Jump to content

ecoli HijackThis

ecoli

By ecoli
in Malware Prevention and Security

 Share

Recommended Posts

ecoli

ecoli

Posted
Posted

I need HELP!!!

I have a client computer that continues to launch this ntsystem.exe. I have removed it manually, I have edited the registry, I have removed it with HJT. I have removed it with killbox, I have removed it in Safe Mode and out. I can't find where it is originating.

The system was originally infected with Pesttrap, SpywareSherrif, and Internet.Explorer.

Using Spybot, Adaware and Windows Defender I think I am rid of that although it keeps trying to come back through Java 5.06.

Here is the latest HJT log. I hope someone sees what I miss:

Logfile of HijackThis v1.99.1

Scan saved at 1:58:32 PM, on 9/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINNT\System32\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINNT\System32\RegSrvc.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\system32\ZCfgSvc.exe

C:\WINNT\SYSTEM32\WISPTIS.EXE

C:\WINNT\System32\tabbtnu.exe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\System32\1XConfig.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Documents and Settings\bbowman\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intellicast.com/IcastPage/LoadP...mp;prodnav=none

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [gwiz] C:\WINNT\system32\ntsystem.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1092917525499

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercynt.pri

O17 - HKLM\Software\..\Telephony: DomainName = mercynt.pri

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercynt.pri

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercynt.pri

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll

O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll

O20 - Winlogon Notify: TabBtnWL - C:\WINNT\SYSTEM32\TabBtnWL.dll

O20 - Winlogon Notify: tpgwlnotify - C:\WINNT\SYSTEM32\tpgwlnot.dll

O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Thanks in advance.


Tarun

Tarun

Posted
Posted

O4 - HKLM\..\Run: [gwiz] C:\WINNT\system32\ntsystem.exe

That is a Malware.J virus. You should boot into safe mode and navigate to your %WinDir%\System32 directory and delete the ntsystem.exe file.

taltamir

taltamir

Posted
Posted (edited)

If removing that file wasn't enough (or just for security's sake since viruses sometimes install eachother)...

If it keeps on comming back through java? uninstall java and delete the java runtime user/settings files and folders. (you can reinstall it later when the outbreak is over).

While you are at it, disable system restore (it might save some copies there aswell)

Scan it from the online scanner housecall: http://housecall.trendmicro.com/

get the zonealarm trial and have it try and clean it: http://www.zonealarm.com/

Edited by taltamir
LLXX

LLXX

Posted
Posted
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [gwiz] C:\WINNT\system32\ntsystem.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mercynt.pri

O17 - HKLM\Software\..\Telephony: DomainName = mercynt.pri

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mercynt.pri

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mercynt.pri

From those O17s it looks like your TCP/IP stack was messed with...
ecoli

ecoli

Posted
  • Author
Posted
O4 - HKLM\..\Run: [gwiz] C:\WINNT\system32\ntsystem.exe

That is a Malware.J virus. You should boot into safe mode and navigate to your %WinDir%\System32 directory and delete the ntsystem.exe file.

When I delete it it always comes back on restarts. I have used HJT tools to remove it from startup folder, I have removed Reg entries as well. It always comes back. I can't seem to locate where it is originating from in the registry..there has to be something else telling it to load.

I am hoping to not have to do a complete mindwipe and reinstall.

Thanks all for the help. I'll try some of the software suggestions.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...