Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Post #1, Jan 26 2006, 04:03 AM
New Member, Group: Member, Posts: 3, Joined: 26-January 06, Member No.: 17562
I'm pretty sure this is spyware, but I'll let the experts decide. Basically, the network here was suffering some pretty bad lag that we couldn't figure out. We isolated it to one machine, of course the web/email server. This machine was sending packets out like crazy, but with a fresh install/def files of Norton's Corporate 10.0/Spybot/Ad-Aware we weren't able to find anything. We thought perhaps it was a net card problem, so we replaced that. Upon booting, the computer informed us that, since it couldn't find the net card, it wanted to know if we wanted to use a dial-up connection to connect to the sites. Then we had to click close on many prompts, which included dialing to {aaquire.net, dailynineus.com, easyfranc.com, printbattery.com, dealjewels.com, golf-arizona.com, greenshirtrewards.info, jauntyjewls.com, my.drujok.ru, tvspecials006.info} (not the full list, obviously). But we can't find this stuff anywhere. Half of the names that popped up aren't in the registry (using a simple find). This is a Win2k server running Exchange, IIS, IIS Lockdown, MySQL, PHP.
Here is the HijackThis file. I appreciate any help that can be provided.

Logfile of HijackThis v1.99.1
Scan saved at 7:40:51 PM, on 1/25/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Exchsrvr\bin\chatsrv.exe
c:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\nvsvc32.exe
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\WI7098~1\WScheduler.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINNT\system32\initsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\rasautou.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\cmd.exe
F:\Software\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.schuylerhouse.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WScheduler] C:\PROGRA~1\WI7098~1\WScheduler.exe /LOGON
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Service Manager] initsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [Windows Service Manager] initsvc.exe
O4 - Global Startup: Host.lnk = C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\Host.BHF
O4 - Global Startup: Windows Scheduler.lnk = C:\Program Files\WindowsScheduler\Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.one.microsoft.com/MCP/to...scriptPrint.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = schuylerhouse.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{080590F4-E5A6-4521-89D8-B4B65BE6D5FD}: NameServer = 192.168.0.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56F564-160E-4320-91CC-EA841CB232A6}: NameServer = 66.51.205.100,66.51.206.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{71719419-0F9F-45C1-B37A-3E6FA3DF02C5}: Domain = schuylerhouse.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{71719419-0F9F-45C1-B37A-3E6FA3DF02C5}: NameServer = 207.155.184.72,206.173.119.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1384758-FA67-4311-BE76-78DA388EB56C}: NameServer = 192.168.0.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = schuylerhouse.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = schuylerhouse.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{080590F4-E5A6-4521-89D8-B4B65BE6D5FD}: NameServer = 192.168.0.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = schuylerhouse.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = schuylerhouse.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{080590F4-E5A6-4521-89D8-B4B65BE6D5FD}: NameServer = 192.168.0.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = schuylerhouse.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: MySql - Unknown owner - c:\mysql\bin\mysqld-nt (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Post #2, Jan 26 2006, 06:08 AM
New Member, Group: Member, Posts: 3, Joined: 26-January 06, Member No.: 17562
Well after forum diving I found the link for Ewido. It did what Nortons / Spy Bot / Ad Aware did not do, and removed the spyware worms. Weeeeeeeeeeee!
Post #3, Jan 26 2006, 01:54 PM
The computer whisperer, Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954
Hi kittylemew,
Does this mean your troubles are over? Can I consider this case as resolved?
Post #4, Jan 26 2006, 06:07 PM
New Member, Group: Member, Posts: 3, Joined: 26-January 06, Member No.: 17562
Resolved! Thanks!