SCtri.exe et al

Postby ~PJ~ » Fri Jan 30, 2009 2:22 pm

Got a real doozy here. One of these semi-portable Sony VAIO jobbies brought in with all sorts of probs - very quickly discovered it's riddled with viruses.
Here's the score...

Registry editing is disabled
Task manager is disabled
Will NOT connect to the internet however hard I try
Whenever I put a memory stick in, it says 'SCtri.exe - there is no disk in the drive. Please insert a disk into drive \Device\Hardisk1\DR3' - which doesn't stop the stick working but is a pest...
Can't install AVG - says the OS [XP Home] won't allow it to run, and promptly rolls back.
Installed PCtools, which is finding and disinfecting stuff all over the place - but when I try a scan run, I get this weird error message which says
C:\WINDOWS\system32\lsass.exe terminated unexpectedly with status code 0. And I can't update it because I can't get on the internet... The things it finds before it restarts are worm.Rbot.MCG, worm.Virut.Gen.4 [lots!] and worm.Allaple.K
Tried to run Hijackthis, and PCtools promptly stopped it because it found a win32.Virut.Gen.4

Tried backing up the files to a memory stick and running PCtools on it from my computer - and promptly got a message from the Firewall saying that SCtri.exe was trying to access the internet. I blocked it, and the memory stick wouldn't open

Has anyone got any ideas at all?? I can [and will!] do a low level format and reinstall Windows - but at the mo I can't get her data off without running the risk of infecting my system as far as I can tell...

TIA

Let there be respect for the earth,
Peace for its people,
Love in our lives,
Delight in the good,
Forgiveness for past wrongs,
And from now on a new start.
~PJ~
Black Belt 5th Degree
Posts: 5791
Joined: Fri Apr 11, 2003 5:59 pm
Location: Leeds, UK

Postby ~PJ~ » Fri Jan 30, 2009 2:34 pm

Uninstalled PCtools [surprised it let me - tried to uninstall NIS2003 and it really argued].
So here we are...
Have to say I can't see anything suspicious, but then I really don't know what I'm looking for.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:22:44, on 30/01/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\system32\drivers\SCtri.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\vaio media music server\SSSvr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\ssms.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SCtri.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [LgWDskTp] C:\Program Files\Wireless Desktop\LgWDskTp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Update] ssms.exe
O4 - HKLM\..\RunServices: [Windows Update] ssms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-6848331846-7521309728-658496242-3212\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Remocon Driver.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service Controle - Unknown owner - C:\Documents and Settings\Susan\Application Data\system\SbCtr.exe (file missing)
O23 - Service: Service Controler Installer - Unknown owner - C:\WINDOWS\system32\drivers\SCtri.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\giga pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--
End of file - 8246 bytes
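
A triage script, added here as an example and not something from the thread or from HijackThis itself, that runs a few suspicious-entry checks over lines copied from the log above. The checks and the SYSTEM_NAMES set are my own heuristics, not a HijackThis feature.

```python
import re

# Constructed sample: nine lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SCtri.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows Update] ssms.exe
O4 - HKCU\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-6848331846-7521309728-658496242-3212\winlogon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Service Controle - Unknown owner - C:\Documents and Settings\Susan\Application Data\system\SbCtr.exe (file missing)
O23 - Service: Service Controler Installer - Unknown owner - C:\WINDOWS\system32\drivers\SCtri.exe
"""
# Core Windows binary names that malware borrows; the genuine files live under C:\WINDOWS.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def flag_line(line):
    """Return the reasons one HijackThis entry deserves a closer look ([] if none)."""
    m = re.match(r"(F\d|O\d+) - (.*)", line.strip())
    if not m:
        return []
    section, body = m.groups()
    low, reasons = body.lower(), []
    if section == "F2" and "shell=" in low:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":  # only Explorer.exe belongs in the Shell= value
            reasons.append("extra program chained onto Shell=: " + shell)
    elif section == "O4" and "]" in body:
        target = body.split("]", 1)[1].strip()
        exe = target.strip('"').split("\\")[-1].split(" ")[0].lower()
        if "\\recycler\\" in low:
            reasons.append("autorun from the RECYCLER folder")
        if exe in SYSTEM_NAMES and "\\windows\\" not in target.lower():
            reasons.append("system binary name outside the Windows directory")
        if "\\" not in target:  # resolved via PATH, so the log cannot say which file actually runs
            reasons.append("bare filename in Run key: " + target)
    elif section == "O7" and "disableregedit=1" in low:
        reasons.append("registry editor disabled by policy")
    elif section == "O23":
        if "unknown owner" in low:
            reasons.append("service binary has no publisher")
        if "\\application data\\" in low:
            reasons.append("service binary inside a user profile")
        if "(file missing)" in low:
            reasons.append("service points at a missing file")
    return reasons

def scan_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    return {ln: r for ln in text.splitlines() if (r := flag_line(ln))}
```

The bare-filename check also fires on the benign Logitech entry, so treat each hit as a prompt to inspect the file on disk rather than a verdict.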

Postby ~PJ~ » Mon Feb 02, 2009 3:15 am

Update - think I've sorted my computer. Stopped SCtri running as a service by using msconfig, and got my internet back. Various things showed up in Spybot, but nothing in PCtools.

Had a heads up from a google search that AVG deals with it - so uninstalled PCtools, installed the latest AVG, and sure enough found and vaulted SCtri. Think it must be a new one [or new variant] because there was very little about it [apart from Geeks2go, and they insisted I closed this thread before they would help me!!! How's that for taking professional jealousy to ridiculous extremes?]

Have emailed support at PCtools querying this particular thing - haven't heard back yet.

Also waiting for client to bring me her disks, so as I seem to have stuff safely backed up I'm not even going to start her computer until I'm ready to completely wipe and reinstall. Assume I need to do a full zero fill rather than just a system restore?

One quick query, though - and I don't know if it's got anything to do with it. I isolated my computer from the rest of the network as soon as I realised what was happening - but now it's back on, none of the other computers will print from the network. Keep asking for a password to this machine [which it doesn't have]. Any ideas?

Postby Mr T » Mon Feb 02, 2009 4:21 am

Download SUPERantispyware and Antimalware - both free... Install and update them, delete all your IE cookies and history etc... Boot into SAFE MODE and run them both... See what turns up..
I have been programming on computers since the ZX81.
I am an apprentice trained Electronics Engineer with qualifications to back it up.
I have been repairing computers since 1996.
Yet to some people I still know nothing...
Mr T
Enlightened Master
Posts: 17085
Joined: Fri Jun 14, 2002 1:03 am
Location: England

Postby ~PJ~ » Mon Feb 02, 2009 11:20 am

I may try that... I have now got a massive list of things to do from G2G - but although I ran the first ones [came up clear] I'm going to have hang fire on the Kaspersky, because it's going to take about 24 hours and I can't afford to have this computer off line for that long...

Postby Mr T » Mon Feb 02, 2009 11:22 am

~PJ~ wrote:I may try that... I have now got a massive list of things to do from G2G - but although I ran the first ones [came up clear] I'm going to have hang fire on the Kaspersky, because it's going to take about 24 hours and I can't afford to have this computer off line for that long...
It's a lot quicker in SAFE MODE... That's what I always run mine in now...

Postby Copper » Mon Feb 02, 2009 11:40 am

You've got a real nasty one there

http://www.prevx.com/filenames/12335024 ... 2EEXE.html

I would wipe the hard drive and re-install everything
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein (1879 - 1955)
Copper
Black Belt 5th Degree
Posts: 8640
Joined: Mon Jul 14, 2003 12:38 pm
Location: Midlands UK

Postby ~PJ~ » Mon Feb 02, 2009 11:57 am

Mr T wrote:
~PJ~ wrote:I may try that... I have now got a massive list of things to do from G2G - but although I ran the first ones [came up clear] I'm going to have hang fire on the Kaspersky, because it's going to take about 24 hours and I can't afford to have this computer off line for that long...
It's a lot quicker in SAFE MODE... That's what I always run mine in now...


It WAS in safe mode...

Postby ~PJ~ » Mon Feb 02, 2009 12:04 pm

Copper wrote:You've got a real nasty one there

http://www.prevx.com/filenames/12335024 ... 2EEXE.html

I would wipe the hard drive and re-install everything


Thereby lies the rub...
I have about 350Gb of data on two hard drives... so until I'm sure it's all clean there's no point.
I notice it says first seen in UK today - that's actually wrong. It was on the client's machine a good week before that - by which time it had done all those things and completely messed up.
So I'm concentrating on getting my machine clean first, then I'll wipe hers.

Thing is... I've done this manoeuvre several times in the past. I use my computer because it's locked up tighter than the proverbial, and I've never had any problems before with viruses etc. Maybe I've just been lucky...

I assume that scan is one of those that scans beautifully and you then have to pay a fortune to actually get rid of the junk?

Postby biguglyman » Fri Feb 06, 2009 5:27 am

I got one of those usb adapters so when I run into a real problem system like yours, I just pull the hd and hook it up usb to my "work" computer and scan from there. Usually cleans it up enough to get it running/updated.
"A veteran... is someone who... wrote a blank check made payable to the United States of America for an amount “up to and including my life”. That is honor, and there are way too many people in this country who no longer understand it." - Unknown
biguglyman
Anti-Static Strap
Posts: 482
Joined: Fri Jan 28, 2005 5:34 pm
