DVR Machines

Unknown
edited February 2006 in Spyware & Virus Removal
I work with the government on networked DVR (digital video recording) machines that run on Win2000pro. I've cleaned this computer over and over again and i can't identify the problem, i get popups about once every 10-20 minutes, i don't know if its a network problem or if there is something affecting the actual PC.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:08 PM, on 2/22/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Integral\MasterControl\MasterControl.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Integral\MasterControl\Remote Server\mcserver.exe
C:\Program Files\Integral\MasterControl\Plugins\mcplugin.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\DVX1\My Documents\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MasterControl.lnk = C:\Program Files\Integral\MasterControl\MasterControl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - Trusted Zone: www.integraltech.com
O16 - DPF: Tarantella 3.x Framework Java Archive - http://10.28.90.24/ppwb/java/asadJ-du.cab
O16 - DPF: Tarantella 3.x Proxy Java Archive - http://10.28.90.24/ppwb/java/proxyJ-du.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139498987948
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5810F5D-4401-470F-BD1D-9886E0EC07F4}: NameServer = 10.128.7.25,10.128.7.24
O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\hr6s05j7e.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

If there are any other steps you want me to take, i'd be happy to do it.

Comments

  • NecropolisNecropolis Hawarden, Wales Icrontian
    edited February 2006
    Moved to SVT
  • emajnthis
    edited February 2006
    Sorry, obviously i'm new to this forum i didn't quite understand where it was suppose to be. I just read the rules thread and i have already used both SB:S&D and AdAwareSE. There were a few spywares they couldn't remove (namely surf side kick 3 and newdotnet) that i removed manually using a "Run" command, and no matter how hard i look, i can't seem to find any other spyware. Still got pop ups though
  • skywalker45skywalker45 Bloomington, IN. USA
    edited February 2006
    Looks like another Look2Me/VX2 infection. Please follow the instructions below. We're getting a lot of these lately:

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
  • emajnthis
    edited February 2006
    I actually did that (as i have gone through several threads and took these steps prior to this mention) and i still have no results, i'm going to give it one more shot just like you instructed tomorrow afternoon, and repost a hijack this report. Thanks a lot for all of your help.
  • skywalker45skywalker45 Bloomington, IN. USA
    edited February 2006
    It is this line in your log that troubles me:

    O20 - Winlogon Notify: Group Policy - C:\WINNT\system32\hr6s05j7e.dll

    Normally a line like this with the cryptic .dll indicates Look2Me. If the Look2Me Destroyer log does not return an infection then there are other tools we can use to find out what the problem is. I'll be waiting for your response.
  • emajnthis
    edited February 2006
    It seems i was mistaken, i actually used the L2M - Fix not the L2M - Destroyer, the destroyer.exe seems to have knocked out the pop ups, but i'm posting a new hijack this report for youre review, Thanks again for all of your help, very top notch :thumbsup:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:05:46 PM, on 2/24/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Documents and Settings\DVX1\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MasterControl.lnk = C:\Program Files\Integral\MasterControl\MasterControl.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O15 - Trusted Zone: www.integraltech.com
    O16 - DPF: Tarantella 3.x Framework Java Archive - http://10.28.90.24/ppwb/java/asadJ-du.cab
    O16 - DPF: Tarantella 3.x Proxy Java Archive - http://10.28.90.24/ppwb/java/proxyJ-du.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140637978378
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5810F5D-4401-470F-BD1D-9886E0EC07F4}: NameServer = 10.128.7.25,10.128.7.24
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  • skywalker45skywalker45 Bloomington, IN. USA
    edited February 2006
    Yes the log is clean. Are you having any more problems I can help you with?
  • emajnthis
    edited February 2006
    I spent an hour monitoring the machines and everything checks out great; no pop ups and no unecessary process. Thanks again for all of your help, these government retards are always getting spyware on their computers, and none of the resident IT guys (shows how useful they are) could get the pop ups to go away.
  • skywalker45skywalker45 Bloomington, IN. USA
    edited February 2006
    Ah, what you said is not surprising. I myself used to be a contract government IT guy and I know just how things go :(

    I'm just glad you're clean! :)

    I'll close this thread now. If you need it re-opened just PM me or one of the other moderators.
This discussion has been closed.