Windows 2k... was infected with a W32.spybot variant named W32.SillyP2P (I don't have any p2p software installed)... There was also a file by the name of explore.exe (as opposed to exploreR.exe) that was apparently the operating shell. Eventually, I would log in, but Windows would directly log out immediately. I had to use remote registry from another computer to change the userinit value just to log in to the original computer. I have since cleaned out (at least it looks that way) the threat... but decided to run HijackThis to make sure. There appears to be some sort of lingering infection...
The HijackThis log:
------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:47 AM, on 12/5/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Frontstep Shared\Service\FSConfigSvc.exe
C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MDM.EXE
C:\WINNT\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://12.184.154.133/CRMLIVE/fsCtrls.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://infor.webex.com/client/T26L10NSP49EP5/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = paratech.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{97BCB850-0C90-472C-AEED-D8AA398A5515}: NameServer = 10.0.100.63
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINNT\system32\afisicx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: eConfigService - Unknown owner - C:\Program Files\Frontstep\Components\Commerce\Server\eConfigService.exe
O23 - Service: Frontstep Configuration Service (FSConfigSvc) - Unknown owner - C:\Program Files\Common Files\Frontstep Shared\Service\FSConfigSvc.exe
O23 - Service: Frontstep Validation Service (FSValidationSvc) - Unknown owner - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINNT\system32\mabidwe.exe
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\WINNT\system32\msceco.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINNT\system32\noytcyr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINNT\system32\roytctm.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINNT\system32\soxpeca.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINNT\system32\tdydowkc.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINNT\system32\wsldoekd.exe

--
End of file - 5730 bytes
-------------------------------
I greatly appreciate any advice and/or direction...
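A small triage script, added here as an example and not code from the original post or from HijackThis: it parses the F2 and O23 entries in the log format quoted above (the field layout is assumed from that log) and lists the entries a responder would verify first, namely an empty UserInit value and services with no identified owner running from system32. The sample lines are copied from the log; the heuristics are assumptions, and a hit is a lead to check against the service binary, not a verdict.

```python
import re

# Constructed sample: a handful of entries copied from the HijackThis log
# quoted in the post, one entry per line as HijackThis writes them.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\\WINNT\\system32\\afisicx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: Ms File Manager Services (mscecosd) - Unknown owner - C:\\WINNT\\system32\\msceco.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
"""

# O23 layout (assumed from the log): display name, optional (short name), owner, path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def parse_o23(line):
    """Return the fields of an O23 service entry, or None if the line is not one."""
    m = O23_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (section, name, detail) tuples for entries worth a second look.

    Heuristics (assumptions, not HijackThis rules): an empty UserInit value
    explains a logon/logoff loop, and a service with no identified owner that
    runs from the system32 directory should be verified by hand.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m and not m.group("value").strip():
            findings.append(("F2", "UserInit", "empty UserInit value; logon loops until restored"))
            continue
        entry = parse_o23(line)
        if entry and entry["owner"] == "Unknown owner" and "\\system32\\" in entry["path"].lower():
            findings.append(("O23", entry["name"] or entry["display"], entry["path"]))
    return findings


if __name__ == "__main__":
    for section, name, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {name:12} {detail}")
```

Run against the full log pasted into SAMPLE_LOG, the O23 hits are exactly the unknown-owner system32 services the post lists.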