A Hijack This based worm??

Discussion in 'Malware and Virus Removal Archive' started by marty, 2005/05/09.

Thread Status:
Not open for further replies.
  1. 2005/05/09
    marty Inactive Thread Starter
    I've been having problems for months. The latest symptom I noticed starting yesterday is that when I run Security Task Manager I now see the following processes (name & file):

    HijackThis 1.99.1 D:\APPS\FIREFOX\FIREFOX.EXE
    HijackThis 1.99.1 D:\Apps\Eudora\Eudora.exe
    HijackThis 1.99.1 C:\WINDOWS\Explorer.EXE

    SpybotSD, AdAware SE, Hijack This, and TDS-3 all ran clean earlier this morning.

    Marty
     
  2. 2005/05/10
    noahdfear Inactive
    Hi Marty,

    Sounds strange. Re-install STM?? Could you expand a bit on what other problems you're experiencing?
     

  4. 2005/05/11
    marty Inactive Thread Starter
    Hi Noah,

    Ok it turned out to be pretty simple. Reinstalling STM didn't do a thing, but reinstalling HJT has cleared it up.

    Funny thing - HJT doesn't install visibly. IOW I uninstalled from the control panel as usual, but afaik HJT just comes as a .exe which is on a network drive. So I ran it after uninstalling, right from the network share. Then ran STM which now looks fine, then looked at the add/rem pgms screen and HJT is there so apparently it installs itself, at least putting in registry entries when run for the 'first' time.

    As far as other problems go, I recently removed a rootkit - located with TDS-3, forget which it was. Now I seem to not have problems of my connection being hijacked etc., all scans (STM, TDS-3, AdAware, Spybot S&D, HJT) are running clean... but my system gets unstable after several hours.

    What happens is that a variety of actions which all seem to do a similar thing will eventually stop working; at that point I might get away with ending the app, but eventually I'll lose my taskbar, or the modem icon disappears, or I just lose all control of my machine, so I reboot.

    The actions that will do this are

    - going to a link on Firefox from a click on Eudora email
    - trying to save a web page from Firefox
    - attempting a 'save as' from Textpad and then trying to navigate to another location on my computer in the resulting dialog box

    Each of these times I note that Win Explorer seems to continue working properly, and STM doesn't show any unusual processes running. Before removing that rootkit at this point I would see malware processes running e.g. veritas.exe, tftp1234.exe (any four digits), and others.

    What a mess, eh?

    Marty
     
  5. 2005/05/11
    charlesvar Inactive Alumni
  6. 2005/05/11
    marty Inactive Thread Starter
    Charles,

    I had been running Rootkit Revealer 1.2 with clean results before TDS found one a few days ago. But I don't recall which. I did have consistent problems with Agobot related agents so if there's an Agobot related rootkit betcha that's what I had.

    Just installed and ran RKR 1.4 with clean results.
     
  7. 2005/05/11
    charlesvar Inactive Alumni
    Ok, thanks Marty.

    Regards - Charles
     