[cosmidnight]

Hello all, I hope someone can help me as I am stumped at this stage

My Internet Explorer started generating an error message(which varies occasionally in text) like the one posted below and on the next boot, my entire system started up fine but before my AV Guard started up it seems to have rendered all my desktop files inoperable and the Start Menu won't do anything(the cursor turns to the hourglass).

I ran scans in Safe Mode and Ad-Aware & AV both picked up on a couple of infections, I found a couple of suspect entries on Hijack This(I have some limited knowledge and it's all backed up!) but even in Safe Mode the Internet Explorer error message comes up and it still won't do anything in normal mode(and explorer.exe won't close comes up when I shut down from normal mode) unless I use task manager without Browsing(I have run everything again using the Command Paths this way and they can't see anything!!!).

As you can see I am stumped and in dire need of help, my log file is below. Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 14:56:21, on 03/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Colm's AV Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


Just as an extra note to this when I was trying to track this problem down I came across a definition of Worm/Deborm.R.3 in my AV Definition library which sounded like a variant on my problem, I did find two copies of iexplore.exe in different folders and replaced one with the other but I also found two copies of explorer.exe. I don't know if this is supposed to be the case but I'm worried about using HJT to delete this in case it renders the system completely inoperable!!

Attached Thumbnails

• 

Edited by cosmidnight, 04 July 2005 - 03:45 PM.

[Advertisements]

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[coachwife6]

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

[cosmidnight]

Will do, thanks!

Please be patient as I am running to and from Internet Cafes to do this and given that my computer is about half an hour drive from any Internet Cafe it's a bit time consuming!!

Does it have to be run during normal mode or is it ok in safe mode? (I'm going to assume normal mode anyway but I just wanted to be sure you understand. I know you guys are busy and I don't want to be wasting your time!!

Back ASAP

Edited by cosmidnight, 09 July 2005 - 04:27 AM.

[coachwife6]

I know you only have short pockets of time, so I want to make sure we cover everything.

Are you running AVG (Grisoft) and AntiVir? You only need one anti-viral program. It doesn't appear that either one is functioning. Please remove one.

Also, iexplore.exe is a valid program, if in the correct folder. I would hold off on deleting anything as of now.

If you have longer than 30 minutes at the cafe, please let's do some things to make good use of your time.

1. Run the silent runners (shouldn't take long).

2. Download, install, and update Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed:

[*]Run Ewido
[*]Click on scanner
[*]Click Complete System Scan
[*]Let the program scan the machine
[/list]While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

Reboot into normal mode.

Let's just start with those two and we'll go from there. I am in and out all the time, so no rush. Enjoy your weekend and don't let the problems with your computer ruin it.

[coachwife6]

Also, was not sure if you weren't getting an Internet explorer connection or not. If not,

Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of [file]. Reboot.


Good luck

This was the wrong advice. Please disregard.

Edited by coachwife6, 12 July 2005 - 09:26 AM.

[cosmidnight]

Hi,

Thanks for the advice, I will follow your steps and get back to you asap although I'm not sure if Ewido was installed on the system before(bought it second hand ). As for the system I am running AntiVir but the Guard hasn't been activating on Start-Up since this problem began! Do I have other AV Software on the system? And if I buy Ewido do I have to get rid of AntiVir?

The Internet Connection isn't showing in Safe Mode and I can't check in Normal Mode due to Explorer being crippled so I'm assuming no and will run LSPFix aswell... The reason I asked about iexplore.exe is because there seems to be two separate sets of IE Files and the trojan I was reading about replaced that and then denied access to the Internet(which was why I thought there might be a connection)...
This unfortunately means i won't be able to update ewido either!

Anyway I will let you know,
Thanks for the patience!

Edited by cosmidnight, 11 July 2005 - 06:19 AM.

[cosmidnight]

Me again, thanks to the good graces of my boss!!

