Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

jimbutt


  • Please log in to reply

#1
jharmon

jharmon

    Member

  • Member
  • PipPip
  • 17 posts
Please help! I think I have followed the instructions in the "start here" along with other spyware programs you didn't have listed. IE keeps popping up trying to load "jimbutt..." and I can't seem to kill it.

Also I get an "Error #317 Microsoft Security Warning" pop up that wants me to click and download AntiSpy but if you click OK it goes to "Jimbutt". I cannot change my homepage, it keeps going back to "Jimbutt".

I have had issues with "Hotoffers", WebPage Viewer (which I've deleted again and again, resides in C:\program files) and some kind of dialer when I startup trying to select a modem to connect with. The dialer seems to have gone away with the exception of popping an IE window up when I start up.

What a mess. Please help! Thanks. Attached File  hjt.txt   3.42KB   165 downloads
  • 0

Advertisements


#2
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Can you post a new HJT log by copying and pasting the entire contents of the log by using Add Reply

Thanks,
rstones12
  • 0

#3
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Sure! Thanks for the welcome and thanks for the good things you guys do! Lots of good info!

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:55 AM, on 4/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\WINNT\System32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\supply\prefs.js)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Sametime Connect] C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpySweeper] "\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://indsmeeting01...gRoomClient.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\209005073.GESDOM1\Local Settings\Temporary Internet Files\Content.IE5\OH6J4P2N\cwshredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe


Thanks again!
  • 0

#4
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Forgot to mention that I have tried to fix this part with HJT several times:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
  • 0

#5
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

Thanks for the log.
From now on please don't fix anything else in HJT without having a trusted staff member look at it first.
Some of the entries within HJT are legitimate files that are needed for your system to remain stable.

Have you tried to fix any other items within HJT prior to submitting your log?

Thanks,
rstones12
  • 0

#6
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Only similar entries that were for "hotoffers" and "ISTsvc". They went away.

I downloaded and ran HJT before I ever got to you guys. That's how I ended up here. I did a search on some of the files that were listed on the log and found some of the posts from other members and signed up.

Thanks.
  • 0

#7
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

This one is a litte stubborn to remove.

Download SilentRunners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the contents of the .txt file you get afterwards in your next reply.

Thanks,
rstones12
  • 0

#8
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK, here's what I got:


"Silent Runners.vbs", revision 27, launched at: 17:29
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"SpySweeper" = ""\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Sametime Connect" = "C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe" ["Lotus Development Corporation"]
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PDF Converter Registry Controller" = ""C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"" ["ScanSoft, Inc."]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"WinPatrol" = "C:\SPYWAR~1\winpatrol.exe" ["BillP Studios"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> resolves to: {CLSID}\InprocServer32\(Default) = C:\WINNT\System32\systr.dll [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Alerter, Alerter, "C:\WINNT\System32\services.exe" [MS]
Application Management, AppMgmt, "C:\WINNT\system32\services.exe" [MS]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic Updates, wuauserv, "C:\WINNT\system32\svchost.exe -k wugroup" {"C:\WINNT\System32\wuauserv.dll" [MS]}
Background Intelligent Transfer Service, BITS, "C:\WINNT\System32\svchost.exe -k BITSgroup" {"C:\WINNT\System32\qmgr.dll" [MS]}
COM+ Event System, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]
DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"]
DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]
Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
Indexing Service, cisvc, "C:\WINNT\System32\cisvc.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]
Messenger, Messenger, "C:\WINNT\System32\services.exe" [MS]
Net Logon, Netlogon, "C:\WINNT\System32\lsass.exe" [MS]
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Registry Service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, LanmanServer, "C:\WINNT\System32\services.exe" [MS]
Still Image Service, StiSvc, "C:\WINNT\system32\stisvc.exe" [MS]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
Windows Time, W32Time, "C:\WINNT\System32\services.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINNT\System32\mspmspsv.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]

Thanks!
  • 0

#9
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

OK a couple of things we need to do. Please read all of the instructions carefully before proceeding:
You may want to print these out as reference:

Please Download CleanUp
Install the program, dont run it yet, we will later.

Next:

Download Killbox
Click killbox.exe
Select the option "Delete on reboot".
In the field "Full Path of File to Delete" copy and paste next:

C:\WINDOWS\System32\systr.dll

Choose the option: "unregister dll before deleting"
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Open notepad and copy and paste next in it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

Save this as fix.reg,
Choose to save as *all files and place it on your desktop.
Doubleclick on fix.reg and answer Yes when prompted to add the contents to the registry.

Scan with HJT and place a checkmark next to the following item:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/


Close all browsers and open windows except HJT then click Fix Checked

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Now reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#10
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
downloaded and installed Cleanup.

but can't do this:

"Choose the option: 'unregister dll before deleting'" it's disabled, can't check it. What should I do?

Thanks.
jharmon
  • 0

Advertisements


#11
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

Just go ahead and continue on with the directions as posted. Just skip that one "unregister dll" and proceed with the killbox intructions.

rstones12
  • 0

#12
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OK, here is the new HJT log after those steps:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:20 AM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\SPYWAR~1\winpatrol.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\supply\prefs.js)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Sametime Connect] C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\SPYWAR~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://indsmeeting01...gRoomClient.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\209005073.GESDOM1\Local Settings\Temporary Internet Files\Content.IE5\OH6J4P2N\cwshredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe

Thanks.
  • 0

#13
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,
OK we have to do this a different way.

Print out these instructions, and then close all browsers and open windows.

Go to Start | Run and then type this in the dialog box:

regsrv32 /u C:\WINDOWS\System32\systr.dll

Click killbox.exe
Select the option "Delete on reboot".
In the field "Full Path of File to Delete" type this text exactly as it appears:

C:\WINDOWS\System32\systr.dll

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

When your system starts up begin tapping the F8 key and go into Safe Mode


Doubleclick on fix.reg and answer Yes when prompted to add the contents to the registry.

Scan with HJT and place a checkmark next to the following item:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/


With only HJT open click Fix Checked

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Now reboot your system and post back a new HJT log by using Add Reply

Thanks,
rstones12
  • 0

#14
jharmon

jharmon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
It did not find "regsrv32" when I put "regsrv32 /u C:\WINDOWS\System32\systr.dll" in the "Start/Run" box. I left it in there and went through the rest of the steps anyway and it looks like "butt" is still there. Anyway here's the log. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 2:57:49 PM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\SPYWAR~1\winpatrol.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\supply\prefs.js)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Sametime Connect] C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\SPYWAR~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://indsmeeting01...gRoomClient.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\209005073.GESDOM1\Local Settings\Temporary Internet Files\Content.IE5\OH6J4P2N\cwshredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
  • 0

#15
rstones12

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
jharmon,

This is stubborn, we are going to need to update your Silent Runners app.

First remove the previous version then do this:

Download and run SilentRunners.vbs from HERE
When your antivirus is giving an alert, do not block this. Allow the script.
It will generate a log, please post the information back in this thread
Copy and paste the contents of the .txt file you get afterwards in your next reply.


Thanks,
rstones12
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP