Does anyone have a clue how to spot this monster? Any help is appreciated.
Avast 4.7.936.0 02.06.2007 Win32:Tibs-AIE is the apparent Avast detection name, but the programme is just a dropper for the rest of the malware. Very little constructive info on the net at the moment.
In a broader sense HckPk is a set of tools that provides a new way to hide malware through encryption and packing.
http://www.itnews.com.au/newsstory.aspx?CIaNID=46701&src=site-marq
The symptoms of infection would depend on what malware has been stealthed.
Well…(deep subject shallow mind). I got something that is undetectable. I cannot login to many websites with Kaspersky running. I even wiped the drive to no avail. I have run many rootkits, no detection, many anti-viruses online, etc.
My mouse sticks, which is driving me bananas and is another main indicator. Also the websites that I try to log into with Kaspersky running have the pages changed around and some info missing.
hjt log. nada, nothing.
But, DallasPCDoctor, are you using Kaspersky and avast? Just Kaspersky?
Have you tried Comboscan, which looks a lot deeper?
Download ComboScan to your Desktop.
1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. The scan may take a minute. When the scan is complete, a text file will open: ComboScan.txt.
Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
Post the ComboScan.txt from Comboscan in your next reply.
Tech, I was using Kaspersky but uninstalled it because of the probs. I use avast on my usb stick along with clam (useless as far as I am concerned). Also to note, I tried to install Sophos, but it says it cannot install because of simple file sharing, although I believe all sharing is turned off on the folders and on the control panel network install.
Thanks essexboy, I will download and post the results now.
-- HijackThis (run as julie.exe) ------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:01:49 PM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\julie\My Documents\comboscan.exe
C:\PROGRA~1\HIJACK~1\julie.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
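One way to triage a log in this shape programmatically, as an added example that is neither from this thread nor from HijackThis itself: the script below parses the O2/O4/O9/O23 lines into records and flags the entries a reviewer would look at first. The sample log is constructed from the entries posted above plus one constructed HKCU Run entry; the "user-writable location" rule and the "unresolved target" rule are this example's own heuristics for prioritising a manual look, not HijackThis features and not a verdict that an entry is malicious.

```python
"""Parse HijackThis-style autostart entries and flag the ones to review first.

Added example; not code from the thread or from HijackThis. The sample log is
constructed after the entries posted in the thread, plus one constructed entry.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    code: str   # HijackThis section code, e.g. "O4"
    name: str   # display name of the item
    path: str   # executable/DLL the entry points at; "" if the log does not show it
    raw: str    # original log line


# Constructed sample: the O2/O4/O9/O23 lines from the posted log, plus one
# constructed HKCU entry ("EXAMPLE-constructed") in a user-writable folder.
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - HKCU\..\Run: [EXAMPLE-constructed] C:\Documents and Settings\julie\Local Settings\Temp\example-constructed.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
"""

# Heuristic (this example's assumption): autostarts living under the XP user
# profile or a Temp folder deserve a manual look before anything in Program Files.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")

_O4_RUN = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
_O4_STARTUP = re.compile(r"^O4 - (?:Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$")
_GENERIC = re.compile(r"^(?P<code>O\d+) - (?P<rest>.*)$")


def _path_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line.

    A quoted path wins; otherwise take everything up to the first .exe/.dll/...
    token so unquoted paths containing spaces survive.
    """
    cmd = cmd.strip()
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.+?\.(?:exe|dll|scr|cmd|bat))(?:\s|$)", cmd, re.I)
    return unquoted.group(1) if unquoted else cmd


def parse_hjt(text: str) -> list:
    """Turn O2/O4/O9/O23 lines into Entry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = _O4_STARTUP.match(line)
        if m:
            target = m.group("target").strip()
            # HijackThis prints "= ?" when it shows no target for a startup shortcut.
            entries.append(Entry("O4", m.group("name"), "" if target == "?" else target, line))
            continue
        m = _O4_RUN.match(line)
        if m:
            entries.append(Entry("O4", m.group("name"), _path_from_command(m.group("cmd")), line))
            continue
        m = _GENERIC.match(line)
        if m and m.group("code") in ("O2", "O9", "O23"):
            # Shape is "<kind>: <name> - <CLSID or company> - <path>"; the path is
            # the last " - " field (a path containing " - " would need special-casing).
            head, _, path = m.group("rest").rpartition(" - ")
            _, _, name_part = head.partition(": ")
            entries.append(Entry(m.group("code"), name_part.split(" - ")[0], path.strip(), line))
    return entries


def review(entries: list) -> list:
    """Return (entry, reason) pairs worth a manual look, per the heuristics above."""
    flagged = []
    for e in entries:
        if e.code == "O4" and not e.path:
            flagged.append((e, "autostart target not shown in the log"))
        elif any(tok in e.path.lower() for tok in USER_WRITABLE):
            flagged.append((e, "runs from a user-writable location"))
    return flagged


if __name__ == "__main__":
    for entry, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.code} [{entry.name}] -> {entry.path or '(unresolved)'}: {reason}")
```

Run it as-is to see the two flagged entries from the constructed sample, or feed it the text of a real log. One caveat that matters for this thread: HijackThis reads the registry and filesystem through the normal Windows APIs on the machine being examined, so an entry a kernel-mode rootkit hides from those APIs will not be in the log and cannot be parsed out of it; a clean-looking log is evidence, not proof.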
Essexboy, I am having difficulty posting the comboscan because of the size limits. I have attempted to break it down but keep getting the message "post exceeds 10,000 characters", although the post appears much smaller. Here are the finishing results of the comboscan. Do you still need the main body, or can you see problems in the final results? I see a few things here that disturb me.
-- Find3M Report ----------------------------------------------------------------
2007-02-26 23:07:00 0 d---s---- C:\Documents and Settings\julie\Application Data\Microsoft<MICROS~1>
2007-02-25 23:53:02 0 d-------- C:\Documents and Settings\julie\Application Data\Macromedia<MACROM~1>
2007-02-25 13:56:23 0 d-------- C:\Program Files\Common Files\Macromedia<MACROM~1>
2007-02-25 13:56:21 0 d-------- C:\Program Files\Macromedia<MACROM~1>
2007-02-24 23:15:00 0 d-------- C:\Documents and Settings\julie\Application Data\Mozilla
2007-02-24 23:00:34 0 d-------- C:\Documents and Settings\julie\Application Data\Identities<IDENTI~1>
2007-02-24 16:20:15 62 --ahs---- C:\Documents and Settings\julie\Application Data\desktop.ini
-- Registry Dump ----------------------------------------------------------------
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"=""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe""
"QuickTime Task"=""C:\Program Files\QuickTime\qttask.exe" -atboottime"
"iTunesHelper"=""C:\Program Files\iTunes\iTunesHelper.exe""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
-- End of ComboScan: finished at 2007-03-04 at 18:23:06 -------------------------
Ouch. Kaspersky online scanner just found this:
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\cert8.db Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\history.dat Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\key3.db Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\parent.lock Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\search.sqlite Object is locked skipped
C:\Documents and Settings\julie\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\julie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Adobe\Acrobat\8.0\Updater\updater.log Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\Cache_CACHE_001_ Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\Cache_CACHE_002_ Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\Cache_CACHE_003_ Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Application Data\Mozilla\Firefox\Profiles\0idcwadr.default\Cache_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\julie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Temp\Acr6489.tmp Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Temp\Acr648A.tmp Object is locked skipped
C:\Documents and Settings\julie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\julie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\julie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information_restore{8DBCFDF3-F25A-423D-9D8F-EE590F3100A9}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
And I apologize to spiritsongs for posting logs here since she chastised me for this previously…and told me to move on to other forums where “malware experts” reside.
You seem to be clean.
These messages are due to files being in use that cannot be scanned. Don't worry.
Did you try to download, install, update and run other trojan remover tools?
a-squared and/or Free AVG Antispyware (trojan removers). Some users recommend SUPERantispyware or Spyware Terminator.
Why apologize? You were asked to post them.
mauserme, she jumped me previously when I posted a log, telling me to go to other forums where "experts" could handle malware probs. I think you guys are quite capable.
I don’t feel like the machine is clean though. I am going to wait and log the details I believe are an indicator of the issues. I probably have not been thorough in the details. There is something going on but for the life of me, I cannot pin it down.
Of course I am not banking online or buying stuff so any hacked attempt would be a joke and waste of time. Maybe humorous for a hacker or virus writer.
I will compile a list of symptoms that may be more useful. Thanks for the effort, many times over.
Oops - another missed nuance …
For my sake would you post a traditional hijackthis log in addition to the other details you mentioned. I’m not familiar with comboscan.
I will post an independent hjt file. Let me go online for several hours and then post. I am heavy into marketing so I should trigger the bad stuff. It appears I am running clean, to my personal, biased thinking, but I have not deleted anything of significance lately which is a warning to me. Malware does not disappear on its own. I will post after much traveling the internet.
It would be good to see before and after logs if you get infected just by being on line. I mean, you’re not frequenting warez sites and such, right?