

A new malware problem... changing desktop to "website"


1 reply to this topic

#1 Dussander


  • Members
  • 1 posts

Posted 10 April 2005 - 05:50 PM

This PC has not been connected to the internet for 2 weeks. I connected again today and restarted my PC... suddenly I have some new Malware/Spyware troubles. I try to be careful with the internet, I haven't installed many programs recently (ironically only spyware killers due to an infection many weeks ago), and because of the security risks of IE I only use Firefox now. My AV is McAfee's VirusScan set to auto-update. I cannot use my ZoneAlarm firewall since it affects normal internet operations (it blocks 192.168.0.1 a lot [that's me?] and stops loading of trusted websites - hotmail, etc). I do not go on porn sites or warez sites.

I found some sort of spyware that installed a Start list icon called "Sex" and a desktop icon called the same. I also found a .exe file in C:\ (I'm not sure for certain if it's that folder) with only number characters in its name - and the same icon as the "Sex" shortcuts found. Deleted them all. McAfee found a few malicious files (winamp.exe one for example :s ). It said that they were deleted. Restarted later on.

After the restart, I found something very odd had taken over - my desktop picture is hidden and in its place was a website-type black page, with "You are infected with Spyware... blah blah about it will ruin my life... please click to remove", and it gives me a link on the page to remove it. I didn't click and immediately ran all the protection programs I had:
- Ad-Aware
- Spybot - Search and Destroy
- ADSSpy
- aboutbuster
- HijackThis

My AV picked up a few files:
10/04/2005 20:01:51 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:01:57 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:02:02 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:02:07 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:02:13 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:33:01 Deleted GARRETT\Andy C:\WINDOWS\system32\spoolsrv32.exe Downloader-VV
10/04/2005 20:33:01 Deleted GARRETT\Andy C:\WINDOWS\system32\spoolsrv32.exe Downloader-VV
10/04/2005 20:33:11 Deleted GARRETT\Andy C:\WINDOWS\system32\prvdi.exe Downloader-ME.dr
10/04/2005 20:33:56 Deleted GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:33:56 Deleted GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:35:04 Deleted GARRETT\Andy C:\WINDOWS\system32\dload.exe Downloader-ME
10/04/2005 20:57:25 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\prvdi.exe Downloader-ME.dr
10/04/2005 20:57:25 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\runsvc32.exe Downloader-VV
10/04/2005 20:57:26 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\runsvc32.exe Downloader-VV
10/04/2005 21:29:45 Deleted (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\browserxtras\pn\remove.exe Adware-KeenValue



I've had previous infections of:
27/02/2005 18:07:33 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\se.dll StartPage-DU.dll
27/02/2005 20:22:07 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\prvdi.exe Downloader-ME.dr


I ran all the protection programs, downloaded Microsoft AntiSpyware and ran it. It found 9 infections and removed them. I then restarted my PC.

The desktop is now a clear white page that flashes regularly to grey. It is like a website. I've run everything again and now they say my system is clean. I had a look in Group Policy - the desktop policies are all set to "Not configured". I am not confident in fixing it all by myself... if you can sort me out I will be very grateful. :thumbsup:

My HijackLog is:

Logfile of HijackThis v1.99.1
Scan saved at 21:58:57, on 10/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp29\Winampa.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Teamspeak2\TeamSpeak.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Andy\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp29\Winampa.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\ProxyCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by Dussander, 10 April 2005 - 05:55 PM.
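Added example (not part of Dussander's post, and not code from HijackThis or McAfee): a short Python script that correlates the two logs above. It parses the O4 Run-key lines from the HijackThis log and the McAfee detection lines, then reports autorun entries whose target the scanner already flagged, file names that were deleted at more than one time (re-dropped between scans), and paths whose latest scanner action was not a successful delete. On the lines from this post it reports the HKCU Run entry "Windows Service" still pointing at prvdi.exe, which the AV log shows deleted at 20:33:11 and again at 20:57:25. The three checks are this example's own heuristics, not a rule set from either tool.

```python
"""Correlate the two logs in the post above: HijackThis autorun entries vs. the
McAfee VirusScan detection log.

Added example, not part of the original thread and not from HijackThis or McAfee.
The sample lines are copied from the post; the three checks are this example's
own heuristics:
  * autorun_hits: O4 (Run key) entries whose target file the AV already reported,
  * redropped:    file names the AV successfully deleted at more than one time,
                  i.e. something kept putting them back between scans,
  * unresolved:   paths whose most recent AV action was not a successful delete.
"""
import re
from collections import defaultdict

# HijackThis v1.99.1 lines from the post (non-O4 lines included to show the
# parser ignores them).
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp29\Winampa.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [ProxyCap] C:\PROGRA~1\PROXYL~1\ProxyCap\ProxyCap.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
"""

# McAfee VirusScan log lines from the post, duplicates included.
AV_LOG = r"""
10/04/2005 20:01:51 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:01:57 Delete failed (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:33:01 Deleted GARRETT\Andy C:\WINDOWS\system32\spoolsrv32.exe Downloader-VV
10/04/2005 20:33:01 Deleted GARRETT\Andy C:\WINDOWS\system32\spoolsrv32.exe Downloader-VV
10/04/2005 20:33:11 Deleted GARRETT\Andy C:\WINDOWS\system32\prvdi.exe Downloader-ME.dr
10/04/2005 20:33:56 Deleted GARRETT\Andy C:\WINDOWS\system32\msvcrta.dll Proxy-Agent.j
10/04/2005 20:35:04 Deleted GARRETT\Andy C:\WINDOWS\system32\dload.exe Downloader-ME
10/04/2005 20:57:25 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\prvdi.exe Downloader-ME.dr
10/04/2005 20:57:25 Deleted GARRETT\Andy C:\Documents and Settings\Andy\Local Settings\Temp\runsvc32.exe Downloader-VV
10/04/2005 21:29:45 Deleted (Clean failed because the file isn't cleanable) GARRETT\Andy C:\WINDOWS\browserxtras\pn\remove.exe Adware-KeenValue
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# date time <action, may contain spaces> DOMAIN\user <path, may contain spaces> <detection>
AV_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>.+?) (?P<user>\S+\\\S+) "
    r"(?P<path>[A-Za-z]:\\.+) (?P<detection>\S+)$"
)


def basename(path):
    """Lower-cased file name; HijackThis sometimes doubles a backslash."""
    return path.replace("\\\\", "\\").lower().rsplit("\\", 1)[-1]


def o4_target(command):
    """Executable a Run entry launches: the quoted path, else the first token ending in a binary extension."""
    if command.startswith('"'):
        target = command[1:command.index('"', 1)]
    else:
        m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s|,|$)", command, re.I)
        target = m.group(1) if m else command.split()[0]
    return target.replace("\\\\", "\\").lower()


def parse_av_log(text):
    rows = []
    for line in text.splitlines():
        m = AV_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def parse_autoruns(text):
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            out.append({"hive": hive, "name": name, "target": o4_target(command)})
    return out


def correlate(hjt_text, av_text):
    av_rows = parse_av_log(av_text)
    detected = defaultdict(set)    # basename -> detection names
    deleted_at = defaultdict(set)  # basename -> times of successful deletes
    last_action = {}               # full path -> most recent action (log is chronological)
    for r in av_rows:
        b = basename(r["path"])
        detected[b].add(r["detection"])
        if r["action"].startswith("Deleted"):
            deleted_at[b].add(r["time"])
        last_action[r["path"]] = r["action"]

    autorun_hits = [
        (e["hive"], e["name"], e["target"], sorted(detected[basename(e["target"])]))
        for e in parse_autoruns(hjt_text)
        if basename(e["target"]) in detected
    ]
    return {
        "autorun_hits": autorun_hits,
        "redropped": sorted(b for b, times in deleted_at.items() if len(times) > 1),
        "unresolved": sorted(p for p, a in last_action.items() if not a.startswith("Deleted")),
    }


if __name__ == "__main__":
    for key, rows in correlate(HJT_LOG, AV_LOG).items():
        print(key)
        for row in rows:
            print("   ", row)
```

The Run value is what makes the dropper come back: the scanner removes prvdi.exe, but the HKCU entry that launches it (and whatever re-creates it in Temp) survives until the entry itself is removed, which is why the log shows the same file deleted twice and why the request for a fresh HijackThis log after cleanup matters.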



#2 Guest_Cretemonster_*


  • Guests

Posted 11 April 2005 - 08:32 PM

Howdy Andy, the infection you have has been labeled Spywad (name fits, don't it!!)

Let's take care of the desktop first!

Download the reg (registry) file to your desktop:
http://forums.net-integration.net/index.ph...=post&id=139544
Double-click it and answer yes to the prompt, then restart your PC; you can then set up your wallpaper as preferred.

You will also want to search the entire operating system for these 2:

DESKTOP.HTML
POPUP.HTML

Any positive IDs should be deleted and the Recycle Bin emptied!

Now let's do an intensive online scan:
http://www.kaspersky.com/beta?product=161744315

First, fill out the registration form:
Only fill out the required fields,
Name = just use your initials
Company Name = anything you want!
Email = if you don't want to use yours, just set up one at Yahoo or the like!

You must be using Internet Explorer, which if you followed the previous steps should be no problem!
Follow the prompts to download all ActiveX content and let the scan begin!
I suggest doing this when you have plenty of time to spare; this scan can take up to 3 hours but is well worth it!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
http://netsquirrel.com/msconfig/

Edited by Cretemonster, 11 April 2005 - 08:33 PM.
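Added example, not from Cretemonster's reply, the linked .reg file or any tool mentioned in it: a Python script covering the two desktop steps above. It searches a directory tree for DESKTOP.HTML and POPUP.HTML regardless of case, and checks the HKCU wallpaper values for one that points at an HTML page instead of an image (the symptom described in the first post), plus the policy value that locks the wallpaper. The registry key and value names are the standard XP locations for wallpaper and wallpaper policy and are this example's assumption, since the reply does not list them; the sample directory tree and registry snapshot are constructed for the demo. On Windows it reads the live registry and walks the system drive; elsewhere it runs against the constructed data.

```python
"""Check for the Active Desktop hijack artefacts the reply above tells the poster
to hunt down.

Added example, not from the thread, the linked .reg file or any tool named in it.
  * find_named_files(): case-insensitive search of a directory tree for the two
    file names the reply lists (DESKTOP.HTML, POPUP.HTML);
  * html_wallpaper_values() / wallpaper_locked(): given the HKCU values that
    select the desktop background, report any that point at a local HTML page
    rather than an image, and whether wallpaper changes are policy-locked.
The registry key and value names below are the standard Windows XP locations
for wallpaper and wallpaper policy; the reply does not list them, so they are
this example's assumption, as are make_sample_tree() and SAMPLE_VALUES.
"""
import os
import sys
import tempfile

HIJACK_FILE_NAMES = ("desktop.html", "popup.html")

# (HKCU subkey, value name) pairs that decide what the desktop shows.
WALLPAPER_VALUES = [
    (r"Control Panel\Desktop", "Wallpaper"),
    (r"Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper"),
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "Wallpaper"),
]
LOCK_VALUES = [
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallPaper"),
]


def find_named_files(root, names=HIJACK_FILE_NAMES):
    """Full paths of every file under root whose name matches one of names, any case."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return sorted(hits)


def html_wallpaper_values(values):
    """values: {(subkey, name): data}. Return the entries whose data names an HTML file."""
    return sorted(
        (key, name, data)
        for (key, name), data in values.items()
        if isinstance(data, str) and data.lower().endswith((".htm", ".html"))
    )


def wallpaper_locked(values):
    """True when a policy value forbids changing the wallpaper (DWORD 1)."""
    return any(values.get(pair) == 1 for pair in LOCK_VALUES)


def read_hkcu(pairs):
    """Read the listed HKCU values; missing keys are simply absent. Windows only."""
    import winreg
    out = {}
    for subkey, name in pairs:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as handle:
                out[(subkey, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass
    return out


def make_sample_tree():
    """Constructed directory tree mimicking an infected XP layout (not real data)."""
    root = tempfile.mkdtemp(prefix="spywad_demo_")
    for rel in [
        ("WINDOWS", "desktop.html"),
        ("WINDOWS", "Web", "Wallpaper", "index.html"),  # decoy: same extension, different name
        ("Documents and Settings", "Andy", "Local Settings", "Temp", "POPUP.HTML"),
        ("Documents and Settings", "Andy", "readme.txt"),
    ]:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


# Constructed registry snapshot of a hijacked profile, used when not on Windows.
SAMPLE_VALUES = {
    (r"Control Panel\Desktop", "Wallpaper"): r"C:\WINDOWS\desktop.html",
    (r"Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper"): r"C:\WINDOWS\desktop.html",
    (r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallPaper"): 1,
}

if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_hkcu(WALLPAPER_VALUES + LOCK_VALUES)
        root = os.environ.get("SystemDrive", "C:") + "\\"
    else:
        values, root = SAMPLE_VALUES, make_sample_tree()
    print("HTML wallpaper values:", html_wallpaper_values(values))
    print("wallpaper change locked by policy:", wallpaper_locked(values))
    print("hijack page files:", find_named_files(root))
```

The script only reports; the .reg file from the reply is what actually restores the wallpaper settings. Delete a file it finds only after confirming it is the hijack page and not a legitimate file that happens to share the name.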




