
Another SpyLock thread =/



First of all let me say that I am new to the boards, and appreciate any help I can get. I have read some of the other posts about this problem and have tried some of the steps, and it hasn't worked.

The computer that is affected is a computer where I work. It's a shared computer that 4 of us have to use. Normally I would ask our IT guy to fix it, but he left the company yesterday and this computer was infected last night. My friend called me and told me what was going on and asked if I could try and fix it when I got here tonight, and I told him I would try.

I was able to follow a step I read in a previous post about deleting a folder called O22 - SharedTaskScheduler: curdler - {bd0fc212-0a36-4232-83cc-2063fb9282e0} - C:\WINDOWS\system32\qzviz.dll. It stopped the problem for about 10 min and then it started back again. Please help.

So here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 9:07:31 PM, on 4/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\WINDOWS\CDProxyServ.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\SvcTools\1.3.1\bin\lnchr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Video ActiveX Object\pmsnrr.exe

C:\Program Files\RightFax\FaxCtrl.exe

C:\WINDOWS\system32\DSentry.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\SvcTools\1.3.1\bin\lnchr.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Video ActiveX Object\pmmnt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe

C:\Documents and Settings\dustin.morris\Desktop\Jeff's Problem Fixers\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hrweb.huber.com/huber.central/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hrweb.huber.com/huber.central/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hrweb.huber.com/huber.cental/index.cfm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=157.126.224.252:80;https=157.126.224.252:443

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 157.126.*;*.huber.com;novinet.*;fixnetti.*;kennet.*;nnet.*;akimail.*;nijmail.*;skhmail.*;arnmail.*;*.cpkelco.com;*.noviantgroup.com;*.jmhuber.com;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sMA1.3.1] c:\SvcTools\1.3.1\bin\lnchr.exe --context=user --control-dir=c:\SvcTools\1.3.1\ctrl

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Object\isamntr.exe

O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Object\pmsnrr.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://hrweb.huber.com/huber.central/

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hew.jmhuber.com

O17 - HKLM\Software\..\Telephony: DomainName = hew.jmhuber.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hew.jmhuber.com

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: Software Management Agent 1.3.1 (SMA1.3.1) - Everdream - c:\SvcTools\1.3.1\bin\lnchr.exe

--

End of file - 5766 bytes


  • Root Admin

Please download RogueRemover PRO from http://www.malwarebytes.org/rogueremoverpro.php. It is a free 30 day trial and will help you remove this problem.

Install the application and start it. Select 'Check for Updates'. Download the latest database updates (which should be 119). Run a scan and remove everything it finds.

After that is complete, please show me a new HijackThis log. Good luck!


That seemed to have fixed my problem, thanks a ton. Here is a new HJT log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 9:59:09 PM, on 4/7/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\WINDOWS\CDProxyServ.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

c:\SvcTools\1.3.1\bin\lnchr.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\RightFax\FaxCtrl.exe

C:\WINDOWS\system32\DSentry.exe

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\SvcTools\1.3.1\bin\lnchr.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\dustin.morris\Desktop\Jeff's Problem Fixers\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hrweb.huber.com/huber.central/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hrweb.huber.com/huber.central/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hrweb.huber.com/huber.cental/index.cfm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=157.126.224.252:80;https=157.126.224.252:443

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 157.126.*;*.huber.com;novinet.*;fixnetti.*;kennet.*;nnet.*;akimail.*;nijmail.*;skhmail.*;arnmail.*;*.cpkelco.com;*.noviantgroup.com;*.jmhuber.com;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\\FaxCtrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sMA1.3.1] c:\SvcTools\1.3.1\bin\lnchr.exe --context=user --control-dir=c:\SvcTools\1.3.1\ctrl

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://hrweb.huber.com/huber.central/

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hew.jmhuber.com

O17 - HKLM\Software\..\Telephony: DomainName = hew.jmhuber.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hew.jmhuber.com

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: Software Management Agent 1.3.1 (SMA1.3.1) - Everdream - c:\SvcTools\1.3.1\bin\lnchr.exe

--

End of file - 5252 bytes

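As an added example that is not part of this thread or of any tool named in it, here is a small Python triage script for HijackThis logs: it flags the persistence patterns visible in the first log (an autostart under Policies\Explorer\Run, a Run entry named after a system DLL, a BHO whose file is missing, and anything else living in the same folder as a flagged component) and diffs the two logs to list what the cleanup removed. The sample entries are copied from the logs above; the heuristics are the editor's, not HijackThis's.

```python
import re

# Constructed sample: six entries copied from the "before" log and three from the "after" log.
BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing)
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Object\isamntr.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Object\pmsnrr.exe
"""
AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RogueMonitor] C:\Program Files\RogueRemover PRO\RogueRemoverPRO.exe /monitor
"""
ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")            # "O4 - <body>"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)  # first exe/dll path in a body

def parse_hjt(text):
    """Return (section, body) pairs for the R/O lines of a HijackThis log."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def removed_entries(before, after):
    """Entries present in the first log but gone from the second."""
    kept = set(parse_hjt(after))
    return [e for e in parse_hjt(before) if e not in kept]

def entry_dir(body):
    m = PATH_RE.search(body)
    return m.group(0).rsplit("\\", 1)[0].lower() if m else None

def flag_entries(text):
    """Map suspicious entry bodies to the reasons an analyst would flag them."""
    entries = parse_hjt(text)
    reasons = {}
    for sec, body in entries:
        if r"Policies\Explorer\Run" in body:
            reasons.setdefault(body, []).append("autostart via Explorer policy key, rare for legitimate software")
        if sec == "O4" and re.search(r"\[[^\]]*\.dll\]", body, re.I):
            reasons.setdefault(body, []).append("Run entry named after a system DLL")
        if sec in ("O2", "O3") and "(file missing)" in body:
            reasons.setdefault(body, []).append("browser add-on registered but its file is missing")
    # Second pass: files in the same folder as a flagged component belong to the same installation.
    bad_dirs = {entry_dir(b) for b in reasons} - {None}
    for _, body in entries:
        if body not in reasons and entry_dir(body) in bad_dirs:
            reasons[body] = ["shares a folder with a flagged component"]
    return reasons
```

Run against the full logs, the flagged set and the removed set should coincide; an entry removed but never flagged is a gap in the heuristics, and one flagged but not removed is a leftover worth a second look.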
