Nasty, Nasty hard one


#1 zyxwv88

Posted 27 July 2004 - 07:49 PM

Ok, I'm not a newbie to virus/spyware removal but this one really is a toughie.

I have something that will shut down cmd, task manager, and regedit (although running command.com will still give me a command prompt. Guess he missed that one).

It also loads with Windows. If I go into safe mode, it still shuts everything down. It doesn't seem to be any of the usual strains of spyware that I'm used to dealing with, and it doesn't seem to be the look2me one that loads with Windows.

As you will see from the HijackThis log, there are a number of suspicious entries, but they like to keep coming back when I remove them.

Also, if someone with advanced knowledge could give me a heads up: what are the possible ways of loading a program in safe mode? I did a check of the winlogon processes that I remember at least one piece of spyware in the past using, but I'm not seeing anything that isn't a legit part of Windows.

I also just finished removing the sasser, blaster, dcomprc.gen trojan, and sbot worm, although none of them have the capabilities to start in safe mode and do all the screwing around that this one does.

Any assistance would be greatly appreciated. Oh, and if someone could post a link for the program that works like task manager that can be downloaded. I know I saw that once, but I can't find it again.

edit - And no, this isn't my system. I'm smart enough to keep my systems from getting infected and screwed up this badly. :)

Logfile of HijackThis v1.97.7
Scan saved at 6:48:35 PM, on 7/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
\Programmer\TECH\Virus Repair tools\STINGER.EXE
\Programmer\TECH\Software\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [iinetinfo] INETINFO.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [iinetinfo] INETINFO.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = id.calvarychapelboise.org
O17 - HKLM\Software\..\Telephony: DomainName = id.calvarychapelboise.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = id.calvarychapelboise.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = id.calvarychapelboise.org

Edited by zyxwv88, 28 July 2004 - 01:46 AM.

#2 zyxwv88

Posted 28 July 2004 - 01:46 AM

No ideas on this one?

#3 zyxwv88

Posted 30 July 2004 - 12:30 PM

Hasn't anyone run up against this before?

#4 zyxwv88

Posted 02 August 2004 - 03:52 PM

I have determined that the inetinfo.exe that is tying into the explorer is spyware beyond a doubt. Normally this is a legit Windows file, although usually just on win2k servers. It re-adds itself to the system whenever I remove it. The person decided they wanted the system back before I finished fixing it, so I didn't find a solution to extract it, but I do know for a fact that the inetinfo.exe was a problem.

The difference between this and the standard REAL inetinfo is that the real one is in the Windows /inet/ folder or something like that, and this one is in the Windows folder and it somehow ties itself into the OS to load during startup.

Edited by zyxwv88, 02 August 2004 - 04:02 PM.
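As an added example (not code from the thread or any of its participants): a small Python check over the O4 autostart lines from the log posted above. It flags entries whose image is a bare filename (so the log does not pin down which file on disk runs), names on a constructed watchlist of server-role binaries such as inetinfo.exe, and a value name registered under more than one autostart key, which is the pattern in this log that matches the "re-adds itself" behaviour described. The watchlist and reason strings are assumptions made for this example.

```python
import re
from collections import defaultdict

# Autostart (O4) lines copied from the HijackThis log posted earlier in this thread.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [iinetinfo] INETINFO.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [iinetinfo] INETINFO.EXE
"""

# Constructed watchlist (an assumption for this example): server-role system binaries
# that have no business autostarting from a Run key on an XP workstation.
SERVER_ROLE_BINARIES = {"inetinfo.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.exe)', re.IGNORECASE)

def parse_o4(line):
    """Split one O4 line into hive, key, value name and the image path that actually runs."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    img = IMAGE_RE.match(entry["cmd"])
    # Cut the command at the first .exe so unquoted paths with spaces (as in this log) survive.
    entry["image"] = img.group("image") if img else entry["cmd"].split()[0]
    return entry

def flag_entries(log_text):
    """Return {value name: [reasons]} for O4 entries that deserve a second look."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    keys_by_name = defaultdict(set)
    for e in entries:
        keys_by_name[e["name"]].add((e["hive"], e["key"]))
    flags = {}
    for e in entries:
        reasons = []
        base = e["image"].rsplit("\\", 1)[-1].lower()
        if "\\" not in e["image"]:
            # A bare name is resolved through the search path at logon, so the log
            # does not tell you which file on disk is really being started.
            reasons.append("bare image name")
        if base in SERVER_ROLE_BINARIES:
            reasons.append("server-role binary on a workstation")
        if len(keys_by_name[e["name"]]) > 1:
            reasons.append(f"registered under {len(keys_by_name[e['name']])} autostart keys")
        if reasons and e["name"] not in flags:
            flags[e["name"]] = reasons
    return flags

if __name__ == "__main__":
    for name, why in flag_entries(HJT_O4_LINES).items():
        print(f"{name}: {', '.join(why)}")
```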
