Spybot will not load/install, program being closed by malware?



upxtech
2006-11-11, 19:27
Sorry about that.

Also, add AVG AntiSpyware to programs/IE windows that this thing is closing.

Here's the HT log...

Logfile of HijackThis v1.99.1
Scan saved at 11:24:37 AM, on 11/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\idr3hlpr.exe
C:\WINNT\system32\irdvxc.exe
C:\WINNT\system\msie701.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\FLRSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\TEMP\POC900.EXE
C:\WINNT\system32\bootini.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Documents and Settings\markej\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.siemens.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Energy & Automation, Inc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaproxy.us002.siemens.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.siemens.com;*.siemens.net;*.sitest.net;*.sbs.de;*.spls.de;*.murrayconnect.com;*.murrayelectrical.com;*.smartpipes.net;*.esm.uu.net;*.siemens.co.in;*.pbk.mci.com;*.siemens.de;sales.asirobicon.com;*.us.na-asirob.local;<local>
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,bootini.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco\CSAgent\bin\okclient.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://go.siemens.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connect2.sea.siemens.com/vdesk/cachecleaner.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://connect.sea.siemens.com/vdesk/terminal/urxvpn.cab#version=5500,0,51230,1
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154630437884
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connect.sea.siemens.com/vdesk/terminal/urTermProxy.cab#version=5500,0,60116,2328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://connect.sea.siemens.com/vdesk/terminal/urxshost.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connect.sea.siemens.com/vdesk/terminal/urxhost.cab#version=5500,0,51124,1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C80C8E-60FA-4F46-AD3D-4D98D14C86C5}: Domain = sea.siemens.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C80C8E-60FA-4F46-AD3D-4D98D14C86C5}: NameServer = 161.218.7.12,161.218.9.10,161.218.10.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - C:\WINNT\SYSTEM32\srvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINNT\System32\idr3hlpr.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
O23 - Service: msie7 - Unknown owner - C:\WINNT\system\msie701.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINNT\System32\FLRSERV.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

Original topic:
http://forums.spybot.info/showthread.php?p=52314#post52314

upxtech
2006-11-11, 19:30
tashi asked that I post this info in this forum as well, so here it is:

I was traveling in ND this weekend and looks like I picked up something nasty in the hotel. (Insert joke here.)

Anyway, it's on my company laptop which has a TrendMicro AntiVirus program. The computer operates 100% normally. It's quick and does everything it should, except I noticed that the TrendMicro icon (system tray) goes away once the mouse gets close to it. After looking around I figured I must have picked up some spyware. I have a program in my root that keeps coming back: "smartftp2.exe". Also, there is a program called "upapp" that keeps showing up in my Add/Remove Programs. (HP Printer related?)

Naturally, I went to Google and typed in Spybot. As soon as I hit Enter, IE closes. So I got home, put spybotsd14.exe on a DVD and moved it to the laptop. It presents the language selection window and then closes. Finally, I moved the entire directory tree from my PC to the laptop via DVD and placed it in C:\program files. As soon as I clicked on Spybot Search and Destroy, the window closes. So I changed the name to naner. (Gibberish.) After clicking on naner, the window stayed open. Double clicking spybot.exe caused the window to load and then crash. So I changed spybot.exe to naner.exe and I've got the same results.

I've tried the built-in TM virus scan, Microsoft Malicious Software Removal, AdAware, Spyblaster, AVG Antispyware, and Spybot doctor. They all seem to install and load fine, but they have no effect. Obviously, Spybot will if I can get it to work. I have a 2.5" external HDD case. If I put the work HDD in there and attach it to my PC, will Spybot find that, or does it just look for the local C: drive?

Thanks in advance for any help!

LonnyRJones
2006-11-12, 02:41
Hello

Click Start-> Settings-> Control Panel-> Administrative Tools-> Services
Scroll down and highlight "Network helper Service"
Right-click the highlighted line and choose Properties
Double-check to ensure you have the correct service: C:\WINNT\system32\irdvxc.exe
Set it to Disabled in the Startup Type scroll bar
Click OK
Do the same for this service:
msie7
C:\WINNT\system\msie701.exe
Click OK, then exit Services.

Start Hijackthis and place a check next to these items If there.
Fix this unless you have GreenBorder installed?
O20 - Winlogon Notify: WLogon - C:\WINNT\SYSTEM32\srvc.dll
http://greenborder.com/
====================================
Hit fix checked and close Hijackthis.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.


Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
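The checks above were made by reading the posted log by eye: an extra executable hooked onto the system.ini Shell= and UserInit= lines (F2), the same file started again from the Run keys (O4), a Winlogon Notify DLL that is not part of Windows (O20), and two "Unknown owner" services living in the Windows directory (O23). As an added example, not code from this thread or from HijackThis or SDFix, the script below applies those same checks mechanically and then diffs a before/after pair of logs so the post-fix log can be verified the way LonnyRJones did. The two log excerpts are trimmed copies of the logs posted in this thread; the Winlogon Notify baseline set is an assumption (the subkeys Windows 2000/XP ship with) and every hit is a triage candidate, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpts of the two HijackThis v1.99.1 logs posted in this thread
# (first log: before SDFix; second: after), trimmed to the lines this example needs.
HJT_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,bootini.exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - C:\WINNT\SYSTEM32\srvc.dll
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
O23 - Service: msie7 - Unknown owner - C:\WINNT\system\msie701.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
"""
HJT_AFTER = r"""
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe
"""

# Assumed baseline: Winlogon Notify subkeys that ship with Windows 2000/XP.
# Anything else is surfaced for a human to check, not declared malicious.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, e.g. ('O23', 'Service: ...')."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"([A-Z]\d+) - (.*)", line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_suspicious(entries):
    """Apply, mechanically, the checks the helper in this thread did by eye.
    Returns (reason, body) tuples; every hit is a triage candidate, not a verdict."""
    flags = []
    piggyback = set()  # executables appended to Shell= or UserInit=
    # Pass 1: F2 entries. Shell should be Explorer.exe alone and UserInit a
    # single userinit.exe; anything extra there is started at every logon.
    for sec, body in entries:
        if sec != "F2":
            continue
        key, _, value = body.partition("=")
        if key.endswith("Shell"):
            extra = value.split()[1:]
        elif key.endswith("UserInit"):
            extra = [v for v in value.split(",")[1:] if v.strip()]
        else:
            extra = []
        if extra:
            piggyback.update(PureWindowsPath(e.strip()).name.lower() for e in extra)
            flags.append(("F2 logon hook", body))
    # Pass 2: everything else, correlating O4 against the F2 piggyback set.
    for sec, body in entries:
        if sec == "O4":
            m = re.search(r"\] (.*)", body)
            if m and PureWindowsPath(m.group(1).split()[0]).name.lower() in piggyback:
                flags.append(("O4 runs the same file as the F2 hook", body))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            m = re.match(r"Winlogon Notify: (\S+) - ", body)
            if m and m.group(1).lower() not in BASELINE_NOTIFY:
                flags.append(("O20 Winlogon Notify not in baseline", body))
        elif sec == "O23":
            m = re.match(r"Service: (.*?) - (.*?) - (.*)", body)
            if m:
                owner, path = m.group(2), m.group(3)
                in_windows_dir = path.lower().startswith(r"c:\winnt\system")
                if owner == "Unknown owner" and (in_windows_dir or "(file missing)" in path):
                    flags.append(("O23 unowned service in Windows directory", body))
    return flags


def diff_logs(before_text, after_text):
    """Compare two logs so the post-fix log can be checked against the flags."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {"removed": [e for e in before if e not in after],
            "added": [e for e in after if e not in before]}


if __name__ == "__main__":
    for reason, body in flag_suspicious(parse_hjt(HJT_BEFORE)):
        print(f"[{reason}] {body}")
    for sec, body in diff_logs(HJT_BEFORE, HJT_AFTER)["removed"]:
        print(f"removed after SDFix: {sec} - {body}")
```

Run against the excerpt, every line that was cleaned up in the thread is flagged and shows up in the "removed" list of the diff, while ctfmon.exe and the Trend Micro listener pass. The O20 rule also surfaces igfxcui (Intel graphics), and the "Unknown owner" rule would surface the ATI hotkey service from the full log: both are the kind of vendor false positive a human clears, which is why the output is a triage queue rather than a removal list.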

upxtech
2006-11-13, 05:51
Looks like that worked like a champ! Thank you so much!

How bad was the malware? Should I definitely be changing passwords? I will anyway, but I'm just curious what it was I picked up. I'm very careful what sites I visit, especially on my work laptop.

Attached is report.txt and the HT log.


SDFix: Version 1.36
-------------------

Scan run on:
Sun 11/12/2006

Time:
9:32p

Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\markej\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

Path:
----


Repairing Registry...

Killing PID 436 'bootini.exe'

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\WINNT\system32\10638_netapi.exe
C:\WINNT\system32\12072_netapi.exe
C:\WINNT\system32\44162_netapi.exe
C:\WINNT\system32\88357_netapi.exe
C:\bootini.exe
C:\WINNT\system32\atiphexx.exe
C:\WINNT\system32\bootini.exe
C:\WINNT\system32\i
C:\WINNT\system32\srvc.dll

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED

Logfile of HijackThis v1.99.1
Scan saved at 9:50:57 PM, on 11/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\idr3hlpr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\FLRSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\TEMP\NO98F9.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CryptoEx\Common\CexTray.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CryptoEx\Common\EASServer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.siemens.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Siemens Energy & Automation, Inc
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaproxy.us002.siemens.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.siemens.com;*.siemens.net;*.sitest.net;*.sbs.de;*.spls.de;*.murrayconnect.com;*.murrayelectrical.com;*.smartpipes.net;*.esm.uu.net;*.siemens.co.in;*.pbk.mci.com;*.siemens.de;sales.asirobicon.com;*.us.na-asirob.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [DirXconnect settings] C:\PROGRA~1\SIEMENS\DIRXDI~1\dxdSetup.exe -silent -dxcsettings
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\OfficeScan NT\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CryptoExTrayV3] "C:\Program Files\CryptoEx\Common\CexTray.exe" /ShowTrayIcon
O4 - HKLM\..\Run: [Migrator] "C:\Program Files\CryptoEx\Migrator\Migrator.exe" -StartUp
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco\CSAgent\bin\okclient.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://go.siemens.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connect2.sea.siemens.com/vdesk/cachecleaner.cab
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://connect.sea.siemens.com/vdesk/terminal/urxvpn.cab#version=5500,0,51230,1
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154630437884
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://connect.sea.siemens.com/vdesk/terminal/urTermProxy.cab#version=5500,0,60116,2328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://connect.sea.siemens.com/vdesk/terminal/urxshost.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://connect.sea.siemens.com/vdesk/terminal/urxhost.cab#version=5500,0,51124,1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C80C8E-60FA-4F46-AD3D-4D98D14C86C5}: Domain = sea.siemens.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C80C8E-60FA-4F46-AD3D-4D98D14C86C5}: NameServer = 161.218.7.12,161.218.9.10,161.218.10.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us002.siemens.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sea.siemens.com,us002.siemens.net,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com,sea.siemens.com
O20 - AppInit_DLLs: csauser.dll
O20 - Winlogon Notify: CexTrayWinLogon - C:\Program Files\CryptoEx\Common\CexTrayWinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Cisco Security Agent (CSAgent) - Unknown owner - C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe" -t c (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINNT\System32\idr3hlpr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\ntrtscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINNT\System32\FLRSERV.EXE
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\OfficeScan NT\tmlisten.exe

Thanks again!

LonnyRJones
2006-11-13, 06:39
Looks good, thanks to the author of SDFix.


Submit this file here please
C:\WINNT\system\msie701.exe
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Then it can be deleted
I suggest a full Trend Micro scan after getting updates, and an additional online scan with the Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.