This is the most tenacious, vicious [bleep] I have ever seen. I have done my best but I need some help.
Symptoms:
1) Favorites changed to include:
AdultGambling.url
Free Online Dating.url
F--- Real Girls.url
Kill Annoying Popups.url
Online Sex Poker
Play Adult-Poker.url
Remove Toolbars.url
Spyware Uninstall.url
XXX personal photos.url
2) Unexpectedly redirected to poker/[bleep] sites when browsing
3) [bleep]/Gambling Pop-ups
Here are the steps I have taken so far:
aa) Windows Update for all Critical Security patches
a) Run McAfee Anti-Spyware (caught a few)
b) Run Microsoft Anti Spyware (shows clean)
c) Run Ad-Aware SE (shows clean)
d) Run Spybot S&D (shows clean)
e) Run OfficeScan Anti-Virus (shows clean)
f) Run Ewido (shows clean)
g) Run HijackThis (following advice here to fix every questionable entry)
h) Run Nail Fix
i) Run CWShredder (shows clean)
j) Run CleanUp to delete all TEMP files, all cookies, all offline content
At this point I was really hoping I was clean. I restart, fire up IE, and cruise around a bit. It usually takes 5 or 6 visits for anything to happen.
Sigh. Still getting redirected. I haven't seen any popups yet. So I took this step:
k) Run PANDA Active Scan. Panda finds 9 'infected' files-- the Favorites mentioned above.
I'm including my Panda log, my Ewido log, and my current HJT log.
Note: I have masked (#) the corporate domain servers; they look fine to me.
The WinVNC entries were installed by corporate IT. They may be compromised now, somehow, for all I know. I am worried about the last O23 entry for WinVNC marked [file missing].
PANDA
Incident Status Location
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
EWIDO
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:54:16 AM, 6/8/2005
+ Report-Checksum: B8167123
+ Date of database: 6/8/2005
+ Version of scan engine: v3.0
+ Duration: 31 min
+ Scanned Files: 120829
+ Speed: 63.41 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
D:\
+ Scan result:
No infected files found!
::Report End
HIJACK THIS LOG (perfoming as of this exact moment)
Logfile of HijackThis v1.99.1
Scan saved at 12:04:06 PM, on 6/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\netOctopus Agent\Nant.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\Tablet.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
C:\Program Files\netOctopus Agent\nantsecc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\BEN\hijackthis\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.#.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = #.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = #.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)