explorer keeps crashing after spysherrif/coolwebsearch/smartdownloader

#1 i4ko
Hi everybody. 10x in advance for any help.

I have severe problems posting so I'm breaking the post into multiple posts.
I have put the whole text at http://web.orbitel.bg/igel/1.txt

I believe I've done most of the debugging and fixing myself but

My gf managed to add some spyware to her computer last Saturday.
It was spysheriff - very nasty thing (blue desktop etc), coolwebsearch and some other I cannot find what. Some nasty process was reading all the hard drives and consumed around 800mb of mem - I was afraid that it may be encrypting the disk and then ransom for money. There were two apparently vb applications - smartdownloader paytime teatime.

The system was win 2003 server with sp1 and all possible updates, no on-access anti-virus, with dep turned on only for windows system internals.

I managed to run ad-aware in safe mode, it removed some of the stuff, but no spysheriff. I used captive ndis emulation in linux to enable write support on the ntfs volume, deleted all temporary and cache files, prefetch, dll backup store.

There was this file mpcsrv.exe - I was not able to delete it so I just put 0s in the file with a hex editor - no headers, no nothing. All entries to suspicious files in the run clauses of the registry I deleted in safe mode and also via msconfig selected only minimal startup. Also there were many html files with names like wallpaper.html or secur32.html which seemed to load a registry key with some app. All the desktop.ini files were the same - with another regkey to load. I've deleted all these files.

However the explorer shell kept crashing and crashing every 10 secs, I managed to see that when this happens two new processes appear in the tasklist - one of them must have been dr watson because the hard drive started flooding with memory dumps.

Edited by i4ko, 22 December 2005 - 01:48 AM.

#2 i4ko
I was not able to find anything suspicious with ad-aware or looking in the task manager. lspfix also showed only two lsp on the stack - mswsock.dll and winrnr.dll, which didn't look very disturbing to me.

So I uninstalled the sp1 - the system was running stable and I was not able to see any flashing processes in the task manager. I attempted to install sp1 - after that the explorer went crashing like mad again. Then removed sp1 again and with minimal startup from msconfig installed it again. The same crashing.

At this moment the system is without sp1, but I have reinstalled all updates from windowsupdate (except sp1).

In the task manager one process continues to flash again every 10 secs but for some ms so that I cannot see its name. I believe after 100+ runs of hijackthis I managed to see that it was mpcsrv.exe, the one that I filled up with 0. Fixed it with hijack but I'm not ready yet to experiment with another sp1 install.
I cannot afford to reformat and reinstall the whole system before March since there is heavy work on it.
I am very concerned about the possibility of a keylogger lying around! :)

I would be grateful for any help and advice with the hijackthis log :tazz:
Should I attempt to install sp1 again - this is a 3 hour downtime if it is not working.


Logfile of HijackThis v1.99.1
Scan saved at 00:22:29, on 22.12.2005 г.
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
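The post above describes a process that shows up in Task Manager for only a few milliseconds every ten seconds, too briefly to read its name. As an added example (not from the thread or its author), the following PowerShell script polls WMI at a high rate from a baseline snapshot and writes a CSV row for every process that appears and then exits, with its image path, command line and the parent that launched it, which is the information needed to find what keeps re-spawning it. It assumes Get-WmiObject is available (it is on Windows 2003 with PowerShell installed); $IntervalMs, $DurationSec and $LogFile are names chosen here.

```powershell
# Added example, not from the original thread: log every process that appears
# after a baseline snapshot and exits again, with parent PID, image path and
# command line. Meant for a process that lives only a few milliseconds every
# ~10 seconds and cannot be read off Task Manager. Parameter names are assumed.
param(
    [int]$IntervalMs = 50,
    [int]$DurationSec = 120,
    [string]$LogFile = "$env:TEMP\short-lived-processes.csv"
)

function Get-ProcessTable {
    # Win32_Process exposes ParentProcessId, ExecutablePath and CommandLine,
    # which Get-Process does not; Get-WmiObject works on Windows 2003.
    $table = @{}
    foreach ($p in (Get-WmiObject -Class Win32_Process)) { $table[[int]$p.ProcessId] = $p }
    return $table
}

'FirstSeen,LastSeen,Pid,ParentPid,ParentName,Name,Path,CommandLine' |
    Out-File -FilePath $LogFile -Encoding UTF8

$tracked  = @{}                    # pid -> @{ Proc; FirstSeen; ParentName }
$baseline = Get-ProcessTable       # long-running processes present at start are ignored
$deadline = (Get-Date).AddSeconds($DurationSec)

while ((Get-Date) -lt $deadline) {
    $current = Get-ProcessTable
    foreach ($id in $current.Keys) {
        if (-not $baseline.ContainsKey($id) -and -not $tracked.ContainsKey($id)) {
            $p = $current[$id]
            # Resolve the parent now; it may be gone by the time the child exits.
            $parentName = if ($current.ContainsKey([int]$p.ParentProcessId)) {
                $current[[int]$p.ParentProcessId].Name } else { '<exited>' }
            $tracked[$id] = @{ Proc = $p; FirstSeen = Get-Date; ParentName = $parentName }
        }
    }
    # A tracked pid that vanished was a short-lived process: write one CSV row for it.
    foreach ($id in @($tracked.Keys)) {
        if (-not $current.ContainsKey($id)) {
            $t = $tracked[$id]; $p = $t.Proc
            $row = '{0},{1},{2},{3},{4},{5},"{6}","{7}"' -f `
                $t.FirstSeen.ToString('o'), (Get-Date).ToString('o'), $id, $p.ParentProcessId,
                $t.ParentName, $p.Name, $p.ExecutablePath, ($p.CommandLine -replace '"', "'")
            Add-Content -Path $LogFile -Value $row
            $tracked.Remove($id)
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it from an elevated prompt for a couple of minutes while the flashing is happening; the ParentPid and ParentName columns point at the launcher (a Run-key entry, a service host, or another process) rather than at the transient child alone.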
#3 i4ko
Looks like I cannot post the hijackthis log - the form just times out.

The log is here http://web.orbitel.bg/igel/1.txt
#4 i4ko
Infection reoccurred. The mpcsrv.exe is in the system again, even after being shredded with S&D.