Virus question

nasaalien

New Member
My aunt's laptop has been infected with some sort of virus for some time now. Someone tracked her IP address and MAC address and is controlling her computer. She has tried numerous things like anti-spyware and reformatting. She recently got a new desktop and when she was trying to register Norton, the same thing happened to it. (Not really sure what; I live 3K miles away so doing this over the phone is all I got.)

So, is it possible for some sort of virus to still be in the network hardware, e.g. the modem, ethernet cable? Everything is hardwired. Thanks a bunch.
 
Firewall is already installed. What would be the content of the "Hijackthis" log? Also, can you respond to my other question of is it possible for the modem and or ethernet cable to be infected too? Thanks for replying.
 
I don't think it is possible for a virus to infect a modem or ethernet card. I could be wrong though, but I do know for a fact that there are viruses that can infect your memory and even after a reformat will still be on your computer!
 
The HijackThis log will tell us what things are running and what they are using to control the computer. Also, what firewall is running?
 
That's right, the reformat did not kill the virus. She has ZoneAlarm I believe, but it is impossible to download HijackThis right now because her internet is messed up from the virus and blocking her from doing other things. Another clue is she said that Control Panel looked different (not the Windows classic default when you first set up Windows). It changed from the weird one to the usual look right before her eyes then changed back. Freaky stuff.
 
Get her to boot into Safe Mode with Networking and go to merijn.org to download HijackThis. Even if it needs to be run in Safe Mode, it's better than nothing.
 
Logfile of HijackThis v1.99.1
Scan saved at 4:19:33 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\j2\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QBReminderFlash] "C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\regmech.exe /S
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128668353925
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
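An added example, not posted by anyone in this thread: a small Python parser for the HijackThis v1.99 line format shown above. It splits the "Running processes:" block from the R/O entries, recovers the file each entry points at, and attaches triage hints that a helper reading such a log usually looks for first (an autorun entry that is a bare filename resolved through the PATH, anything started from a Temp folder, an unnamed BHO). The sample log it runs on is constructed for this example; the paths and CLSIDs are made up, and the hints are starting points for a human review, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99 layout. Paths, names and CLSIDs are
# made up for this example; nothing here is taken from a real machine.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\SomeToolbar\tb.dll
O2 - BHO: Acrobat Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Adobe\AcroIEHelper.dll
O4 - HKLM\..\Run: [Tray] C:\Program Files\Vendor\tray.exe /silent
O4 - HKLM\..\Run: [Sys] stsystra.exe
O4 - HKCU\..\Run: [Updater] "C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe" -bg
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""


@dataclass
class Entry:
    code: str                 # section code: R0, O2, O4, O23, ...
    text: str                 # remainder of the line after "<code> - "
    path: Optional[str]       # file the entry points at, when one can be recovered
    flags: List[str] = field(default_factory=list)  # triage hints, not verdicts


@dataclass
class Report:
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

    def flagged(self) -> List[Entry]:
        return [e for e in self.entries if e.flags]


LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<text>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[[^\]]*\] (?P<cmd>.+)$")
EXT_RE = re.compile(r"\.(?:exe|dll|ocx|sys|cab)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:temp|tmp|locals~1)\\", re.IGNORECASE)


def exe_from_command(cmd: str) -> Optional[str]:
    """Cut an autorun command line down to its executable (drops quotes and switches)."""
    cmd = cmd.strip().lstrip('"')
    m = EXT_RE.search(cmd)
    return cmd[:m.end()] if m else None


def path_from(code: str, text: str) -> Optional[str]:
    """Recover the file an entry refers to, using the layout of its section."""
    if code in ("R0", "R1"):
        return None                          # these carry URLs, not files
    if code == "O4":
        m = RUN_RE.match(text)
        if m:
            return exe_from_command(m.group("cmd"))
        if " = " in text:                    # "Global Startup: foo.lnk = C:\...\foo.exe"
            return exe_from_command(text.split(" = ", 1)[1])
        return None
    if " - " in text:                        # O2/O3/O9/O23/R3: file is the last " - " field
        return exe_from_command(text.rsplit(" - ", 1)[1])
    return None


def triage(e: Entry) -> List[str]:
    flags = []
    if e.code == "O4" and e.path is not None and "\\" not in e.path:
        flags.append("bare-filename")        # resolved via PATH search at logon: confirm which file really runs
    if e.path is not None and TEMP_RE.search(e.path):
        flags.append("temp-dir")             # legitimate software almost never autostarts from a temp folder
    if e.code == "O2" and e.text.startswith("BHO: (no name)"):
        flags.append("unnamed-bho")          # an IE helper object with no registered name deserves a look
    return flags


def parse_log(text: str) -> Report:
    report = Report()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                         # process block ends at the first blank line
            if not line:
                in_procs = False
            else:
                report.processes.append(line)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                         # header lines and blanks
        e = Entry(m.group("code"), m.group("text"), path_from(m.group("code"), m.group("text")))
        e.flags = triage(e)
        report.entries.append(e)
    return report


def temp_processes(report: Report) -> List[str]:
    """Running processes whose image lives in a temp folder (HijackThis itself often does)."""
    return [p for p in report.processes if TEMP_RE.search(p)]


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for e in rep.flagged():
        print(e.code, ",".join(e.flags), "->", e.text)
    for p in temp_processes(rep):
        print("running from temp:", p)
```

Run against a real log, the output is a short list to check by hand: for each flagged O4 entry, look up where the named file actually sits on disk and who signed it; a bare filename such as the "stsystra.exe" style entry is only suspicious if the file found first on the PATH is not the vendor's.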
 
I sent her what you just said via hotmail. Here is what she wanted me to post. Sorry for the long read:

here are some of the issues that might be helpful in identifying what's going on...

Remote desktop access keeps cropping up as at least one of the means for gaining access to my desktop PC now (where the hijack file was run). No matter how many times I uncheck that access -- it keeps coming back. After a while -- like right now I think...although it appears that remote desktop has been "turned off" -- it's still running -- but, is now invisible to me. Every time I delete scripts, etc. that are clearly malicious -- typically, they return in a new locations. After finding them again and deleting them...typically what happens is that they are still present and running, but, no longer visible anywhere (even when I "unhide" programs/files).

Now that I have a new modem and Linksys Broadband Firewall Router sitting between my modem and PC...my modem IP address and MAC address may not be visible to the outside world -- but, fixed identifiers on my desktop system remain visible to those who previously had gained access to me and set up remote desktop to work. Dell had me run a new utility (via CTRL F11, as system starts boot), which supposedly had my system set-up return to its original state. I then setup the router and began the process of activating Norton 2005 Internet Security Suite. Naturally, it accessed the internet to download the definitions, etc. before I could perform a full scan of my system. The scan results showed all was ok. Just as I finished setting up the advanced parameters as secure as possible - Norton became inaccessible. It stopped functioning. Trying to access it became impossible. I ran Registry Mechanic, which initially identified over 200 critical problems, but, before it would repair the problems, I had to register my copy. As I was doing it, the screen that displayed those results flashed and instead of displaying over 200 issues, the number of issues suddenly changed to 3!! That's without me doing anything other than registering the program. Then it wouldn't let me download any updated definitions.

So, there's definitely something deeper in my system that does not get deleted or become disabled just by replacing the operating system and starting over. I also think that there is a fixed identifier that is known by those who had previously gained access to my system via remote desktop. So, I think it's probably a combination of the two that keeps this virus going despite starting over. The same thing happened with my laptop 4 times. Everything was deleted...including the only partition that was visible. New partition was created & formatted as part of loading Windows XP home edition operating system from the original CDs. The operating system on my desktop is Windows XP 2005 Media Edition.

Some suspicious stuff to consider: The user identity class # starting with "S-1-5-18.........." is the number that keeps cropping up in strange places. I had noticed either on this desktop or the laptop that it would appear in some of the local access policies in the management console -- rather than listing a "group" e.g. "users", "administrators", "everyone", "owner", etc. The identity login in the registry associated with it is: 0x000098053 (633675). It is the same number associated with S-1-5-19 and "20". The last user to logon field is empty. S-1-5-21 is the only one that has a different identity login...a very long number that looks like it is more legitimate. The last user to logon field is "main identity".

In Windows Explorer path as follows...Do these 4 scripts mean anything??
Path: Windows/PcHealth/System/Scripts....
Common
Homepage__Desktop
Homepage__Server
Homepage__shared
wrapperparam
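An added example, not from any poster in this thread, for reading the SIDs mentioned in the post above. S-1-5-18, S-1-5-19 and S-1-5-20 are documented well-known Windows SIDs (LocalSystem, LocalService and NetworkService) that exist on every Windows installation, which is why they show up in local security policy entries and in the ProfileList registry key alongside real accounts; only S-1-5-21-... SIDs identify accounts created on a particular machine or domain. The small Python parser below decodes a SID string, names the well-known ones and the built-in RIDs (500 Administrator, 501 Guest), and sorts a list of SIDs into built-ins versus machine accounts. The sample SID list is constructed for this example; the machine-specific numbers in it are made up.

```python
import re
from typing import Dict, List, Tuple

# Documented well-known Windows SIDs (fixed constants, identical on every install).
WELL_KNOWN: Dict[str, str] = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LocalSystem (the SYSTEM account that services run as)",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative identifiers (RIDs) inside a machine or domain SID.
WELL_KNOWN_RIDS: Dict[int, str] = {500: "built-in Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Split 'S-<revision>-<authority>-<sub-authority>...' into its numeric parts."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).strip("-").split("-")]
    return revision, authority, subs


def is_machine_account(sid: str) -> bool:
    """True for S-1-5-21-<three machine/domain parts>-<RID>, i.e. an account on a specific machine or domain."""
    try:
        _, authority, subs = parse_sid(sid)
    except ValueError:
        return False
    return authority == 5 and len(subs) == 5 and subs[0] == 21


def describe_sid(sid: str) -> str:
    sid = sid.strip()
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    if is_machine_account(sid):
        _, _, subs = parse_sid(sid)
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            kind = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:                 # RIDs below 1000 are reserved for built-in principals
            kind = "user or group created on this machine/domain"
        else:
            kind = "reserved RID"
        machine = "-".join(str(s) for s in subs[1:4])
        return f"account RID {rid} ({kind}) in machine/domain {machine}"
    return "unrecognised SID"


def classify(sids: List[str]) -> Dict[str, List[str]]:
    """Sort SIDs (e.g. the subkeys of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList)
    into built-ins, real accounts and anything else worth a closer look."""
    out: Dict[str, List[str]] = {"well_known": [], "machine_accounts": [], "other": []}
    for s in sids:
        s = s.strip()
        if s in WELL_KNOWN:
            out["well_known"].append(s)
        elif is_machine_account(s):
            out["machine_accounts"].append(s)
        else:
            out["other"].append(s)
    return out


# Constructed sample: the three service SIDs plus two made-up local accounts.
SAMPLE_SIDS = [
    "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-1234567890-234567890-345678901-500",
    "S-1-5-21-1234567890-234567890-345678901-1003",
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        print(s, "->", describe_sid(s))
    print(classify(SAMPLE_SIDS))
```

The practical use is separating what is expected from what is not: the well-known entries are the same on every XP box and carry no information about who logged in, so the accounts worth checking against the known users of the machine are the S-1-5-21-... ones, in particular any RID at or above 1000 that nobody remembers creating.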
 
Have her download Kaspersky from the link below.
http://www.kaspersky.com/trials?chapter=154373188
Check for updates.
Then boot to Safe Mode (without networking).
Open Kaspersky, but before running it, press Ctrl+Alt+Del to open Task Manager, select "Processes" and end the explorer.exe process. Leave Task Manager open.
Then run a full scan with Kaspersky.
When the scan finishes, go back to Task Manager and select "File", then "New Task (Run...)", type explorer.exe, then hit "OK", then try to restart in normal mode.
 