Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Halp! Nasty Spyware Gnomes


  • Please log in to reply
1 reply to this topic

#1 sarcastro

sarcastro

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 11 September 2007 - 10:31 AM

I've got a nasty infection on this machine. Here's some background info

1) Ran Adaware and Spybot per the instructions here and removed all the findings

2) Ran Stinger and the locally installed AV (none fond)

3) Ran HijackThis and the log is below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:52 AM, on 9/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nusrmgr.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\gcnet
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: oembios32.msdn_hlp - {AB5FE6E5-7C72-4B89-85D0-D57E7AEAC236} - C:\WINDOWS\system32\oembios32.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [sysalgg] C:\WINDOWS\system32\sysalgg.exe
O4 - HKLM\..\Run: [MVS Splash] C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exe
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\myagttry.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1971] command /c del "C:\WINDOWS\iexplorr23.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8662] cmd /c del "C:\WINDOWS\iexplorr23.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7737] command /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9160] cmd /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3570] command /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9981] cmd /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7848] command /c del "C:\WINDOWS\iexplorr23.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4150] cmd /c del "C:\WINDOWS\iexplorr23.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7101] command /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8343] cmd /c del "C:\WINDOWS\system32\wml.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9677] command /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9062] cmd /c del "C:\WINDOWS\system32\vxddsk.exe_tobedeleted"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\gcnet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dogcr.com
O17 - HKLM\Software\..\Telephony: DomainName = dogcr.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dogcr.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Virus and Spyware Protection Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe

--
End of file - 6140 bytes



BC AdBot (Login to Remove)

 


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 899 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:09:40 PM

Posted 24 September 2007 - 09:14 PM

sarcastro, sorry for the delay

If you still require assistance, please post a fresh hijackthis log. Thanks :thumbsup:
Microsoft MVP Consumer Security--2007-2010




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users