PCMech Forums > Windows Support > Windows Legacy Support (XP and earlier)
Old 03-20-2005, 12:34 PM   #1
Chiquito (Member)
Hi-jacked-!!!

Hello, I guess it's my turn. Last night I was on the internet and something flashed on the screen before my eyes and then the whole system crashed, I mean it did not even reboot, just out. I rebooted and the M$ window came up that Windows has just recovered from a serious error, would I like to send a report? I clicked no, then another window comes up that I had a corrupted file in my "desktop.ini" or it was corrupted. Anyway I ran all of the spyware and virus utilities and nothing. Now I keep getting a window where the O/S is trying to connect to the internet. Since I always physically disconnect from the modem it can not connect, so when this window comes up that it can not connect to the internet I just click cancel and it disappears for about 30 seconds. So every 30 seconds it tries to connect by itself. I tried changing the settings in network connections but nothing seems to affect it. I downloaded HijackThis and ran a scan and it comes up clean. Any ideas short of a reinstall? Thank you Chiquito!!!
Old 03-20-2005, 01:14 PM   #2
glc (Forum Administrator)
If you have done all the prerequisites in the sticky thread in the Security forum, feel free to post your HJT log.
Old 03-20-2005, 02:18 PM   #3
Chiquito (Member)
Hi-jacked-!!!

Did not get a log because I don't understand all the codes or words or what they mean; if it's important I will get a log. The other thing, if you know, is HijackThis used to be free, now it takes you to another page and they want $29.95, so in desperation I downloaded M$ beta anti-spyware and nothing. As long as I'm connected to the web everything is fine; as soon as I disconnect it goes nuts, or is driving me nuts. If you think that that log is important I will get it! Thank you Chiquito !!!
Old 03-20-2005, 02:47 PM   #4
Force Flow (Staff)
hijackthis is and always has been free. I don't know what page you were looking at.

http://www.spywareinfo.com/~merijn/downloads.html

Scroll down a bit to get to the hijackthis download links.
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.
Old 03-20-2005, 05:41 PM   #5
glc (Forum Administrator)
Quote:
I downloaded Hi-jack this and ran a scan and it comes up clean.
Quote:
I don't understand all the codes or words or what they mean
Then how do you know it's clean?

Save the log and post it, please.
Old 03-20-2005, 06:59 PM   #6
Chiquito (Member)
Hi-jacked-!!!

You peeps are right, I went for HijackThis and got CWShredder instead. I thought they had just changed their name. I will have to install HJThis and run it again. Thanks and I'll post it, Chiquito!!!
Old 03-20-2005, 07:21 PM   #7
Chiquito (Member)
Hi-jacked-!!!

Got it:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:29 PM, on 3/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
G:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
G:\Program Files\RFA\rfagent.exe
G:\Program Files\Microsoft AntiSpyware\gcasServ.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
G:\Program Files\Messenger\msmsgs.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
G:\Program Files\SpywareGuard\sgmain.exe
G:\Program Files\program\soffice.exe
G:\Program Files\OpenOffice.org 1.9.65\program\soffice.exe
G:\Program Files\OpenOffice.org 1.9.65\program\soffice.BIN
G:\Program Files\SpywareGuard\sgbhp.exe
G:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
G:\Documents and Settings\3\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.******.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - G:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [rfagent] G:\Program Files\RFA\rfagent.exe
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\System32\ctfmon.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = G:\Program Files\program\quickstart.exe
O4 - Startup: OpenOffice.org 1.9.65.lnk = G:\Program Files\OpenOffice.org 1.9.65\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = G:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

O.K. this is the file, and I still can't read it!!!

Last edited by Chiquito; 03-20-2005 at 07:24 PM.
Old 03-20-2005, 08:13 PM   #8
bigz (Member)
Boy o boy, u use way too many anti-spyware tools....
Old 03-20-2005, 10:20 PM   #9
Chiquito (Member)
Hi-jacked-!!!

Bigz, maybe I do use too many spyware tools, but since I'm a little on the ignorant side of computing, if one don't get it the other one does. Except for this time!!! If you are not in the know like Glc or Forceflow and Villarosa and you have to depend on someone that knows next to nothing like myself, or all the sales ads that are not that accurate, one doesn't have much of a choice. In seven months I've been hit really bad and I've had to do three reinstalls, and you know where it happened, right here at PCMech. The first two times I was lurking and the other night I was coming to surf the site. Now I know it's not this site that's doing it, but why a tech site instead of a porno site or sales ad site? Who knows, it's just that you never know. Anyway do you have any idea of one spyware tool that gets it all? Can you read the above code? Either way thanks for posting your opinion, Chiquito!!!
Old 03-20-2005, 10:33 PM   #10
glc (Forum Administrator)
Your log is clean, but there are several items that could legitimately be looking for Internet access to check for updates. You have 2 resident antivirus apps and 3 resident antispyware apps; this is not only overkill, they are all fighting each other. Pick ONE of each to run in the background, and get that Registry First Aid out of the startup.
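As an added illustration (my code, not from the thread, HijackThis or any of the products named), a small Python parser for the O4 and O23 lines of a log in the format posted above: it lists the autostart entries, counts the resident antivirus, antispyware and firewall products by executable name (the overlap glc points out) and flags entries worth a second look, such as a service whose file is missing. The sample log is a constructed excerpt of the one posted; the product table and the "constructed_entry" line are my assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the HijackThis 1.99 log format posted in this thread. The
# "constructed_entry" line is made up to exercise the user-writable-folder check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "G:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] "G:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = G:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKCU\..\Run: [constructed_entry] G:\Documents and Settings\3\Local Settings\Temp\constructed.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Line shapes HijackThis uses for Run-key entries, Startup-folder shortcuts and services.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")

# Executable name -> (category, product); assumed table for the products in the thread's log.
PRODUCTS = {
    "avgcc.exe": ("antivirus", "AVG"), "avgamsvr.exe": ("antivirus", "AVG"),
    "ashserv.exe": ("antivirus", "avast!"), "ashmaisv.exe": ("antivirus", "avast!"),
    "gcasserv.exe": ("antispyware", "Microsoft AntiSpyware"),
    "spysweeper.exe": ("antispyware", "Spy Sweeper"), "sgmain.exe": ("antispyware", "SpywareGuard"),
    "zlclient.exe": ("firewall", "ZoneAlarm"), "vsmon.exe": ("firewall", "ZoneAlarm"),
}

# Folders any user can write to; installed software rarely autostarts from them.
USER_WRITABLE = ("\\temp\\", "\\temporary internet files\\")

def executable_path(cmd):
    """Pull the program path out of a command line the way HijackThis prints it."""
    if cmd.startswith('"'):                        # quoted path, arguments after the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)  # unquoted: take up to the first .exe
    return m.group(0) if m else cmd.split(" ")[0]

def parse_entries(log_text):
    """One dict per O4/O23 line: kind, hive, name, owner, cmd, path and lower-case exe."""
    entries = []
    for line in log_text.splitlines():
        for kind, rx in (("run", RUN_RE), ("startup", STARTUP_RE), ("service", SERVICE_RE)):
            m = rx.match(line.strip())
            if m:
                e = m.groupdict()
                e.setdefault("hive", "service")
                e.setdefault("owner", "")
                e["kind"] = kind
                e["path"] = executable_path(e["cmd"])
                e["exe"] = e["path"].rsplit("\\", 1)[-1].lower()
                entries.append(e)
                break
    return entries

def review_flags(entry):
    """Reasons an entry deserves a second look; an empty list means nothing stood out."""
    flags = []
    if "(file missing)" in entry["cmd"]:
        flags.append("registered but the program file is missing")
    if entry["cmd"].count('"') % 2 == 1:
        flags.append("unbalanced quote in command line")
    if any(marker in entry["path"].lower() for marker in USER_WRITABLE):
        flags.append("starts from a user-writable folder")
    return flags

def resident_products(entries):
    """Distinct security products that load at boot, grouped by category."""
    found = defaultdict(set)
    for e in entries:
        if e["exe"] in PRODUCTS:
            category, product = PRODUCTS[e["exe"]]
            found[category].add(product)
    return {category: sorted(names) for category, names in found.items()}

def summarise(log_text):
    """Autostart entries, resident products per category and entries flagged for review."""
    entries = parse_entries(log_text)
    flagged = {e["name"]: review_flags(e) for e in entries if review_flags(e)}
    return {"entries": entries, "resident": resident_products(entries), "flagged": flagged}

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(report["resident"], report["flagged"], sep="\n")
```

On the sample this reports two antivirus and three antispyware products resident, and flags the mail-scanner service (file missing, stray quote) and the constructed Temp-folder entry.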
Old 03-21-2005, 02:45 AM   #11
Chiquito (Member)
Hi-jacked-!!!

Glc, thank you, and how do I go about doing that? How do I get Registry First Aid out of the startup? And the other apps, how do I stop them so they do not run in the background but I can activate them when needed? Thank you Chiquito!!!
Old 03-21-2005, 05:10 AM   #12
Jaggannath (Gremlin Overlord)
Go into "run" in your start menu and type in 'msconfig'
Then go into the start-up tab and disable the programs you don't want running.
I think, though, that glc meant to remove them altogether; you really don't need them.
Old 03-21-2005, 09:47 AM   #13
glc (Forum Administrator)
You can stop all the spyware apps from running at startup somewhere in each program's options/preferences. I'd personally leave the M$ one running and use the others as manual scanners only. Same with the antivirus, pick one for real time protection. Registry First Aid should be able to be taken out of the startup the same way.
Old 03-21-2005, 10:47 AM   #14
rjfvillarosa (Staff)
Quote:
Originally Posted by Chiquito
Now I keep getting a window where the O/S is trying to connect to the internet. Since I always physically disconnect from the modem it can not connect, so when this window comes up that it can not connect to the internet I just click cancel and it disappears for about 30 seconds. So every 30 seconds it tries to connect by itself.
The suggestions that the others have given you about reducing the number of antivirus and spyware scanners are very good; you could have conflicts with all of them running.
At the moment I have AVG7 free running all the time and I use Ad-Aware and Microsoft to scan for malware, BUT only when I want them to; in other words they are switched off and are activated once a day by me and I manually run the scans.
I notice you have Messenger running all the time; try going to Tools > Options and stop it starting with Windows and connecting to the internet automatically. You can run Messenger from your programs list, you don't need it running all the time. There are quite a few nasties going around associated with Messenger and it could be one of those that is trying to connect to the internet all the time, or even Messenger itself.
Richard.
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.
Old 03-21-2005, 05:57 PM   #15
Chiquito (Member)
Hi-jacked-!!!

Richard, thank you, but where do I find Tools, Options? Is it in Network Connections? Or is it in Internet Options or IE? I looked everywhere and I don't know where to find Messenger. Thank You Chiquito!!!
Old 03-21-2005, 06:03 PM   #16
rjfvillarosa (Staff)
Do you actually use msn messenger??
Old 03-21-2005, 08:55 PM   #17
Chiquito (Member)
Hi-jacked-!!!

Richard, no I don't use Messenger; it's that some of these programs have different names or code so I don't recognize them. I just tried what Jaggannath suggested and it worked to some degree. I went into the System Configuration Utility and disabled some of the programs and it worked, the window stopped looking for the internet, but then I couldn't connect at all. I had to restore everything and now the window or program is back looking for the web all by itself. I did as Glc suggested and went to the utilities themselves and I have them set to seek updates manually, not automatically. Some I couldn't find the options or preferences. Do I go to system.ini, or boot.ini, or win.ini, services, or startup? Thank you Chiquito!!!
Old 03-22-2005, 11:35 AM   #18
rjfvillarosa (Staff)
There are a few variations on the Windows Messenger: 4.7 and the newer 6.2 (and beta 7.0).
XP comes bundled with Messenger 4.7 and it is primarily used for talking to people on your personal LAN rather than internet instant messaging.
The 4.7 bundled with XP is a little bit of a pain and awkward to switch off/disable; copy and paste this script into the "Run" box in Start and click OK and 4.7 will be uninstalled instantly:

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

Messenger is very insecure and it's just possible you have picked something up or messenger could be trying to update itself and therefore constantly prompting you for an internet connection.
Richard.
Old 03-22-2005, 08:35 PM   #19
Chiquito (Member)
Hi-jacked-!!!

Richard, thank you, I tried that link in "Run" and I guess it isn't Messenger. I also took Glc's and Forceflow's advice and have disabled all automatic updates, all to no avail. Could a virus do that? Also in my XP some of the stuff that you folks say to do, there isn't a place to do it in or I can't find it. Seemingly it doesn't do any harm, but there is something amiss because for no reason at all, all the information in the address bar drop down window of IE and Firefox disappeared. One moment I'm using the drop down window in Firefox and when I went to change sites it was gone. So I went to using Mozilla and IE, and when I came home from work this afternoon and came to check this site I went to IE and that is now as clean as a whistle. Any ideas short of a reinstallation? Chiquito!!!
Oh yeah, I also tried to log into this site with IE and the password doesn't work only with Mozilla and Firefox, strange huh?

Last edited by Chiquito; 03-22-2005 at 08:37 PM.
Old 03-22-2005, 08:44 PM   #20
rjfvillarosa (Staff)
To be honest I think you have too many things running on that machine and they are conflicting with one another. You say the drop down box was clean; that means some kind of cleaning has been done, which means something is running and you are not aware of it.
Is a format and reinstall out of the question? Do you have a lot of stuff on the hard drive that would need to be backed up?
Old 03-22-2005, 10:45 PM   #21
Chiquito (Member)
Hi-jacked-!!!

Rjf, no I really don't have a lot of stuff, it's just stuff that I've downloaded to learn how to be a tech. I want to be as good as you or Glc or Forceflow so as I can troubleshoot a problem. You know there are a lot of people out there that are disenfranchised and barely have enough $ to own a computer, much less pay a tech what he is worth. And I know a lot of children from mid grammar school on up that could use a helping hand, and sometimes what people need is not $$s but some assistance to give them direction or a little push on their way. So I want to make the $$s and when I can help peeps out in a direction that influences them positively. That is the reason you see a lot of utilities on my chart. I have Windows 98, 2000, and XP and Mepis. I know I don't need that much, but it was to learn the ins and outs of Win 9x and NTFS and Linux. That is the other reason that I have so much open source stuff on my computer. I have Registry First Aid and the Ultimate Troubleshooter because when you have a problem you can research the codes on their web sites. The problem this time is that whatever happened happened before I could learn to use the utilities. As far as files or documents and important files, no, but the files that are important to me are stuff that I copied on advice that you or Glc and some of the other peeps would give me and or someone else, so when I got another box I could break the OS and follow you guys' instructions and see if I could fix whatever was broke. Either way I do want to thank you and Glc and Force Flow and Jaggannath and Bigz for your help and assistance, Chiquito!!!
Old 03-23-2005, 06:32 AM   #22
rjfvillarosa (Staff)
Chiquito... How many machines have you got? If you have more than one, try and give me a run down of what each one is and what it contains, hardware and software wise.
I think you have just learned a major lesson in overkill, and your idea to be able to help others is very commendable; keep up what you are doing, you are delving into a world of great interest.
Old 03-23-2005, 07:20 AM   #23
Chiquito (Member)
Hi-jacked-!!!

Good morning Richard, thanks for the reply. I only have one machine, but now I know I have to get another one; I just have about 20 O/Ss. The last time I had only XP but it was really weighted down and I did not have the religion of backup then, but I got a good dose of venereal disease of the O/S (adware and virus)!!! I am grateful to one and all for your assistance, but what is driving me is to find out what I did wrong or what caused this and see if I can repair it.
Thanks again and have a good day Chiquito!!!
Old 03-23-2005, 08:28 AM   #24
macko72 (Member)

Don't worry, sometimes it's very hard to find an explanation 'cos of a wrong explanation or misunderstanding of your problem, but it will eventually be solved!!
If you don't know what to do and are trying to learn, the best way of learning something is trying to find and resolve the problem by yourself (you can have some hints of course). You make a mistake, you delete something, you install something, but you must be sure to HAVE YOUR RECOVERY DISC OR INSTALLATION DISC AT ALL TIMES READY 'cos you must make mistakes to learn from them, and install or reinstall Windows as many times as possible.
That's just my opinion of the best way for you to learn something: to learn from your own mistakes and hints from guys like GLC, FORCE FLOW AND RJFVILLAROSA and others who make your learning much faster than usual.

At the end my recommendation is this: [AFTER YOU HAVE TRIED ALL POSSIBILITIES AND THERE IS NO HELP FOR YOU !!!]
1. Choose one antivirus, one antispy, one ICF
2. Reformat HDD and install a fresh copy of Windows
3. Enjoy
__________________
I am always doing that which I can not do, in order that I may learn how to do it.
Old 03-23-2005, 10:33 AM   #25
glc (Forum Administrator)
Any time you start experimenting - installing stuff, uninstalling stuff, playing, etc. to try to learn things, you have to be prepared for problems. I do not do this on my primary production machine, I use another box. If you must play on your primary machine, it would be advisable to use imaging software so you can wipe and restore it with minimal hassles. Bottom line - if you play, be prepared to wipe.
Old 03-23-2005, 02:50 PM   #26
macko72 (Member)
You are right glc, at first I was learning on my primary machine (only machine at the time) but now I investigate all sorts of problems on a non-primary machine!!!
Old 03-26-2005, 09:44 PM   #27
Chiquito (Member)
Hi-jacked-!!!

Well Richard, Glc, Forceflow, Bigz and Jagganath, guess what? Get ready because you guys are going to be very busy: I am the proud owner of the newest and latest TROJAN!!! It is totally or virtually undetected by any spyware removal program. As you folks know I use Zone Alarm and I have it set to the highest settings in and out, and not even M$ beta sees it. I guess all of this is going to make a good tech out of me anyway, but I do want to thank one and all of you for your time and concern, because as hard as I work to learn I can only imagine what you guys went through to acquire what you do know and give freely of yourselves. Again thank you, Chiquito!!!
Old 03-26-2005, 10:19 PM   #28
bigz (Member)
Which new trojan are you referring to? Also, personally I like to use the Trend Micro website a lot for virus information and removal techniques. Trend Micro gives very thorough statistics and ways to remove and is detailed better than Symantec's website... and if u know what trojan I will post you the removal techniques from Trend Micro... Good luck
Old 03-26-2005, 10:32 PM   #29
bigz (Member)
I just headed to trendmicro's site for some information on a new trojan... Please forgive me for this long post... This might be what u have based on the symptoms u gave us...

TROJ_DLOADER.DH

Overview
Malware type: Trojan
Aliases: Downloader.a, Win32.SillyDl.GN
In the wild: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP

Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: Low

Description:

A Trojan is a type of malware that poses as legitimate software. When executed by unsuspecting users, it performs unexpected or unauthorized, often malicious actions.

This Trojan may arrive in a computer as part of another malware’s installation package. It is dropped by TROJ_DLOADER.DG

It checks for Internet connection on the affected system. If Internet connection is available, it attempts to download other malware or adware.


Description created: Mar 11, 2005

Solution
Minimum scan engine version needed: 6.810
Pattern file needed: 2.485.01
Pattern release date: Mar 9, 2005

Solution:


Removing Related Malware

To remove related malware, please refer to the following Web page:

* TROJ_DLOADER.DG

Identifying the Malware Program

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as TROJ_DLOADER.DH.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
• On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
• On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

3. In the right panel, locate and delete the entry:

= “%Malware path and filename%”

(Note: %Malware path & file name% is the complete path of the malware, including the root directory, and the malware's detected file name.)
4. Close Registry Editor.

NOTE:If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as TROJ_DLOADER.DH. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Technical Details
File type: PE
Memory resident: Yes
Size of malware: 34,816 Bytes
Initial samples received on: Mar 9, 2005
Related to: TROJ_DLOADER.DG

Details:

A Trojan is a type of malware that poses as legitimate software. When executed by unsuspecting users, it performs unexpected or unauthorized, often malicious actions.

This Trojan may arrive in a computer as part of another malware’s installation package. It is dropped by TROJ_DLOADER.DG

It checks for Internet connection on the affected system. If Internet connection is available, it attempts to download other malware or adware.

Upon execution, it drops the file .INI, in the current directory. This .INI file is used to log the Trojan’s activities.

It also attempts to connect to the following sites:

* http://.farmmext.com//a/Aid.sen?StubName=1farmmext&Cookie=cntry%3DPH%26fstcidt%3D20050315%26cicnt%3D1%26&StubInstID={317425FF-1047-4335-A94B-A6635B986B07}&ErrorCode=1002&Build=0.1.1.3
* http://.farmmext.com/a/Aid.sen?StubName=1farmmext&ErrorCode=1001&Build=0.1.1.3

It creates the following registry entry to ensure it automatically executes during every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
% = “%Malware path and filename%”

(Note: %Malware path & file name% is the complete path of the malware, including the root directory, and the malware's detected file name.)



Analysis By: Elda Viray Dimakiling


I read the statistics for this month... Over 15000 infected with this trojan!!
Old 03-27-2005, 03:39 AM   #30
Chiquito (Member)
Hi-jacked-!!!

BBBBBigzZZZZZz, THANK YOU, I can't or didn't do all you have there but it was enough. I am able to stop it with the Task Manager. If I reboot it comes back. At least now I know it's controllable. I have to be very careful when I go into the registry so it's going to take me a couple of days. I personally do not have any luck with Trend Micro but I know it's very good; it's probably me and being a newbie. Next time I'll post the file name. I was going to live with it, but what happened was I started receiving e-mail that I was supposed to have sent to people I didn't know, and as I was trying to decipher the code I saw that I was to have sent sexually explicit material to someone. I called my ISP and was talking to one of the techs and he said that sometimes trojans do that; after I ended my call to him I went to my e-mail to make sure I hadn't seen wrong, and lo and behold there was another one, the same thing but to a different person. That's when I made up my mind to reinstall. I want to ask you one thing: if I stopped the process with the Task Manager, and I know it's still there, can it still function and be sending info or whatever it does with the processes stopped?
I am really thankful to you and the other peeps because I just got a job, not IT related, but I found a shortcut to make me some bucks, at least livable, with the computer up and running. Also I haven't been going to church lately, and I mean to the church of Backup!!! Thanks again and I'll keep everyone posted, Chiquito!!!