Here is the logfile

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cskbq.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\sstext3d.scr" [MS]


Startup items in "O'Sullivan" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Program Files\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 49 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
---------- (total run time: 137 seconds)

[coachwife6]

Sorry, I'm on vacation and only have short pockets of time to work on the computer.

Search your computer for this executable.

cskbq.exe Right-click on it and tell me it's properties.

If you can't find it through windows explorer (make sure all files are showing - HERE

If you can't find it through Explorer, go to start>>run and type in regedit and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

See if

cskbq.exe

is present.

Tell me it's properties.

Also, your Internet Explorer is way out of date. Is there any way you can update it? Can you get an internet connection? Can you connect to windows updates?

[cosmidnight]

Me again, don't worry about the time packets, I understand entirely and you're doing me a huge favour anyway!!

I couldn't find that file using either of the methods you gave me, I had noticed this in the Silent Runners logfile and there is an entry in regedit called Ststem although I don't know how to call up properties there so I ran a search for system and in C:\WINNT\system32\config there is a file called "system" and an ALT file called "SYSTEM.ALT" if this is any help as there is no data attached to the entry in regedit, sorry!?

When I ran the search for cskbq.exe I came across two versions of csrss.exe and CSRSS.exe in different folders(can you sense me grasping at straws?!
As for my browser, I had planned on getting Firefox once my new Broadband Connection up and running but of course I'm regretting it now!!

In normal mode I cannot use my Start menu or point & click anything on my Desktop(It also changes the icons for My Documents, My Computer, Internet Explorer & Outlook to the generic file icon) ! The only way I can run anything in Normal mode is by using task manager and typing the pathway, even if I try to browse through this then it will freeze as well!

I don't know how to access dial-up this way so I can't run any updates(incidentally the previous owner had used ewido and used up the free trial so if anyone can answer the question about AntiVir it would be appreciated!!) for anything at all ... Assuming I get out of this what Operating system would you recommend?

Many, many thanks again
Colm

Edited by cosmidnight, 12 July 2005 - 10:56 AM.

[coachwife6]

Antivir is running.

Can you run a panda scan and post the results?

http://www.pandasoft...n_principal.htm

[coachwife6]

http://support.micro...b;EN-US;Q303728

read this

[cosmidnight]

Hi again,

I can't run the Panda scan at the moment because IE is the only web browser installed, hopefully I can get one and the Internet Connection will still be there!

As for the article, it certainly sounds similar to my problem (although I can't even highlight an icon on my desktop, an error message would be progress really) but according to their steps my problem isn't being caused by incompatible/damaged software and I don't seem to have any of the programs listed anyway...

Will let you know if I am successful with the browser,

Thanks again
Colm

[coachwife6]

I am asking the experts at GTG to look at this post. I know it must be dreadful to run back and forth to the cafe to fix it, so I want to resolve this as quickly and painlessly as possible.

[cosmidnight]

Hi again,

Thanks a lot, hey it's your holiday surely you're the one who is suffering from the royal pain I'm proving to be!!

I have managed to install Firefox on the system but dial-up isn't automatic, do you know of a way to use the RUN function to activate a dial-up profile as I'm drawing a blank(again)

If I can get this to work then at least I can run an online scan and run updates on the system...

Thanks again, you're a star
Colm

[coachwife6]

banananfanafo is a stud and she suggested this:

I did find two copies of iexplore.exe in different folders and replaced one with the other.

Out of curiosity what were the locations of iexplore.exe... And can you find out the locations of these, please:

csrss.exe and CSRSS.exe

Also, give me a
rkfiles log.

bananafanafo found evidence of Wareout in:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cskbq.exe" [null data]

Here is LonnyRJones fix (modified slightly because your start button is not working):

Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.

Open Task Manager and click "New Task". Type Control *NOTE*: the control panel should open up please let me know if it doesn't before continuing! . Double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the "Network" tab and Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available one some systems.

Open Task Manager, click "new task" - type:

cmd

hit OK

type:

ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)[/CODE]