MALWARE/Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mark24, Nov 30, 2004.

  1. mark24

    mark24 Private E-2

    Hi all,

I appear to have contracted a nasty piece of morphing malware; I have no idea what it is called. It works like this: my browser gets redirected on opening to various search & porn pages. A program now crashes on launch, & I have seen from the game's (Star Wars Galaxies) tech support that the malware may be involved ( http://forums.station.sony.com/swg/board/message?board.id=Techsupport&message.id=201813 ). I CAN clear the redirection temporarily, but SWG fails to run at all now.

    I have seen various people have problems with STOPGUARD/VIRTUMUNDO, but have no idea as to how I detect or identify them.

    I have run through the following, step by step, to no effect.

    http://forums.majorgeeks.com/showthread.php?t=35407
    http://forums.majorgeeks.com/showthread.php?t=47297

    Star Wars still refuses to run.

    Pls help!

    Thanks,

    Mark Pullen
     
  2. mark24

    mark24 Private E-2

    I have just run Ad-aware SE again after clearing the system as per your instructions & it comes up with 3 new objects if it helps:

    Win32.Adverts.TrojanDownloader Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : S-1-5-21-3438141586-2437969446-162025716-1005\software\program info

    Win32.Adverts.TrojanDownloader Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_USERS
    Object : S-1-5-21-3438141586-2437969446-162025716-1005\software\program info
    Value : ClientID

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : mark pullen@tribalfusion[1].txt
    Category : Data Miner
    Comment : Hits:4
    Value : Cookie:mark pullen@tribalfusion.com/
    Expires : 01-01-2038
    LastSync : Hits:4
    UseCount : 0
    Hits : 4

    Mark Pullen
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you are still having a problem, do the below.

    Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. mark24

    mark24 Private E-2

    Chaslang,

    I can't tell you how much I appreciate your help. Thank you.

    Here's the logfile, running from a folder in Program files, with everything else shut down, including the folder HijackThis is located in.



    Mark
     

Attached Files: hjt.txt (7.8 KB)
    Last edited by a moderator: Nov 30, 2004
  5. mark24

    mark24 Private E-2

    Chaslang,

    I had an idea, rebooted into normal mode & did a Hijack log before opening anything.

    [log removed]

    Mark
     
    Last edited by a moderator: Nov 30, 2004
  6. Kodo

    Kodo SNATCHSQUATCH

No change in that log. Log files must be posted as an attachment.

    You have tons of Trojans on your machine. Have you tried ALL the online scanners AND the alternate scans listed at the bottom of the tutorial? A-Squared more specifically.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As Kodo said, you have a load of problems.

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    sncntr.exe
    evthtm.exe
    netdllex.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evcforum.net/cgi-bin/forumdisplay.cgi?action=listalltopics
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.evcforum.net/cgi-bin/forumdisplay.cgi?action=listalltopics
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: run=c:\windows\system32\netdllex.exe
    O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
    O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
    O4 - HKLM\..\Run: [win32info] c:\windows\system32\win32info.exe /noconnect
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /nocomm
    O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
    O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
    O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
    O4 - HKLM\..\Run: [Mqinx] c:\windows\system32\mqinx.exe
    O4 - HKLM\..\Run: [Netdllex] c:\windows\system32\netdllex.exe
    O4 - HKCU\..\Run: [Svcinfo] c:\windows\system32\svcinfo.exe
    O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
    O4 - HKCU\..\Run: [Bluecol] c:\windows\system32\bluecol.exe
    O4 - HKCU\..\Run: [Pwr32ctrl] c:\windows\system32\pwr32ctrl.exe
    O4 - HKCU\..\Run: [Audiodrv] c:\windows\system32\audiodrv.exe
    O4 - HKCU\..\Run: [Mqinx] c:\windows\system32\mqinx.exe
    O4 - HKCU\..\Run: [Netdllex] c:\windows\system32\netdllex.exe



    Boot into safe mode and use Windows Explorer to delete:

    C:\windows\system32\sncntr.exe
    C:\windows\system32\evthtm.exe
    C:\WINDOWS\system32\netdllex.exe
    C:\Program Files\IESearchToolbar <- the whole directory
    C:\Program Files\Hotbar <- the whole directory
    c:\windows\system32\win32info.exe
    c:\windows\system32\mscnt.exe
    c:\windows\system32\sncntr.exe
    c:\windows\system32\mqinx.exe
    c:\windows\system32\svcinfo.exe
    c:\windows\system32\pwr32ctr.exe
    c:\windows\system32\bluecol.exe
    c:\windows\system32\pwr32ctrl.exe
    c:\windows\system32\audiodrv.exe


Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
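The list chaslang posted above is what a HijackThis log looks like once a helper has picked out the entries to fix. The following is an added example, not part of the thread and not HijackThis's own code: a small Python parser for the R0/R1/R3/F3/O2/O3/O4 line formats seen in that list, with triage heuristics that reproduce this kind of call (non-default IE start/search URLs, a missing URLSearchHook, a win.ini run= autostart, orphaned or known-adware browser extensions, unrecognised binaries autostarting from system32, and the same binary registered under both HKLM and HKCU). The default-host list, the system32 allowlist and the adware name fragments are assumptions for illustration only; the two clean lines at the end of the sample are constructed.

```python
"""Triage of HijackThis-style log lines: an added example for this thread, not
part of the MajorGeeks posts or of the HijackThis tool. The allowlists and
heuristics are this editor's assumptions, not HJT's own rules."""
import re
from urllib.parse import urlparse

# Assumption: hosts the stock IE start/search pages of the period pointed at.
# Anything else in an R0/R1 line, about:blank included, counts as non-default.
DEFAULT_IE_HOSTS = ("microsoft.com", "msn.com")
# Assumption: short allowlist of binaries that normally autostart from system32.
# Real triage checks publisher signatures, not a name list.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "rundll32.exe"}
# Assumption: path fragments of the adware named in this thread.
KNOWN_ADWARE_FRAGMENTS = ("hotbar", "iesearchtoolbar")

RE_R = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
RE_F3 = re.compile(r"^F3 - REG:win\.ini: run=(.*)$")
RE_O23 = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\\w+: \[([^\]]*)\] (.*)$")
RE_EXE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def exe_path(command):
    """Executable part of an autostart command, lower-cased, arguments dropped."""
    m = RE_EXE.match(command.strip())
    return (m[1] if m else command.split()[0]).lower()


def is_default_ie_url(url):
    """True when the URL's host is one of the stock IE start/search hosts."""
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in DEFAULT_IE_HOSTS)


def parse_line(line):
    """Parse one HJT line into a dict with a 'section' key; None if not handled."""
    line = line.strip()
    if m := RE_R.match(line):
        return {"section": m[1], "hive": m[2], "key": m[3], "value": m[4], "data": m[5]}
    if line.startswith("R3 - "):
        return {"section": "R3", "text": line[5:]}
    if m := RE_F3.match(line):
        return {"section": "F3", "command": m[1].strip()}
    if m := RE_O23.match(line):
        return {"section": m[1], "name": m[2], "path": m[3]}
    if m := RE_O4.match(line):
        return {"section": "O4", "hive": m[1], "name": m[2], "exe": exe_path(m[3])}
    return None


def reason_for(e, hives_by_exe):
    """Why a parsed entry deserves a look, or None when it looks benign."""
    s = e["section"]
    if s in ("R0", "R1") and not is_default_ie_url(e["data"]):
        return "IE start/search setting points away from the defaults"
    if s == "R3" and "missing" in e["text"].lower():
        return "URLSearchHook removed or replaced"
    if s == "F3" and e["command"]:
        return "win.ini run= autostart; legitimate software no longer uses it"
    if s in ("O2", "O3"):
        path = e["path"].lower()
        if any(f in path for f in KNOWN_ADWARE_FRAGMENTS):
            return "known adware component"
        if "(no file)" in path or "(file missing)" in path:
            return "orphaned browser extension entry; fix it to tidy the registry"
        return "third-party browser extension; verify the publisher"
    if s == "O4":
        exe = e["exe"]
        if any(f in exe for f in KNOWN_ADWARE_FRAGMENTS):
            reason = "known adware component"
        elif "\\system32\\" in exe and exe.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTOSTART:
            reason = "unrecognised binary autostarting from system32"
        else:
            return None
        # Same binary under both HKLM and HKCU: the thread's netdllex.exe does this.
        return reason + ("; registered in both HKLM and HKCU" if len(hives_by_exe[exe]) > 1 else "")
    return None


def triage(lines):
    """Return [(line, reason)] for the entries a malware helper would look at."""
    parsed = [(l.strip(), parse_line(l)) for l in lines if l.strip()]
    hives_by_exe = {}
    for _, e in parsed:
        if e and e["section"] == "O4":
            hives_by_exe.setdefault(e["exe"], set()).add(e["hive"])
    return [(line, r) for line, e in parsed if e and (r := reason_for(e, hives_by_exe))]


# Sample input: a subset of the lines chaslang told mark24 to fix, plus two
# constructed clean lines (a stock Start Page and ctfmon.exe) that must pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find-on-the-net.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evcforum.net/cgi-bin/forumdisplay.cgi?action=listalltopics
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=c:\windows\system32\netdllex.exe
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [win32info] c:\windows\system32\win32info.exe /noconnect
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.8.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [Netdllex] c:\windows\system32\netdllex.exe
O4 - HKCU\..\Run: [Netdllex] c:\windows\system32\netdllex.exe
O4 - HKCU\..\Run: [Audiodrv] c:\windows\system32\audiodrv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".splitlines()

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it as-is to see the twelve thread lines flagged and the two constructed clean lines pass. The point of the hive check is that a Run value appearing under both HKLM and HKCU for the same system32 binary is a pattern legitimate installers almost never produce, which is why chaslang's list has netdllex.exe and mqinx.exe twice; a helper would still confirm each binary by hand (or by signature) before deleting it, since the name allowlist here is only illustrative.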
  8. mark24

    mark24 Private E-2

    Chaslang (& Kodo thanks for your input),

    Here's the new .log

Ad-Aware netted 35-ish new criticals after less than 24 hours of a ZERO critical scan. Weird...

    Mark
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below two items are still in your log:
    O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\Program Files\IESearchToolbar\IESearchToolbar.dll (file missing)
    O4 - HKLM\..\Run: [win32info] c:\windows\system32\win32info.exe /noconnect


    Repeat the parts of my previous procedure mentioning them.
     
  10. mark24

    mark24 Private E-2

    Chaslang,

    OK, got 'em. I did the same check in its entirety & there's no recurrence other than the 2 I missed.

    Thank you very, very much for your help. I'll let you know how it goes, if it recurs it will do it today.

    What, in your opinion is the best virus checker protection that I can put on my system?

    Mark
     

  11. Kodo

    Kodo SNATCHSQUATCH

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, your log is clean now. What Kodo is pointing you to includes all the things you should be doing to protect your system. It includes my preferences for antivirus programs. Avast is my first choice.
     
