I immediately had all kinds of desktop icons that, when deleted, just come back. I have an icon in the system tray that looks like the Windows error icon, the red circle with a white X in it. When clicked, a browser page opens to the website http://www.newgenlook.info/ad/ad0278/ or various other pages at that domain, and my browser keeps redirecting during use. I also get balloon pop-ups from this icon stating things such as "My computer has been infected by a stealth trojan and will not boot properly next startup, and Unkown Pop-ups detected."
My home page was changed to a newgenlook.info page, and I get various pop-ups and redirects. One really annoying thing is that I will get a system message that states the following:
Error #317 - Microsoft Internet Security Warning
Windows is corrupted with spyware virus.
You must patch your pc urgently to protect your system
Private info is accessed by ports:
-8080
-3128
You can patch your pc for free now and delete all spyware viruses
Click ok to choose and download free spyware removal using AntiSpy
I always close or "cancel" this message and it always redirects me.
I have run the following:
Microsoft AntiSpyware Beta
Trend Micro PC-cillin (7.100.1003/2.184.00)
Ad-Aware (found hotoffers and removed)
CW Shredder 2.14
Trend Housecall
Spybot – Search & Destroy (found 8 items, fixed and immunized)
I am on an office network, so I am unsure how to disconnect this workstation from internet access if needed.
Below is the HJT log… Thank you in advance.
---------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:21:52 AM, on 29/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetMsg.exe
C:\Vet\VetTray.exe
C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Application Data\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Macpro\Enterprise\scktsrvr.exe
C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Desktop\HijackThis.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PDCSRV:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Application Data\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Borland Socket Server.lnk = C:\Program Files\Macpro\Enterprise\scktsrvr.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/t.../webinstall.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfolioman...oliomanager.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = carmichaelweber.com.au
O17 - HKLM\Software\..\Telephony: DomainName = carmichaelweber.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{60F00273-EC81-4F16-BCEE-4354B736CE94}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = carmichaelweber.com.au
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe