crazy virus...please help
speedamp
Newbie
30. July 2008 @ 13:09
hello everybody,

I have a nasty virus that I can't seem to get rid of. Hopefully somebody here will have some ideas.

Here is the history. Last week I grabbed an ISO of the latest Ubuntu through BitTorrent, and I assume something nasty entered my system.

Here is what happens (in no particular order or timing....very random):

1) system beeps
2) Explorer (or whatever browser is default) will start opening over and over again. In some of the Google searches, I see "p..,"
3) printer will sometimes print the Google page
4) if I'm in a program it will automatically start 'entering' whatever I have on the screen, thus making installing, uninstalling, etc. VERY difficult.

I have McAfee, SUPERAntiSpyware, Spybot, and Windows Defender running. NONE have detected or stopped anything....even when the attack is happening.

I also did a full system reinstall of my operating system partition, and a day or so later it came back.....

Here is the attached 'HijackThis' report:

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:05 AM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP3 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\xampp\mysql\bin\winmysqladmin.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\xampp\xampp-control.exe
D:\xampp\apache\bin\apache.exe
D:\xampp\mysql\bin\mysqld-nt.exe
D:\xampp\apache\bin\apache.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Program Files\Pidgin\pidgin.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
D:\Program Files\WinRAR\WinRAR.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.4.lnk = D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: WinMySQLadmin.lnk = D:\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/inst...nosticsxp2k.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\apache.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 6268 bytes

any help would be much appreciated...i'm at a loss.

-Michael
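A HijackThis log is a fixed-format text file: a "Running processes:" block followed by numbered entries (O2 = browser helper objects, O4 = Run keys and startup shortcuts, O23 = services, and so on). The short parser below is an added example, not code from the thread or from Trend Micro; it groups the entries by section and lists the two kinds of line the replies in this thread actually look at (an O4 startup shortcut whose target resolves to "?" and O23 services whose owner field is "Unknown owner"). Function names are assumed, the sample is a handful of lines copied from the log above, and the script only reports; it changes nothing.

```python
"""Structured view of a HijackThis 2.0.2 log (added example, assumed names).
Groups O-entries by section and lists the lines a reviewer looks at first."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Sample lines copied from the posted log (raw string keeps the backslashes).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
D:\xampp\apache\bin\apache.exe

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\apache.exe
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 6268 bytes
"""

# Every entry line starts with its section code, e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return {'processes': [...], 'O2': [...], 'O4': [...], 'O23': [...]}."""
    sections: Dict[str, List[str]] = defaultdict(list)
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True          # block of plain paths follows
            continue
        if not line:
            in_processes = False         # blank line ends the process block
            continue
        if in_processes:
            sections["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def startup_links_without_target(sections: Dict[str, List[str]]) -> List[str]:
    """O4 startup shortcuts whose target HijackThis could not resolve ('= ?')."""
    return [e for e in sections.get("O4", []) if e.endswith("= ?")]


def services_with_unknown_owner(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """O23 services whose publisher field is 'Unknown owner', as (name, path)."""
    found = []
    for e in sections.get("O23", []):
        # Entry format: 'Service: <name> - <owner> - <path>'
        body = e[len("Service: "):] if e.startswith("Service: ") else e
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[-2] == "Unknown owner":
            found.append((parts[0], parts[-1]))
    return found


if __name__ == "__main__":
    s = parse_hjt(SAMPLE_LOG)
    print(f"{len(s.get('processes', []))} processes, sections: {sorted(k for k in s if k != 'processes')}")
    for e in startup_links_without_target(s):
        print("unresolved startup shortcut:", e)
    for name, path in services_with_unknown_owner(s):
        print(f"service without publisher: {name} -> {path}")
```

Neither list is a verdict: in this log the two "Unknown owner" services are the XAMPP MySQL server and McAfee SiteAdvisor, both of which the poster installed, and an unresolved .lnk is often just a shortcut left behind by an uninstalled program. The value of parsing is that each entry can be checked against what is known to be installed instead of being deleted on sight.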
bandit008
Member
30. July 2008 @ 15:27
If you say that you did a full OS re-install and the virus came back a couple of days later, then I don't think it's a virus attack...I think it's a hacker attack. Once a hacker can go undetected into your system, they will come and go as they please (hence your random computer activities..) ...I'm not completely sure though...I've looked over your log and I don't see anything out of the ordinary... There are a couple of things that caught my eye though...

1) D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE - why is outlook.exe the only one all capitalized compared to the others? Or has it always been like that?...
2) O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ? is this a broken/missing link? Sometimes viruses/spyware/malware disguise themselves as links...

m' kay..
speedamp
Newbie
30. July 2008 @ 17:27
That makes some sense, yeah.

I also found a NolE4StubProcessing entry in the registry.

The item was deleted. Could this have been part of it?

Anyways, if this is a hacker, how can I block his activity on my machine?

-Michael
speedamp
Newbie
30. July 2008 @ 17:55
Starting to agree with you.....if this is a hacker.....any idea how to block this?

I run McAfee and have my Netgear router pretty tight.

Any suggestions on anti-hacker software?

-Michael
bandit008
Member
31. July 2008 @ 10:36
There are several ways to do this...
1) You could set up a firewall and monitor/block any suspicious incoming/outgoing connections...a good one is Comodo Firewall Pro (freeware)
2) If your NETBIOS ports are open then you must close them, the hacker is probably accessing your PC through these ports.. (NETBIOS ports allow you to remotely access a machine and pretty much do whatever you want to it. These ports are sometimes opened by Microsoft for their updates) For more info on NETBIOS go here.
3) Turn off any file sharing and disable Remote Desktop Connection if you have it enabled...
4) You could manually monitor your connections. To do this hit Start, then Run. In the new window type CMD and hit OK. In the Command Prompt type the following: netstat -a or netstat -n
netstat -a lists the names of the connections you have
netstat -n lists the IP addresses of the connections you have
5) Set an admin password. Usually when trying to access a remote computer it will ask you for a name and password.

m' kay..
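Reading raw netstat output by eye is error-prone, so here is an added example (not from the thread or any of its posters) of the check steps 2 and 4 above describe, done as a script over the text that `netstat -an` prints. It parses the Windows column layout, flags listeners on the NetBIOS/SMB/Remote Desktop ports that are bound to something other than loopback, and lists ESTABLISHED connections whose peer is outside the loopback and RFC 1918 ranges. The function names and the sample output are assumptions; the sample is constructed, and its 203.0.113.7 peer is an address from the TEST-NET-3 documentation range.

```python
"""Triage of Windows `netstat -an` output (added example, assumed names).
Flags network-reachable listeners on NetBIOS/SMB/RDP ports and established
connections to peers outside the local address ranges."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Ports the thread discusses: NetBIOS, SMB direct and Remote Desktop.
WATCHED_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    3389: "Remote Desktop",
}

# Addresses treated as local: loopback, unspecified and RFC 1918 ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8",
               "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the XP-era `netstat -an` layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3389       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.7:4444       ESTABLISHED
  TCP    192.168.1.5:1046       192.168.1.20:139       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'0.0.0.0:139' -> ('0.0.0.0', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Parse the TCP/UDP rows of `netstat -an` into dicts; header rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": parts[3] if len(parts) > 3 else "",  # UDP rows have no state
        })
    return rows


def is_local_address(host: str) -> bool:
    """True for the wildcard '*' and for loopback/unspecified/RFC 1918 addresses."""
    if host == "*":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def exposed_watched_listeners(rows: List[Dict]) -> List[Dict]:
    """Watched ports bound to a non-loopback address (TCP LISTENING, or any UDP row)."""
    found = []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if not listening or r["local_port"] not in WATCHED_PORTS:
            continue
        if r["local_host"].startswith("127."):
            continue  # loopback-only binding is not reachable from the LAN
        found.append(dict(r, service=WATCHED_PORTS[r["local_port"]]))
    return found


def established_to_remote(rows: List[Dict]) -> List[Dict]:
    """ESTABLISHED TCP connections whose peer lies outside the local ranges."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not is_local_address(r["foreign_host"])]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in exposed_watched_listeners(rows):
        print(f"exposed {r['proto']} {r['local_host']}:{r['local_port']} ({r['service']})")
    for r in established_to_remote(rows):
        print(f"remote peer {r['foreign_host']}:{r['foreign_port']} "
              f"from local port {r['local_port']}")
```

On the sample this reports the NetBIOS and SMB listeners bound to 0.0.0.0, the Remote Desktop listener on the LAN address, and one established connection to a non-local peer; the MySQL listener on 127.0.0.1 is left alone because nothing outside the machine can reach it. A listener being open is not proof of compromise, but each flagged line is something the owner should be able to explain (file sharing, Remote Desktop, XAMPP) and disable if they cannot.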
cdavfrew
Senior Member
1. August 2008 @ 05:57
@bandit008

If you are not learned in analyzing HijackThis logs, please don't. It will not do for anyone to fix any random "suspicious looking" entries in HijackThis, because frankly, to any non-tech-savvy person, an entire HijackThis log looks suspicious.


Hi speedamp

It seems that you may or may not be infected. The symptoms I see on your computer may be related to hardware problems, especially your keyboard, as it seems that the Enter, Ctrl, and P keys are stuck. I will recommend a hardware check at your local computer store.

If the hardware check comes back clean, then perhaps you are indeed in a security-compromised situation. I will need further analysis of your system, which can be done by a second tool: Deckard's System Scanner.

Download Deckard's System Scanner, run it, and follow the prompts. When the scan is done, please post the results (located at main.txt) here.

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

bandit008
Member
1. August 2008 @ 10:16
Originally posted by cdavfrew:
@bandit008

If you are not learned in analyzing HijackThis logs, please don't. It will not do for anyone to fix any random "suspicious looking" entries in HijackThis, because frankly, to any non-tech-savvy person, an entire HijackThis log looks suspicious.

ok fine...later thread...

m' kay..