
Solved Windows 2003 server hijacked-can't access control panel as admin

Discussion in 'Malware and Virus Removal Archive' started by mcseadogs, 2007/11/15.

  1. 2007/11/15
    mcseadogs (Thread Starter)
    [Resolved] Windows 2003 server hijacked-can't access control panel as admin

    I would greatly appreciate assistance with this issue. Starting yesterday we received an error when logging in to the system (as admin): "Windows cannot find 'c:\documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." Also, Control Panel is missing from the Start menu. If I attempt to enter "control panel" in a window such as the Network Connections window, I receive "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator." Same thing if I try to go to "Properties" on "My Computer". I am running Symantec Corporate with definitions of 11/8 up to yesterday. I updated the definitions to 11/14 yesterday and ran scans until they came clean. However, the issues are continuing. Malware found includes: adware.purityscan, adware.webbuy, backdoor.trojan, downloader, downloader.mislead, spyware.isearch, and trojan.dropper. Below is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:16:22 AM, on 11/15/2007
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    e:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\rdpclip.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\Program Files\Symantec AntiVirus\VPC32.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\System32\vds.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\dell\homepage\dellhome.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\dell\homepage\dellhome.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jtpdial1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = secure.deyta.com
    F2 - REG:system.ini: Shell=Explorer.exe C:\Documents and Settings\Administrator.65GW2003\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DBISQL9] "E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SybaseCentral43] "E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\winrnr.dll' missing
    O15 - ESC Trusted Zone: http://rad.msn.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191889896244
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191889888916
    O16 - DPF: {8613571C-30D2-4BD4-9710-3DFDBADE8190} (AMI Pictorial Control CWeb 2.1 SPa05) - http://10.34.33.18/amI/install/amiviewer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/T25L/webex/ieatgpc.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://southeast.clio.medcity.net/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - e:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10615 bytes
     
  2. 2007/11/16
    noahdfear
    Welcome to WindowsBBS mcseadogs :)

    While I can see the infection(s) that need to be removed, and know which tools are needed to remove them, I have a concern that I'd like to address first ...... the first entry in your log.

    C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe


    smss.exe (Session Manager) should be running from C:\Windows\system32, and C:\Documents and Settings\Administrator.65GW2003\WINDOWS is not normally even a valid path. Is this a custom configuration, or has something created, moved, modified and/or copied smss.exe (and the Windows\system32 path) to that location? Please check for the existence of smss.exe in the C:\Windows\system32 directory, its size and datestamp.

    Check also the size, creation and modified date on the Docs and Settings copy I mentioned above, and what other files are in that folder along with smss.exe

    If I counted correctly, your log has 33 winlogon.exe processes. 1 of those should be the Admin account ....... safe to assume the other 32 represent client connections? Are any of them showing signs of infection?

    Do you have a drive imaging program?
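As an added example that is not part of this thread and not HijackThis's own code, the following Python script applies the checks noahdfear describes in the post above (a core Windows binary running from an unexpected path, the winlogon.exe count) plus three more that the posted log supports (an autostart name one typo away from a real service, the F2 Shell= line, and the O7 policy and O10 LSP lines) to a trimmed copy of the log in the first message. The expected-directory table, the assumption of a default C:\WINDOWS install, and the lookalike test are this example's own assumptions, not HijackThis output.

```python
r"""Triage a HijackThis log for the signs discussed in the thread.

Added example: not part of the thread and not HijackThis code.  SAMPLE_LOG is a
trimmed copy of the log posted above; EXPECTED_DIR (default install, SystemRoot
= C:\WINDOWS) and the lookalike test are this example's own assumptions.
"""
import re

SYS32 = r"c:\windows\system32"
# Where core Windows binaries live on a default Server 2003 install (assumption).
EXPECTED_DIR = {"smss.exe": SYS32, "csrss.exe": SYS32, "winlogon.exe": SYS32,
                "services.exe": SYS32, "lsass.exe": SYS32, "svchost.exe": SYS32,
                "spoolsv.exe": SYS32, "userinit.exe": SYS32, "explorer.exe": r"c:\windows"}

SAMPLE_LOG = r"""
Running processes:
C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\winlogon.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\Documents and Settings\Administrator.65GW2003\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\winrnr.dll' missing
"""

def parse_log(text):
    """Return (process_paths, entries); entries are (code, rest) from lines like 'O4 - rest'."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False          # a blank line closes the process list
        elif (m := re.match(r"^([A-Z]\d+) - (.*)$", line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def split_path(path):
    """(directory, file name), both lower-cased; HijackThis prints Windows paths."""
    head, _, tail = path.lower().rpartition("\\")
    return head, tail

def osa_distance(a, b):
    """Edit distance where an adjacent transposition (spoolvs/spoolsv) costs one edit."""
    d = [[max(i, j) if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_process_paths(processes):
    """Core binaries running from anywhere but their expected directory (noahdfear's first check)."""
    out = []
    for p in processes:
        head, name = split_path(p)
        if name in EXPECTED_DIR and head != EXPECTED_DIR[name]:
            out.append(("core-binary-outside-expected-dir", p))
    return out

def check_lookalikes(processes, entries):
    """Any .exe name one typo or transposition away from a core binary (spoolvs.exe vs spoolsv.exe)."""
    out = []
    for text in processes + [rest for _, rest in entries]:
        for exe in re.findall(r"[\w~-]+\.exe", text, re.I):
            if exe.lower() not in EXPECTED_DIR:
                out += [("lookalike-name", f"{exe} ~ {core}: {text}")
                        for core in EXPECTED_DIR if osa_distance(exe.lower(), core) <= 1]
    return out

def check_shell_and_userinit(entries):
    """F2 Shell= must be exactly Explorer.exe; UserInit= must be the stock system32 userinit.exe."""
    out = []
    for code, rest in entries:
        key, _, value = rest.partition("=")
        if code == "F2" and key.endswith("Shell") and value.strip().lower() != "explorer.exe":
            out.append(("shell-not-explorer", rest))
        if code == "F2" and key.endswith("UserInit") and value.strip().lower() != SYS32 + r"\userinit.exe,":
            out.append(("userinit-modified", rest))
    return out

def check_policies_and_lsp(entries):
    """O7 policy lines explain the 'restrictions in effect' error; O10 'missing' means a broken LSP chain."""
    return [("policy-restriction" if code == "O7" else "lsp-broken", rest) for code, rest in entries
            if code == "O7" or (code == "O10" and "missing" in rest.lower())]

def count_winlogon(processes):
    """One winlogon.exe per session: the console plus one per Terminal Services client."""
    return sum(1 for p in processes if split_path(p)[1] == "winlogon.exe")

def triage(text):
    processes, entries = parse_log(text)
    return (check_process_paths(processes) + check_lookalikes(processes, entries)
            + check_shell_and_userinit(entries) + check_policies_and_lsp(entries))

if __name__ == "__main__":
    print(f"winlogon.exe instances: {count_winlogon(parse_log(SAMPLE_LOG)[0])}")
    for reason, detail in triage(SAMPLE_LOG):
        print(f"[{reason}] {detail}")
```

Run it as a script to print the findings; on a real log, read the whole file into SAMPLE_LOG. The lookalike test is deliberately narrow (edit distance 1, with a transposition counted as one edit) so that it catches spoolvs.exe against spoolsv.exe without flagging every short name, and the F2 check treats anything after Shell= other than the bare Explorer.exe as a second shell being loaded.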
     


  4. 2007/11/16
    mcseadogs (Thread Starter)
    SMSS.exe info update

    Thank you so much for the quick reply. This is really strange...
    A little more info I left out. This is a Windows 2003 terminal server, R2, SP2, which should account for the client sessions. If I log in as myself I get the "cannot find c:\documents" error, but I can get to the Control Panel and the properties of "My Computer".

    I checked on another system that is not infected and we do use the C:\Documents and Settings\Administrator.65GW2003\WINDOWS path, although I don't recall that it was a custom setup.

    I have folder view set to show all files, including protected system files, and checked via a DOS prompt, but cannot find the "C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\" directory. There is a system directory there, but no smss.exe file.

    smss.exe is in C:\Windows\system32 with the following information:
    Size: 52.5 KB, Created 5/2/05, modified 2/17/07, accessed 11/16/07. version 5.2.3790.3959.

    Under the C:\Documents and Settings\Administrator.65GW2003\WINDOWS folder I have the following: sun\java\deployment with no files and a system folder with no files. At the same level as the sun and system folder I have the following files: inifile.upd (54bytes,10/18/07), VPC32.ini (0bytes, 10/8/07), win.ctx (645bytes, 10/18/07), and win.ini (645bytes, 6/14/07).

    I do not have a drive imaging program. Any suggestions on resources to learn more about these issues would be greatly appreciated in addition to your help on this particular issue. I have quickly learned that I know very little about this and would like to remedy that.
     
  5. 2007/11/17
    noahdfear
    As in a separate user account? How many user accounts are on the server, and do they all have the same behavior?
    Where did you check this from, eg; another server within the domain or a workstation?

    Before we attempt any fixes, I recommend you at the least obtain a trial version of a drive imaging program and create (and test) an image of the drive. Acronis True Image, Norton Ghost and R-Drive are a few I'm familiar with.
     
  6. 2007/11/18
    mcseadogs (Thread Starter)
    update to hijack issue

    I logged in as myself under a separate user account with just regular user permissions. Other users who are more restricted also receive the C:\documents error when logging in, but are already restricted from running control panel etc.

    The other system I compared this one to was also a windows 2003 terminal server in the same domain. A windows 2000 terminal server in a different domain has a similar configuration.

    I am working on getting an image set up with Ghost. We also fully backup this server every day using veritas. Is a drive image still needed in this case?
    Thanks again!
     
  7. 2007/11/18
    noahdfear
    Unless it is something like Backup Exec, which can do full system recovery, a backup of that type can only restore whatever files might be needed in the event of something catastrophic, after doing a system re-installation. A disk image can put everything back into place as it was, regardless of what you do to the system. An unbootable, completely borked system can be restored quickly with an image. I strongly recommend it as a precaution simply because it is a domain server. Make sure you have the necessary boot disks and image stored externally.

    I'm frankly outside my area of knowledge with this smss.exe location as well, so I can only make suggestions based on what I do know, which is a combination of what I see in the logs and what you report. The Server 2003 test machine I have is a virtual machine, and while it's configured as a domain controller, I have no clients or local logon accounts other than the Admin acct. :rolleyes:

    On the unaffected server, logon to a standard user account and check the path to smss by creating a HijackThis log. Do the same from the Admin account. Then repeat on the affected machine and compare the results. What I would be looking for is if they all point to the Administrator folder in Docs and Settings.

    Let's say we try cleaning up the infection now, once you're satisfied you can easily restore the computer to its current state should something go south on us. You'll need to disconnect client sessions and shut down all non-essential programs during the fix. I just ran this tool on my test machine to verify that it will run. The only thing I noted was that it removed the folder C:\Windows\system32\cache, which on this machine was empty. Check yours for content and back up if necessary. The folder can easily be recreated if need be. It needs to be run from the Admin account because that's the account where restrictions have been placed.

    Download ComboFix by sUBs from here, saving the file to your desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  8. 2007/11/18
    petejones
    Hello mcseadogs

    2 cents worth!!

    "We also fully backup this server every day using veritas. Is a drive image still needed in this case?"

    No, that is the problem with automated backups. They have to back up what they are told to.

    But you, on the other hand, "know" this system has problems.

    Why would you want to image a corrupted system, especially if you have other backups (Veritas)?

    You should restore back via Veritas to the point before the problem occurred.

    Only image when you are confident the system is clean. Once the system is clean you may want to remove some of your Veritas backups.

    Then post the HJT logs and let noahdfear bring you forward to a completely clean system if there are still indications of what he sees.

    I would also advise you do both of the below.

    ======================================
    Registry backup
    http://www.larshederer.homepage.t-online.de/erunt/

    Install XP system restore on W3k server
    http://www.neowin.net/forum/?showtopic=91476
    =======================================

    As an aside, I would remove any unnecessary Dell junk from this (especially a server) machine.

    Is this machine used as a workstation also? If not, are you serving Acrobat in some way? If not, basic Acrobat Reader should suffice and improve performance.

    Same for MS Office: if you are not serving it, then it should be removed. If you are serving these, then they are heavy apps to be running remotely multiple times under Terminal Services.

    If you need only MS Word on a TS connection, you should use a standalone MS Word compatible app such as AbiWord etc.

    Pete
     
  9. 2007/11/18
    petejones
    Hmm

    Sorry, I guess we were composing at the same time!

    Pete
     
  10. 2007/11/18
    mcseadogs (Thread Starter)
    new combofix log part 1

    ComboFix 07-11-08.3 - Administrator 2007-11-18 12:48:33.1 - NTFSx86
    Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.3405 [GMT -5:00]
    Running from: E:\Apps\malwareremove\combfix\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    CNetworks
    2007-05-10 00:12:07 1,463,098 --sh--w C:\WINDOWS\system32\bygafmhs.ini2
    2007-05-02 01:02:55 1,368,440 --sh--w C:\WINDOWS\system32\rtutv.bak1
    2007-05-04 00:48:08 1,376,800 --sh--w C:\WINDOWS\system32\rtutv.bak2
    2007-05-04 00:57:19 1,378,246 --sh--w C:\WINDOWS\system32\rtutv.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     
    Last edited: 2007/11/19
  11. 2007/11/18
    mcseadogs (Thread Starter)
    combofix log part 2

    .
    .
    *Note* empty entries & legit default entries are not shown
     
    Last edited: 2007/11/19
  12. 2007/11/18
    mcseadogs (Thread Starter)
    combofix log part 3

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-18 12:51:22
    .
    --- E O F ---
     
    Last edited: 2007/11/19
  13. 2007/11/18
    mcseadogs (Thread Starter)
    new hijack this log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53, on 2007-11-18
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    e:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    --
    End of file - 8667 bytes

    I can now login without the c:\documents error and access the control panel etc. as admin
     
    Last edited: 2007/11/19
  14. 2007/11/18
    noahdfear
    Looks good! Glad to hear logon and CP problems are fixed. :)

    I've found nothing on the executables in the list below, and they strike me as rogue so I included them for removal. Feel free to check their properties for validity and remove them from the script if needed.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\mqkwogs7.exe
    C:\WINDOWS\u70cf8yh.exe
    C:\WINDOWS\pht0dcxt.exe
    C:\WINDOWS\java\g2mdlhlpx.exe
    C:\WINDOWS\system32\bygafmhs.ini2
    C:\WINDOWS\system32\rtutv.bak1
    C:\WINDOWS\system32\rtutv.bak2
    C:\WINDOWS\system32\rtutv.ini2
    Folder::
    C:\WINDOWS\system32\Mz02r
    C:\Temp\mZOr
    C:\Program Files\E404 Helper
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  15. 2007/11/18
    mcseadogs (Thread Starter)
    new combofix log part 1

    ComboFix 07-11-08.3 - Administrator 2007-11-18 13:48:46.2 - NTFSx86
    Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.3399 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Administrator.65GW2003\Desktop\CFScript.txt

    FILE
    C:\WINDOWS\java\g2mdlhlpx.exe
    C:\WINDOWS\mqkwogs7.exe
    C:\WINDOWS\pht0dcxt.exe
    C:\WINDOWS\system32\bygafmhs.ini2
    C:\WINDOWS\system32\rtutv.bak1
    C:\WINDOWS\system32\rtutv.bak2
    C:\WINDOWS\system32\rtutv.ini2
    C:\WINDOWS\u70cf8yh.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
     
    Last edited: 2007/11/19
  16. 2007/11/18
    mcseadogs (Thread Starter)
    new combofix log part 2

    part 2
     
    Last edited: 2007/11/19
  17. 2007/11/18
    mcseadogs (Thread Starter)
    new combofix log part 3

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-18 13:53:45
    Windows 5.2.3790 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-18 13:54:25 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-18 12:51
    .
    --- E O F ---
     
    Last edited: 2007/11/19
  18. 2007/11/18
    noahdfear
    All looks good to me. Click Start>Run and type ComboFix /u then hit Enter to remove ComboFix and its quarantined files. Recommend you run an online scan to see if anything was missed. My standard reply follows .... you may want to tweak things a bit to exclude network drives, etc.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log
     
  19. 2007/11/18
    mcseadogs (Thread Starter)
    Kaspersky log part 1

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2007-11-18 21:47
    Operating System: Microsoft Windows Server 2003, Standard Edition, Service Pack 2 (Build 3790)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/11/2007
    Kaspersky Anti-Virus database records: 461377
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 198967
    Number of viruses found: 32
    Number of infected objects: 150
    Number of suspicious objects: 7
    Duration of the scan process: 03:04:43
     
    Last edited: 2007/11/19
  20. 2007/11/18
    mcseadogs (Thread Starter)
    kaspersky log part 2

    Scan process completed.
     
    Last edited: 2007/11/19
  21. 2007/11/18
    noahdfear
    Not bad!

    Empty the Symantec quarantined items.
    Then, you have a number of infected Outlook emails. I've broken it down into groups for you. Empty the Deleted Items folder on the accounts showing that folder.

    E:\Accounts\HOC\Corpshare\Employees\Steplight.pst/Personal Folders/Inbox/26 Jul 2004 17:09 from Bounced mail:Report/transcript.zip/TRANSCRIPT.PIF Infected: Email-Worm.Win32.Mydoom.m skipped
    E:\Accounts\HOC\Corpshare\Employees\Steplight.pst/Personal Folders/Inbox/26 Jul 2004 17:09 from Bounced mail:Report/transcript.zip Infected: Email-Worm.Win32.Mydoom.m skipped

    E:\Temp\HOCPST\Exch.006\McCallum, Kate.PST/McCallum, Kate/Deleted Items

    E:\Temp\HOCPST\Exch.006\Mellichamp, Paula.PST/Mellichamp, Paula/Deleted Items

    E:\Temp\HOCPST\Exch.008\Slater, Faye.PST/Slater, Faye/Deleted Items

    E:\Temp\HOCPST\Exch.010\Washington, Annetta.PST/Washington, Annetta/Deleted Items

    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/04 Feb 2007 11:41 from Fuentes:You're Soo kissable/postcard.exe Infected: Email-Worm.Win32.Zhelatin.o skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/03 Feb 2007 22:46 from Ted Glass:Let's Get Frisky/Flash Postcard.exe Infected: Email-Worm.Win32.Zhelatin.o skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/31 Jan 2007 03:59 from Lamb:Brand New Love/flash postcard.exe Infected: Email-Worm.Win32.Zhelatin.k skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/22 Jan 2007 21:25 from Wyatt:You Lucky Duck!/postcard.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/21 Jan 2007 18:53 from Nicholson Charley:Every Inch of Your Body/Flash Postcard.exe Infected: Email-Worm.Win32.Zhelatin.a skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/21 Jan 2007 10:17 from Biddy:The commander of a U.S. nuclear sub/Full Clip.exe Infected: Email-Worm.Win32.Zhelatin.a skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/20 Jan 2007 17:54 from Mosley X. Ranald:The commander of a U.S. /Full Video.exe Infected: Email-Worm.Win32.Zhelatin.a skipped
    E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/20 Jan 2007 04:00 from Pauline Hyde:Radical Muslim drinking enem/Full Video.exe Infected: Email-Worm.Win32.Zhelatin.a skipped

    E:\Temp\HOCPST\Exch.010\Zeelsdorf, Dana.PST/Zeelsdorf, Dana/Inbox/04 Apr 2007 13:09 from keyl@ycawlgos.k12.sc.us:I love you!/story_dzeelsdorf.pif Infected: Email-Worm.Win32.NetSky.q skipped

    I'm sending you a PM also. ;)
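Grouping the detections by mailbox file and folder, as noahdfear did by hand in the post above, is worth scripting once a report has more than a handful of entries (this one had 150). The following Python is an added example, not part of the thread or of Kaspersky's tooling; its sample input is a trimmed copy of the report lines quoted in this post plus one constructed non-mailbox line (labelled in the code) to exercise the other branch. The path splitting assumes the container/inner-path notation shown above and that a message entry begins with its date and time.

```python
"""Group Kaspersky Online Scanner detections by mailbox (.pst) file and folder.

Added example, not part of the thread or of Kaspersky's tooling.  The sample
lines are copied from the report excerpt posted above (trimmed), except the
last one, which is constructed to show a detection outside any mailbox.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
E:\Accounts\HOC\Corpshare\Employees\Steplight.pst/Personal Folders/Inbox/26 Jul 2004 17:09 from Bounced mail:Report/transcript.zip/TRANSCRIPT.PIF Infected: Email-Worm.Win32.Mydoom.m skipped
E:\Accounts\HOC\Corpshare\Employees\Steplight.pst/Personal Folders/Inbox/26 Jul 2004 17:09 from Bounced mail:Report/transcript.zip Infected: Email-Worm.Win32.Mydoom.m skipped
E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/04 Feb 2007 11:41 from Fuentes:You're Soo kissable/postcard.exe Infected: Email-Worm.Win32.Zhelatin.o skipped
E:\Temp\HOCPST\Exch.010\Wells, Becky.PST/Wells, Becky/Inbox/22 Jan 2007 21:25 from Wyatt:You Lucky Duck!/postcard.exe Infected: Trojan-Proxy.Win32.Lager.dp skipped
E:\Temp\HOCPST\Exch.010\Zeelsdorf, Dana.PST/Zeelsdorf, Dana/Inbox/04 Apr 2007 13:09 from keyl@ycawlgos.k12.sc.us:I love you!/story_dzeelsdorf.pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Temp\constructed-sample.com Infected: EICAR-Test-File skipped
"""

# "<object> Infected: <verdict> <action>"; the object may itself be a container
# path such as file.pst/Folder/Message/attachment.
DETECTION_RE = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<pst>.+?\.pst)/(?P<inner>.+)$", re.IGNORECASE)
# A message is named by its date, time and sender: "26 Jul 2004 17:09 from ..."
MESSAGE_RE = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2} from ")


def parse_detections(report):
    """Return a list of (object, verdict, action) for every detection line."""
    found = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m["obj"], m["verdict"], m["action"]))
    return found


def split_mail_object(obj):
    """Split 'x.pst/Root/Folder/<message>/<attachment...>' into its parts.

    Returns (pst_path, folder, message, attachment), or None when the object is
    not inside a .pst.  Assumption: subjects do not themselves contain '/'.
    """
    m = CONTAINER_RE.match(obj)
    if not m:
        return None
    parts = m["inner"].split("/")
    for i, part in enumerate(parts):
        if MESSAGE_RE.match(part):
            return m["pst"], "/".join(parts[:i]), part, "/".join(parts[i + 1:])
    return m["pst"], "/".join(parts), "", ""


def group_by_folder(detections):
    """Map (pst_path, folder) -> [(message, attachment, verdict)]; loose files kept separately."""
    groups, loose = defaultdict(list), []
    for obj, verdict, _action in detections:
        parts = split_mail_object(obj)
        if parts is None:
            loose.append((obj, verdict))
            continue
        pst, folder, message, attachment = parts
        groups[(pst, folder)].append((message, attachment, verdict))
    return dict(groups), loose


def cleanup_plan(groups):
    """One line per mailbox folder: which Outlook folder to open and how many messages to delete.

    Several detections (a zip and the file inside it) can belong to one message,
    so messages are counted distinctly from detections.
    """
    plan = []
    for (pst, folder), items in sorted(groups.items()):
        messages = {message for message, _, _ in items}
        plan.append(f"{pst} -> {folder}: {len(messages)} message(s), {len(items)} detection(s)")
    return plan


if __name__ == "__main__":
    groups, loose = group_by_folder(parse_detections(SAMPLE_REPORT))
    for line in cleanup_plan(groups):
        print(line)
    for path, verdict in loose:
        print(f"file outside any mailbox: {path} ({verdict})")
```

The distinction between messages and detections matters for the cleanup: the Steplight.pst entry shows up twice in the report (the zip attachment and the .pif inside it) but is a single message to delete, and deleting a message in Outlook removes every nested object at once. Lines the scanner reports as "skipped" inside a .pst are exactly the ones no file-level cleaner will touch, which is why the fix here is to empty the folder from the mail client and then compact the PST.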
     
