5CF4-1B08-4B47-8048-9C87C7425CE7}: NameServer = 209.193.4.7 209.193.4.8

It doesn't look like there's anything nasty in your logfile, other than your homepage being down :-p. Anyway, I'd suggest doing an online scan, which is updated more frequently.


C:\WINDOWS\System32\taskmngrs.exe
Well, obviously this is supposed to be there because the startup name for it is "Windows Update Machine," right? I think not.

As for the name servers entry, it appears that they are being hardcoded into your network connection. The IP addresses given (209.193.4.7, 209.193.4.8) map out to ns1.acsalaska.net and ns2.acsalaska.net. If you're using ACS for internet access, that's fine, but I would have thought DHCP would have covered that for them.

And, yes, the homepage is down, but it appears to be a legitimate site from the WHOIS query, assuming you visit Canadian websites often.

#7 sardak

sardak

    I know everything.

  • Full Member
  • Pip
  • 14 posts

Posted 07 July 2004 - 08:06 PM

CWShredder will not get rid of the hijacks... Please wait for qualified help....

Interesting, since a quick google search provides the following product description:

PRODUCT DESCRIPTION

A small utility for removing CoolWebSearch (aka CoolWwwSearch, YouFindAll, White-Pages.ws and a dozen other names).

Spybot S&D tends to forget essential parts of the hijack, so until it updates, you can just use this to completely remove the hijack. Updated to remove the new variants once they come out.

More information on the CWS hijacker, including recent variants of it, can be found here.

This tool will find and destroy all traces of the CoolWebSearch (CWS) hijacker on your system.


Maybe try researching the application a bit before posting blatantly false information?

#8 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,305 posts

Posted 07 July 2004 - 09:49 PM

sardak,

You clearly believe that you know more than you do... CWShredder is a wonderful tool if the log has CWS in it.. This one does not... It does have other malware that needs attention which is why I asked Alissa to wait for qualified help...

If you want to learn how to deal with malware I suggest you join Boot Camp and get some training in it rather than going around making statements that are provocative, but inaccurate...

And Alissa I still suggest you wait for qualified help...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#9 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 07 July 2004 - 10:15 PM

sardak, CWShredder was written and is maintained by one of our own Developers, so we know exactly what it does and doesn't do. Please stay out of the helping threads. If you want to help here, then sign up for training: http://www.spywarein...hp?showtopic=34

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE


#10 sardak

sardak

    I know everything.

  • Full Member
  • Pip
  • 14 posts

Posted 08 July 2004 - 12:15 AM

sardak, CWShredder was written and is maintained by one of our own Developers, so we know exactly what it does and doesn't do. Please stay out of the helping threads. If you want to help here, then sign up for training: http://www.spywarein...hp?showtopic=34

Sorry, but I don't need any training. I've got about 16 years of computer experience under my belt, including software development, hardware repair, network administration and just about any other related field.

Also, I'm well aware of the origin of CWShredder, and it's my fault for misunderstanding the context to which I replied. Upon originally reading through, it sounded as though the person was saying that CWShredder would be effective, but would not remove "the" hijack.

It's obvious that there is quite a rigid policy as far as providing the same redundant answers and methods regardless of situation, and you don't take kindly to those who think outside of your box. I can understand the desire to make sure accurate, useful, and most of all, non-malicious suggestions and solutions are provided, but you might try actually considering the validity of someone's suggestion before simply shooting it down with your blanket statement of "join boot camp."

I do this for 10 hours a day professionally and get paid for it, I just happened to stumble on the site and decided to offer my recommendations, but if they're not welcome, that's fine; I have better things to do with my time.

I will admit that some of my comments may have been misconstrued as derogatory towards your administrative staff. I meant no offense to the person(s) involved, as it was aimed more at your policy than at any particular individual.

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 08 July 2004 - 09:42 AM

Your help will be more than welcome once you join the helper program. Anyone with strong knowledge and skills will quickly rise to Helper or higher. In the meantime we prefer that you do not intervene in the helping threads.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE


#12 Gwyrox732

Gwyrox732

    Gwy|is|here

  • Helper
  • PipPipPipPipPip
  • 514 posts

Posted 08 July 2004 - 03:05 PM

At the risk of spamming this thread any more (my apologies to the author of this thread):

I don't recall anything in your usage policy that says someone who has a valid answer can't offer it.

We generally don't mind if a member offers valid help, but fixing that O17 would've broken the poster's connection. And CNM is qualified to judge you (on this particular forum/board) because she is an admin, and you don't screw with the admins.
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!

#13 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 09 July 2004 - 02:35 PM

Alissa, I am sorry that your post should have been interrupted for that!

If you are still watching this post, then there are a couple of things in your original log that need to be fixed.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe

Reboot, and delete the file taskmngrs.exe.

Please post a fresh HijackThis log, and say if your problems persist.

Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#14 Alissa

Alissa

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 11 July 2004 - 02:09 AM

Boys, I appreciate all the attention...

When I reopened HijackThis and made a new log, taskmngrs.exe had vanished. ?!?! In a search, I found taskmngrs.exe-OF776703.pf in C:\windows\prefetch and the file C:\windows\system32\taskmngrs. I have not been hijacked yet today, but my husband was last night and I've no reason to think that anything's changed.

Here is the new log:

Logfile of HijackThis v1.98.0
Scan saved at 10:49:22 PM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ImageIt\ItRun.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\lsasse.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\6-in-1 USB Card Reader Driver v1.8b\Disk_Monitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinIt] C:\Program Files\ImageIt\ItRun.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab


BTW, my fault on the previous <downloadthis.com> website. And ACS is my ISP service provider. Also, I did do the updates...oops.

So...what now? And can someone answer my question about the relationship between a worm and a trojan?

thanks again! ;) Alissa

#15 Alissa

Alissa

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 13 July 2004 - 04:18 PM

The hijacking problem is back again today, but still no sign of taskmngrs.exe in my log (same as above).

Can someone please help?

thank you, Alissa

#16 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 13 July 2004 - 04:55 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe

Reboot and delete the file lsasse.exe.

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
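As an added example (not HijackThis, nor any tool of the forum's helpers) of the triage sardak and dave38 did by eye across both of Alissa's logs: a small parser that reads the registry O4 lines and flags the pattern seen here, a bare filename registered under several Run keys with a Windows-sounding label and a name that is a near miss of a real system binary (taskmngrs.exe, lsasse.exe). The sample lines are constructed from the two logs in this thread; the allowlist of system binary names and the 0.8 similarity threshold are assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Windows XP binaries whose names malware imitates; an assumed, illustrative
# allowlist rather than an exhaustive one.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "taskmgr.exe", "iexplore.exe"}

# Matches registry-based O4 lines such as
#   O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")

# Constructed sample: entries copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] lsasse.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] lsasse.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] lsasse.exe
"""

def looks_like_system_binary(name):
    """True if name is a near miss of a real system binary (lsasse vs lsass)."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(SequenceMatcher(None, name, real).ratio() >= 0.8
               for real in SYSTEM_BINARIES)

def analyze_o4(log_text):
    """Return {command: [reasons]} for O4 entries that deserve a closer look."""
    locations = defaultdict(set)   # command -> registry keys it is registered in
    labels = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, label, command = m.groups()
            locations[command].add(hive + "\\" + key)
            labels[command] = label
    findings = {}
    for command, keys in locations.items():
        path = command.strip('"')
        bare = "\\" not in path   # no directory given: resolved via the search path
        reasons = []
        if bare and len(keys) >= 2:
            reasons.append("bare filename registered in %d keys: %s" % (len(keys), sorted(keys)))
        if bare and re.search(r"microsoft|windows|update", labels[command], re.I):
            reasons.append("label '%s' imitates Windows but names no path" % labels[command])
        if looks_like_system_binary(path.split("\\")[-1]):
            reasons.append("filename is a near miss of a real system binary name")
        if reasons:
            findings[command] = reasons
    return findings
```

Calling analyze_o4(SAMPLE_LOG) reports taskmngrs.exe and lsasse.exe with three reasons each and leaves ccApp.exe and carpserv.exe alone, matching the entries dave38 told Alissa to fix.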



