creative Posted October 10, 2011

Is anyone able to tell me what I'm missing in a HijackThis log? I have a PC that has a browser hijacker virus/malware. I have tried everything to beat this thing but it's proving to be a stubborn fella! It turns off AV and doesn't allow installation of AV or anti-malware progs. I have tried installing MWB from USB, which worked up until it scans the infected file and promptly closes down without a log. If I then click the MWB exe it won't work. Tried SAS from USB and same thing, gets to the file and closes. I have managed to get HijackThis to run from USB and there is an exe, 2028550879:549787271.exe, that runs at startup in normal and safe mode. Searching for this exe results in nothing, but if I search for the second bunch of numbers it finds a file. I have deleted this file and manually removed the entries in the registry. I can't find any other traces of this file and reboot..... But it self-installs again and I'm back to square one. I haven't come across this one before and it's got me stumped! It also causes IE to randomly open and try to connect to the web. Firefox works until I search for any kind of AV and it just gets hijacked and starts redirecting to adverts. Format is not an option on this PC and it's running XP Pro. Any ideas?
creative (Author) Posted October 10, 2011

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:51:56 PM, on 10/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\2028550879:549787271.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wuauclt.exe
F:\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Device Error Recovery Service (dgdersvc) - Devguru Co., Ltd. - C:\WINDOWS\system32\dgdersvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

-- End of file - 6029 bytes
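An added triage script for logs like the one above (editor's example; it is not part of the thread and not HijackThis code). It runs over a constructed excerpt of the posted log and flags the three things a practitioner would look at first: a process image whose path carries a second colon, which is NTFS alternate data stream syntax (file:stream) and therefore names a stream that Explorer and a normal file search will not show as a file; a digits-only image name sitting directly in %WINDIR%; and a security product's service (here MsMpSvc) still registered but reported as "(file missing)". It also lists remote-access services (VNC, TeamViewer) as informational, since on a compromised host they are an easy way back in. The security-service names and remote-access keywords are lists assumed for the example, not anything the thread states.

```python
"""Triage a HijackThis log for indicators worth a second look.

Editor's added example; not part of the original thread or of HijackThis.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the log posted in this thread (trimmed to a few
# lines; backslashes are doubled only because this is a Python string literal).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\2028550879:549787271.exe
C:\\Program Files\\TightVNC\\WinVNC.exe
F:\\HijackThis.exe
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\TightVNC\\WinVNC.exe" -servicehelper
O23 - Service: Microsoft Antimalware Service (MsMpSvc) - Unknown owner - c:\\Program Files\\Microsoft Security Client\\Antimalware\\MsMpEng.exe (file missing)
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\\Program Files\\TightVNC\\WinVNC.exe
-- End of file - 6029 bytes
"""

# A Windows path has exactly one colon, right after the drive letter.  A second
# colon inside the final component is NTFS alternate-data-stream syntax
# (file:stream): the process is running from a stream attached to "2028550879",
# not from a file that a directory listing or Explorer search will show.
ADS_PATH = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\:]+$")

# A digits-only image name directly in %WINDIR% is not how legitimate software
# installs itself.
NUMERIC_IN_WINDIR = re.compile(r"^[A-Za-z]:\\WINDOWS\\\d+(?::\d+)?\.exe$", re.IGNORECASE)

# Security products whose service binary reported "(file missing)" is consistent
# with the AV tampering the poster describes.  Assumed list for this example.
AV_SERVICE_NAMES = ("MsMpSvc", "McShield", "avast", "AVGIDSAgent")

# Remote-access services are not malicious in themselves, but on a compromised
# host they are an easy way back in.  Assumed keyword list for this example.
REMOTE_ACCESS_HINTS = ("vnc", "teamviewer", "logmein", "ammyy")

Finding = Tuple[str, str, str]  # (severity, log line, reason)


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order: process-list hits first, then O23 hits."""
    findings: List[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "processes"
            continue
        if re.match(r"^O\d+ - ", line):
            section = "entries"
        if section == "processes" and re.match(r"^[A-Za-z]:\\", line):
            if ADS_PATH.match(line):
                findings.append(("high", line, "process image is an NTFS alternate data stream"))
            elif NUMERIC_IN_WINDIR.match(line):
                findings.append(("high", line, "digits-only image name in %WINDIR%"))
            continue
        if section == "entries" and line.startswith("O23 - Service:"):
            low = line.lower()
            if "(file missing)" in low and any(n.lower() in low for n in AV_SERVICE_NAMES):
                findings.append(("high", line, "security product service registered but binary missing"))
            elif any(h in low for h in REMOTE_ACCESS_HINTS):
                findings.append(("info", line, "remote-access service present; confirm it is expected"))
    return findings


def main() -> None:
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}\n    {line}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the three findings for the embedded excerpt, or pass the full saved log text to triage() to check every process and service line. The ADS check is the one that answers the poster's question about why a search for the full name finds nothing while the second number does: a file search matches file names, and the part after the colon is a stream name, not a file name.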
RobUK Posted October 10, 2011

I have killed this a couple of times now. You need to get Task Manager running and find out the name of the exe. It changes each time, so don't think you can find the same thing. Once you know the name you need to kill the task and delete the file in a command prompt; this appears to be the only thing it cannot track.... Then delete all temporary file directories and install AV.... Good luck....
creative (Author) Posted October 10, 2011

That's the problem. I can't close this suss exe in Task Manager. Whenever I try and run ANY AV or malware tool it closes it down. If I can get it to install... MWB for example, it will scan, shut down and I won't have permission to run/uninstall the exe. Tried to find the exe file through Linux with no joy. Pulling my hair out on this one! Lol
scotty71 Posted October 10, 2011

Bite the bullet and do a clean install.
creative (Author) Posted October 10, 2011

That is also a problem. It's a work PC. It has certain progs set up that use this PC as a host PC. Think I will have to make a few phone calls to see if they can be moved to a server. I'm fairly tech savvy but it's looking more and more like a format is going to happen.
Abz Posted October 10, 2011

I'll have a proper look when I am in the office (en route at the moment). Though if it is as bad as it sounds you need to get that PC rebuilt. AV will strip out as much of the malware as it can, or parts of it, but in the process of the malware attacking your PC it would have already caused a trail of devastation. Registry files would be corrupt, core system files could be corrupt, it could affect data too. Can you in the meantime get onto the PC and use the mouse, open applications etc.? If so, start jotting down the programs you need and if possible get critical data off (when you get data off you need to ensure it is scanned on an isolated machine before copying back to anything).
stevie_b Posted October 10, 2011

I agree that the best thing would be to get the PC rebuilt, but if it were me and I wanted to avoid that then I would try to identify the virus. Is there any behaviour or text that you can google to find out what it is?
creative (Author) Posted October 10, 2011

That's what I have been doing Stevie. I think I have found what it is... ZeroAccess rootkit. Nasty little bugger it is by what I read! There is a fix for it but quite frankly I think a format is in order! I still have use of the PC for now so I will be backing everything up to the server that I need and also a few phone calls to the program developers to see if I can move the important stuff across to the server with minimal fuss. I might even get them to reinstall onto the server and set this PC up as a client instead, just in case. First time I have come across something this hard to get rid of though!
creative (Author) Posted October 10, 2011

That's what I have been doing Stevie. I think I have found what it is... ZeroAccess rootkit. Nasty little bugger it is by what I read! There is a fix for it but quite frankly I think a format is in order! I still have use of the PC for now so I will be backing everything up to the server that I need and also a few phone calls to the program developers to see if I can move the important stuff across to the server with minimal fuss. I might even get them to reinstall onto the server and set this PC up as a client instead, just in case. First time I have come across something this hard to get rid of though!
stevie_b Posted October 10, 2011

I heard you the first time. Glad you found what it is. At least you can read up on what it does, and have taken a view on whether it's salvageable or not.
creative (Author) Posted October 10, 2011

> I heard you the first time. Glad you found what it is. At least you can read up on what it does, and have taken a view on whether it's salvageable or not.

I blame this stupid iPad I'm on! Lol It's quite a bad one from what I can read and is a pain in the butt to remove. Best dig my XP CD out I think! Lol
Angarak Posted October 10, 2011

If you can get MalwareBytes on a USB stick and rename the exe to something innocent you may be able to install it without it being attacked. Some trojans look for AV/malware removers by their EXE name (mbam.exe, etc.), so renaming the EXE file before running it can get around it.
creative (Author) Posted October 11, 2011

Tried all that Angarak. I am fairly savvy when it comes to PCs but this one had me stumped! Apparently you can get through it via ComboFix but tbh I can't be bothered! It will take exactly the same amount of time and effort to format and at least I know it will be clean then, especially seeing as this is a work PC attached to a network.