I think I have a virus/trojan

j511180

Senior member
Mar 22, 2005
335
0
0
symptoms:
- browser started crashing a lot (I use Opera 99% of the time)
- then browser gets hijacked/redirected to other sites
- can't run regedit or cmd prompt (there's no error message, just my taskbar disappears along with my desktop icons for a few seconds; same result in safemode)
- can't update Windows manually (IE freezes/stops responding)
- can't update Antivir or AVG

I think that's it. But overall, the pc seems to run normally; doesn't feel sluggish. I've reinstalled Opera (v9.64), tried an older version, and have since reinstalled 9.64 - same results.

So far I've run full scans in safe mode with Malwarebytes and Superantispyware. Nothing was detected. I also tried McAfee Stinger and klwk.com utility.

I've also updated Acrobat Reader, Flash and Java as requested by Secunia PSI.

So maybe it's not malware and I've just funked something up. Here's my HJT log if it matters:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:05 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\VolumeTray\VolumeTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\j\Desktop\Core Temp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [VolumeTray] C:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Core Temp] C:\Documents and Settings\j\Desktop\Core Temp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro....n32/activex/hcImpl.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...site.cab?1230279255562
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.co...site.cab?1230279248421
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5276 bytes
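An added triage helper, written for this thread and not part of any post: it parses the O4/O16/O23 lines of a HijackThis log like the one above and lists the entries a human reader should look at first (autoruns outside Program Files/Windows or given only as a bare filename, ActiveX download hosts outside an operator-maintained allowlist, services with no recorded publisher). The allowlist and the sample lines (copied from the log above) are constructed for the example; a flagged entry is a review prompt, not a verdict.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Core Temp] C:\Documents and Settings\j\Desktop\Core Temp.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
# Constructed allowlist of vetted ActiveX (O16) download hosts; extend it for your own environment.
TRUSTED_DPF_HOSTS = {"www.update.microsoft.com", "download.gigabyte.com.tw"}
STANDARD_DIRS = ("c:\\program files\\", "c:\\windows\\")
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \(([^)]*)\) - (\S+)$")
O23_RE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll))', re.IGNORECASE)

def exe_path(cmd):
    """Program part of a Run-key command: the quoted path, or the text up to the first .exe/.dll."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def triage(log_text):
    """Return (section, name, reason) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m: continue
        kind, body = m.groups()
        if kind == "O4" and (m4 := O4_RE.match(body)):
            _hive, name, cmd = m4.groups()
            exe = exe_path(cmd).lower()
            if not re.match(r"^[a-z]:\\", exe):       # no drive letter: found via PATH, location unknown
                findings.append((kind, name, "bare filename: resolved through PATH, not a fixed location"))
            elif not exe.startswith(STANDARD_DIRS):    # e.g. Desktop, profile or temp directories
                findings.append((kind, name, "autorun outside Program Files / Windows: " + exe))
        elif kind == "O16" and (m16 := O16_RE.match(body)):
            label, url = m16.groups()
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((kind, label, "ActiveX download host not on allowlist: " + host))
        elif kind == "O23" and (m23 := O23_RE.match(body)):
            svc, owner, _path = m23.groups()
            if owner.strip().lower() == "unknown owner":
                findings.append((kind, svc, "service with no publisher recorded"))
    return findings
```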

 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
- can't update Windows manually (IE freezes/stops responding)
- can't update Antivir or AVG

Might be a symptom of the Conficker worm; go to today's MajorGeeks and download the Sophos removal tool.

But you did the right thing by posting a hijackthis logfile, a real good logfile reader can do wonders.

But on a been-there-done-that note (when I bought a used computer pre-infected with malware): most malware yields easily to scans, but the real 3-5% nasties make it a real science on how to evade detection. Prevention is always the key, and nuking the hard drive is the one sure way. Rootkits are particularly nasty.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
1) How about installing the free version of AntiVir antivirus software from http://www.free-av.com, and when you install it, max out the settings you'll see for optional detections (spyware and such) and the AHEAD heuristics.

2) Update AntiVir's virus definitions by right-clicking its red umbrella icon in the system tray and starting the updater.

3) After updating, right-click the icon and choose "Start AntiVir" and then click the "Scan system now" link.


If you run into trouble doing those steps, then post what happened (couldn't reach the site, couldn't update, whatever).


Also: tell us about your Internet connection and network. It's possible you have a "poisoned" device sending your computer's DNS requests to a hostile DNS server.

1) What kind of Internet connection do you have (dial-up, cable, DSL, college network, or whatever)?

2) Do you have a router in between your modem and computer?

3) What firewall, if any, do you use on the computer (Windows Firewall, none, or whatever)?
 

j511180

Senior member
Mar 22, 2005
335
0
0
Issue appears to be fixed.

Results from the Google search string "cmd regedit redirect" gave me lots of other similarly affected users. So I followed a thread at another site (MajorGeeks) and, through a combination of MGTools and Avenger, I was able to get my cmd and regedit functions back. I was also able to update Windows and AntiVir. I let AntiVir scan early this morning and it found TR/Spy.Agent.frt, which was just added to the AntiVir virus definition file today (April 1).

I just use Windows Firewall. I'm on a cable connection (Comcast) and use a Linksys WRT54G router.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: j511180
Issue appears to be fixed.

Results from the Google search string "cmd regedit redirect" gave me lots of other similarly affected users. So I followed a thread at another site (MajorGeeks) and, through a combination of MGTools and Avenger, I was able to get my cmd and regedit functions back. I was also able to update Windows and AntiVir. I let AntiVir scan early this morning and it found TR/Spy.Agent.frt, which was just added to the AntiVir virus definition file today (April 1).

I just use Windows Firewall. I'm on a cable connection (Comcast) and use a Linksys WRT54G router.

That's good news. While you're at it, it would also be a good idea to give your WRT54G a strong password, because there *is* malware out there that'll reprogram your router's DNS settings if you're using the publicly-known default password. Log into your WRT54G at http://192.168.0.1 and you can set a new strong password, e.g. j511180@AT.

Also, Secunia's free vulnerability-checkup utility is excellent. Only 2% of their first-time users already have all their software up-to-date, so this is probably going to be worth your time: http://secunia.com/vulnerability_scanning/personal/ Wait, never mind, you already have Secunia PSI :confused: my bad!

 

Atheus

Diamond Member
Jun 7, 2005
7,313
2
0
Originally posted by: mechBgon
Originally posted by: j511180
Issue appears to be fixed.

Results from the Google search string "cmd regedit redirect" gave me lots of other similarly affected users. So I followed a thread at another site (MajorGeeks) and, through a combination of MGTools and Avenger, I was able to get my cmd and regedit functions back. I was also able to update Windows and AntiVir. I let AntiVir scan early this morning and it found TR/Spy.Agent.frt, which was just added to the AntiVir virus definition file today (April 1).

I just use Windows Firewall. I'm on a cable connection (Comcast) and use a Linksys WRT54G router.

That's good news. While you're at it, it would also be a good idea to give your WRT54G a strong password, because there *is* malware out there that'll reprogram your router's DNS settings if you're using the publicly-known default password. Log into your WRT54G at http://192.168.0.1 and you can set a new strong password, e.g. j511180@AT.

Also, Secunia's free vulnerability-checkup utility is excellent. Only 2% of their first-time users already have all their software up-to-date, so this is probably going to be worth your time: http://secunia.com/vulnerability_scanning/personal/ Wait, never mind, you already have Secunia PSI :confused: my bad!

Actually, I believe it is possible to cache-poison some versions of the WRT54G without knowing the password. I would suggest the OP updates to the latest firmware, or even better, puts one of the many excellent third-party firmwares on it. The WRT is a wonderfully moddable device. One of mine has a serial port soldered on through which you can access an SSH server, another is a pretty useful iptables firewall, another is set up to pull IM conversations out of the air, etc.