[Matthew C Miller]

Immediately following a reboot I can get to the web via IE7 on our Windows 2003 Server R2 (SP2) . Just a few minutes after rebooting, I'm unable to do so any longer (including ftp, telnet, etc). I am able to ping, both by address and by name, so there isn't a problem with the network itself.

What I get when it fails is "http:///" in the address bar and an error message in IE reading "The address is not valid."

I've found various entries on the web related to spyware, but I can't identify what might be installed on the server. I've attached the most recent HijackThis log below for details.

I've run Spybot Search & Destroy 1.5.2 with the most recent manual updates (since I can't get to the web long enough to download the auto-updates) and it comes up clean. Currently I'm running a SuperAntiSpyware scan to see if that catches anything, which I intend to follow-up with a RootKitRevealer unless someone can point me in another direction.

I'd tear out my hair if I had any left... All assistance greatly appreciated!

-Matthew

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:51 AM, on 3/7/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lockstep\BackupForWorkgroups Client\BackupClientService.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
D:\OpenBase\bin\openexec.exe
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
D:\OpenBase\bin\openinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\OpenBase\bin\OpenBase.exe
D:\OpenBase\bin\OpenBase.exe
D:\OpenBase\bin\OpenBase.exe
C:\Program Files\TrippLite\PowerAlert\engine\pa.exe
D:\OpenBase\bin\OpenBase.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\Program Files\Lockstep\BackupForWorkgroups Client\BackupClient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PDDM] C:\Program Files\PatchLink\Update Agent\pddm.exe
O4 - HKLM\..\Run: [Backup for Workgroups Client] "C:\Program Files\Lockstep\BackupForWorkgroups Client\BackupClient.exe" -IconMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1714117996-2775418566-1422623273-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1195156897921
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mumc.local
O17 - HKLM\Software\..\Telephony: DomainName = mumc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A6B273-7549-4C49-8C4A-A0D4F90114BC}: NameServer = 10.30.106.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mumc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mumc.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Backup for Workgroups Client - Lockstep Systems, Inc. - C:\Program Files\Lockstep\BackupForWorkgroups Client\BackupClientService.exe
O23 - Service: Backup for Workgroups Data Repository Manager - Lockstep Systems, Inc. - C:\Program Files\Lockstep\BackupForWorkgroups Data Repository Manager\DataRepositoryService.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: LogMeIn Rescue (LMIRescue) - Unknown owner - C:\WINDOWS\LMI1.tmp\rescue.exe (file missing)
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: OpenBase Service (openexec) - Unknown owner - D:\\OpenBase/bin/openexec.exe
O23 - Service: PatchLink Update - PatchLink Corporation - C:\Program Files\PatchLink\Update Agent\GravitixService.exe
O23 - Service: PowerAlert Agent - Unknown owner - C:\Program Files\TrippLite\PowerAlert\engine/pa.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7160 bytes

[Advertisements]

Problem appears to be sorted out. Staff will be checking later this morning to ensure all our other symptoms have disappeared, but I can get to the internet and printers again, which were the biggest issues. More later if this is actually solved.

[Matthew C Miller]

Problem appears to be sorted out. Staff will be checking later this morning to ensure all our other symptoms have disappeared, but I can get to the internet and printers again, which were the biggest issues. More later if this is actually solved.

[Matthew C Miller]

Yep, it is now fixed. The problem was a malicious program that SuperAntiSpyware caught which Spybot S&D did not catch. Once that was uninstalled access was restored. Not sure why it didn't appear on HiJackThis, though.

Thanks for the great instructions and links to utilities that saved the bacon again!

-Matthew

[Rorschach112]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.