1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Cannot locate spyware

Discussion in 'Malware and Virus Removal Archive' started by Beardy, 2007/02/28.

  1. 2007/02/28
    Beardy

    Beardy Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    2
    Likes Received:
    0
    I have a Windows XP SP2 PC in the office that seems to have some nasty
    on it that I'm unable to detect. AdAware cannot find anything, Spybot
    Search and Destroy also comes up clean and Mcafee anti-virus didn't find anything either. All of these programs are fully up-to-date with definitions.

    I know this machine is compromised since a network sniffer shows a horde of spam messages being sent from its IP address...

    I'm currently running RootkitRevealer from Microsoft (formerly sysinternals)

    Can anyone offer up additional suggestions? I'm tempted to just wipe the PC but I'm intrigued at to what is running on there and how it's remaining hidden.

    Here is the Hijackthis log. It was taken whilst Rootkit Revealer was still running, hoe that doesn't cause a problem with the results:-


    Logfile of HijackThis v1.99.1
    Scan saved at 11:34:25, on 28/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\csserver\formserver\srvany.exe
    C:\GS_UTS\GS_Tnet.exe
    C:\csserver\formserver\formserver.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlservr.exe
    F:\seachange\usr106p6\seachange\bin\nhnet.exe
    C:\windows\system32\nvsvc32.exe
    C:\WINDOWS\system32\r_server.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\PROGRA~1\MICROS~2\MSSQL\binn\sqlagent.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\MultiView\MultiView 2000\jsblpd.exe
    C:\windows\system32\taskmgr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Network Associates\VirusScan\scan32.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINDOWS\system32\LVComsX.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\windows\system32\wuauclt.exe
    C:\tmp\tools\RootkitRevealer\RootkitRevealer.exe
    C:\TMP\CSZRNUJ.exe
    C:\windows\system32\wuauclt.exe
    C:\tmp\tools\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AutoSys] C:\windows\system32\autosys.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Assign Network Drives.lnk = C:\WINDOWS\system32\netlogin.bat
    O4 - Startup: Remote Print Server.lnk = C:\Program Files\MultiView\MultiView 2000\jsblpd.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\windows\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\windows\system32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...tonmartin.com/configurator/db9coupe_load.html
    O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://81.137.171.51/vdesk/terminal/urTermProxy.cab#version=5500,0,50803,1
    O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://81.137.171.51/vdesk/terminal/urxhost.cab
    O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} (URVNCX Class) - https://81.137.171.51/vdesk/terminal/urvncx.cab#version=5400,0,50202,1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58A18C20-A7FB-4F2D-A8D0-469A85452C02}: NameServer = 158.152.1.43,158.152.1.58
    O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
    O23 - Service: CSAgent - Unknown owner - C:\csserver\Services\srvany.exe
    O23 - Service: CSZRNUJ - Sysinternals - www.sysinternals.com - C:\TMP\CSZRNUJ.exe
    O23 - Service: FormServer - Unknown owner - C:\csserver\formserver\srvany.exe
    O23 - Service: Georgia SoftWorks UTS (GS_Tnet) - Unknown owner - C:\GS_UTS\GS_Tnet.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NHNet - XKO Group Plc - F:\seachange\usr106p6\seachange\bin\nhnet.exe
    O23 - Service: NMWOEO - Sysinternals - www.sysinternals.com - C:\TMP\NMWOEO.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\windows\system32\HPZipm12.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
     
  2. 2007/02/28
    Dytrog

    Dytrog Inactive

    Joined:
    2007/01/13
    Messages:
    341
    Likes Received:
    0

  3. to hide this advert.

  4. 2007/03/01
    Beardy

    Beardy Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    2
    Likes Received:
    0
    I've run an additional anti-spyware program, "A-squared" and this also did not find anything other than legitimate remote access programs on the PC.

    The spam coming from this machine sppears to have stopped, but I havent actually done anythig to fix it, leading me to believe it could start again at any time...
     
  5. 2007/03/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Unless you're really willing to get into some long drawn out analysis, I'd suggest wiping the drive.

    RKR gets tricked quite often as do many other RK detectors.
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.