Full Version: Infected - Lost Admin Rights.
Bob Harding
The problem started when a colleague had an Excel file he'd forgotten the password to. I downloaded a password utility and ran it. It was not a program at all but a suite of spyware. (I still have the program if you want to have a look, via a VMware machine or similar.)

Now the Windows firewall is switched off and I'm told I don't have admin rights to switch it back on again (this applies when logged on as admin in safe mode as well). I cannot call up Task Manager either. Adaware detects and fixes the Task Manager problem but it comes back at reboot.

I've used Adaware, Spybot and Spyware Doctor and cleared out a load but the main problem remains. Spyware Doctor reports Backdoor.CIADoor.13 - it says it has fixed it but it's there when re-scanned.

As the 'login startup' begins the firewall is 'on' but gets turned off as the computer finishes its startup, which makes me think that there is something in the startup sequence. I've used HijackThis and suspect a 'userinit' entry that I'd not noticed before, but the best internet advice says it should be there.

I hope someone out there can help me ....
tg1911
Have you run any online virus scanners?
Try these:
http://www.pandasoftware.com/activescan/
http://housecall.trendmicro.com/

Also this online Trojan scanner:
TrojanScan
Bob Harding
tg - thanks for getting back

I've tried what you suggested and they did find 'bits and bobs' and fixed them but nothing to touch the problem. The Trojan Scanner engine (ActiveX controls) wouldn't download properly - but I'm running that much antispyware at the moment I'm not surprised.

I've tried (in safe mode) deleting these entries in HijackThis but they pop back again on reboot:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svcvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe

this one worries me - I just wonder if this is responsible for the loss of admin rights? What do you think?

F2 - REG:system.ini: UserInit=userinit.exe

These two I'm just not sure about:

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
Bob Harding
Latest update.

XoftSpy promised a fix and tech support. It detected CIA keylogger and said it fixed it but it came back on reboot. Nothing from support yet (why am I not surprised). SO ...

In safe mode - logged in as admin - ran XoftSpy, Spyware Doctor, Adaware and Spybot to thoroughly clean. Removed entries in HijackThis as suggested. Logged on as me (Bob) and repeated - got a clean bill of health.

Logged on as normal and everything was back as before - no difference.

Current HijackThis log below ... Current thinking is a rebuild over the weekend!!! I do have an application called StartupList which looks very comprehensive but is beyond my ability to read - it has a log file which I could send?

Bob

Logfile of HijackThis v1.99.1
Scan saved at 14:28:43, on 18/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Utilities\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Utilities\Skype Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Utilities\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Utilities\ObjectDock\ObjectDock.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svcvhost.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Utilities\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\Utilities\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Utilities\Skype Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Utilities\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Utilities\ObjectDock\ObjectDock.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144762899859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144763800015
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Utilities\Spyware Doctor\sdhelp.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
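The entries Bob keeps deleting (Shell= with a second executable, win.ini load=/run=, a RunServices key, a bare UserInit value, and a SharedAccess service with a doubled, missing image path) are exactly the autostart points a log reader checks first. The following is an added example, not a tool posted in this thread or part of HijackThis: a small triage script that takes HijackThis-style lines (the sample is copied from the log above, plus one benign Run entry and one benign Winlogon Notify entry to show what is not flagged) and reports those autostart anomalies together with file names that imitate genuine Windows binaries, here svcvhost.exe against svchost.exe. The list of genuine names and the Windows XP default UserInit value are this example's own assumptions and are marked as such in the code.

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool from
the thread). It flags the autostart points the thread revolves around: the
Shell= and UserInit= Winlogon values, the win.ini load=/run= entries, the
RunServices key, services whose binary is missing, and file names that
imitate genuine Windows binaries (svcvhost.exe vs svchost.exe)."""
import re
from dataclasses import dataclass

# Names that malware commonly imitates. Assumption: this short list is the
# example's own, not something HijackThis ships.
GENUINE_SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "userinit.exe",
                        "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Default Winlogon UserInit value on Windows XP (assumption stated for the check).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# Sample input: lines copied from the log posted in the thread, plus one benign
# Run entry and one benign Winlogon Notify entry to show what is *not* flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\svcvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\svcvhost.exe
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\svcvhost.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""


@dataclass
class Finding:
    line: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character-off look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename: str):
    """Return the genuine name a file name imitates (distance <= 2), else None."""
    name = filename.lower()
    if name in GENUINE_SYSTEM_NAMES:
        return None
    best = min(GENUINE_SYSTEM_NAMES, key=lambda g: levenshtein(name, g))
    return best if levenshtein(name, best) <= 2 else None


def triage(log_text: str):
    """Return a Finding for every suspicious autostart entry or look-alike name."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        ini = re.match(r"F[23] - REG:(?:system|win)\.ini: (\w+)=(.*)", line)
        if ini:
            key, value = ini.group(1).lower(), ini.group(2).strip()
            if key == "shell" and value.lower() != "explorer.exe":
                findings.append(Finding(line, "Shell= starts more than Explorer.exe"))
            elif key in ("load", "run") and value:
                findings.append(Finding(line, f"win.ini {key}= is normally empty"))
            elif key == "userinit" and value.lower() != DEFAULT_USERINIT:
                findings.append(Finding(line, "UserInit differs from the XP default"))
        elif line.startswith("O4 -") and "RunServices" in line:
            findings.append(Finding(line, "RunServices is a Win9x key, rarely legitimate on XP"))
        elif line.startswith("O23 -"):
            if "(file missing)" in line:
                findings.append(Finding(line, "service binary is missing"))
            if re.search(r"\\[A-Za-z]:\\", line):
                findings.append(Finding(line, "service ImagePath has a doubled drive path"))
        # Independent of the entry type: look for misspelt system binary names.
        for exe in re.findall(r"[\w.\-]+\.(?:exe|dll)", line, re.I):
            genuine = lookalike(exe)
            if genuine:
                findings.append(Finding(line, f"{exe} imitates {genuine}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:50} | {f.line[:70]}")
```

Run as-is it prints one reason per flagged line; the WgaLogon and Windows Defender entries come out clean, which matches the thread's point that those two are legitimate even though they look unfamiliar. The doubled-path check on the SharedAccess service is the one finding that ties the autostart entries to the firewall symptom: a service whose ImagePath no longer resolves cannot start, so the firewall stays off regardless of permissions.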
quietman7
I have split your most current HJT log away from this thread and moved it into the HJT forum.

You can find your log here: http://www.bleepingcomputer.com/forums/topic62596.html

I left the previous one that you posted above in case it is need as a reference.

Now that your log is posted there, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modification you make may complicate the malware removal process and could adversely affect your system.

Please be patient and wait for a response from an HJT Team member.
Bob Harding
Thanks Quietman - It's such a good service that you're offering, I just can't believe that you're prepared to stick with it; it's really good of you. I shall be making a donation for sure.

I was thinking of setting up a VMware machine and doing a HijackThis log and a startup log, then running the dodgy software and seeing what changes were made. I've never created a VMware machine before though, and it sounds like I shouldn't install any software whilst you guys are working on it.

Incidentally the rubbish seems to be over and hasn't come back - possibly the CIA.backdoor trojan/keylogger/whatever is now gone. Just the access rights to sort out?

I can't help but wonder what made it come back the once though?
Bob Harding
nothing much to add except the original offending software contained the snippet at the bottom ..

The offending software seems to be linked to 54.164.213.201; this belongs to:
OrgName: Merck and Co., Inc.
OrgID: MERCKA
Address: 126 East Lincoln Avenue
City: Rahway
StateProv: NJ
PostalCode: 07095
Country: US
Comment:
RegDate: 1992-03-17
Updated: 2005-12-21

I'm not the first to run foul of them ... I don't think it helps at all though ..

http://gladiator-antivirus.com/forum/index...showtopic=20173


**********Offending program snippet**********
;The comment below contains SFX script commands!

Path=%systemroot%\
SavePath
Setup=[O]meg[A]_Engine.exe
Presetup=Prices.txt
Silent=1
Overwrite=1
Title=[O]meg[A]_Final Counterstrike Hack Engine
Text
{
Released @ 08.14.2006
CS 1.6
By the [O]meg[A] Group
}
License=[O]meg[A]_Final
{
[O]meg[A]_Final Edition released @ 08.14.2006

Kenntucky USA

By The [O]meg[A] Group

Visit us
TS2@54.164.213.201:5465

Have Fun
}
Bob Harding
Update

I seem to be clear now. The command prompt was a registry key:

I had to search for regedit because I can't run it from the command prompt of course ..

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

In the right pane, double-click DisableCMD and set its data to 0.

The main problem left is access to the windows firewall settings. I've killed Shared Access to clear the virus but need it again to access the windows firewall and am a little anxious about re-initialising it.
quietman7
As I said before, after posting a log you should NOT make further changes to your computer unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted, and any modification you make may complicate the malware removal process.
Bob Harding
Sorry quietman

I thought I was helping to reduce the work, hoping to share any little knowledge I'd gained. You're probably right though because the Administrator accounts also couldn't access the command prompt so a 'current user' key doesn't seem 100% correct. (unless it set it every time I logged in for whatever 'current user' I guess).

I'll do nothing more until I hear from you guys.

The Windows firewall seems to be on now (I didn't do anything - it just was on) but I cannot access the firewall configuration from the Control Panel applet - the error is "Due to an unidentified error, Windows cannot display Windows Firewall settings".

Bob
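The "lost admin rights" symptoms in this thread (cmd.exe refusing to start, Task Manager unavailable, regedit unusable) are policy values, not permissions, which is why the fix Bob found was a single DWORD under HKCU\Software\Policies\Microsoft\Windows\System. The following is an added example, not something posted in the thread: a script that parses an exported .reg file, reports the lockout policies that are set, and emits a .reg fragment that resets them to 0. The sample export is constructed for the example and is not from Bob's machine. DisableCMD is the value the thread names; DisableTaskMgr and DisableRegistryTools are the standard XP locations for the other two symptoms. Checking both HKCU and HKLM is this example's own assumption, made because Bob observes that administrator accounts were locked out as well, so a per-user key alone did not seem to explain it. The thread also shows the limit of such a fix: Bob saw the Task Manager restriction return at every reboot, so resetting the values is only useful once whatever re-applies them at logon is gone.

```python
"""Audit an exported .reg file for the policy values that make a machine
behave as if admin rights were lost: cmd.exe, Task Manager and regedit
refusing to start (added example, not a tool from the thread)."""
import re

# Value name -> (relative key, meaning of a non-zero DWORD). DisableCMD lives
# where the thread says; the other two are the standard XP policy locations.
# Assumption for this example: each is checked under both HKCU and HKLM, since
# the thread notes that administrator accounts were affected too.
LOCKOUT_POLICIES = {
    "DisableCMD": (r"Software\Policies\Microsoft\Windows\System",
                   "cmd.exe refuses to run (1 = batch files blocked too, 2 = batch files allowed)"),
    "DisableTaskMgr": (r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
                       "Task Manager is blocked"),
    "DisableRegistryTools": (r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
                             "regedit is blocked"),
}
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")

# Constructed sample export (not from the machine in the thread). The HKLM
# DisableTaskMgr=0 entry shows that a zero value is not reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"""


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key path (lower-cased): {value name: raw value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'(?:"([^"]*)"|@)=(.*)', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = m.group(2).strip()
    return keys


def dword(raw: str):
    """Return the integer of a 'dword:XXXXXXXX' value, or None for other types."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw.strip())
    return int(m.group(1), 16) if m else None


def audit(text: str):
    """List (hive, relative key, value name, value, meaning) for every lockout
    policy that is set to a non-zero DWORD."""
    keys = parse_reg(text)
    findings = []
    for name, (rel, meaning) in LOCKOUT_POLICIES.items():
        for hive in HIVES:
            values = keys.get(f"{hive}\\{rel}".lower(), {})
            # Value names are case-insensitive in the registry as well.
            match = next((v for v in values if v.lower() == name.lower()), None)
            if match is not None and dword(values[match]):
                findings.append((hive, rel, name, dword(values[match]), meaning))
    return findings


def remediation_reg(findings) -> str:
    """Build a .reg fragment that resets every reported value to 0."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for hive, rel, name, _value, _meaning in findings:
        out += [f"[{hive}\\{rel}]", f'"{name}"=dword:00000000', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = audit(SAMPLE_REG)
    for hive, rel, name, value, meaning in found:
        print(f"{hive}\\{rel}\\{name} = {value}: {meaning}")
    print(remediation_reg(found))
```

The script works on an export (regedit's File > Export, or `reg export` from a machine where cmd.exe still runs) rather than the live registry, so it can be run offline against a copy taken from the affected system, and the fragment it emits can be imported with regedit once the process that re-applies the values has been removed.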