View Full Version : Not sure whats wrong
Hey just recently I began having alot of problems all at once. For starters my desktop turned into a spyware. Anyway, I ran HiJackThis. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:00:43 PM, on 1/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Raully\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Thanks, ahead of time.
-Raully
CalamityJane
2006-01-16, 02:37
Hi Raully,
*Gasp* You have not even SP1 installed. Do you have any Windows critical security updates? Also, what steps have you taken to clean this PC? Did you run the suggested programs in this post?
http://forums.spybot.info/showthread.php?t=288
I'm always reluctant to start with a HijackThis log on a totally unprotected computer as that should be the last step - not the first, because HijackThis doesn't scan the entire system.
Please do the online scans and the Spybot scan suggested in the link above and then post a fresh HijackThis log for review.
I actually do run alot of security type stuff. I have multiple pop-up stoppers (google and panicware to name some). Also I use to spyware programs, Ad-Aware SE and spybot S&D. Spybot showed that it cleaned all problems when I ran it before posting that log so I decided nothing to post about as far as that is concerned. As far as SP1 (thats the windows security patch right?. If it it I thought I had installed that.
Also I have McAfee for virus protection. I will run everything again and report more fully.
CalamityJane
2006-01-16, 21:17
Ok, well, SP1 would be showing up there in your headers and it isn't. We can come back to that once we get you fixed. Can you post the most recent Spybot Report and a fresh HijackThis log?
Ok. I didn't see a way to get a log file off spybot but what happened was it found Windows.Explorer and Spy Sheriff. It cleaned them both. I also went ahead to install and update windows. It's downloading as I post this.
This is the HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:42:31 PM, on 1/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7a57263d52ef89a3cee46b33df8a0a10\update\update.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Raully\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137435685032
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
CalamityJane
2006-01-16, 23:23
Ok, some other things got cleared out since your last HJT log so that's good :)
You have one mystery file there I'll need to check out.
Please check your private messages at the top (right) of the main forum under the Welcome message. I've sent you my email address and a request to send a file for analysis.
It's this file which is located in the windows folder on your hard drive:
C:\WINDOWS\ba7e468555d.exe <--send this file. See note below to show hidden files to be sure you can see it.
Please put that into a zip file and attach to an email to the address I have provided and I will check to see exactly what that is and if it belongs on your system.
I will get right back to you on whether we need to do something or not.
NOTE: Make sure your PC is configured to show hidden files:
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
............................
Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
....................
To find your Spybot report:
Open Spybot in the Advanced Mode.
Look for *Tools* in the left hand menu and click on that
Look for *View Report*, click on that
On that screen look at the top menu for *View Previous Report* - choose that.
It will open a folder where the Spybot logs are kept. Choose the one that says *fixes* with the most recent date. Attach that file or copy the contents back here for review.
heres the spybot log:
--- Report generated: 2006-01-16 17:44 ---
Spy Sheriff: Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-515967899-1383384898-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=dword:0
Windows.Explorer: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-515967899-1383384898-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=W=0
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-12 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-06 Includes\Cookies.sbi (*)
2006-01-06 Includes\Dialer.sbi (*)
2006-01-06 Includes\Hijackers.sbi (*)
2006-01-06 Includes\Keyloggers.sbi (*)
2006-01-06 Includes\Malware.sbi (*)
2006-01-06 Includes\PUPS.sbi (*)
2006-01-06 Includes\Revision.sbi (*)
2006-01-06 Includes\Security.sbi (*)
2006-01-06 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-06 Includes\Trojans.sbi (*)
CalamityJane
2006-01-17, 01:11
Great! Thanks.
Can you also reboot your PC and scan once more with HijackThis and post a fresh log please?
CalamityJane
2006-01-17, 01:16
Also, from the Spybot report. You're missing the latest update (Jan 13)
Could you also update spybot and do a scan with the newest updates too?
As for not being able to find the file requested
C:\WINDOWS\ba7e468555d.exe
Even after configuring your PC to show hidden files...
Let me see a log from this free tool as well.
Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)
Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
Rootkitrevealer:
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 1/16/2006 8:01 PM 156 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 1/16/2006 8:01 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwLastModified 1/16/2006 8:01 PM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\ba7e468555d.exe 1/11/2006 12:51 PM 37.00 KB Hidden from Windows API.
C:\WINDOWS\ba7e468555d.ini 1/11/2006 12:51 PM 564 bytes Hidden from Windows API.
C:\WINDOWS\ba7e468555ddrv.sys 1/16/2006 2:30 PM 3.39 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\BA7E468555D.EXE-31EF8D36.pf 1/11/2006 12:52 PM 5.70 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\BA7E468555D.EXE-337CCE80.pf 1/16/2006 1:05 PM 18.31 KB Hidden from Windows API.
C:\WINDOWS\system32\ba7e468555d.exe 1/16/2006 2:36 PM 80.08 KB Hidden from Windows API.
I'll send the spybot shortly. if it allows me to update. I know I tried updating twice after the problems started.
Spybot: after update
--- Report generated: 2006-01-16 21:10 ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-12 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-13 Includes\Cookies.sbi (*)
2006-01-13 Includes\Dialer.sbi (*)
2006-01-13 Includes\Hijackers.sbi (*)
2006-01-13 Includes\Keyloggers.sbi (*)
2006-01-13 Includes\Malware.sbi (*)
2006-01-13 Includes\PUPS.sbi (*)
2006-01-13 Includes\Revision.sbi (*)
2006-01-13 Includes\Security.sbi (*)
2006-01-13 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-13 Includes\Trojans.sbi (*)
restarting comp now. sending HiJackThis log ASAP
and finally, the fresh hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:26:00 PM, on 1/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Raully\Desktop\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program
files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137435685032
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel
Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network
Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network
Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network
Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
On a scale of 1-10, how bad does it look? Cause right now its really hard to do anything. Even my notebook program disappeared. Luckily I have wordpad.
CalamityJane
2006-01-17, 19:14
Not good. It appears to be a rootkit and while the registry entries show on HijackThis, the file is hidden from Windows (which is why you couldn't find it).
I'm not a real expert at rootkis but let's try the tools I do know and then if that doesn't work, I'll need to call in some help on this.
1. Scan with HijackThis and checkmark the following entries in the list and then press *fix checked*
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe
2. Download and run the Microsoft Malicious Software Removal tool
(it would be best to run the tool in SAFE MODE)
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Download the Malicious Software Removal tool here:
http://www.microsoft.com/security/malwareremove/default.mspx
If it detects and finds anything to remove let it, and save the report to post back here please.
3. Post a report from this tool
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
!!Do not rename any files yet
4. Also please post a fresh Hijackthis log
Ok I did everything as you said, same order.
First I did the hijack this.
Then the malicious software removal tool. Even though it said it would make a report it was only viewable, but it stated "No malicious software detected". the full report listed some things out and stated "not infected" for all of them.
The blacklight program ran and this is the log:
01/17/06 15:23:13 [Info]: BlackLight Engine 1.0.30 initialized
01/17/06 15:23:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/06 15:23:14 [Note]: 7019 4
01/17/06 15:23:14 [Note]: 7005 0
01/17/06 15:23:17 [Note]: 7006 0
01/17/06 15:23:17 [Note]: 7011 220
01/17/06 15:23:18 [Note]: 7018 1920
01/17/06 15:23:18 [Info]: Hidden process: C:\WINDOWS\ba7e468555d.exe
01/17/06 15:23:18 [Note]: 7018 2144
01/17/06 15:23:18 [Info]: Hidden process: C:\WINDOWS\System32\ba7e468555d.exe
01/17/06 15:23:18 [Note]: 7018 2456
01/17/06 15:23:18 [Info]: Hidden process: C:\WINDOWS\System32\ba7e468555d.exe
01/17/06 15:23:18 [Note]: FSRAW library version 1.7.1014
01/17/06 15:23:29 [Info]: Hidden file: C:\WINDOWS\ba7e468555d.exe
01/17/06 15:23:29 [Note]: 10002 1
01/17/06 15:23:29 [Info]: Hidden file: C:\WINDOWS\ba7e468555d.ini
01/17/06 15:23:29 [Note]: 10002 1
01/17/06 15:23:29 [Info]: Hidden file: C:\WINDOWS\ba7e468555ddrv.sys
01/17/06 15:23:29 [Note]: 10002 1
01/17/06 15:23:40 [Info]: Hidden file: C:\WINDOWS\System32\ba7e468555d.exe
01/17/06 15:23:40 [Note]: 10002 1
01/17/06 15:24:32 [Note]: 7007 0
Then ran hijackthis again, and heres the log:
Logfile of HijackThis v1.99.1
Scan saved at 3:25:55 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Raully\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.wpi.edu:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137435685032
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
There is no visable change so far. I still have things like the spyware desktop background that loads over my background prmpting me to click here to remove the threat. and i also get 2 runtime errors. both say run time arror 229. one at 00413562 and the other at 004133CB.
hope some of this extra info helps.
Thanks for all your help so far.
CalamityJane
2006-01-17, 22:59
Ok, good job! That's interesting. We need to find out what those files are.
Please run Blacklight and this time, let it rename the files it finds.
Please download this free tool called Suspicious File Packer
http://www.safer-networking.org/files/sfp.zip
Unzip the zip and save to your desktop
Doubleclick on sfp.exe
Copy then paste the list below into it and hit continue.
C:\WINDOWS\ba7e468555d.exe.ren
C:\WINDOWS\System32\ba7e468555d.exe.ren
C:\WINDOWS\ba7e468555d.ini.ren
C:\WINDOWS\ba7e468555ddrv.sys.ren
That will create an archive of files called requested-files.... on your desktop that I want you to email to me (by clicking this link)so I can submit to the Spybot team (and others) for analysis {edit: email address removed as no longer needed}
After sending the files, please reboot the PC and post up a fresh hijackthis log.
Note: I edited the list of files so please refresh the page to see the new list
Hope you got the email.
