Full Version: Some kind of problem
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Khaz
For a while now, I've been concerned about the health of my PC. I would've reformatted by now, as nothing else has worked, but there are some programs I have installed that I don't have the CDs for anymore (left at home, not living there, etc).

I've run HijackThis, Ad-Aware scans, Trend Micro & Panda Software virus scans, and the problem does not go away.

Description of the Problem: From time to time, my notebook computer locks up. It's not a freeze however, and the symptoms slowly come into place. Here's what happens, slowly and surely:
  • folders slow down; task manager stops refreshing
  • folders, windows, and Run commands fail: they simply don't do anything
  • open windows still function, minimally; in winXP, the file descriptions and "Other Places" categories on the left hand side disappear
  • window main menu bars (containing File, Edit, etc) disappear, and are replaced by white space with a windows logo in the middle
  • everything fails; task manager refuses to load, windows and applications refuse to load, right-click functions cease; only way to restore is through a restart
This happened today, about five minutes ago. I'm now in SafeMode w/Networking, 'cause I don't know what to do. This time, I caught something very odd. I'm sorry I don't have a screenshot, but I'll do my best to describe what I saw.
QUOTE
When my windows and functions started to fail, I quickly popped up the Windows DOS Command console, and plugged in netstat -a. What came up was strange: there were several established and time_wait connections on low-number ports, all in the 2500-2600 range. These ports are not open, or are stealthed according to ShieldsUP, and I am working behind the WindowsXP firewall as well as a University firewall system.
The 'foreign address' for the various connections varied. One of them that I remember was "www.zipzoomfly.com:80", and some others were coming through as something like "ajp-48- ....... someDomain.name". I tried to capture the screen, but my graphics program wouldn't load by the time I had it. I also tried taking a digital photo, but that just left the console text really blurry. I can provide a picture of it anyway, if you'd like.


Solutions Attempted: Numerous Ad-Aware, TrendMicro, and Panda Software spyware/malware/virus/trojan scans; HijackThis comes up clean; Windows System Recoveries are ineffective at best

I'm at a loss for where to go from here. My machine is dying 'cause of this, and any help is appreciated. Also, if there is some place more 'popular' for computer software assistance, please send me there too. Best,

Khaz
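An added example, not part of the thread: a small parser for output in the layout of Windows XP's `netstat -a`, grouping active TCP connections by remote host so the interesting question (which process owns each connection to which remote endpoint) stands out. The sample input is constructed for the demo; only the zipzoomfly hostname and the 2500-range ports echo Khaz's description.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows XP "netstat -a" output; the
# hostnames and port numbers echo the thread, everything else is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    notebook:135           notebook:0             LISTENING
  TCP    notebook:2531          www.zipzoomfly.com:80  ESTABLISHED
  TCP    notebook:2540          ajp-48-example.invalid:80  TIME_WAIT
  TCP    notebook:2544          www.zipzoomfly.com:80  ESTABLISHED
  UDP    notebook:137           *:*
"""

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_addr(addr):
    """'host:port' -> (host, port); port is kept as a string ('*' is possible)."""
    host, _, port = addr.rpartition(":")
    return host, port

def parse_netstat(text):
    """One dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": fhost, "remote_port": fport, "state": state or ""})
    return rows

def outbound_by_remote(rows):
    """Count ESTABLISHED/TIME_WAIT TCP sockets per remote host. The local port
    of an outbound connection is an ephemeral client port (1025-5000 by default
    on XP), so local ports in the 2500s are expected and say nothing about
    which inbound ports are open; the remote endpoint is what needs attributing
    to a process."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "TCP" and r["state"] in ("ESTABLISHED", "TIME_WAIT"):
            counts[r["remote_host"]] += 1
    return dict(counts)

def listening_ports(rows):
    """Locally listening TCP ports, the ones an external port scan can see."""
    return sorted(int(r["local_port"]) for r in rows if r["state"] == "LISTENING")
```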
Khaz
Sorry for the second reply, but I re-tested HijackThis, and came up with the following:
QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 4:55:15 PM, on 3/24/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103432258265
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
The stuff in red is what concerns me, especially that Winlogon Notify.
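An added example, not from the thread or from HijackThis itself: a triage pass over HijackThis log lines that tags the sections the helpers in this thread react to (O20 Winlogon Notify and O15 Trusted Zone entries) and pulls out the DLL paths and domains to verify. The severity weighting is my own assumption; the sample lines are copied from the log above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section severity detail")

# Constructed sample: a handful of lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "Section - rest of line"; HijackThis section prefixes are R, F, N and O plus a number.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Weighting is an assumption based on how the thread reads the log: an O20
# Winlogon Notify DLL is loaded by winlogon.exe at every logon (Safe Mode
# included), an O15 Trusted Zone entry relaxes IE security for that domain,
# and an O23 service runs with system privileges and deserves a vendor check.
SEVERITY = {"O20": "high", "O15": "medium", "O23": "medium"}

def triage(log_text):
    """Return one Finding per HijackThis entry, tagged high/medium/info."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, blank and 'Running processes' lines
        section, body = m.groups()
        findings.append(Finding(section, SEVERITY.get(section, "info"), body))
    return findings

def winlogon_notify_dlls(findings):
    """(name, DLL path) for every O20 entry: the first files to verify."""
    out = []
    for f in findings:
        if f.section == "O20" and f.detail.startswith("Winlogon Notify: "):
            name, _, path = f.detail[len("Winlogon Notify: "):].partition(" - ")
            out.append((name, path))
    return out

def trusted_zone_domains(findings):
    """Domains added to the IE Trusted Zone (O15 entries)."""
    return sorted(f.detail.split(": ", 1)[1].split(" (")[0]
                  for f in findings if f.section == "O15")
```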
Mosaic1
That notify definitely is a cause for concern. But I think you have a bigger problem. And I am wondering if it is your Video card or its drivers.


Let's deal with the spyware first. Download this file.


http://www.atribune.org/downloads/HSFix.zip



Extract its folder to C:\

So now you have a folder D:\HSFIX


Boot to Safe mode no Networking and open the hsfix folder.

Double click on hsfix.bat to run it.

You'll lose your desktop and taskbar. That's normal. This is going to kill explorer.

Double click on hsfix.bat to run it again immediately.

Restart back into safe mode with networking. Find this file:

C:\hslog.txt

Post its contents into your next reply.
Mosaic1
Also, you are running with no Anti Virus installed and no firewall. Are you using a hardware firewall?


AVG offers a free AV and it is very good. You can download and install it from this page:
http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5

And then update it immediately.
Khaz
I've done a few things now. I located this website and messageboard thread: SpyWare beware messageboard

Next, I came here and ran the HorseServer Removal Tool. Here're the log contents:
QUOTE
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
  Registry fix complete
-
2. Deleted Services
-
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
vdmt16.sys
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

After following the thread from the SpyWare BeWare messageboard, my HijackThis log turned up clean, and all the nasties gone... for now.

The fix you suggested there, Mosaic, solved a video driver problem I've been having. It's solved as far as I can tell. What is HorseServer?

As for anti-virus and firewall software -- I turned off the anti-virus software in SafeMode 'cause I wanted the computer resources. I have the WinXP Pro firewall enabled on my conn, along with the University's firewall system.
Mosaic1
horseserver is a domain to which the home and search pages were often hijacked in this one. This hijack is now referred to as Haxdoor.


I am glad you are set, but I do caution people about going off on their own. It often can cause problems. The Fix I had you download would have performed the job with possibly less risk. And it was automated.

I take it you upgraded your video drivers? Let me know if any of your previous problems return. Did that solve the rest and can you run in regular Windows mode now? Time will tell. One Firewall running at a time is the general rule. Two can cause conflicts.


The problem with this hijack is also that your privacy has been compromised. They use a keylogger and get your typed passwords and other information.

ASAP Change any sensitive information on your computer. Banking passwords, even Forum Passwords.

Re-enable your AV and do a full scan. I would also do some online scans to get any orphans you might have hanging around.

Here are some choices:
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

I'd like to see a follow-up log too please. You had some trusted zones in need of removal.

And you need to be sure your System Restore is in working order too. The fix should have taken care of it. But do a check anyway.

Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
Khaz
QUOTE
I take it you upgraded your video drivers? Let me know if any of your previous problems return. Did that solve the rest and can you run in regular Windows mode now? Time will tell. One Firewall running at a time is the general rule. Two can cause conflicts.

No. I had been unable to enter a resolution less than 1400x1050, and the dialog prompt warning me about fuzziness refused to leave. Something above fixed it, anyway.
The second firewall is not on my machine. It's on the University network/router or however they have it set up, and I don't have access to it to see what it blocks and allows.

The SpyWare BeWare thread pointed out that my passwords may have been caught. I've just finished changing all the passwords I care about.

I didn't know there were so many viable online scanners. I'd only been using TrendMicro and Panda to clean up after mine. Thanks for the links.

The trusted sites were removed and happy to go.

I'm off to deal with the System Restore points. Thanks for the help. Greatly appreciated.
Mosaic1
You're welcome. Good luck. And if you celebrate it, Happy Easter.