XP Pro after Krepper.X

#1
glf01 (New Member)
Since I'm an unemployed mid-range systems programmer, my son assumed I can fix his PC problems. HA!

Win XP Pro, SP2, running on a Compaq Presario (5000 Series).

The problem seemed to start about 2 weeks ago when he started getting error messages (I have now forgotten the exact text) that Google'd to "Trojan-Spy.HTML.Smitfraud.C", and lost his wallpaper. I found a "Smitfraud.reg" download which seemed to fix that, but I also found his web browser (IE6) had been hijacked by "letgohome". I again found a general description on how to remove that. However, now, when he tries to start a program, for instance Spyhunter he gets:

"exec.exe - Application Error" "The application failed to initialize properly (0xc0000005). Click on OK to terminate the application".

I installed AVG 7.0 trial (with some difficulty), and it immediately flagged tons of garbage.dll's, indicating an infection by "Trojan Horse Krepper.X". I let it run, and it healed 5579 .dll's.

There is also a problem with his internal modem. It now shows as an unknown device (PCI Modem) and we cannot get the drivers loaded properly. When I finally decided to delete it and let it autodetect at reboot, the process fails with:

"RUNDLL - error loading newdev.dll - Invalid access to memory location."

That message shows up almost every time we re-boot, but it may take 10 to 20 minutes after re-boot.

Finally, I took the advice given in some of your posts and installed and ran HijackThis. The output log of the first scan follows below:

Logfile of HijackThis v1.99.1
Scan saved at 3:59:41 PM, on 6/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {705D72AC-552A-77DA-2EF9-06741F0DA678} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O20 - AppInit_DLLs: if6iurstt5.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Any help would be appreciated.
Thanks!

#2
Metallica (Spyware Veteran, GeekU Moderator)
Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {705D72AC-552A-77DA-2EF9-06741F0DA678} - http://69.50.182.94/1/gdnUS1862.exe

O20 - AppInit_DLLs: if6iurstt5.dll

Then try whether you can reboot to normal mode.

I think the AppInit_DLLs entry is the main reason why you can't now.

Regards,

#3
glf01 (New Member, Topic Starter)
Pieter, Thanks for the reply. I have made some attempts to clean things up on my son’s XP machine since my original post, with some success, but am still having problems. I will tell you some of the things that have changed so you won’t be chasing things that are gone:

First, I turned off System Restore and have left it off. I think that was what allowed AVG to help me get rid of Krepper.X. I am also using Safe Mode most of the time in trying to fix things.

I took a chance with HJT and removed some of the entries that seemed to be causing problems:

I uninstalled NetZero, and used HJT to remove any related entries,
I removed what I thought were non-essentials (like MSN Photo Upload, Yahoo Games, and MSMSGs), as well as the IP address entry for 69.50.182.94.
I also was successful in removing entries found by HJT that seemed to be related to Krepper.X’s random name generation, including the AppInit_DLLs entry, as well as using AVG to either heal or delete the junk .DLL’s it generated.

Next, this is what I did in reply to your post:

I downloaded CWShredder (the Stand Alone download) from the link you provided and copied it to the XP machine after booting to Safe Mode and selecting “Administrator”. When I tried to run CWShredder, I got “Application failed to initialize properly (0xc0000005)”, twice. I then ran HJT, saved the log, checked the R3 SearchHook and the two O9 entries you suggested, then re-booted again into Safe Mode, and ran and saved another HJT log. Both the Before and After logs follow here…

Before suggested changes…

Logfile of HijackThis v1.99.1
Scan saved at 7:45:59 AM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

After suggested changes…

Logfile of HijackThis v1.99.1
Scan saved at 8:01:08 AM, on 6/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


Instead of dumping the details of the other problems I am experiencing on the XP box, I will just mention the following:

Almost everything I try to run (except AVG and HJT) results in the Application Failed (0xc0000005) errors.
I cannot get the internal modem (PCTEL Platinum V.90) defined correctly.
Some few minutes after re-booting (Safe or normal), the message “RUNDLL Error loading newdev.dll Invalid access to memory location” pops up (related to the modem?)
IE6 Temp Inet Files folder space is set at 0 – any change results in “Select a value between 1 and 0” and has to be cancelled.

I don’t know if these errors are the result of the original Smitfraud and Krepper infections, or my bumbling attempts to fix them. I have shot myself in the foot so many times before, I only have three toes left.

Thanks so much for the suggestions, Pieter. I will keep an eye on my email and check back in when you get a chance to look at this.

Gary
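Comparing a "before" and "after" HijackThis log by eye, as done in the post above, is easy to get wrong. The following added example (my code, not the thread's or HijackThis's) parses HijackThis logs into their R/O sections, diffs a before/after pair, and flags the three entry shapes this thread turned out to care about. The two sample logs are constructed, shortened stand-ins for the posted ones; the O16 CLSID and host in them are placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# One HijackThis entry: a section code (R0..R3, O1..O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# A DLL under an 8.3 short name at the end of a path, e.g. \W8C6S4~1.DLL.
SHORTNAME_RE = re.compile(r"\\[A-Z0-9]{1,6}~\d\.DLL$", re.IGNORECASE)
# An O16 download hosted on a bare IP address rather than a hostname.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")

# Constructed, shortened stand-ins for the thread's logs; the DPF CLSID and host
# are placeholders (TEST-NET address), not the values from the posted log.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://192.0.2.10/1/example.exe
O20 - AppInit_DLLs: if6iurstt5.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""


def parse_hjt(log: str) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Return (running processes, {section code: set of entry bodies})."""
    processes: List[str] = []
    entries: Dict[str, Set[str]] = {}
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group("code"), set()).add(m.group("body"))
    return processes, entries


def diff_hjt(before: str, after: str) -> Dict[str, Dict[str, List[str]]]:
    """Per section, entries only in 'before' (removed) or only in 'after' (added)."""
    _, b = parse_hjt(before)
    _, a = parse_hjt(after)
    result: Dict[str, Dict[str, List[str]]] = {}
    for code in sorted(set(b) | set(a), key=lambda c: (c[0], int(c[1:]))):
        removed = sorted(b.get(code, set()) - a.get(code, set()))
        added = sorted(a.get(code, set()) - b.get(code, set()))
        if removed or added:
            result[code] = {"removed": removed, "added": added}
    return result


def suspicious_entries(log: str) -> List[Tuple[str, str]]:
    """Flag the entry shapes this thread showed to be trouble: a populated O20
    AppInit_DLLs value (loaded into every process that uses user32.dll, and the
    helper's prime suspect for the failed normal boots), an O2 BHO under a random
    8.3 short name, and an O16 DPF download served from a bare IP address."""
    _, entries = parse_hjt(log)
    hits: List[Tuple[str, str]] = []
    for code, bodies in entries.items():
        for body in bodies:
            if code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                hits.append((code, body))
            elif code == "O2" and SHORTNAME_RE.search(body):
                hits.append((code, body))
            elif code == "O16" and IP_URL_RE.search(body):
                hits.append((code, body))
    return sorted(hits)
```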

#4
Metallica (Spyware Veteran, GeekU Moderator)
newdev.dll is the file that gets called when new hardware is found that is not properly installed. So it makes sense to assume that is the modem.

I do have the feeling several files have gone haywire or missing on that computer.

Can you try whether you can manage to slipstream SP2 on that box:
http://www.winsupers..._slipstream.asp

That should replace/renew any outdated/damaged/missing files and drivers.

So it would cure a lot of problems at once if it worked.

Let me know,

#5
glf01 (New Member, Topic Starter)
Sorry for the long delay in responding, I have been tied up with other things, and my son's PC had to go on the back burner...

I printed out the Slip-stream SP2 procedure, but I have a problem. I think it requires the XP install CD, and so far he hasn't been able to find it. The PC came with Win ME, and he can't find that CD either. Right now, he is trying to contact his friend who installed XP for him.

In the meantime, I have been trying to get any of the other anti-virus or cleaner apps to run, by re-downloading and re-installing them, but the only ones I can get started are HJT and AVG. All the others fail with the "application failed to initialize properly (0xc0000005)." messages. Do you suspect these errors are due to damaged files, for instance DLL files, or is there any way to tell? I had hoped I might be able to clean up traces of trojans/viruses etc. that might still be causing this problem.

Do you have any suggestions along those lines, or should I just hope he can get in contact with his friend?

Thanks in advance,
Gary

#6
Metallica (Spyware Veteran, GeekU Moderator)
Can you try whether you can get this one to work:
Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!


Regards,

#7
Metallica (Spyware Veteran, GeekU Moderator)
One more thing that could be the cause:

Surf to http://virusscan.jotti.org/ and have this file scanned:

C:\WINDOWS\system32\wininet.dll

Let me know the results.

Regards,

#8
glf01 (New Member, Topic Starter)
Pieter, I was able to download the L2MFIX.exe, copy it to the desktop of my son's XP PC, and got a log, which I will post below, along with a new HJT log:

L2Mfix 1.03

Running From:
C:\Documents and Settings\Jeff\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Jeff\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Jeff\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1368 'explorer.exe'
Killing PID 1368 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (164 bytes security) (deflated 2%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 71%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: test.txt (164 bytes security) (stored 0%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




Logfile of HijackThis v1.99.1
Scan saved at 5:18:27 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Eraser\eraser.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E7AA6110-3C3E-493C-9E1F-ED35EC04F9F3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E7AA6110-3C3E-493C-9E1F-ED35EC04F9F3} - (no file) (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
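The Winlogon\Notify export in the L2Mfix log above is the part worth reading closely: every subkey names a DLL that winlogon loads at logon, which is why L2Mfix (a Look2Me cleaner) dumps that key. This added example (my code, not the thread's or L2Mfix's) decodes a Regedit 5.00 export of that key, including hex(2) REG_EXPAND_SZ DllName values with their line continuations, and lists any subkey whose DLL is not one of the defaults seen in the posted export. The sample export and its `qx3mn0` subkey are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple, Union

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# DLLs named by the Notify subkeys in the thread's export; on a stock XP box these
# are the only ones expected, so any other DLL loaded at logon deserves a look.
EXPECTED_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<body>.*)$")

# Constructed sample in the shape of the L2Mfix export. The 'qx3mn0' subkey and its
# DLL name are placeholders standing in for a non-default Notify DLL.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qx3mn0]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):71,00,78,00,33,00,6d,00,6e,00,30,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Logon"="WinLogon"
"""


def _decode_value(data: str) -> Union[str, int, bytes]:
    """Decode the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: backslashes and quotes are escaped with a backslash.
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("body").split(",") if b)
        if m.group("t") in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ as UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, Union[str, int, bytes]]]:
    """Return {key path: {value name: decoded data}} for a Regedit 5.00 export."""
    keys: Dict[str, Dict[str, Union[str, int, bytes]]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            # "[-KEY]" is a deletion directive, so there is nothing to audit under it.
            current = None if km.group(1) == "-" else km.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        # Long hex values continue on following lines; each continued line ends in '\'.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = _decode_value(vm.group("data"))
    return keys


def notify_dlls(export: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey to the DLL it loads (DllName in any casing)."""
    result: Dict[str, str] = {}
    for path, values in parse_reg_export(export).items():
        parent, _, sub = path.rpartition("\\")
        if parent.lower().endswith("\\winlogon\\notify"):
            for name, data in values.items():
                if name.lower() == "dllname" and isinstance(data, str):
                    result[sub] = data
    return result


def unexpected_notify_entries(export: str) -> List[Tuple[str, str]]:
    """Subkeys whose DLL (compared by lower-cased basename) is not a known default."""
    return sorted((sub, dll) for sub, dll in notify_dlls(export).items()
                  if dll.rpartition("\\")[2].lower() not in EXPECTED_NOTIFY_DLLS)
```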

#9
glf01 (New Member, Topic Starter)
Pieter, Since I can't get a modem defined correctly (newdev.dll errors - Invalid access to memory location) I copied wininet.dll from his PC to a floppy, loaded it in my Win'98 PC, and scanned it on the Jotti website scanner. The (negative) results were:

Dr. Web - Found Trojan.DownLoader.2636
Fortinet - Found Nsag.A
Kaspersky Anti-Virus - Found Virus.Win32.Nsag.a
NOD32 - Found Win32/Olel0a.A

So, it looks like that might be a problem also. Out of curiosity, I also copied wininet.dll from an XP laptop I have and scanned it in the same manner. It resulted in finding no errors. I compared the two wininet.dll files, and they are the same size on disk (588,288 bytes) and are the same release (6.00.2800.1405). The only difference appears to be the Date Modified: the bad one is dated Friday, February 06, 2004 7:05:06 PM, while the "good" one has the same date, but the time modified on it is 6:05:06 PM.

Does it make any sense to try replacing the infected DLL file with the clean one? I don't know enough about the DLL libraries and files to guess as to whether that would work. Are these modules registered somewhere in the system?

Let me know what you think.

Thanks for the help,
Gary

#10
Metallica (Spyware Veteran, GeekU Moderator)
Hi Gary,

Replacing wininet.dll with a copy of your choice is not easy.
But luckily it isn't necessary either.
Rename the infected wininet.dll to wininet.old and a new copy will be taken from your dll cache to replace it.

From what we have found about this Nsag.a, it only infects the file in the System(32) folder, so that should help.

Reboot and try everything that didn't work before for improvements.
We have seen some curious errors due to this infection.

Regards,

#11
glf01 (New Member, Topic Starter)
Pieter,

Some success, but only partial. I re-named C:\Windows\System32\wininet.dll to wininet.old, then re-booted. On restart, probably due to Windows Messenger startup, I got the message:

"CRTCIMSService: MSMMSGS.exe - Unable to locate component. This application has failed to start because WININET.dll was not found. Re-installing the application may fix this problem".

I got the same error on the installed Ad-Aware program. I then used Add/Remove Programs to un-install the programs I had installed before - Ad-Aware and SpyBot S&D, then again rebooted after the uninstalls. I then re-installed Ad-Aware SE Personal, and it installed with no complaint. However, I let it start automatically at the end of the install, and it complained about not finding component "wininet.dll" when it tried to start the newly installed program. I realize using explorer "Search" may not locate all modules with a certain name, but searching advanced including hidden files reveals only one WININET.dll, and that is in the folder C:\Windows\ServicePackFiles\i386.

Is there a process or function I need to perform to cause WININET.DLL to be recalled from cache, or does this indicate the cache copy is also missing/corrupt?

Also, just for information, the trial copy of AVG still seems to be working. I performed a couple of complete system scans, and they did finish saying no errors were found.

Thanks,
Gary

#12
Metallica (Spyware Veteran, GeekU Moderator)
You can copy & paste the wininet.dll from the i386 folder.
The size on disk will probably be smaller and the name written in blue, because it is compressed. That shouldn't matter.

I would prefer however, if possible that you get this update:
http://www.microsoft...n/MS05-020.mspx

That will give you the latest version of wininet.dll.

Keep us posted. I'm glad to see some movement in the right direction. :tazz:

Regards,

#13
glf01 (New Member, Topic Starter)
Pieter,

Sir, you have the Wisdom of Solomon, the Patience of Job, and now, the Gratitude of Gary... XP works! (Well, you know, as well as it did before.)

A brief synopsis of how things went:

I downloaded IE6_MS05-020 on my PC and copied it to the XP box, but after extraction it failed to install because Crypto wouldn't start (error 126: specified module not found).

I copied wininet.dll from \i386 to \System32. Much activity ensued on the HDD for 3 minutes or more, and when it subsided, I started Windows Explorer, and the format looked different - and, Rover appeared where he was not present before. I re-booted, and there was no error about a bad wininet.dll from MSMMSGS like I had been getting. Also, when I checked Services, Crypto was running.

I then installed IE6_MS05-020 successfully. After re-booting, I removed/re-installed Ad-Aware and it started with no errors. Ad-Aware found the following (which I had it remove):

Coolweb Search - 35
Security iGuard - 3
Alexa - 3
Tracking cookie - 52
Possible Browser hijack attempt - 1

AVG scan came out clean.

SpyBot S&D found (and removed):

Alexa related - 1
Cool WWW Search.Control - 12
Webtrends Live - 1

The only problem remaining was trying to get the modem defined correctly. I had stopped seeing the random newdev.dll invalid access errors, so I tried uninstalling the device in dev manager, as well as physically. My memory begins to get foggy here - the modem was fighting fiercely to not work. I was getting "Error 50: the request is not supported" when I tried to connect to my ISP and NetZeroHS, which is what my son uses.

I think the final resolution had to do with a 3-Com 10/100 Fast Ethernet card. It had been installed in order for his friend to Ghost install XP. When I first started working on it, I removed it physically but could not remove the device(s) from dev manager - it kept telling me it might be needed to boot the machine. I have had problems with performance on my '98 PC when I installed a LAN card, but fixed it by disabling the device, so I had tried the same with his XP system, but I suppose the broken DLL's prevented that from working correctly.

Anyway, after a few rounds of wrestling with the LAN card definitions, when I tried to re-enable the dev manager devices, they slowly, with a few re-boots thrown in for good measure, disappeared and the modem finally started working correctly.

Since I brought his PC to my house to work on it over a week ago, we took it back to his apartment to finish things. I turned System Restore back on (that caused a few heart-stopping minutes when the next re-boot froze on a black screen with no response for over 5 minutes, but a power off/on and a quick trip to safe mode seemed to satisfy it), turned on Microsoft Update Manager (and will instruct him on how to install at least critical fixes), and left him with a brief overview on how to run, and KEEP UPDATED, the following:

Ad-Aware
AVG Free
SpyBot S&D (I told it to play nice with Spy Hunter...)
Spy Hunter

So, Pieter, I think this saga is nearing an end. I quite literally could not have fixed things to this point without you. A resource like Geeks to Go Forums, manned by knowledgeable people like you, is an invaluable resource in trying to keep the wolves and other nasties at bay. It is even more amazing that it is a free resource. While I am still looking for a job (retirement at half-pension is not going to keep the fridge stocked), an immediate donation, however small, can't be made, but if there is a way to help support this site, please include the information.

Again, many thanks,
Gary

#14
Metallica (Spyware Veteran, GeekU Moderator)
Hi Gary,

We're always glad to help. If people can donate, then it's fine if they do. If they can't, that's fine too. :tazz:

You did all the hard work yourself, I just nudged you in the right direction when I knew where it was. ;)

Help someone with something you are good at, and consider my efforts rewarded adequately.

Best regards,