Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

A really sneaky spyware - Please helmp

Started by bch7773 , Feb 04 2005 11:23 PM

This topic is locked

#1
bch7773

Posted 04 February 2005 - 11:23 PM

New Member

Member
3 posts

My computer has become infected with some type of really sneaky spyware that can't be totally erased. Whenever I reboot, it comes back somehow. I have win XP pro, and here is a list of all the anti spyware programs I have run, in both safe mode and normally:

Symentec Antivirus
Microsoft Antispyware beta
Adaware SE with pvlxcleaner
Spybot S&E
CWSchredder
HSremove
Kill2me
Aboutbuster

they get rid of the spywares/trojans, but as soon as I restart they come back. They attempt to change my start page, they try to install new .exe files and .dlls to my system folder. They also show popups randomly, the popups are titled "Only The Best". And it also adds bad sites to my trusted sites.

Heres my Hijack this log, PLEASE HELP me.

Logfile of HijackThis v1.97.7
Scan saved at 11:14:48 PM, on 2/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\sdkmq32.exe
C:\WINDOWS\system32\addvl.exe
C:\DOCUME~1\BRIAN~1.TRO\LOCALS~1\Temp\2.tmp
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\tibs5.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dafmk.dll/sp.html#12345
O2 - BHO: (no name) - {F1B51150-D9B4-4CAE-8739-FCA1CC8D224D} - C:\WINDOWS\system32\iecm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [2.tmp] C:\DOCUME~1\BRIAN~1.TRO\LOCALS~1\Temp\2.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [addvl.exe] C:\WINDOWS\system32\addvl.exe
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2
ilago

Posted 05 February 2005 - 07:52 PM

Visiting Staff

Visiting Consultant
363 posts

Hi bch7773

You have a nasty infection there. We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

You will also need to update to the most recent version of HijackThis. The version you are using is badly out of date. The new version can be downloaded here http://www.geekstogo...action=cat&id=3

#3
bch7773

Posted 05 February 2005 - 10:01 PM

New Member

Topic Starter
Member
3 posts

hey thanks for responding. I get worried when I saw my post disappear in all the other posts.

Ok I went and got Service pack 1a, I just installed XP a few weeks ago and never got around to it. I also got the newer version of Hijack this, and heres the log i just ran.

Logfile of HijackThis v1.99.0
Scan saved at 9:02:43 PM, on 2/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Download\Spyware finders\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\BRIAN~1.TRO\LOCALS~1\Temp\8.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107655414838
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkmq32.exe (file missing)

#4
ilago

Posted 05 February 2005 - 10:16 PM

Visiting Staff

Visiting Consultant
363 posts

Hi bch7773

You need to install Service Pack 1a. At the moment your log shows that it's not installed. Please install it, reboot and do another log. Then we'll be able to help you. The installation of this service pack is really important or we wouldn't ask for it.

#5
bch7773

Posted 06 February 2005 - 02:04 PM

New Member

Topic Starter
Member
3 posts

Thats weird because I really did install service pack 1a. but I went back there and got service pack 2 installed as well now.
I've tried again to get rid of this bad stuff but there must be a hidden file that is recreating the .exe files inside the system32 folder. This thing is much worse then any spybot I've had before.
And those trusted sites appear instantly back as soon as I delete them. I mean that as soon as I hit delete they pop back up. grrrrr

Heres the latest log

Logfile of HijackThis v1.99.0
Scan saved at 2:00:48 PM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Download\Spyware finders\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\BRIAN~1.TRO\LOCALS~1\Temp\8.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1107655414838
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkmq32.exe (file missing)

#6
ilago

Posted 08 February 2005 - 05:19 AM

Visiting Staff

Visiting Consultant
363 posts

Hi bch7773

Download Deldomains.inf from here http://mvps.org/winh.../DelDomains.inf Save it to your desktop but don't run it yet.

Please disable System Restore by right-clicking the My Computer icon on the desktop > go to Properties and then the System Restore tab. Put a tick in the box "Turn off System Restore on all drives" Apply. OK.

Disable Microsoft Antispyware monitoring - right click the icon in the system tray and shut it down.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Check if either of these are in the process list. If they are, select and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

8.tmp.exe
tibs5.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

O4 - HKLM\..\Run: [8.tmp] C:\DOCUME~1\BRIAN~1.TRO\LOCALS~1\Temp\8.tmp.exe 1 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\sdkmq32.exe (file missing)

Find the deldomains.inf file - it should be on your desktop. Right-click and select > Install
This will remove all entries in the "Trusted Zone" and "Ranges" also. You may need to replace any entries that you had in trusted zones already.

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Open Windows Explorer and go to > Tools> Folder Options> View, select:*Show hidden files and folders
*Display the contents of system folders
Uncheck:*Hide protected operating system files
Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:*Search System folders
*Search Hidden Files and folders
*Search SubFolders
Delete all the files and folders noted in bold below. Some may not be there but use the search function in Windows Explorer to make sure.

Go to "Find all Files and Folders". Copy and paste this file name into the "All or Part of a File Name" and Select "Local Hard Drives" in the drop-down box. Delete each instance of it that is found.

C:\WINDOWS\system32\sdkmq32.exe Check that this is not there - delete if it is - but it should be gone.
C:\WINDOWS\System32\ tibs5.exe - file only
C:\Documents and Settings\BRIAN~1.TRO\Local Settings\Temp\ Delete ALL files from this folder.

If you have other users on the computer, delete the files from their \temp folder as well.

c:\Documents and Settings\<username>\Local Settings\temp

Reboot into normal mode and do another HijackThis log so we can check that everything is now gone.

[edit] As there has been no response from the original poster, this thread is now closed. If you have any other problems, please post a new topic.

Edited by bananafanafo, 08 April 2005 - 01:16 AM.