
HiJackThis - Help mE :(

Discussion in 'Virus & Other Malware Removal' started by Jsuradi, Sep 16, 2003.

  1. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    NAV picked up backdoor.sdbot.
    Ever since, I can't uninstall / install / download files from servers.
    NAV says my infected file is system32.exe,
    and it found other files that I was able to delete.
    Here is my HijackThis log file.

    If you are able to help me, it would be very much appreciated:


    Logfile of HijackThis v1.97.2
    Scan saved at 2:38:52 PM, on 16/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    Z:\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    Z:\Norton\NetSecurity\NISUM.EXE
    Z:\Norton\NetSecurity\NISSERV.EXE
    Z:\Norton\NetSecurity\SymProxySvc.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    Z:\Norton\navapw32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Z:\Samurize\Client.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - Z:\Norton\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Z:\Norton\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] Z:\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: Shortcut to Client.lnk = Z:\Samurize\Client.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. sinsation

    sinsation

    Joined:
    Sep 15, 2003
    Messages:
    323
    From what I've been reading, F0's are very bad (trying to learn these).
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    NAV has probably deleted these and just left the registry entries, since the file isn't showing up in Running Tasks.

    Check these entries in HijackThis and click "fix checked":

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

    Can you give some info on what this does? Is it ISP related?

    O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe

    About all I can find is this:

    http://216.239.53.104/search?q=cach...lies-print.cfm?t=55440+mum.exe&hl=en&ie=UTF-8

    And this?

    Samurize\Client.exe
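    Rollin' Rog's advice above is to fix the F0/F2 Shell= entries, because anything chained after the default Explorer.exe is started by Winlogon along with the shell, and the thread later notes that system32.exe is not a Windows file but a name picked to look like one. The script below is an added illustration, not part of this thread or of HijackThis: it runs exactly those two checks over a constructed log fragment in the same line format as the log posted above (the constructed sample deliberately includes a running System32.exe, which the real log did not show). The folder-lookalike list is a small assumed heuristic for the example, not an authoritative list.

```python
import ntpath
import re

# Constructed sample in the shape of a HijackThis v1.97 log (not the thread's own log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\System32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Assumed heuristic: file names that are a Windows folder name with ".exe" appended.
# No legitimate Windows binary carries these names; they exist only to look important.
FOLDER_LOOKALIKES = {"system32.exe", "system.exe", "windows.exe", "winnt.exe"}

# A HijackThis entry is "<section> - <body>", e.g. "F0 - system.ini: Shell=...".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_entry(line):
    """Split one log line into its section code and body, or None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2)}


def shell_extras(body):
    """For F0/F2 bodies: return whatever is loaded beyond the default 'Explorer.exe' shell.

    An empty string means the shell value is the stock one.
    """
    value = body.partition("Shell=")[2].strip()
    if value.lower() == "explorer.exe":
        return ""
    if value.lower().startswith("explorer.exe "):
        return value[len("explorer.exe "):].strip()   # program chained after Explorer
    return value                                        # shell replaced outright


def triage(log_text):
    """Return (section, detail, reason) tuples for the two checks discussed in the thread."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if ntpath.basename(line).lower() in FOLDER_LOOKALIKES:
                findings.append(("process", line, "running file name mimics a Windows folder name"))
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        if sec in ("F0", "F2") and "Shell=" in body:
            extra = shell_extras(body)
            if extra:
                findings.append((sec, extra, "non-default Winlogon shell: extra program loads with Explorer"))
        elif sec == "O4":
            # "[Name] target" for Run keys, "x.lnk = target" for Startup folder items
            target = body.split("]", 1)[-1].strip() if "]" in body else body.partition("=")[2].strip()
            if ntpath.basename(target).lower() in FOLDER_LOOKALIKES:
                findings.append((sec, target, "autostart target mimics a Windows folder name"))
    return findings


if __name__ == "__main__":
    for section, detail, reason in triage(SAMPLE_LOG):
        print(f"{section:8} {reason}: {detail}")
```

    Run against the constructed sample, the script reports the running System32.exe once and the F0 and F2 Shell= entries once each; the O4 entries pass because their targets are ordinary program names. Every other section type (R0, O2, O3, O9, O16) is left to a human, which matches how the thread is actually being handled.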
     
  4. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    Thanks Rollin' Rog, I'll do that.

    And, yes,
    it's a program that my ADSL ISP provides, so I can check my usage from an icon in the system tray.
    MuM = Monthly Usage Meter

    :)
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Thanks for the info.

    Unfortunately I'm not really seeing an explanation for your download problems in the Scanlog unless those system32.exe files are still loading but not showing in the Running Tasks. I don't think that's the case.

    My assumption is that NAV deleted them and what you have there are just residual registry entries -- they would produce an error message on startup if the files are missing.
     
  8. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    OK, this is weird.

    I checked and "fixed"
    those 2 files,

    rebooted,

    scanned with NAV,

    and it still picks up system32.exe as a virus / unable to repair.

    Here is the post-fix log file:

    Logfile of HijackThis v1.97.2
    Scan saved at 3:24:04 PM, on 16/09/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    Z:\WindowBlinds\wbload.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    Z:\Norton\NetSecurity\NISUM.EXE
    Z:\Norton\NetSecurity\SymProxySvc.exe
    Z:\Norton\NetSecurity\NISSERV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    Z:\INTERN~2\mum.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    Z:\Samurize\Client.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    Z:\Norton\navw32.exe
    Z:\( Internet Downloads )\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - Z:\Norton\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Z:\Norton\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - Startup: Shortcut to Client.lnk = Z:\Samurize\Client.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    As you can see,
    when I scanned, before fixing, I ran it from a CD that I burnt from another PC (as I am unable to d/l due to the virus):

    "D:\HijackThis.exe"

    and it came up with one of those errors when trying to fix.

    Then I copied it to

    "Z:\( Internet Downloads )\HijackThis.exe"

    and re-scanned, but I find the above ^

    Did I somehow screw it over, fooling it into believing it's fixed?
     
  10. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    OK, I think I fixed that problem.

    I went to C:
    and located the infected file - system32.exe,

    double-clicked it,

    went back to HT on the HD,
    scanned,
    fixed those 2 Fx's,

    rebooted,

    re-scanned with NAV.

    It still tells me it's infected with backdoor.sdbot - unable to repair =(

    Still not able to install / uninstall / download :confused:
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    NAV has probably quarantined the file. There is no need to repair it; it is not a system file and should be deleted.

    I'm not sure what error you encountered with HijackThis, the "post fix" log file looks fine to me; I don't see any reason for the download problems there.

    What exactly happens when you try to install, uninstall or download, do you get an error message?
     
  12. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    e.g.
    "Error Writing temp file"
    "Installer verification fail"

    Download window stalls after I click download.

    "1628 : Failed to complete installation"
    "Catastrophic failure"


    BTW: I searched around on Google,
    and apparently there is no valid file called system32.exe (could you please search your Windows directory), and that is the actual virus, just naming itself something important so you won't delete it.

    So, as you do, I deleted it :), and scanned with NAV, and no virus found :D

    However, I still get the installation / uninstallation / d/l problems.
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It sounds like either your Temporary Internet cache is full and needs to be deleted, or your Temp folder, or both.

    And yes, the system32.exe file is not a Windows file at all; we are very familiar with this trojan.

    I would reboot, and before opening Internet Explorer go to the Control Panel Internet Options applet and clear your Temporary Internet Cache.

    I would also delete the contents of the Temp folder under your User Name.

    If the problem persists, try troubleshooting it by creating a new User Profile and see if it persists there. If it doesn't then you know it is not a system problem but one related to this specific profile.

    Perhaps a corrupt index.dat file.

    The Temp folder under your User Name would typically be as such:

    C:\Documents and Settings\%USERNAME%\Local Settings\Temp
     
  14. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    Clear temp cache?

    Clear cookies / files / history?

    Actually, this is weird: when I click Settings under "Internet Options" (next to clear cookies / files),
    there is no "current location" for the cache,
    and the max disk space (MB) size for the cache is 0,
    and I'm not able to change that value.
    :confused:

    How and where should I point the cache files to be stored?
    That's probably why I can't d/l from the net.
     
  15. Jsuradi

    Jsuradi Thread Starter

    Joined:
    Sep 16, 2003
    Messages:
    12
    I tried to move the temp net files.

    It tells me it can't because there's not enough space for the currently downloaded files?? That's wrong, I've got like 5 gigs free...
     
Short URL to this thread: https://techguy.org/165155