Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hotoffers

Started by spikeydean , Apr 10 2005 12:17 PM

  • This topic is locked This topic is locked

#16
Trevuren
Posted 11 April 2005 - 04:50 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi spikeydean,

Hrere is the prooof that it is still there:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [null data]

So,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1.Download the Pocket KillBox from Here

2.Unzip the file to your desktop.

3.Open TheKillbox.

4.Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\systr.dll

When given the option to reboot select yes.

After the reboot, run HijackThis, with all windows closed other than HijackThis, click on Scan and place a check mark beside the following entries, then close all browser and explorer windows, and hit the Fix checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/187/

5. REBOOT your system

6. Rerun Silent Runners and produce a fresh HJT log

7. Please post both logs from silentrunners and HJT

Regards,

Trevuren
  • 0

Advertisements

#17
spikeydean
Posted 12 April 2005 - 12:49 AM

spikeydean

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi thanks for getting back to me.

here are the two logs:

"Silent Runners.vbs", revision 34, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Opware12" = ""C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"" ["ScanSoft, Inc."]
"OmniPage Pro 12.0 Registration Reminder" = ""C:\Program Files\ScanSoft\OmniPagePro12.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro12.0\EregEng\Ereg.ini"" ["ScanSoft, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"EPSON Stylus CX3200" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O5 "LPT1:" /M "Stylus CX3200"" ["SEIKO EPSON CORPORATION"]
"DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null data]
"rdspclips.exe" = "rdspclips.exe" [null data]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{DD347791-2E0C-4B38-81B9-262B7F2F7FB1}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\msqlj.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [file not found]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


Enabled Scheduled Tasks:
------------------------

"Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" ["Lavasoft Sweden"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}"
-> {CLSID}\(Default) = "FreshBar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\iesp2.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}\
(Default) = "&Discuss"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe" [null data]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------




Logfile of HijackThis v1.99.1
Scan saved at 07:45:33, on 12/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [OmniPage Pro 12.0 Registration Reminder] "C:\Program Files\ScanSoft\OmniPagePro12.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro12.0\EregEng\Ereg.ini"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O5 "LPT1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A0BB7C-1EBA-413D-B45C-60AE5C9DF13A}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Kind regards

spikeydean
  • 0

#18
Trevuren
Posted 12 April 2005 - 01:07 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi spikeydean,

It looks as if it needed to be kiled twice. We got it. Good work

Congratulations, your new log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1.Remove check mark from "Turn Off System Restore"
2.Click on "Apply"

2. Another cleanup that will help is to go to Start>Programs>Acccessories>System Tools> Disk Cleanup and put a check mark beside all the entries in the disk cleanup window that ask you what you want to clean. Clean all hard drives and all files. This will get rid of any malware that is hiding in the temporary folders.

3. Make sure that all are gone, by checking the folders that the Temporary Internet Files and Temp files are stored in. To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties). Click Delete Files on the General Tab - place a check in the Delete all offline content box, then 'Clear History' and then press OK (or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder) and
C:\Documents and Settings\userprofilename\Local Settings\Temporary Internet Files\)

4. Empty your Recycle Bin

5. Double Check the following folders to make sure they are empty:
C:\WINDOWS\Profiles\your account\Temporary Internet Files
Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder (or go direct to the C:\Documents and Settings\userprofilename\Local Settings\Temp\ folder) and C:\Documents and Settings\userprofilename\Local Settings\Temporary Internet Files\)

6. You may find that you have to repeat the steps a couple of times.

7.Finally, Re-hide your System Files and Folders to prevent any future accidents.


Here are some tips to reduce the potential for spyware infection in the future:

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)


Regards,


Trevuren
  • 0

#19
Trevuren
Posted 12 April 2005 - 01:07 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
TO ADMINISTRATION

This topic is resolved and has been closed. Should the original poster need it reopened, please contact a staff member.

Trevuren
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP