Help - Search - Members
Full Version: Acer Aspire Infected
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
depawl
May 7 2007, 01:43 AM
This is an Acer Aspire 3003 notebook running XP Pro. AMD Sempron 3.0 w/512 M RAM. This belongs to a friend’s foreign exchange student. When brought to me it was severly infected, several error messages at startup, popups, lockups etc. Ran the typical removals:
CCleaner
Cool Web Shredder
AdAware (Safe Mode – twice)
Spybot (Safwe Mode – twice)
AVG Antivirus
AVG 7.5 Anitvirus
Trend Micro Housecall
Cleaned up msconfig

Each scan found numerous infections (first run of AdAware found over 1200). Trend Micro Housecall would never complete. Got to the “Removing and Deleting
Spyware and Grayware”, and that’s it, would never get beyond this point, even after several hours. Ran hijack this, removed several entries (consider myself a good log analyzer) but need an expert. After reboot, AVG found several Trojans, and several new entries were discovered in msconfig (file attached). Also, HiJackThis has several new entries that weren’t there the last time (most notably NewDot). Was able to restore internet connectivity with LSP fix, but obviously problems remain. On startup I am now getting a “the system has recovered from a serious error, please tell Microsoft about this problem, etc.”. My HJT log file follows. Thanks in advance for your expert assistance.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:07:55 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\hung muhamath.H-A830BD26DCB14\win32.exe
C:\WINDOWS\system32\dlh9jkd1q2.exe
C:\WINDOWS\cfg32.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\WINDOWS\system32\vexga4m1et4.exe
C:\WINDOWS\system32\sony.exe.exe
C:\WINDOWS\system32\pdp.exe.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\aspi67655.exe
C:\WINDOWS\system32\ucmoreiex.exe
C:\Documents and Settings\hung muhamath.H-A830BD26DCB14\click.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sony.exe
C:\WINDOWS\system32\rundll32.exe
c:\windows\system32\rlvknlg.exe







C:\hjt\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://asia.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.com/customize/ie/defaul...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\RunOnce: [OSSProxy] c:\windows\system32\rlvknlg.exe -bootinstall
O4 - HKCU\..\RunOnce: [Del24581] cmd /c del C:\WINDOWS\rk.exe
O4 - HKCU\..\Policies\Explorer\Run: [{D8E14A87-0708-1033-0815-050330050001}] "C:\Program Files\Common Files\{D8E14A87-0708-1033-0815-050330050001}\Update.exe" mc-110-12-0000140
O4 - HKCU\..\Policies\Explorer\Run: [{D8E14A87-0707-1033-0815-050330050001}] "C:\Program Files\Common Files\{D8E14A87-0707-1033-0815-050330050001}\Update.exe" mc-110-12-0000140
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67655.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - F:\Program\iolo\System Mechanic 6\IoloSGCtrl.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - F:\program files\Trend Micro\Antivirus\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - F:\program files\Trend Micro\Antivirus\tmproxy.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6513 bytes
rridgely
May 7 2007, 07:35 AM
Welcome to the forum. biggrin.gif
You definitely have an infected computer.

Run BitDefender Online Scanner
  • Using internet Explorer please go HERE to run BitDefender's Online scan.
  • Read the terms and then click I Agree
  • You may receive a Security Warning about the BitDefender ActiveX control, If you do, please allow it to install.
  • On the scanning Options screen, Press Click Here To Scan and then follow the on screen prompts.
  • Once bit defender is finished scanning your computer it will automatically remove the infections. Once the removal process is finished press the close button and a dialog box will appear asking if you want to send your scan log back to the makers of bitdefender. You do not have to do this but what you do want to do is press the button that says "view log" and then copy and paste that log into notepad and save it to your desktop as bitdefender.txt.
  • Reboot your computer


Download Superantispyware
  1. Load Superantispyware and click the check for updates button.
  2. Once the update is finished click the scan your computer button.
  3. Check Perform Complete Scan and then next.
  4. Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  5. Make sure that they all have a check next to them and press next.
  6. Click finish and you will be taken back to the main interface.
  7. Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  8. Copy and paste the log onto the forum.

In your next reply post the bitdefender log, a superantispyware log and a new hijackthis log taken after both logs.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.