OK. I'm an idiot. I've managed to get my laptop hijacked... though I'm still not entirely sure how. I don't recall having gone to any websites that I haven't been to before, but... when I went to look at history everything had been cleared. About a week ago I installed Morpheus (to get my hands on one stupid chess document that turned out to be useless!) and I uninstalled it the same day. After my system started melting down last night and while I was starting the cleansing ritual, I noticed there were a couple of hidden Morpheus shared directories containing several hundred MB of pirated software/music, most of which I didn't even recognize. Could Morpheus have been the source of a trojan? I thought everybody used it? Ok, I AM an idiot.

Symptoms: very few CPU cycles left, can't start Task Manager, Adaware runs, but runs funny, vermin seem to repropagate after removal and system restart.

Steps taken: ran Adaware (twice), updated and ran ewido, updated and ran Adaware, ran McAfee Stinger, generated HijackThis log immediately after these (which is given below.)

Can anyone help with this?

Logfile of HijackThis v1.99.1
Scan saved at 8:26:52 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\explorer.exe
C:\packages\VerminTools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\iwinmkqa.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dllhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000140 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

All 2 Replies

OK, First download AVG-ANTISPYWARE from HERE.... http://free.grisoft.com . Then INSTALL it and run it. Click on the UPDATE tab and then click the START UPDATE button. Once that's done, then click on the ANALYSIS tab. Next, click on AUTOSTART. Log your findings in a REPLY POST here. Then SCAN your PC using this. It will most likely find LOTS of infections. Just let it use the RECOMMENDED ACTIONS. Get back with me when that's done.

Thanks for the reply. I had actually already run AVG (Ewido is the old name) and Ad-aware. They both found their own unique sets of problems.

I'm pretty far along on this now. I was hoping to spare myself the indignity of knowing anything more about Windows (I'm an old UNIX internals guy... I had done some NT internals work about 15? years ago, but that was pretty targeted to 16 - 64 processor functionality... anyway I managed to not have to learn much about the higher level stuff in the OS.) In any case, I've come up to speed overnight on the readily available tools.

You were right, things were a mess... a half dozen apps/dlls were hijacked or masked as respectable citizens. With HijackThis and Security Task Manager I've managed to pare things down to bare bones. Life is better, but there are clearly some nasty vermin still to be exterminated.

The worst of the lot was a dllhost process that sucked up 98-99% of all CPU cycles. There were a couple of unidentified dlls (inwinmkqa.dll and xspflmnq.dll) that were easy to dispatch, but two (wvuussr.dll and rqrst.dll) that were not so willing to disappear in the night. As it stands, I can now bring up the Windows Task Manager, there are no CPU hogs spawned, and Ad-aware can now be started without interference and a full scan runs clean. I am still running AVG (ewido), but it takes 2 hours to complete a full scan. It is clear, however, that something remains, as periodically a window pops up asking me if I want to work offline (I have my ethernet cable unplugged.)

Since one of the vermin so far seems resistant to the prescribed methods of extermination... and since there is absolutely no reference to it using Google, I'm going to start a new thread on it since it looks like it might be something new. I'll post current HJT and process logs there.

Thanks again.
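
A triage sketch for the kind of HijackThis log posted in this thread, as an added example that is not part of the original posts: it flags executable names that imitate Windows system binaries, system names referenced outside the Windows directory, and O23 services with an unknown owner or missing file. The system-name shortlist, the 0.9 similarity threshold and the function names are assumptions; the sample lines are copied from the log in the first post, and every flag is a lead for manual review, not a verdict.

```python
import re
from difflib import SequenceMatcher

# Assumed shortlist of Windows system image names worth guarding against look-alikes.
SYSTEM_NAMES = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
                "ctfmon.exe"}
EXE_RE = re.compile(r'[^\\\s"]+\.exe')  # executable base names found on a line

# Lines copied from the HijackThis log in the first post of this thread.
SAMPLE = r'''C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - Global Startup: dllhost.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
'''


def lookalike(name, threshold=0.9):
    """Return the system name that `name` closely resembles, or None."""
    for real in sorted(SYSTEM_NAMES):
        if SequenceMatcher(None, name, real).ratio() >= threshold:
            return real
    return None


def triage(log_text):
    """Return [(line, [reasons])] for log lines that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        low, reasons = line.lower(), []
        for name in EXE_RE.findall(low):
            if name in SYSTEM_NAMES:
                # A genuine system binary is normally referenced under \WINDOWS.
                if "\\windows\\" not in low:
                    reasons.append(f"{name} referenced outside \\WINDOWS")
            elif (real := lookalike(name)):
                reasons.append(f"{name} imitates {real}")
        if low.startswith("o23") and ("unknown owner" in low or "(file missing)" in low):
            reasons.append("service with unknown owner or missing file")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE):
        print("; ".join(reasons), "<-", line)
```
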
