Hello Everyone,
I'd like to thank everyone beforehand for any assistance provided. One of our workstations seems to be infected. There is a blue and yellow box on the logon screen displaying text that reads: "Warning Spyware detected on your computer install an anti-virus or spyware remover to clean-up your computer".
When we try to log in to the machine, Windows immediately logs us out and returns to the logon screen. We've scanned with a few spyware removal tools and so far have had no luck. If I've posted this question in the wrong section, I apologize. Any help will be appreciated. Here is the HijackThis log. I've scoured the internet for more information on this subject; I have found many different versions of this malware, but not one that has the same symptoms as my issue. Thanks again in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:37 AM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\igfxsrvc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.hmssoftware.ca/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [lphcct4j0ee27] C:\WINDOWS\system32\lphcct4j0ee27.exe
O4 - HKLM\..\Run: [SMrhc9t4j0ee27] C:\Program Files\rhc9t4j0ee27\rhc9t4j0ee27.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\RunOnce: [SpybotDeletingA7631] command /c del "C:\Documents and Settings\rhodgson.AD_HMSSOFTWARE\Application Data\Starware343\Weather\AlertArchive.xml"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8139] cmd /c del "C:\Documents and Settings\rhodgson.AD_HMSSOFTWARE\Application Data\Starware343\Weather\AlertArchive.xml"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB2453] command /c del "C:\Documents and Settings\rhodgson.AD_HMSSOFTWARE\Application Data\Starware343\Weather\AlertArchive.xml"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3482] cmd /c del "C:\Documents and Settings\rhodgson.AD_HMSSOFTWARE\Application Data\Starware343\Weather\AlertArchive.xml"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.83
O16 - DPF: {5DC97AE1-709A-4A8C-BF05-72EB5085AA45} (TC5Time Control) - http://timecontrol.hmssoftware.ca/inc/object/TCTime5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144172891214
O16 - DPF: {89A32E28-6CC6-49B0-971A-7FA4F958BA77} (TC5Rep Control) - http://timecontrol.hmssoftware.ca/inc/object/TCRep5.cab
O16 - DPF: {E1D42686-AAC4-4BFC-87A6-1B578B517F21} (TC5Admin Control) - http://timecontrol.hmssoftware.ca/inc/object/TCAdmin5.cab
O16 - DPF: {F49140B7-F9CF-45D2-A507-A5BD558BCFE8} (TC5Tables Control) - http://timecontrol.hmssoftware.ca/inc/object/TCTables5.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hmssoftware.ca
O17 - HKLM\Software\..\Telephony: DomainName = hmssoftware.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{35AFD518-73F8-4763-99AD-2890A726A8BA}: NameServer = 198.232.216.134,192.168.1.78
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hmssoftware.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hmssoftware.ca
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hmssoftware.ca
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\PROGRA~1\borland\INTERB~1\Bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\PROGRA~1\borland\INTERB~1\Bin\ibserver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 8793 bytes
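Added example (not part of the original post, and not a HijackThis feature): a small triage script that parses the O4 autostart lines of a HijackThis log and flags executables whose names look machine-generated. The sample lines are copied from the log above with the wrapped paths re-joined; the two scoring rules (letter/digit alternation in the file stem, and a folder named after the executable it contains) and their thresholds are my own assumptions chosen to fit this log, not a general-purpose detector. On this input the script singles out the `lphcct4j0ee27.exe` and `rhc9t4j0ee27.exe` entries and leaves vendor-named items such as `smax4pnp.exe` alone.

```python
"""Triage HijackThis O4 (autostart) entries for random-looking executable names."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O4 lines from the log above, one entry per line.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [lphcct4j0ee27] C:\WINDOWS\system32\lphcct4j0ee27.exe
O4 - HKLM\..\Run: [SMrhc9t4j0ee27] C:\Program Files\rhc9t4j0ee27\rhc9t4j0ee27.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
"""

# Shape of an O4 line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path in the command line, up to and including ".exe", optionally quoted.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)

# Heuristic thresholds (assumed values, tuned to this log, not derived from any standard).
MIN_TRANSITIONS = 4   # letter<->digit switches before a file stem is called random-looking
MIN_STEM_LEN = 10     # short stems with a digit or two (smax4pnp, AVG7) are common and benign


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return a RunEntry for an O4 Run/RunOnce line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"]
    pm = PATH_RE.match(cmd)
    path = pm["path"] if pm else cmd.split()[0].strip('"')
    return RunEntry(m["hive"], m["key"], m["name"], cmd, path)


def letter_digit_transitions(stem: str) -> int:
    """Count switches between letter runs and digit runs: smax4pnp -> 2, lphcct4j0ee27 -> 5."""
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def score(entry: RunEntry) -> RunEntry:
    """Attach human-readable reasons to the entry; no reasons means it passed both rules."""
    p = PureWindowsPath(entry.path)  # PureWindowsPath so the script also runs on non-Windows hosts
    stem = p.stem
    n = letter_digit_transitions(stem)
    if len(stem) >= MIN_STEM_LEN and n >= MIN_TRANSITIONS:
        entry.reasons.append(f"executable name '{stem}' alternates letters/digits {n} times")
    if p.parent.name.lower() == stem.lower():
        entry.reasons.append(f"folder '{p.parent.name}' is named after the executable it holds")
    return entry


def triage(log_text: str) -> list:
    """Parse every O4 line in the text and return only entries with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and score(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.path}")
        for r in e.reasons:
            print("   ", r)
```

The alternation count is deliberately crude: it is meant to surface candidates for a human to look at, not to replace a scan, and a poster working from a full log would paste all of its O4 lines into `SAMPLE_O4_LINES` (or read the file) and review every flagged entry, plus the Run key names that mirror them, before deleting anything.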