holy malware batman!
I've been totally fucked in the most peculiar way
I know this will be moved to T&T but I am not posting this here out of spite, hopefully it will get more people's attention. This is very urgent.
somehow I have been infected with something that totally fucks up internet browsers...
the really fucking gay thing about it is how it won't let me access my usual sites (q3w, google, etc.) but for some reason other websites work just fine.
I had to use another computer to post this here, my PC just can't seem to load Q3W at all, it's almost like a bad nightmare... many other websites work just fine.
I have no clue as to how to go about finding the problem since CCleaner and Ad-Aware didn't do shit to resolve my problem.
I really need help with this little fucker... I am too busy to consider an OS re-install atm.
at this point if it takes a shareware solution then so be it, I just want this issue resolved!
edit: a distinct feature of this malware I have noticed is how it has completely fucked up my quicklaunch icons ... matter of fact I can't get the quicklaunch to show at all.
Re: holy malware batman!
Can you post a Hijack this log? http://www.trendsecure.com/portal/en-US ... ckthis.php
BTW, if you restart in safe mode with networking you can usually do most things without the malware affecting you.
Re: holy malware batman!
Bonjour!?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:20 PM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\NMSAccess.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\tsakali\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://timelesstreasuresstudio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM27d55196] Rundll32.exe "C:\WINDOWS\system32\nilwaclp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NMSAccess - Unknown owner - C:\WINDOWS\system32\NMSAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Prime95 Service-0 - Unknown owner - C:\Program Files\Prime95\Prime95.exe (file missing)
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
--
Re: holy malware batman!
Bonjour is safe (it's from Adobe IIRC)
According to the log analyser here it looks like the following things are bad. Place a check next to it and click fix:
C:\Program Files\Internet Explorer\svchost.exe
Re: holy malware batman!
PhoeniX wrote:
    Bonjour is safe (it's from Adobe IIRC)
    According to the log analyser here it looks like the following things are bad. Place a check next to it and click fix:
    C:\Program Files\Internet Explorer\svchost.exe

Bonjour is iTunes related I believe.
Re: holy malware batman!
I did as you said, and then rebooted but it is still fucked... not to mention that I ran the check again and svchost is still in the list... should I have done this while in safe mode?
Re: holy malware batman!
You're always going to have svchost.exe in the list, it's a core windows process that services depend upon.
svchost can crop up on malware lists because it's often hijacked and replaced with a malicious svchost.exe replacement.
Re: holy malware batman!
so how does it know that file is the problem then? I don't understand, but bottom line is I haven't fixed it yet
this sucks

Re: holy malware batman!
ah wait, didn't spot the penultimate line in the log.
The genuine svchost.exe is located in C:\Windows\System32. Almost any other location on your hard drive and you know it's not legit.
So in this case there's windownetpker which is trying to hide itself
From a quick google you may be able to remove it by putting this in a text file:
sc config windownetpker start= disabled
sc stop windownetpker
sc delete windownetpker
then renaming the file to whatever.bat and running it.
All it'll do is stop then delete the service.
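The check behind the last two replies (a real svchost.exe lives in C:\Windows\System32, so the O23 entry launching one from C:\Program Files\Internet Explorer is the giveaway) can be automated. The script below is an added example and not part of this thread: it parses the "Running processes" and O23 sections of a HijackThis log, flags every svchost.exe running from, or registered as a service from, anywhere other than System32, and emits the three sc lines suggested above for the offending service. The embedded log is a constructed cut-down copy of the one posted earlier; the function names and the default C:\WINDOWS system root are my own assumptions.

```python
"""Flag svchost.exe masquerades in a HijackThis log (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: a cut-down copy of the log posted earlier in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service-0 - Unknown owner - C:\Program Files\Prime95\Prime95.exe (file missing)
O23 - Service: Window Image Worker (windownetpker) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - ")            # any HijackThis R0/R1/O3/O23... entry
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")  # trailing "(servicename)" in an O23 display name


def parse_hijackthis(text):
    """Return {'processes': [path, ...], 'services': [{'name', 'service', 'owner', 'path'}, ...]}."""
    processes, services = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line and not ENTRY_RE.match(line):
                processes.append(line)
                continue
            in_processes = False  # a blank line or the first R/O entry ends the section
        if line.startswith("O23 - Service: "):
            # Fields are " - " separated: display name [(short name)] - owner - binary path
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            display, owner, path = parts
            path = path.replace(" (file missing)", "").strip()
            m = SHORT_NAME_RE.search(display)
            services.append({"name": display, "service": m.group(1) if m else display,
                             "owner": owner, "path": path})
    return {"processes": processes, "services": services}


def is_genuine_svchost(path, windir=r"C:\WINDOWS"):
    """True only if path is svchost.exe directly inside <windir>\\System32 (case-insensitive)."""
    p = PureWindowsPath(path)
    expected = str(PureWindowsPath(windir) / "System32").lower()
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() == expected


def find_suspicious_svchost(report, windir=r"C:\WINDOWS"):
    """Every svchost.exe that runs from, or is registered as a service from, the wrong directory."""
    findings = []
    for path in report["processes"]:
        if PureWindowsPath(path).name.lower() == "svchost.exe" and not is_genuine_svchost(path, windir):
            findings.append({"kind": "process", "path": path, "service": None})
    for svc in report["services"]:
        if PureWindowsPath(svc["path"]).name.lower() == "svchost.exe" and not is_genuine_svchost(svc["path"], windir):
            findings.append({"kind": "service", "path": svc["path"], "service": svc["service"]})
    return findings


def removal_batch(service_name):
    """The three sc.exe lines suggested in the thread, as the body of a .bat file for one service."""
    return "\n".join([f"sc config {service_name} start= disabled",
                      f"sc stop {service_name}",
                      f"sc delete {service_name}"])


if __name__ == "__main__":
    report = parse_hijackthis(SAMPLE_LOG)
    for f in find_suspicious_svchost(report):
        tag = f"  (service {f['service']})" if f["service"] else ""
        print(f"{f['kind']:8} {f['path']}{tag}")
        if f["service"]:
            print(removal_batch(f["service"]))
```

Run against the sample it reports the rogue process and the windownetpker service; note that the two System32 entries pass even though one is spelled "system32" and the other "System32", which is why the comparison is case-insensitive.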
Re: holy malware batman!
ok it seemed to have removed that entry... which is progress.. IE seems to be working better now but firefox is still fuxed. I'll try to reinstall it..
ps
how about the svchost under system32, can I just safely delete it, and will it recreate itself if it is a needed file?
edit: never mind, the problem seems to still be there.. this post pretty much got posted but IE was stuck on stupid ... I had to go to another pc to see if it posted or not..... this is so frustrating ...feels like someone cut my legs off
Re: holy malware batman!
You can't remove the real svchost.exe in system32.
I'm not much cop at getting rid of spyware - If the automatic tools can't be found it's usually a messy process of deleting files and editing the registry.
My approach is prevention and if I do manage to get one a reformat is often the simplest choice. For me. Your circumstances likely differ.
Re: holy malware batman!
yeah that would be my usual solution to something like this, but I am in the middle of a project as of right now and it would take me hours to get my system where it needs to be again for me to continue...but I have wasted hours on this problem as it is, hmm
Re: holy malware batman!
might as well...see you on the other side 

Re: holy malware batman!
there goes Pisquali .. scrambling for an xp disk and finding his scratched to hell .. OH WAIT that was me
[WYD]
Re: holy malware batman!
well I'm back, ...I got a new hdd because I didn't want to overlook anything... besides this is actually a SATA drive which is an update from my IDE previous setup... not sure what kind of performance increase I can expect but it's more quiet and it does feel faster though it might be the fresh install.
All things considered it always feels good to have a clean slate
now back to getting things installed

Re: holy malware batman!
Scourge wrote:
    PhoeniX wrote:
        Bonjour is safe (it's from Adobe IIRC)
        According to the log analyser here it looks like the following things are bad. Place a check next to it and click fix:
        C:\Program Files\Internet Explorer\svchost.exe
    Bonjour is iTunes related I believe.

It's used by a wide variety of software, including Adobe CS3.