HiJackThis - Help mE :(

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
NAV picked up backdoor.sdbot.
Ever since, I can't uninstall / install / download files from servers.
NAV says my infected file is system32.exe,
and it found other files that I was able to delete.
Here is my HijackThis log file.

If you are able to help me, it would be very much appreciated:


Logfile of HijackThis v1.97.2
Scan saved at 2:38:52 PM, on 16/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
Z:\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
Z:\Norton\NetSecurity\NISUM.EXE
Z:\Norton\NetSecurity\NISSERV.EXE
Z:\Norton\NetSecurity\SymProxySvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
Z:\Norton\navapw32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Z:\Samurize\Client.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - Z:\Norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Z:\Norton\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] Z:\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Shortcut to Client.lnk = Z:\Samurize\Client.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 
Joined
Dec 9, 2000
Messages
45,855
Nav has probably deleted these and just left the registry entries since the file isn't showing up in Running Tasks.

Check these entries in HijackThis and click "fix checked":

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

Can you give some info on what this does? Is it ISP related?

O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe

About all I can find is this:

http://216.239.53.104/search?q=cach...lies-print.cfm?t=55440+mum.exe&hl=en&ie=UTF-8

And this?

Samurize\Client.exe
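As an added illustration (not part of the thread or of HijackThis itself), a small Python script that applies the reasoning in the reply above mechanically: it parses a HijackThis log, flags any F0/F2 Shell= entry that loads something besides Explorer.exe (the normal Windows XP value), and reports whether that extra program also appears in the "Running processes" list, which is the check used above to judge that NAV had already removed the file. The embedded log excerpt is constructed from the entries posted in this thread.

```python
import re

# Constructed excerpt modelled on the first log in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
Z:\Norton\navapw32.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")
SHELL_RE = re.compile(r"^(F0|F2) - .*?Shell=(.*)$", re.IGNORECASE)
# One executable at a time: a path may contain spaces, so split on ".exe" boundaries.
EXE_RE = re.compile(r"\S.*?\.exe", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into the 'Running processes' list and the scan entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def check_shell_entries(entries, processes):
    """Flag Shell= values loading anything but Explorer.exe; note if it is running."""
    running = {p.lower() for p in processes}
    findings = []
    for entry in entries:
        m = SHELL_RE.match(entry)
        if not m:
            continue
        for program in EXE_RE.findall(m.group(2)):
            if program.lower() != "explorer.exe":
                findings.append({"section": m.group(1), "program": program,
                                 "running": program.lower() in running})
    return findings
```

A finding with `running` False matches the situation in this thread: the Shell entry still points at System32.exe, but nothing by that name is loaded.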
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
Thanks Rollin Rog, I'll do that.

And, yes,
it's a program that my ADSL ISP provides, so I can check my usage from an icon in the system tray.
MuM = Monthly Usage Meter

:)
 
Joined
Dec 9, 2000
Messages
45,855
Thanks for the info.

Unfortunately I'm not really seeing an explanation for your download problems in the Scanlog unless those system32.exe files are still loading but not showing in the Running Tasks. I don't think that's the case.

My assumption is that NAV deleted them and what you have there are just residual registry entries -- they would produce an error message on startup if the files are missing.
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
Ok, this is weird.

I checked, and "fixed"
those 2 files,

rebooted,

scanned with NAV,

and it still picks up system32.exe as a virus / unable to repair.

Here is the post-fix log file:

Logfile of HijackThis v1.97.2
Scan saved at 3:24:04 PM, on 16/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
Z:\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
Z:\Norton\NetSecurity\NISUM.EXE
Z:\Norton\NetSecurity\SymProxySvc.exe
Z:\Norton\NetSecurity\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
Z:\INTERN~2\mum.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Z:\Samurize\Client.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
Z:\Norton\navw32.exe
Z:\( Internet Downloads )\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - Z:\Norton\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Z:\Norton\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InternodeUsage] Z:\INTERN~2\mum.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - Startup: Shortcut to Client.lnk = Z:\Samurize\Client.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
As you can see,
when I scanned, before fixing, I ran it from a CD that I burnt from another PC (as I am unable to d/l due to the virus):

"D:\HijackThis.exe"

and it came up with one of those errors when trying to fix.

Then I copied it to

"Z:\( Internet Downloads )\HijackThis.exe"

and re-scanned, but I find the above ^

Did I somehow screw it over - fooling it to believe it's fixed?
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
Ok, I think I fixed that problem.

I went to C:
and located the infected file - system32.exe,

double clicked it,

went back to HT on the HD,
scanned,
fixed those 2 Fx's,

rebooted,

re-scanned with NAV.

It still tells me it's infected with backdoor.sdbot - unable to repair =(

Still not able to install / uninstall / download :confused:
 
Joined
Dec 9, 2000
Messages
45,855
Nav has probably quarantined the file. There is no need to repair it; it is not a system file and should be deleted.

I'm not sure what error you encountered with HijackThis, the "post fix" log file looks fine to me; I don't see any reason for the download problems there.

What exactly happens when you try to install, uninstall or download, do you get an error message?
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
e.g.
"Error Writing temp file"
"Installer verification fail"

Download window stalls after I click download.

"1628 : Failed to complete installation"
"Catastrophic failure"

BTW: I searched around on Google,
and apparently there is no valid file called system32.exe (could you please search your Windows directory), and that that is the actual virus, just naming itself something important so you won't delete it.

So, as you do, I deleted it :), and scanned with NAV, and no virus found :D

However, I still get the installation / uninstallation / d/l problems.
 
Joined
Dec 9, 2000
Messages
45,855
It sounds like either your Temporary Internet cache is full and needs to be deleted, or your Temp folder, or both.

And yes, the system32.exe file is not a Windows file at all; we are very familiar with this trojan.

I would reboot, and before opening Internet Explorer go to the Control Panel Internet Options applet and clear your Temporary Internet Cache.

I would also delete the contents of the Temp folder under your User Name.

If the problem persists, try troubleshooting it by creating a new User Profile and see if it persists there. If it doesn't then you know it is not a system problem but one related to this specific profile.

Perhaps a corrupt index.dat file.

The Temp folder under your User Name would typically be as such:

C:\Documents and Settings\%USERNAME%\Local Settings\Temp
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
Clear temp cache?

Clear cookies / files / history?

Actually, this is weird: when I click Settings under "Internet Options" (next to clear cookies / files),
there is no "current location" for cache,
and the max disk space (MB) size for cache is 0,
and I'm not able to change that value.
:confused:

How and where should I point the cache files to be stored?
That's probably why I can't d/l from the net.
 

Jsuradi

Thread Starter
Joined
Sep 16, 2003
Messages
12
I tried to move temp net files.

It tells me it can't because there's not enough space for the currently downloaded files?? That's wrong, I've got like 5 gigs free...
 