Here's the hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 4:48:49 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raully\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.wpi.edu:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ba7e468555d] C:\WINDOWS\System32\ba7e468555d.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137435685032
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4672/mcfscan.cab
O23 - Service: WindowInstallSystem (ba7e468555dsvr) - Unknown owner - C:\WINDOWS\ba7e468555d.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
CalamityJane
2006-01-18, 00:22
Ok, this is HackerDefender which is a rootkit. Not good :(
I'm not sure at all what else this may have hidden or planted on your PC.
What is a rootkit? In the simpliest of terms, it is technology to hide an attackers tools. Rootkits can prevent detection and removal and in some cases, attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.
Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.
Rootkits: The Obscure Hacker Attack
http://www.microsoft.com/technet/community/columns/sectip/st1005.mspx
Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you. The rootkit makes it worse as your system is no longer trustworthy.
IMHO, You need to disconnect this PC from the internet and from your network if it is on a network. Then, access this information from a non-compromised computer to follow the steps needed.
Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community/columns/secmgmt/sm0704.mspx
:with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)
And that is why I recommend a reformat and reinstall, after saving any important files on your PC to removable media.
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063
.................
If that is not a viable option for you, and you have no choice but to try to "clean" the system, naturally, you'll need to delete all of the files found by Blacklight and also you can delete the "requested-files" archive that you sent to me. But I can't guarantee anything about your system being trustworthy after this.
After that you'll need to reboot and scan again and post a fresh HijackThis log.
I think you'll need to revisit all of the scans done previously too (Spybot, Housecall, etc.)
These were the results from a scan of one of the files from Virus Total
This is a report processed by VirusTotal on 01/17/2006 at 22:53:21 (CET) after scanning the file "ba7e468555d.exe.ren" file.
Antivirus Version Update Result
AntiVir 6.33.0.77 01.17.2006 BDS/HacDef.BJ
Avast 4.6.695.0 01.17.2006 no virus found
AVG 718 01.17.2006 BackDoor.Generic.MTB
Avira 6.33.0.77 01.17.2006 BDS/HacDef.BJ
BitDefender 7.2 01.17.2006 Backdoor.Hacdef.BJ
CAT-QuickHeal 8.00 01.17.2006 Backdoor.HacDef.bj
ClamAV devel-20051123 01.17.2006 no virus found
DrWeb 4.33 01.17.2006 BackDoor.HackDef.117
eTrust-InoculateIT 23.71.51 01.17.2006 Win32/Hackdef.37888!Trojan
eTrust-Vet 12.4.2046 01.17.2006 Win32/HacDef.E
Ewido 3.5 01.17.2006 Backdoor.HacDef.bj
Fortinet 2.54.0.0 01.17.2006 W32/HacDef.BJ-bdr
F-Prot 3.16c 01.16.2006 security risk named W32/Hackdef.FD
Ikarus 0.2.59.0 01.17.2006 Backdoor.Win32.HacDef.BJ
Kaspersky 4.0.2.24 01.17.2006 Backdoor.Win32.HacDef.bj
McAfee 4676 01.17.2006 HackerDefender
NOD32v2 1.1369 01.17.2006 Win32/HacDef
Norman 5.70.10 01.17.2006 W32/Hacdef.AP
Panda 9.0.0.4 01.17.2006 Bck/Hackdef.AI
Sophos 4.01.0 01.17.2006 no virus found
Symantec 8.0 01.17.2006 Backdoor.HackDefender
TheHacker 5.9.2.075 01.17.2006 no virus found
UNA 1.83 01.17.2006 Backdoor.Hacdef
VBA32 3.10.5 01.17.2006 Backdoor.Win32.HacDef.bj
Sounds like I need to reformat then. But how do I know any files I transfer to say a second hard drive, doesnt have some of this 'problem' attached to it?
I would like to save my songs and pictures and necessary school work and work from work.
Can I wipe my second hard drive clean, transfer everything I want to save, unplug the second hard drive and reformat the first hard drive and install the fresh OS?
CalamityJane
2006-01-18, 03:38
Sounds like I need to reformat then. But how do I know any files I transfer to say a second hard drive, doesnt have some of this 'problem' attached to it?
I would like to save my songs and pictures and necessary school work and work from work.
Can I wipe my second hard drive clean, transfer everything I want to save, unplug the second hard drive and reformat the first hard drive and install the fresh OS?
Scan the files you save with a freshly updated AV program first before you add them.
format complete.
I ran hijackthis to see if that ba......etc file was still around and it is not.
Thanks for all your help.
-Raully
CalamityJane
2006-01-18, 21:41
Great, glad to hear it and you can be more certain of a clean system now.
You need to turn ON the windows firewall if you're not behind a router or have a software firewall. And then run, do not walk, to Windows update and grab SP2 and any other critical security updates recommended before going surfing or doing anything really.
That said, let me leave you with some advice on prevention:
I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
"So, how did I get infected in the first place?" (by Tony Klein)
http://forums.spybot.info/showthread.php?t=279
Service Pack 2 for XP is now available and it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp
And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/iesecxp.mspx
I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
Microsoft also has a free Antispyware program that offers resident protection to prevent infections as well. I do recommend it as an extra layer of protection for you.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Hello, this topic will now be archived.
Best wishes. :)