19 replies to this topic

[be1ieve1111]

I had the popup saying that I have a spyware trying to install itself.


Automatically I realized that It was in fact a some type of malware itself.

I am running Windows 2000 5.00.2195 SP4

It disabled my task manager and my internet is not functional

I did a scan with Malwarebytes.

It detected two registry files and one .htm file which is used to launch the website being linked by the pop up.

Hijack.Desktop Reference 90554,11744

Another one that disables my Task Manager.

Every time I click on remove selected and restart the computer, they reproduce themselves during
the restart, and Malwarebytes detects them again, and its a vicious cycle. I tried cutting off the internet
by unplugging the cable to make sure the "malware" doesn't reach its host on the internet in order to restore
the just deleted files. After failing at that, I turn the computer off, so I can bring in another computer to post this
thread. Now, Malwarebytes freezes during the scanning process after a few seconds, both during full and quick scans, so
I can't even get to removing this.

Any help?

[nosirrah]

Download and run hijackthis :

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Choose "do a system scan and save a logfile" . Open the saved load and then copy and paste the contents of the log into your next post .

[be1ieve1111]

With the latest version of Malware:

These are the three recurring files were:

Trojan.Agent File C:\WINNT\default.htm
Hijack.Desktop Registry Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper
Hijack.TaskManager Registry Data HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

[be1ieve1111]

Here is the Malware Log file:

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.0.2195 Service Pack 4

9/7/2008 3:15:52 PM
mbam-log-2008-09-07 (15-15-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 53585
Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.


Hijack this log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:28 PM, on 9/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\uesiuqcr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ridgefoods.hopto.org/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\uesiuqcr.exe,
O2 - BHO: getsn32.msiesn - {2D9F1530-0B38-4DCB-A90A-CECD559F3514} - C:\WINNT\system32\getsn32.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP chain gap (#13 in chain of 13 missing)
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.idesitv.com/livetv.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Still Image Service StiSvcBrowser (StiSvcBrowser) - Unknown owner - C:\WINNT\system32\acelpdecz.exe (file missing)

--
End of file - 3441 bytes

[be1ieve1111]

Looks like the culprit is uesiuqcr.exe

[nosirrah]

I think I have your problem solved but need 2 files to know for sure .

Please zip a copy of C:\WINNT\system32\getsn32.dll and C:\WINNT\system32\uesiuqcr.exe and attach them to your next post .

[nosirrah]

If you need assistance the attached file when run will create a folder on your desktop containing the files I need .

Attached Files

•  capture.zip   254bytes   22 downloads

[be1ieve1111]

here they are

Attached Files

•  malware.zip   82.8K   37 downloads

[nosirrah]

Thanks , within 15 minutes ill have an update up

[be1ieve1111]

nosirrah, on Sep 7 2008, 09:09 PM, said:

Thanks , within 15 minutes ill have an update up

Thanks alot for your help nosirrah!

[nosirrah]

Update and scan again , you should be good .

Please post another log as well (MBAM and HJT) just to be sure .

[be1ieve1111]

How do I update if the computer has no ability get online?

[nosirrah]

Ok , lets try this , download and unzip the file attached to this post . First close MBAM if its open .

Copy it to :

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

Let it overwrite what is there .

Now do another scan and post the log after reboot .

Attached Files

•  rules.zip   1011.25K   36 downloads

[be1ieve1111]

Thanks, scanning right now, will post both logs in 15 minutes.

[be1ieve1111]

My internet is still dead, I know its the computer, because this computer is on the same network. It is a moneygram computer, and the money gram program still will not boot.

here are the files:

MBAM
Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.0.2195 Service Pack 4

9/7/2008 5:00:08 PM
mbam-log-2008-09-07 (17-00-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 54169
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{252874d8-5b00-4b93-a282-4ca656598278} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e221c81b-e518-4f93-b0d2-14e52065417a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d9f1530-0b38-4dcb-a90a-cecd559f3514} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e6be5e3a-23f3-4ec2-b9b7-bcd9a601f2a3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38754e01-ac2e-482b-95fa-f1aee41823c4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9f146720-43f3-4fa6-b9e5-4fb13f8c2ffd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINNT\system32\userinit.exe,C:\WINNT\system32\uesiuqcr.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\getsn32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\smwin32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\getsn32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\New Folder\uesiuqcr.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Local Settings\Temp\dkf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mainti2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\newsys.exe (Rogue.Spymonitor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5AR6NQ5K\mainti2[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\HTW1Z589\newsys[1].exe (Rogue.Spymonitor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\J85TR9CT\dkf[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.


Hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:05:54 PM, on 9/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ridgefoods.hopto.org/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP chain gap (#13 in chain of 13 missing)
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopc...oad/SOPCORE.CAB
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.idesitv.com/livetv.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Still Image Service StiSvcBrowser (StiSvcBrowser) - Unknown owner - C:\WINNT\system32\acelpdecz.exe (file missing)

--
End of file - 3235 bytes

[nosirrah]

Nice , we did get the other file I knew was there , looks clean now .

As far as networking goes I would try this :

http://www.majorgeek...wnload4372.html

This will reset a lot of networking components and could fix things , good luck .

[be1ieve1111]

nosirrah, on Sep 7 2008, 11:20 PM, said:

Nice , we did get the other file I knew was there , looks clean now .

As far as networking goes I would try this :

http://www.majorgeek...wnload4372.html

This will reset a lot of networking components and could fix things , good luck .

anything for a windows 2000 machine?

[nosirrah]

ah , yes

http://www.softpedia.com/get/Tweak/Network...inSockFix.shtml

I think this version works on all OSs .

[be1ieve1111]

You're a savior thanks alot for your help, and I apologize for my neediness. I could have easily found them myself.

Thanks again.

[nosirrah]

Are we 100% again ?

If so thanks go out to you as well , I cant help anyone with malware without that person helping everyone else at the same time .