Serious Trojan/ Remote User attack!
I really don't know where to start. I have spent several hundred hours trying to fix this on my own, but I have to give up and hand this to you guys, if you want it. I guess I can start by telling you that I have 946 ports open. My system volume is corrupted with undeletable files, my BIOS is infected, and my ports have been hacked and I have a remote user completely in control of my computer. I have no admin rights. Someone changes them as fast as I do. I have re-installed Windows 17 times in two weeks. Immediately after a re-format, I have the same files in C:\Recycler and System Volume Information, and I know that is where many problems lie. I will be the absolute most help for anyone who wants to take on this challenge... I am at my wits' end and just need some expert help. I have lost 4000 pictures of my family and friends and new-born, 6000 songs, 1000s of documents, and a lot of sleep. I am running XP Home Edition with Service Pack 2 and all the hotfixes.

Logfile of HiJackFree v3.0
Scan saved at 4:30:32 PM, on 2/26/2008
Platform: Windows XP Service Pack 2 (Windows NT 5.1.2600)
MSIE: Internet Explorer v 6.0 Service Pack 2 (6.0.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\a-squared Anti-Malware\a2HiJackFree.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: - {82E5E2FF-9260-4d88-B0C6-7CC358C5D418} -
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [ScanmetenderStandard3] C:\Program Files\Scanmetender[Soft]\Scanmetender Standard\candard.exe
O7 - Regedit - Enabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra "Tools" menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1203850400921
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\System32\Ati2evxx.dll
O21 - ShellServiceObjectDelayLoad: PostBootReminder -
O21 - ShellServiceObjectDelayLoad: CDBurn -
O21 - ShellServiceObjectDelayLoad: WebCheck -
O21 - ShellServiceObjectDelayLoad: SysTray -
O22 - SharedTaskScheduler: Browseui preloader - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Anti-Malware Service - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe
O23 - Service: Application Layer Gateway Service - C:\WINDOWS\System32\alg.exe
O23 - Service: Application Management - C:\WINDOWS\system32\svchost.exe
O23 - Service: ASP.NET State Service - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
O23 - Service: ATI Smart - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio - C:\WINDOWS\System32\svchost.exe
O23 - Service: AVG7 Alert Manager Server - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Computer Browser - C:\WINDOWS\System32\svchost.exe
O23 - Service: Indexing Service - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: COM+ System Application - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Cryptographic Services - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher - C:\WINDOWS\system32\svchost
O23 - Service: DHCP Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Logical Disk Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support - C:\WINDOWS\System32\svchost.exe
O23 - Service: Human Interface Device Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service - C:\WINDOWS\System32\imapi.exe
O23 - Service: Server - C:\WINDOWS\System32\svchost.exe
O23 - Service: Workstation - C:\WINDOWS\System32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper - C:\WINDOWS\System32\svchost.exe
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe
O23 - Service: NetMeeting Remote Desktop Sharing - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator - C:\WINDOWS\System32\msdtc.exe
O23 - Service: Windows Installer - C:\WINDOWS\System32\msiexec.exe
O23 - Service: Network DDE - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon - C:\WINDOWS\System32\lsass.exe
O23 - Service: Network Connections - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage - C:\WINDOWS\system32\svchost.exe
O23 - Service: Plug and Play - C:\WINDOWS\system32\services.exe
O23 - Service: PunkBuster - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: IPSEC Services - C:\WINDOWS\System32\lsass.exe
O23 - Service: Protected Storage - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Desktop Help Session Manager - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) Locator - C:\WINDOWS\System32\locator.exe
O23 - Service: Remote Procedure Call (RPC) - C:\WINDOWS\system32\svchost
O23 - Service: QoS RSVP - C:\WINDOWS\System32\rsvp.exe
O23 - Service: Security Accounts Manager - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Task Scheduler - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) - C:\WINDOWS\System32\svchost.exe
O23 - Service: MS Software Shadow Copy Provider - C:\WINDOWS\System32\dllhost.exe
O23 - Service: Performance Logs and Alerts - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services - C:\WINDOWS\System32\svchost
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows User Mode Driver Framework - C:\WINDOWS\system32\wdfmgr.exe
O23 - Service: Universal Plug and Play Device Host - C:\WINDOWS\System32\svchost.exe
O23 - Service: Uninterruptible Power Supply - C:\WINDOWS\System32\ups.exe
O23 - Service: TrueVector Internet Monitor - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Volume Shadow Copy - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Time - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service - C:\WINDOWS\System32\svchost.exe
O23 - Service: WMI Performance Adapter - C:\WINDOWS\System32\wbem\wmiapsrv.exe
O23 - Service: Security Center - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service - C:\WINDOWS\System32\svchost.exe

I have a lot more important logs, like system logs and events; just tell me when you're ready... don't want to overload ya. Thank you in advance for any help at all you can give. If someone needs my phone number or any other help at all, please let me know... thank you so much. Scott
Comments
Scan saved at 8:14:19 PM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\RegistryFix\RegistryFix.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-21-789336058-2139871995-725345543-1003\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart (User '?')
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PunkBuster (PnkBstrA) - Unknown owner - C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 2916 bytes
Now I need you to rename HijackThis, and post another log (Very important!)