
14 Posts


February 13th, 2006 23:00

Has My Computer Been Hijacked??? Please Help!!!

Recently my computer has quit running all Microsoft Office programs as well as Norton AntiVirus when I am connected to the internet. When I am not connected everything seems to run fine. I have tried resetting the computer, running a virus scan in safe mode, running smitrem.exe, and this is my final hope before erasing the hard drive and starting clean. If you can help me I would greatly appreciate it. Thanks
 
 
Logfile of HijackThis v1.99.1
Scan saved at 8:58:40 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\Pat\My Documents\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Pat\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gvsu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;localhost
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Pat\My Documents\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe   /brand=ESPN   /priority=0   /poll=24
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\RunServices: [AOL Services Hosts] aolserviceshosts.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf.com/fun/installer/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
 


5.9K Posts

February 14th, 2006 00:00

Nothing obvious in the log.  Connect to the internet and

Right-click on the clock and select Task Manager, then Processes, then click twice on CPU.  The top process should now be System Idle with over 95% of the CPU Usage.  If not, what are the top three and what % do they have?
 
 
Also Start, Run, sigverif, OK
 
When the new program comes up press Start.  When it finishes, sort the programs by date by clicking on the Modified column heading.  What .exe, .dll or .sys files show up with dates since the problem started?  Do you see wininet.dll?
 
Ron

14 Posts

February 14th, 2006 02:00

The top item is System Idle Process with between 82% and 98%. Other top programs are taskmgr.exe, explorer.exe, msmsgs.exe, svchost.exe, Apoint.exe, and lsass.exe, and they run anywhere from 0 to 14%. The only things that appeared using sigverif were omci.sys, acfpdf.txt, acpdf207.dll, and acpdfiu207.dll.


5.9K Posts

February 14th, 2006 21:00

When I let mine sit in Task Manager, I never see anything over 1% except for System Idle.  You can turn off msmsgs.exe; that's nothing but MSN instant messenger.  Apoint.exe is the touchpad software.

Try RootKitRevealer from SysInternals and see if it finds anything:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

 

Also

If you have a fast link you can get the 10 meg mwav.exe from:

http://www.spywareinfo.dk/download/mwav.exe
and install it and check for updates then
 
Please download mwav.exe by clicking the above link.
Save the file to your Desktop and then double click on mwav.exe.
It should then install to C:\Kaspersky.

 

I prefer to run it in Safe Mode.  If there is no entry in All Programs and no shortcut on the desktop you can always run it with  Start, Run, C:\kaspersky\mwavscan.com, OK


Once the main screen appears, please make sure there is a checkmark in:
Memory
Startup folders
Drive (All Local Drives)
Registry
System folders
Services
Scan all files

Now, click on the "Scan Clean" button.
The scan is very long and can take several hours (upwards of 3+ hours).

 

The program only removes what it thinks of as viruses and just flags other malware in its log as not-a-virus.  You get to go through the log manually and remove anything not-a-virus that it finds.

I suggest using killbox to remove any not-a-virus that it finds.  http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Ron

 

14 Posts

February 15th, 2006 05:00

I have tried using the RootkitRevealer and here is the log that I have received. I am not sure what any of it means.

 

HKLM\SOFTWARE\Classes\webcal\URL Protocol 6/23/2005 2:42 PM 13 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Pat\Application Data\Aim\mlmtuayt\orionol73\urlcache\aim38.tmp 2/14/2006 8:21 PM 393 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Pat\Application Data\Aim\mlmtuayt\orionol73\urlcache\aim3E.tmp 2/14/2006 8:51 PM 393 bytes Hidden from Windows API.
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0990NAV~.TMP 2/14/2006 8:48 PM 0 bytes Hidden from Windows API.

Also, I have tried using mwav.exe. It seems to have worked pretty well and it found 4 files that were infected. They are as follows.

File C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll tagged as not-a-virus:AdWare.Win32.MyWay.v. No Action Taken.

It tells me that this one cannot be deleted.

C:\PROGRA~1\DIGSTR~1\DIGSTR~1.EXE tagged as not-a-virus:Downloader.Win32.DigStream.a. No Action Taken.

 This one could not be deleted either.

File C:\Program Files\DIGStream\digstream.exe tagged as not-a-virus:Downloader.Win32.DigStream.a. No Action Taken.

I was able to delete this file.

And the fourth one that was found I cannot find in the log. This was all done using Pocket Killbox.

Do you have any other ideas, or should I just reset the computer to its original state?

Could this be any sort of problem? I was wondering just because of the trojan part on the end: File C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\diag\trojan.ini


5.9K Posts

February 15th, 2006 15:00

None of the files that mwav found are really bad.  Mostly just adware stuff.  Shouldn't be causing a problem.  The trojan.ini file sounds interesting.  Can you open it?  It should open in notepad and just be some text.  Copy the text and post it as a reply.

 

Ron

14 Posts

February 15th, 2006 16:00

Here is what I found when I opened the trojan file.
 
[Version]
BuildVersion=6
[WinDSNX]
StartupPathRegistryValue=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDSNX
[Sdbot]
StartFilenameRun=*Msdrv.exe*
StartFilenameRun=*Sdkcore.exe*
StartFilenameRunServices=*Sdkcore.exe*
StartFilenameRunServices=*Msdrv.exe*
StartFilenameRunCurrent=*Msdrv.exe*
StartFilenameRunCurrent=*Sdkcore.exe*
StartFilenameRunServicesCurrent=*Sdkcore.exe*
StartFilenameRunServicesCurrent=*Msdrv.exe*
Filename=%systemdrive%\msdirectx.sys
Filename=%systemdrive%\haxdrv.sys
Filename=%systemdrive%\msdrv.exe
Filename=%systemdrive%\sdkcore.exe
Filename=%system%\msdirectx.sys
Filename=%system%\haxdrv.sys
Filename=%system%\msdrv.exe
Filename=%system%\sdkcore.exe
Filename=%system%\drivers\msdirectx.sys
Filename=%system%\drivers\haxdrv.sys
Filename=%system%\drivers\msdrv.exe
Filename=%system%\drivers\sdkcore.exe
Filename=%systemdrive%\system32\msdirectx.sys
Filename=%systemdrive%\system32\haxdrv.sys
Filename=%systemdrive%\system32\msdrv.exe
Filename=%systemdrive%\system32\sdkcore.exe
Filename=%systemdrive%\system32\drivers\msdirectx.sys
Filename=%systemdrive%\system32\drivers\haxdrv.sys
Filename=%systemdrive%\system32\drivers\msdrv.exe
Filename=%systemdrive%\system32\drivers\sdkcore.exe
ControlSet1Services=*Msdirectx*
ControlSet2Services=*Msdirectx*
ControlSetCurrentServices=*Msdirectx*
ControlSet1Services=*Haxdrv*
ControlSet2Services=*Haxdrv*
ControlSetCurrentServices=*Haxdrv*
[Mytob-CI]
Filename=%system%\LienVandeKelder.exe
StartFilenameRun=*LienVandeKelder.exe*
StartFilenameRunServices=*LienVandeKelder.exe*


5.9K Posts

February 15th, 2006 20:00

Very interesting indeed!  It's talking about installing a rootkit.  That's a program that hides from Windows and HijackThis.  Looks like RootkitRevealer dropped the ball.  You can try a different one if it is still available for free:

Download and run Blacklight
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Leave "scan through Windows Explorer" checked,
click > Scan then > Next.
If any items show, have Blacklight rename them except for wbemtest.exe.
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart); choose yes.
 
 
explains how to manually remove it.  May or may not work but try it.  It may help to use Killbox to remove the files.
 
Use the information in the ini file to make sure you get all of the files. 
 
Filename=%system%\haxdrv.sys  = C:\Windows\System32\haxdrv.sys
Filename=%system%\msdrv.exe
Filename=%system%\sdkcore.exe
Filename=%system%\drivers\msdirectx.sys = C:\Windows\System32\drivers\msdirectx.sys
 
%systemdrive% appears to be a way of referring to the C:\Documents and Settings\YourUserName folder.
 
It also talks about a .exe associated with mydoom:
 
 
Above has a link to a removal tool.
 
You might also try the Malicious Software Removal Tool from Microsoft.
 
 
Ron
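The ini file Ron walks through above is in effect an indicator list: every Filename= line is a path built from the %system% and %systemdrive% placeholders, and every StartFilenameRun*/ControlSet*Services line is a wildcard for an autostart value or a service name. As an added example, not part of this thread or of any tool mentioned in it, the Python below parses a constructed excerpt of that file, expands the placeholders (assumption: %systemdrive% is C: and %system% is C:\Windows\System32, a default XP install), and compares the result with a constructed host snapshot so the file can be used as a check rather than read by hand; treating the StartFilenameRun* keys as Run/RunServices value patterns is also an assumption.

```python
import fnmatch
import re

# Constructed excerpt of the trojan.ini posted above (a few entries per section).
TROJAN_INI = r"""
[Version]
BuildVersion=6
[Sdbot]
StartFilenameRun=*Msdrv.exe*
StartFilenameRunServices=*Sdkcore.exe*
Filename=%systemdrive%\msdrv.exe
Filename=%system%\haxdrv.sys
Filename=%system%\drivers\msdirectx.sys
ControlSetCurrentServices=*Haxdrv*
[Mytob-CI]
Filename=%system%\LienVandeKelder.exe
StartFilenameRun=*LienVandeKelder.exe*
"""

# Assumed placeholder expansions (a default Windows XP install on drive C:).
VARS = {"%systemdrive%": "C:", "%system%": r"C:\Windows\System32"}


def parse_indicator_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def expand(path):
    """Replace %systemdrive% / %system% (case-insensitively) using VARS."""
    for var, val in VARS.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.IGNORECASE)
    return path


def build_checks(sections):
    """Sort entries into file paths, autostart-value patterns and service patterns."""
    checks = {"files": [], "autostart": [], "services": []}
    for entries in sections.values():
        for key, value in entries:
            if key == "Filename":
                checks["files"].append(expand(value))
            elif key.startswith("StartFilenameRun"):  # assumed: Run/RunServices values
                checks["autostart"].append(value)
            elif key.startswith("ControlSet"):        # service names under ControlSet*\Services
                checks["services"].append(value)
    return checks


def match_host(checks, files_present, autostart_values, service_names):
    """Compare the indicator set with a host snapshot and list what matched."""
    present = {p.lower() for p in files_present}
    findings = [("file", p) for p in checks["files"] if p.lower() in present]
    for value in autostart_values:
        if any(fnmatch.fnmatch(value.lower(), pat.lower()) for pat in checks["autostart"]):
            findings.append(("autostart", value))
    for svc in service_names:
        if any(fnmatch.fnmatch(svc.lower(), pat.lower()) for pat in checks["services"]):
            findings.append(("service", svc))
    return findings


# Constructed host snapshot: a file listing, the Run/RunServices values and the
# service names as they might be collected from the machine in the thread.
SNAPSHOT_FILES = [r"C:\WINDOWS\System32\haxdrv.sys",
                  r"C:\WINDOWS\System32\drivers\msdirectx.sys", r"C:\WINDOWS\system32\dla\tfswctrl.exe"]
SNAPSHOT_AUTOSTART = [r"C:\WINDOWS\system32\sdkcore.exe", "aolserviceshosts.exe",
                      r"C:\Program Files\Apoint\Apoint.exe"]
SNAPSHOT_SERVICES = ["Haxdrv", "navapsvc", "Bonjour Service"]


def scan_snapshot():
    """Run the constructed indicator file against the constructed snapshot."""
    checks = build_checks(parse_indicator_ini(TROJAN_INI))
    return match_host(checks, SNAPSHOT_FILES, SNAPSHOT_AUTOSTART, SNAPSHOT_SERVICES)
```

Note that the bare "aolserviceshosts.exe" RunServices value from the HijackThis log matches none of the ini patterns, so the ini alone would not have caught it.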

14 Posts

February 15th, 2006 21:00

I tried using the Blacklight and that found no problems. Also, the Symantec scan produced no results, and when I was trying to install the Microsoft scan, it would fail to initialize.


5.9K Posts

February 16th, 2006 00:00

Looks like we have to do it the hard way.  First try with Killbox.
 
Download the killbox:
Unzip it to your desktop but don't run it.

Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option.
 
Run Hijackthis, (scan only) and check these two then Fix Checked.
 
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\RunServices: [AOL Services Hosts] aolserviceshosts.exe  <== This is a bad one that I overlooked!
 
Run killbox.  Open Options and check Remove Directories
Where it says Full Path of File to Delete you need to type or copy (Highlight and Ctrl + C)
and Paste (move to the killbox and place the cursor in the box and Ctrl + V):
C:\Windows\System32\haxdrv.sys
 
Then check the Delete on Reboot box then the red button. 
It will say:  File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it NO.  (If it can't find it that's OK just go on to the next one)
 
Repeat for:
 
C:\Windows\System32\msdrv.exe
C:\Windows\System32\msdirectx.sys
C:\Windows\System32\sdkcore.exe
C:\Windows\System32\drivers\msdirectx.sys
 
C:\Windows\System32\LienVandeKelder.exe
 
C:\Documents and Settings\Pat\msdrv.exe
C:\Documents and Settings\Pat\msdirectx.sys
C:\Documents and Settings\Pat\sdkcore.exe
C:\Documents and Settings\Pat\haxdrv.sys
C:\Documents and Settings\Pat\system32
 
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\diag\trojan.ini
Let it reboot after the last one.
 
reboot and make a new log and post it as a reply and let's see how things go.
 
Ron

14 Posts

February 16th, 2006 05:00

I haven't tried this yet but I will do it first thing in the morning. I was just wondering, at this point would it be easier just to reset the computer to its original state and start with a clean slate? Also, if I were to do that, what programs would you recommend that I download to help protect my computer along with the Norton AntiVirus?

14 Posts

February 16th, 2006 14:00

I have done the above mentioned steps and I am not sure what program you would like me to make a log with. Also, when I was deleting items in killbox, the trojan file was not found so I could not delete that.


5.9K Posts

February 16th, 2006 20:00

I found a tool that is designed to remove the haxdoor stuff.

http://www.ik-cs.com/programs/virtools/Haxdoor.exe

 

Instructions:

 

http://www.ik-cs.com/programs/virtools/special%20disinfection%20routine.txt

 

If you do reformat then make sure your firewall is turned on and go directly to windowsupdate.microsoft.com and get all of the patches before going anywhere else.

Then

 

A Few Recommendations:


Make sure you have System Restore running and then you can just go back to an earlier time if you hit a bad site.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

One way to make an infection more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new.

 
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm

Always run a firewall.  The one in XP SP2 is pretty good, though I think the free one from Zone Alarm is better.

http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads

Turn on Autoupdates so you always get the latest patches from Windows.

Never hurts to do one of the free on line scans from Panda or Trend.  They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D. 
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while. 
http://www.lavasoftusa.com/software/adaware/

Get the latest version of
Java:
http://www.java.com/en/download/windows_automatic.jsp

Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs.  Updates do not remove the older versions which have exploitable flaws.

If you are not running the latest version of Adobe you should consider updating.  There are reports of a loophole for hackers in pre 7.03 versions.
As an alternative you can dump adobe completely and use fox-it instead:
http://www.foxitsoftware.com/pdf/rd_intro.php

Ron


14 Posts

February 17th, 2006 12:00

Well, I have done a complete system reset on my computer. I have downloaded and installed Spyware Blaster, SpyBot, Adaware SE, and ZoneAlarm along with Norton AntiVirus. Unfortunately I am still having some troubles. I did not make the changes that you had talked about for Spyware Blaster and SpyBot because I wasn't sure what I was supposed to do. Also, upon startup I get a message that states "TrueVector Service has encountered a problem and needs to close". I have tried sending the error report and not sending it, but the window will immediately pop back up about 7 to 10 seconds later, no matter how many times I close it. And also upon startup I get a message from Norton that says a necessary file could not be loaded ( C:\PROGRA~1\NORTON~1\NORTON~1\STATUSHP.DLL ). And one last thing, I would like to thank you for all of the attempts you have made at helping me to fix my computer.


5.9K Posts

February 17th, 2006 13:00

Sounds like you just did a system restore to an earlier time period.
 
True Vector is part of Zone Alarm.  Sounds like it might need to be uninstalled and reinstalled.
 
I never have much luck with Norton.  They do have a program on their website which might help.
 
 
Ron


5.9K Posts

February 17th, 2006 15:00

Word needs to have a printer installed or it will hang.

Ron
