Serious Spyware/Virus Issue!

jamesbond007

Diamond Member
Hey everyone! Just when you thought you've seen everything as you've worked on a ton of computers, there's always something that comes up to surprise you. I'm working on someone's computer and the symptoms are unlike any other I've seen...sorta. The taskbar is somewhat minimized/gone. It's like the auto-hide option was selected (so you see just a sliver of it on the bottom of the screen) but you can't drag it up, and the 'unlock taskbar' option is grey/disabled. Even in safe mode, the taskbar is the same way!

The machine runs EXTREMELY slow. (It took about 35 minutes to install Spybot.) I've tried putting a trial of Spy Sweeper on there, but after installation the program says it's damaged and needs to be reinstalled. MS AntiSpyware won't install because it can't load the Windows Installer. AdAware 1.06SE was loaded and updated, but it doesn't detect anything either. I've put my copy of Kaspersky Personal Pro 5 on there for the time being in an attempt to get past this issue, but it's not detecting anything. I've run some scans in safe mode and in regular mode, too.

The machine also has an outdated copy of NAV2003, Windows Home SP1, and needs updating badly. I'm not even going to attempt to install SP2 until this thing is fixed up.

I'm contemplating just doing a system restore and saving their existing photos/docs to a flash drive of mine. I hate doing this option, though.

Thanks for any help and here's a copy of the HJT log for anyone interested:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:39 AM, on 3/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Softex\OmniPass\OPXPApp.exe
F:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.netscape.com/hp.adp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: HP Organize.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm103YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 
I think it would save you a lot of time/grief if you just backed up everything they need and formatted everything. Run DBAN on the drive a few times to make sure everything is gone, and reinstall. Then scan all the backed-up stuff and put it back on. Make sure you give these people a good lecture on not being stupid, not updating, and going to pron websites that spread spyware everywhere.

Even if you are able to clear up a lot of it without formatting, you still won't be sure whether or not it's gone, and it might pop up later. It's better to stick on the safe side.
 
theman, thanks for a fast reply!

Yeah, I am agreeing with you on that one. They say they don't use the computer a lot, but it's in a kid's room and he's in the 6th grade. 😉 I see a nice LimeWire icon in the upper-left corner, so I'm sure the kid was the culprit. The dad said he left ESPN's website open for a couple hours as he left promptly to a basketball game and when he came home, this is what he was left with. 😛

Perusing the HDD, I see a hidden/light-colored folder called 'cmdcons'. Not sure if that's something from HP, but it definitely looks fishy. There's a System32 folder in there with a bunch of system files. Also, when you type CMD in the console, a DOS-like console opens up, but nothing loads and it hangs. Typing CMD.EXE brings up the real console window. 😛

I feel so helpless. 🙂 This is the first system in over a year I have had to reinstall the OS due to a virus/spyware. There goes my record for '06! Haha...
 
WIPE IT!

Yep, always a good solution. Consider the time required re-installing everything vs. the time to figure out the most bizarre spyware issue you've ever seen. Your customer can thank you later for the lower bill, and clean system. 😉

Unless you destroy their data in the process. hehe. I usually do a full ghost image of the drive to a spare drive somewhere just to be safe.
 
Wipe it, and that kid (and the dad) should use a Limited account in the future too.

If you want to work on it a bit more, though, try F-Secure's BlackLight beta rootkit detector in normal Windows to see if there are any rootkits detected.

Next, follow the instructions in this text file: http://www.omnicast.net/~tmcfadden/scan.txt If you wouldn't mind PM'ing me the report.html file when it is finished, I'd be curious to see it. This runs a command-line McAfee scanner/cleaner with all its options switched on, and it'll go after a certain amount of prevalent spyware/adware too. After this has run, you may be able to re-enable the Windows Installer service and install some specific antispyware apps to scan further.

Also, if you didn't already, set Kaspersky to the Extended Database option in the Threats & Exclusions section, update it, and then do another Kaspersky scan in Safe Mode too.
 
Have to agree with the WIPE IT idea. Also, there's so much crap loading at start-up, I'm surprised it will run at all. If you're motivated to spend hours on it, mechBgon offers solid advice. Beyond that, I would stop EVERYTHING from loading at startup and uninstall Norton. Will the system go into safe mode? If so, I'd start there.
 
I just did a quick scan and I don't even see any malicious entries in the HJT log. If you try to run Spy Sweeper in safe mode and choose the safe mode option when you launch the program, it will tell you that the installation is damaged. Be sure to choose normal mode.

As far as the PC being slow, it sounds like a possible bad hard drive, especially if it's slow in safe mode. Try a chkdsk and scan for bad sectors. If you have access to a spare drive, you could clone the old one to it and see if the new drive solves the current issue. It wouldn't hurt to try a new IDE cable as well. Also be sure to check the BIOS to make sure the CPU is not in compatibility mode.
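As an added illustration (not code from the thread or any of its posters), here is a small Python triage pass over HijackThis-style lines, the kind of second look John describes when he reads the HJT log as clean: it flags R0/R1 IE settings pointing anywhere other than the expected OEM hosts, O2 BHOs whose DLL is missing, O20 Winlogon Notify DLLs outside the standard directories, and O23 services with an unknown owner. The expected-host list and the sample lines are assumptions taken from this thread's log, plus one constructed R0 line to exercise the unexpected-host path.

```python
"""Triage HijackThis-style log lines for entries worth a second look."""
import re
from urllib.parse import urlparse

# Assumption: the IE start/search pages on this HP box should point at the
# OEM defaults seen in the thread's log; anything else gets flagged.
EXPECTED_HOSTS = {"us9.hpwis.com", "srch-us9.hpwis.com", "hp.netscape.com"}
# Winlogon Notify DLLs are expected under these directories (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return (section, reason) if the line deserves attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # Registry value is "Name = value"; only URLs with a host are judged.
        value = body.split(" = ", 1)[-1].strip()
        host = urlparse(value).hostname
        if host and host not in EXPECTED_HOSTS:
            return (sec, f"IE setting points at unexpected host {host}")
    elif sec == "O2" and body.endswith("(no file)"):
        return (sec, "BHO CLSID registered but its DLL is missing")
    elif sec == "O20":
        path = body.rsplit(" - ", 1)[-1].lower()
        if not path.startswith(SYSTEM_DIRS):
            return (sec, f"Winlogon Notify DLL outside standard dirs: {path}")
    elif sec == "O23" and "Unknown owner" in body:
        return (sec, "service with no publisher string; verify the binary")
    return None


def triage(log_text):
    """Run triage_line over every line; keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: lines copied from the thread's log plus one made-up R0.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hp.netscape.com/hp.adp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://constructed.example.invalid/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    for sec, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}")
```

Run against the full log in the thread, the same pass flags only the orphan {FDD3B846-...} BHO and the two "Unknown owner" services, which matches the posters' read that nothing in the HJT log points at the culprit.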
 
I just got done wiping the disk and performing a HP recovery on the machine. All is well! Now to remove all the BS that comes on the default install. 😛

John, I also had speculated a bad disk as well, but running some HDD utilities of mine yesterday proved that to not be the case as the drive didn't have any reported problems. Spy Sweeper wasn't able to be used at all. The SWEEP button was greyed out and I tried everything to get it to work, in and out of safe mode.

mechBgon, thanks for the utils and links. Yes, Kaspersky was set to the extended database. I did run the McAfee thing and it didn't find much:
Scanning C: [HP_PAVILION]
Scanning C:\*.*
C:\hp\bin\Terminator.exe ... Found application KillApp.
The file or process has been deleted.
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf ... Found application Adware-MWS.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 604837
Clean: ................. 600518
Possibly Infected: ..... 0
Deleted: ............... 2
Non-critical Error(s): 2
Master Boot Record(s): ......... 2
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

It started to scan the D drive, but I halted that as it is the system recovery partition and I didn't want it to accidentally remove or alter any files on there.

Is anyone familiar with any kind of program or code/virus that is able to mutilate the operating system in some form and then remove itself? In order to back up files, I zipped them using the built-in compression feature of XP and had to use cmd.exe to back them up to a flash drive. CTRL+C/V would not work, nor would the right-click on a file | COPY | PASTE function! The features were greyed out in the EDIT menus of all Explorer windows. Opening IE didn't give me any clues either. It looked untouched; there were no weird BHOs or toolbars. It's just the weirdest thing I've run into in a *LONG* time!
 
The only thing that would mutilate XP is a registry error, or a registry hole (missing file) that XP hasn't detected. Once spyware installs itself into the registry, it'll make cheese outta XP...
 
To add more to this story, the floppy drive was also being accessed quite often...too often. The desktop icons would also refresh every now and then, which I thought was weird as well. I'm just floored as to why I/we couldn't find an answer to their problem. What would have made the CPU run so slow in the first place? Computational things (like compression and file copying to the flash drive) were fast and flawless.

Whatever!!! Ugh, at least they have a working machine again. 🙂