jimbutt


#16 jharmon (Member, Topic Starter)

rstones12,

I tried the link and it opened a huge text page. Nothing to download that I could see. Did I miss something?

Thanks,
jharmon

#17 rstones12 (Malware Expert, Retired Staff)

jharmon,
Sorry about that, make sure to use the .zip file and save it to a permanent folder.

Download and run Silent Runners.vbs from HERE

It generates a log; please post the information back in this thread.

rstones12

#18 jharmon (Member, Topic Starter)

I deleted the old one. Downloaded the new by "saving the target as", and this is what I got:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"Sametime Connect" = "C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe" ["Lotus Development Corporation"]
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PDF Converter Registry Controller" = ""C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"" ["ScanSoft, Inc."]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"WinPatrol" = "C:\SPYWAR~1\winpatrol.exe" ["BillP Studios"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{F880B6ED-582C-4750-BDEB-907CE61ABA64}" = "ScanSoft PDF Converter 2.0 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ScanSoft\PDF Converter 2.0\\ShellExt.dll" ["ScanSoft, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\systr.dll" [null data]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\sstext3d.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

"{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4}"
-> {CLSID}\(Default) = "JunoBar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Juno\toolbar.dll" [file not found]

"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}"
-> {CLSID}\(Default) = "ISTbar"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ISTbar\istbarcm.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.

Thanks.


----------

#19 rstones12 (Malware Expert, Retired Staff)

jharmon,

OK, after doing some research on this, let's do the following.

Please disable WinPatrol just for the remainder of the fix. You can re-enable it once we have rid you of JimButt. WinPatrol can sometimes interfere with fixing items in HJT.
Some of this may look familiar.

Once you have disabled WinPatrol please do the following:

Click killbox.exe
Select the option "Delete on reboot".
In the field "Full Path of File to Delete" copy and paste next:

C:\WINDOWS\System32\systr.dll

Choose the option: "unregister dll before deleting"
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES
When it asks if you would like to Reboot now, click YES
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Open notepad and copy and paste next in it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-

Save this as fix.reg,
Choose to save as *all files and place it on your desktop.
Double-click on fix.reg and answer Yes when prompted to add the contents to the registry.

Scan with HJT and place a checkmark next to the following item:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/


Close all browsers and open windows except HJT then click Fix Checked

Next with Windows Explorer remove the following folders/files if found:

C:\Program Files\ISTbar <-- Folder

Start CleanUp
When CleanUp starts go to the Options button (right side of CleanUp screen)
Uncheck cookies
This is optional, if you leave the box checked it will remove all of your cookies.
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot and post back a new HJT log by using Add Reply

Thanks,
rstones12
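What the fix above actually does, as an added Python example (this is not part of the thread, not Silent Runners' own code, and not the helpers' procedure; the function names are mine): it parses Silent Runners-style report lines, flags every autostart value whose module is marked [file not found] or [null data] or that carries an INFECTION WARNING!, infers the Windows directory from the paths the report resolved (C:\WINNT on this Windows 2000 machine, not C:\WINDOWS, which is the detail that matters for the Killbox path), and writes the same kind of REGEDIT4 text as fix.reg for each flagged SharedTaskScheduler CLSID. The sample input is constructed from lines in the log posted in #18 plus one benign default SharedTaskScheduler entry (the Browseui preloader) added for contrast.

```python
# Added example (not Silent Runners' own code, not the helpers' procedure).
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the log posted in this thread, plus one
# benign default SharedTaskScheduler entry (Browseui preloader) for contrast;
# Silent Runners only prints default entries when run with -all.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" = "Browseui preloader"
-> {CLSID}\InProcServer32\(Default) = "%SystemRoot%\System32\browseui.dll" [MS]
INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\systr.dll" [null data]
"""

BAD_TAGS = {"file not found", "null data"}   # bracketed tags that mean "module unreadable"
KEY_RE = re.compile(r"^(HK(?:LM|CU)\\.+?)\\?(?: \{\+\+\})?$")
VALUE_RE = re.compile(r'^(INFECTION WARNING! )?"([^"]+)" = "(.*)"(?: \[([^\]]*)\])?$')
SERVER_RE = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "([^"]*)"(?: \[([^\]]*)\])?$')
ROOT_RE = re.compile(r"^([A-Za-z]:\\[^\\]+)\\System32\\", re.IGNORECASE)

@dataclass
class Entry:
    key: str                 # registry key the value sits under
    name: str                # value name (the CLSID for SharedTaskScheduler)
    data: str
    tag: str = ""
    warned: bool = False     # line carried "INFECTION WARNING!"
    server: str = ""         # resolved InProcServer32 path, if printed
    server_tag: str = ""

    @property
    def module(self) -> str:
        return self.server or self.data

    @property
    def module_tag(self) -> str:
        return self.server_tag if self.server else self.tag

    def suspicious(self) -> bool:
        return self.warned or self.module_tag in BAD_TAGS

def parse_report(text: str) -> List[Entry]:
    """One Entry per autostart value; a following '-> {CLSID}' line is attached to it."""
    entries: List[Entry] = []
    key = ""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            warned, name, data, tag = m.groups()
            entries.append(Entry(key, name, data, (tag or "").strip('"'), bool(warned)))
            continue
        m = SERVER_RE.match(line)
        if m and entries:
            entries[-1].server = m.group(1)
            entries[-1].server_tag = (m.group(2) or "").strip('"')
    return entries

def triage(entries: List[Entry]) -> List[Tuple[str, str, str, str]]:
    """(key, value name, module, reason) for every entry worth a second look."""
    out = []
    for e in entries:
        if e.suspicious():
            why = "flagged by Silent Runners" if e.warned else "module " + e.module_tag
            out.append((e.key, e.name, e.module, why))
    return out

def system_root(entries: List[Entry]) -> str:
    """Windows directory as the report saw it (C:/WINNT here), for the delete-on-reboot path."""
    roots = Counter(m.group(1) for e in entries for m in [ROOT_RE.match(e.module)] if m)
    return roots.most_common(1)[0][0] if roots else ""

def build_fix_reg(entries: List[Entry]) -> str:
    """REGEDIT4 text deleting each suspicious SharedTaskScheduler value and its CLSID key."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e.suspicious() and e.key.lower().endswith("\\explorer\\sharedtaskscheduler"):
            lines += ["[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + e.name + "]", "",
                      "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler]",
                      '"' + e.name + '"=-', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found = parse_report(SAMPLE_LOG)
    for key, name, module, why in triage(found):
        print(f"{key}\n    {name} -> {module}  ({why})")
    print("\nWindows directory in this report:", system_root(found), "\n\n" + build_fix_reg(found))
```

Run as-is, it lists the two entries to look at (the stale SpySweeper Run value and the Sysctl Desktop Handler), prints C:\WINNT as the Windows directory, and emits the fix.reg text. In that format a bracketed key with a leading minus sign (`[-HKEY...]`) deletes the key and everything under it, and `"name"=-` deletes one value; the REGEDIT4 header has to be the first line. Deleting the registration leaves the DLL on disk, which is why the post pairs it with a delete-on-reboot.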

#20 jharmon (Member, Topic Starter)

I did a search on C: and didn't find the ISTbar folder. Here is the latest:

Logfile of HijackThis v1.99.1
Scan saved at 8:51:25 AM, on 4/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\supply\prefs.js)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Sametime Connect] C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\SPYWAR~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://indsmeeting01...gRoomClient.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\209005073.GESDOM1\Local Settings\Temporary Internet Files\Content.IE5\OH6J4P2N\cwshredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe

Thanks!

#21 jharmon (Member, Topic Starter)

As I said in my email, just so the folks who read the forum can see, it seems to pop up IE and warnings about spyware viruses even while in safe mode.

Don't know if this helps, but this is what AdAware keeps reporting (these are the only critical objects that it finds):

IEHijacker.Hotoffers Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{12345678-0000-0010-8000-00aaff6d2ea4}

IEHijacker.Hotoffers Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{12345678-0000-0010-8000-00AAFF6D2EA4}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
Value : {12345678-0000-0010-8000-00AAFF6D2EA4}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2

Looks like the Hotoffers thing is still getting me. Are all of these things related?

Thanks.

#22 greyknight17 (Malware Expert, Visiting Consultant)

jharmon, let's see if these logs will show us anything:

1. Download FindQoologic-Narrator.zip at http://forums.net-in...=post&id=134981 and save it to your Desktop. Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply.

2. Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16-bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to the C:\WINDOWS\system32 folder. Now try running DllCompare.

3. Download StartDreck http://www.greyknigh.../StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

#23 jharmon (Member, Topic Starter)

Here is the FindQoologic log, I'll post each log as I run them. Thanks!

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..

User Startup:
C:\Documents and Settings\209005073.GESDOM1\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 13:51
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

#24 jharmon (Member, Topic Starter)

Here is the DllCompare log:

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\dellsys.dll Fri Jul 19 2002 11:22:08a A..HR 53,248 52.00 K
________________________________________________

1,215 items found: 1,215 files (1 H/S), 0 directories.
Total of file sizes: 237,967,729 bytes 226.94 M

Administrator Account = True

--------------------End log---------------------

#25 jharmon (Member, Topic Starter)

And last but not least:

StartDreck (build 2.1.7 public stable) - 2005-04-27 @ 14:09:42 (GMT -04:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 6.0.2800.1106
Logged in as 209005073 at GE-XFH00H0NGG1B

»Registry
»Run Keys
»Current User
»Run
*SpySweeper="\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
»RunOnce
»Default User
»Run
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*Sametime Connect=C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
*vptray=C:\Program Files\NavNT\vptray.exe
*SSBkgdUpdate="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
*PDF Converter Registry Controller="C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
*CreateCD50="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*Synchronization Manager=mobsync.exe /logon
*WinPatrol=C:\SPYWAR~1\winpatrol.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Spyware Removal Tools\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=C:\WINNT\system32\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINNT\system32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINNT\system32\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINNT\system32\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINNT\system32\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINNT\system32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer Access/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express Access/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath="C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+EnableRevocation/{6A5110B5-E14B-4268-A065-EF89FF33C325}
*StubPath=regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\System32\ie4uinit.exe
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINNT\system32\blank.htm
*Search Bar=http://www.google.com/ie
*Search Page=http://www.google.com
*Start Page=http://www.jimbutt.com/stuffs/
+SearchUrl
*=http://www.google.com/keyword/%s
*provider=
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=
*Start Page=about:blank
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com/ie
»ShellServiceObjectDelayLoad (LM)
*Network.ConnectionTray={7007ACCF-3202-11D1-AAD2-00805FC1270E}
`InprocServer32=C:\WINNT\system32\NETSHELL.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINNT\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
`C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows 2000 Recovery Console" /cmdcons
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`FILES=100
`BUFFERS=65
`FCBS=16
*C:\autoexec.bat
*C:\WINNT\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
*C:\WINNT\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\system32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\PATCH.EXE
*C:\WINNT\PATCH.EXE
+C:\WINNT\system32\notepad.exe
*C:\WINNT\NOTEPAD.EXE
+C:\WINNT\system32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\system32\winhlp32.exe
*C:\WINNT\winhlp32.exe
»System/Drivers
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User


thank you.

#26 greyknight17 (Malware Expert, Visiting Consultant)

Could you find param32.dll in the c:\windows\system32\ folder?

#27 jharmon (Member, Topic Starter)

It's not there from what I can tell. Searched WINNT\System32 to no avail.

#28 jharmon (Member, Topic Starter)

OK. I think I got this thing! I was looking at another thread called "Jimbutt resolved" and saw where the guy had found some "favorites" that were added to his IE favorites. There were some on mine that were created the night that I got this Jimbutt thing. I deleted those. I also noticed that when I was killboxing C:\WINDOWS\System32\systr.dll, I should have been typing "C:\WINNT...". That enabled the "unregister dll before deleting" option and everything just seemed to fall in place after that.
I followed all of the directions I got from the last post from rstones12 again, rebooted, changed my homepage, ran HJT, and here is what I got:

Logfile of HijackThis v1.99.1
Scan saved at 10:21:21 PM, on 4/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\SPYWAR~1\winpatrol.exe
\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ge.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ge.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\supply\prefs.js)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Sametime Connect] C:\PROGRA~1\LOTUS\SAMETI~1\CONNECT.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\PDF Converter 2.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinPatrol] C:\SPYWAR~1\winpatrol.exe
O4 - HKCU\..\Run: [SpySweeper] "\\desktop\C\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: Open PDF in Word (PDF Converter 2.0) - res://C:\Program Files\ScanSoft\PDF Converter 2.0\IEShellExt.dll /100
O16 - DPF: Sametime Meeting Room Client ST25DEV9 - http://indsmeeting01...gRoomClient.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\209005073.GESDOM1\Local Settings\Temporary Internet Files\Content.IE5\OH6J4P2N\cwshredder[1].exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe

I may not know what all of that stuff means, but I do know that the "jimbutt" thing is gone! So far, no pop-ups, no hijacks, homepage is staying.

Let me know if you see any scary stuff up there, but according to the spyware programs I have run since, it seems that there are no more threats.

I want to thank the staff, rstones12, greyknight17, and member "Iamconfuzzled" for the excellent advice and service that you have provided. This is an awesome site!

Thank you soooo much!


jharmon

#29 rstones12 (Malware Expert, Retired Staff)

jharmon,
What a relief, I was beginning to wonder somewhat. ;)

My apologies for not giving you the WINNT folder...

Your log is looking good.
I would make a suggestion that you upgrade your Netscape Browser, it looks like you are using Version 4.

Also run CleanUp in SafeMode just to make sure that you remove all of the leftover stuff from the fix.


Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is OK as well.
Be sure to also keep up with Windows and IE updates.

Windows security and critical updates.
http://v4.windowsupd.../en/default.asp

Internet Explorer security and critical updates.
http://www.microsoft.../ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.

Thanks,
rstones12