1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

nasty set of strings?

Discussion in 'Virus & Other Malware Removal' started by lemmonhead, Oct 3, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. lemmonhead

    lemmonhead Thread Starter

    Joined:
    Oct 3, 2003
    Messages:
    19
    Hi Guys and Gals, Have noticed some nasty stuff going on in my system lately and have been reading till my eyes are bleeding.

    Found a hidden server a few weeks back and got rid of that, then the other day I noticed a bunch of my files had been copied to a new folder of a trusted program, right in my documents so it was a given to spot.

    Could someone look at the strings I've attached from The IME in the system 32 folder. Noticed some lines of copying success, and then failed to delete the new folder. I'm guessing this is where my unkown sudden copied folder came from. Sure looks like it trying to access the whole system. Also NAV is most definetely hijacked and am having a hell of a time deleting everything.

    will post hijack and startup log as well. Running XP pro, Intel 2.4ghz, 1g ddr

    Thanks in advance for any help.

    Lemmonhead



    Logfile of HijackThis v1.97.2
    Scan saved at 8:46:20 PM, on 10/03/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.52.129.222:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Joyo (HKLM)
    O9 - Extra button: PowerWord (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.8779861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
     

    Attached Files:

  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  3. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    What's with this stuff ??

    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

    This would have AHQinit.exe running twice ?
    I don't really know about the first one (probably legit) - but the second one is calling itself QD FastAndSafe and the executable associated with that is usually QDCSFS.exe (which is Fast & Safe clean-up from Norton/Quarterdeck Cleansweep)

    Are you in south america (brazil?) - 200.52.129.222 is.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    That's an interesting catch. In looking about the web I can see at least several posts where that QD FastandSafe entry has become corrupted and either has nothing after it or points to file not associated with Quarter Deck.

    I would just delete this:

    O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
     
  5. lemmonhead

    lemmonhead Thread Starter

    Joined:
    Oct 3, 2003
    Messages:
    19
    Problem is that whatever corrupted Nav in the first place, did so in a way in which I am unable to uninstall it completely so as to be able to re-install. There are some leftovers that appear to be running, as I can't even rename to delete.

    Thought just re-installing would overwrite, but wants me to uninstall previous version and installation fails.

    As far as hijack log goes, I worked in reverse. Deleted everything and restored items one by one till system was stable.


    Here is new log

    Logfile of HijackThis v1.97.2
    Scan saved at 3:11:26 AM, on 10/04/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\STOPzilla!\Stopzilla.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.8779861111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Have you tried the rnav2003 utility?

    You can also find manual uninstall instructions on the Symantec site if necessary.

    http://service1.symantec.com/SUPPOR...148515ef25eeb79788256a70006448f5?OpenDocument

    For what it's worth you can also check and fix these two items:

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Updreg.exe is just a registration reminder for creative labs and KernelFaultCheck is an XP debugger of use only to developers and other experienced folks who know how to use it.

    http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - nasty strings
  1. alaf
    Replies:
    1
    Views:
    486
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/169354

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice