
HJT Log: pcar and the downloader problem


13 replies to this topic

#1 pcar

Posted 24 July 2005 - 01:28 PM

Hi Folks and thanks for the Help,
______________________________________________________________
Background post at :http://www.bleepingcomputer.com/forums/index.php?showtopic=25636&st=0&#entry145697

Please see the note about my 2 Windows-2000 Professional boot choices. Specifically...

Would the HJT log look different in the "partition" I actually use? They both access the same file system, but the SP level on that "partition" is SP4 with the same build number. That boot choice appears identical but won't let me run in safe-mode; the error is as follows:

STOP: <intentionally omitted hex numbers>
IRQL_NOT_LESS_OR_EQUAL
Address 80464079 base at 80400000, Datestamp 42258bd8 - ntoskrnl.exe
______________________________________________________________
Excellent progress (found bad things) but I'm still fighting the downloader problem. Here's what I did...

1. Reinstalled, updated and ran Ad-awareSE in safe-mode per John's (jgweed's) instructions. I had uninstalled it long ago after installing Spybot thinking that they were redundant. I'll run both in Safe-Mode regularly from now on.
Result: Sixteen objects were found and deleted

2. I regularly ran Spybot S&D nearly every day but never in safe-Mode. This safe-mode scan turned up 5 additional problems. They were deleted (fixed).
Results:
- Alexa Related: Replace File
- DSO Exploit: Registry change (x2)
- Windows Media Player: Registry change (x2)

3. Rebooted in normal mode to download AVG updates. I didn't run the browser because, while I was downloading the latest AVG update, the Trojan "Downloader.Small.15.BS in SSK3_B5 Seeding4.exe" was found by the resident AVG application. I shut down immediately, rebooted in normal mode without the internet connection and ran AVG.

4. AVG showed that the "Downloader.Small.15.BS in SSK3_B5 Seeding4.exe" had been deleted. Nothing else was found.

5. Rebooted to safe-mode and ran both Ad-aware and Spybot S&D (safe mode).

6. Ran HJT in safe-mode
_______________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 1:20:27 PM, on 7/24/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\HighjackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pca.org/ozk
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{7307E03C-8036-43BF-84DB-8ED25D02E5F1}: NameServer = 68.51.0.6,68.51.0.5
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
________________________________________________________________

Thanks in advance! Ron

#2 Grinler (Lawrence Abrams, Admin)

Posted 25 July 2005 - 10:44 AM

You're saying that the different boot options use the same Windows directory, yet show different service pack levels?

Download Silentrunners.zip from:

http://www.silentrunners.org/

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it has finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

#3 pcar (Topic Starter)

Posted 25 July 2005 - 12:58 PM

Hi Grinler and thanks,
I am obviously not a Win2000 expert so please excuse dumb questions but here are the boot option facts as I see them.

Top boot option (not safe-mode capable): Computer name [LITTLEDOG], SP4
Bottom boot option (safe-mode capable): Computer name [TIGERPAW], SP2

1. I reinstalled Win2000 Pro (last December?) after having the computer so full of trojans that I was spending too much time on it (This computer is my wife's and the kid's machine.) I am sure that's when this happened. When I installed Win2000 the last time I simply chose the first (top / default) "partition" in which to build the WIN2000 environment and never tried the other one in my rush to get finished.

2. The boot options are indeed different in their SP levels and the one that will boot in safe mode doesn't have most of my applications or drivers for the hardware either. I really don't know how that happened except that
3. I use the word "partition" carefully here since technically I shouldn't be able to see the same Directory/File system from a different partition.

4. I don't know how to delete the un-used option but if it weren't for that I would not have a safe-mode at all.
_________________________________________
Here is the log from Silentrunners on LITTLEDOG.

NOTE: About Tsl2.exe... I know this file is a problem file, but there is nothing that I can see in the C:\Program Files\Common Files\tsa directory. To test whether I have a "root" problem I installed a Cerberus FTP server on LITTLEDOG.

When logged-in from another computer with CoreFTP I can't see anything in the C:\Program Files\Common Files\tsa directory even with all rights granted to the remote user. To be fair I don't actually know how to diagnose a "root" problem but I thought it was worth a shot. Now on to the Silent Runners log...


LOG from LITTLEDOG:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"cgjsfgdb.exe" = "C:\WINNT\system\cgjsfgdb.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"M05ERQZmR" = "licocm.exe" [file not found]
"CasStub" = "C:\Program Files\CasStub\casstub.exe -run" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"HPHUPD05" = "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" ["Hewlett-Packard"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HPHmon05" = "C:\WINNT\system32\hphmon05.exe" ["Hewlett-Packard"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"WinFaxAppPortStarter" = "wfxsnt40.exe" [MS]
"SNPSTD2" = "C:\WINNT\vsnpstd2.exe" [empty string]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"cfgmgr52" = "RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun" [MS]
"Tsl2" = "C:\PROGRA~1\COMMON~1\tsa\tsl2.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}\(Default) = "CExtension Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\cfgmgr52.dll" ["TODO: <Company name>"]
{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}\(Default) = "PopThis BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll" ["www.surfapps.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{98BB4F26-D0B6-DD45-9809-DEC81E8A7C94}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\jjdnt.dll" [file not found]
{999A06FF-10EF-4A29-8640-69E99882C26B}\(Default) = "ohb"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nsh2D.dll" [file not found]
{9ADE0443-2AB2-4B23-A3F8-AC520773DE12}\(Default) = "ohb"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nsx20.dll" [empty string]
{9DBB4F25-D0C6-D945-980F-DEC86F8F7CE7}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\jjdnt.dll" [file not found]
{AD967F26-FD85-E871-B539-EEE52EBA51A4}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\jjdnt.dll" [file not found]
{F4E04583-354E-4076-BE7D-ED6A80FD66DA}\(Default) = "ADP UrlCatcher Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\msbe.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{73612AA2-A474-4EEB-B9C1-1718447308DA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\dpquery.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
qfyxksfn\(Default) = "{fe5fcabc-0ad7-4ae6-81a9-750ec466f628}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nuksv.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\administrator.LITTLEDOG\My Documents\My Pictures\PhotoImpression4.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\PHOTOI~1.SCR" (PhotoImpression Screen Saver.scr) ["ArcSoft Inc."]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

E:\
INFECTION WARNING! E:\AUTORUN.INF -> "open=JDSecure\Windows\JDSecure20.exe" ["Lexar Media, Inc."]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\administrator.LITTLEDOG\Start Menu\Programs\Startup
"Wireless-G PCI Monitor" -> shortcut to: "C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe" ["Cisco Linksys Corporation"]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Stop HP Product Survey Program Participation" -> launches: "C:\PROGRA~1\HP\HPCORE~1\soln\HPOSM.exe /optout PTCE_MR_1.7" ["Hewlett-Packard Company"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{1C7D7C4D-945C-4BB7-B1B9-B25F0A967710}" = "PopThis! Pop-Up Blocker" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll" ["www.surfapps.com"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{1C7D7C4D-945C-4BB7-B1B9-B25F0A967710}" = "PopThis! Pop-Up Blocker" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll" ["www.surfapps.com"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{91663649-416A-42A5-8E54-B63C1ECA0548}\
"MenuText" = "PopThis! Options..."
"CLSIDExtension" = "{91663649-416A-42A5-8E54-B63C1ECA0548}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll" ["www.surfapps.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINNT\system32\HPZipm12.exe" ["HP"]
Tiny Personal Firewall, PersFw, "C:\Program Files\Tiny Personal Firewall\persfw.exe" ["Tiny Software"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 20 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 16 seconds.
---------- (total run time: 101 seconds)

I'll wait to hear from you and thanks again. Ron

#4 Grinler (Lawrence Abrams, Admin)

Posted 25 July 2005 - 01:46 PM

Was this run from the same boot up option as the previous log? I see a lot of bleep that has to go.

From whatever boot up you used, download the attached fix.bat and run it. Then reboot back to that same option and delete the following files or directories:

C:\WINNT\system\cgjsfgdb.exe
c:\winnt\system32\licocm.exe
C:\Program Files\CasStub\
C:\WINNT\cfgmgr52.dll
C:\PROGRAM FILES\COMMON FILES\tsa\
C:\WINNT\system32\jjdnt.dll
C:\WINNT\system32\nsh2D.dll
C:\WINNT\system32\nsx20.dll
C:\WINNT\system32\jjdnt.dll
C:\WINNT\system32\jjdnt.dll
C:\WINNT\system32\msbe.dll

Reboot again and then, from the same boot option, post a new HijackThis log.

Attached Files

  • Attached File  fix.bat   1.1KB   6 downloads
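A defender-side helper for reading a Silent Runners report like the one posted above, added here as an example and not code from the thread or from Silent Runners: it parses every launch point together with the bracketed annotation Silent Runners attaches to it, and separates entries whose target file is missing or whose version info carries a placeholder company name (the kind of entry the fix list above removes) from entries that merely lack version info and need a manual look. The sample report is a constructed excerpt of the LITTLEDOG log; the annotation strings and the rundll32 handling are assumptions about the format drawn from that log.

```python
"""Triage a Silent Runners report. Added example, not code from the thread or
from Silent Runners: pull each launch point with the "[...]" note attached to
it, then separate missing-file / placeholder-vendor entries from ones that
merely lack version info and need a manual look."""
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the LITTLEDOG report posted in this thread.
SAMPLE_REPORT = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"cgjsfgdb.exe" = "C:\WINNT\system\cgjsfgdb.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SNPSTD2" = "C:\WINNT\vsnpstd2.exe" [empty string]
"cfgmgr52" = "RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun" [MS]
"Tsl2" = "C:\PROGRA~1\COMMON~1\tsa\tsl2.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}\(Default) = "CExtension Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\cfgmgr52.dll" ["TODO: <Company name>"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{98BB4F26-D0B6-DD45-9809-DEC81E8A7C94}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\jjdnt.dll" [file not found]

Autostart via AUTORUN.INF on local fixed drives:
E:\
INFECTION WARNING! E:\AUTORUN.INF -> "open=JDSecure\Windows\JDSecure20.exe" ["Lexar Media, Inc."]
'''

# name = value [note]; a leading "-> " is the CLSID-to-DLL resolution of the previous entry
ENTRY_RE = re.compile(r'^(?P<arrow>-> )?(?P<name>.+?) = (?P<value>.*?)(?: \[(?P<note>[^\]]*)\])?$')
LOCATION_RE = re.compile(r'^(?:HK[A-Z_]+\\.*\\|[A-Z]:\\)(?: \{\+\+\})?$')
WARNING_RE = re.compile(r'^INFECTION WARNING! (?P<path>\S+) -> (?P<value>.*?)(?: \[(?P<note>[^\]]*)\])?$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+),', re.IGNORECASE)
NOTE_MISSING, NOTE_NO_VERSION = "file not found", {"null data", "empty string"}


@dataclass
class LaunchPoint:
    location: str       # registry key, drive root or "AUTORUN.INF"
    name: str           # value name, CLSID or autorun.inf path
    target: str         # command line, DLL path or title
    note: str           # Silent Runners annotation, e.g. "file not found"
    dll: str = ""       # InProcServer32 path from the following "->" line
    dll_note: str = ""


@dataclass
class Finding:
    severity: str       # "high": remove/quarantine; "review": verify by hand
    entry: LaunchPoint
    reason: str


def _unquote(s):
    s = (s or "").strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_report(text: str) -> List[LaunchPoint]:
    entries, location = [], ""
    for line in (raw.rstrip() for raw in text.splitlines()):
        w = WARNING_RE.match(line)
        if w:  # Silent Runners labels every AUTORUN.INF on a fixed drive this way
            entries.append(LaunchPoint("AUTORUN.INF", w["path"], _unquote(w["value"]), _unquote(w["note"])))
            continue
        if LOCATION_RE.match(line):
            location = line.replace(" {++}", "")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section headers, rulers, free text
        if m["arrow"]:
            if entries:  # attach the resolved DLL to the CLSID entry just parsed
                entries[-1].dll, entries[-1].dll_note = _unquote(m["value"]), _unquote(m["note"])
            continue
        entries.append(LaunchPoint(location, _unquote(m["name"]), _unquote(m["value"]), _unquote(m["note"])))
    return entries


def triage(entries: List[LaunchPoint]) -> List[Finding]:
    findings = []
    for e in entries:
        notes = {e.note, e.dll_note}
        host = RUNDLL_RE.match(e.target)
        if e.location == "AUTORUN.INF":
            # a vendor string drops it to a manual check (removable-media tools use autorun too)
            findings.append(Finding("review" if e.note else "high", e, "AUTORUN.INF launch point on a local drive"))
        elif NOTE_MISSING in notes:
            findings.append(Finding("high", e, "launch point whose target file is missing"))
        elif any(n.startswith("TODO:") for n in notes):
            findings.append(Finding("high", e, "placeholder company name in version info"))
        elif host:
            # "[MS]" vouches for rundll32.exe itself, not for the DLL it is told to load
            findings.append(Finding("review", e, f"signed host; annotation does not cover {host['dll']}"))
        elif notes & NOTE_NO_VERSION:
            findings.append(Finding("review", e, "no version info; confirm the vendor by hand"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_report(SAMPLE_REPORT)):
        print(f"{f.severity:6} {f.entry.location}\\{f.entry.name}: {f.reason}")
```

Note that the cfgmgr52 entry is annotated [MS] in the report because rundll32.exe is a Microsoft binary, which is why the helper reports rundll32-hosted DLLs separately instead of trusting the annotation.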


#5 pcar (Topic Starter)

Posted 25 July 2005 - 08:50 PM

Hi Grinler,
The former HJT log was in the unused boot option because my instructions were to do it in safe-mode. I now understand that the registry was a different one.

This HJT log was run in the SP4 boot option in normal-mode, not in safe-mode which this boot option will not do. This is the boot option we have always used.

I had to manually execute the FIX.BAT code since it was only partially effective. I did a registry search to verify that it had worked. Some of the keys were persistent until after most were deleted and the machine was rebooted. Then they were either gone or "deletable".

I removed the object numbers (displayed in FIX.BAT) from other registry entries as well and found a whole bunch of bigtrafficnetwork (btnetw) entries as well, with some of these keys and filenames in them.

Directories and files you indicated are deleted now as well.

I have not started the MS-IE browser yet in case there is more I should do in preparation.

__________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 8:23:19 PM, on 7/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\system32\hphmon05.exe
C:\WINNT\sm56hlpr.exe
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\vsnpstd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
C:\HighjackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pca.org/ozk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: PopThis! Pop-Up Blocker - {1C7D7C4D-945C-4BB7-B1B9-B25F0A967710} - C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\system32\hphmon05.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINNT\vsnpstd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - Startup: Wireless-G PCI Monitor.lnk = C:\Program Files\WMPCI54G WLAN Monitor\WMP54G.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\SurfApps.com\PopThis! Pro\PopThisPro.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E274C42E-E21A-4152-A284-307705C96661}: NameServer = 68.87.66.196,68.87.64.196
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6166570-81AE-4F9C-BBBF-232E70E23973}: NameServer = 68.51.0.6,68.51.0.5
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
_________________________________

Thanks, Ron

#6 Grinler (Lawrence Abrams, Admin)

Posted 25 July 2005 - 09:16 PM

OK this log looks more complete than the last one :thumbsup:

Fix this in HJT and then try IE.

R3 - Default URLSearchHook is missing

#7 pcar (Topic Starter)

Posted 27 July 2005 - 07:39 AM

Hi Grinler,
You're a guru. I fixed the entry in HJT and everything runs fine now under the Administrator user account. Then I logged in as the other users of the machine.

There was much to clean up in those as well, including r?gsvr32.exe and a downloader virus in Ventura5.exe. I thought that would have been cleaned up under the administrator account, but it was not.

A search on ventu* resulted in finding three suspicious applications in c:\WINNT\system32:
1. 97_Ventura4_4_0_3_7 (Installation exe)
2. btnetw3_venturahot_246765 and
3. weirdontheweb_ventura

These files are quarantined now but I think it's possible that the last two may be when my problems started (both on June 16th of this year).

I ran Silent Runners, HJT, and both Ad-aware and Spybot S&D and went hunting with Regedit for the stuff you pointed me to.

To keep this from happening again...
Peer-to-Peer networks are forbidden in this house, but can you point me to real security/infection risk info on Xanga and Myspace? And what's dangerous in Yahoo and AIM installations? These are where the kids want to be, but I don't know whether to lock those sites out or not. Again, I don't want to use your bandwidth when I can research it for myself.

Now I seem to have a clean machine. Time will tell but Thanks much! Ron

#8 Grinler (Lawrence Abrams, Admin)

Posted 27 July 2005 - 11:56 AM

Yeah, cleaning one profile does not clean all the profiles. Each profile has its own portion of the registry assigned to it, and malware can get installed into this private portion (HKEY_CURRENT_USER).

Looking at Xanga, it appears to be a blogging community. That seems to be fairly harmless, so I don't see anything wrong there. Myspace also seems fairly innocuous. The most you have to worry about with these types of sites is that they show ads that may require you to give email addresses when you visit them. These email addresses may lead you to get spam, but I do not see anything that would install spyware.

Yahoo and AIM are also fairly harmless. AIM installs do install a piece of software called WildTangent that supposedly sends data back to their home base, but that's open for debate. You can also choose not to have that installed when you install AIM.

The only concern about instant messaging is that there are worms out there that spread by sending messages to users giving a download link to a virus. As long as your kids have a good understanding on not clicking on links to files from strangers, they should be ok.

Below are some tips to help prevent this crapware from getting installed on your computer:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable system restore with instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

#9 pcar (Topic Starter)

Posted 27 July 2005 - 01:04 PM

Thanks Grinler,
I do run both ME and XP on my home (IP only) network but have few problems with them since I'm usually the only user. I chose 2000 Pro for the kids because I thought it more stable than both ME and XP at the time.

I appreciate the post-mortem. You very definitely helped and I have tools now and a better understanding of how 2000 works (got the Little Black Book on the Windows 2000 Registry).

One remaining question: Will there ever be a time that not being able to get into safe-mode will bite me? Or should I prepare and build up the boot option that can get into safe-mode and migrate out of this one. I have not done any of what we just went through in that option.

That'll polish-off this topic. I'll keep you in mind for other stuff as well, like why my darned Outlook suddenly stopped replicating with my Palm (ME machine). You folks don't do that kind of thing do you? Bleeping irritating!

Hope your 2005 goes well... Ron

#10 Grinler (Lawrence Abrams, Admin)

Posted 27 July 2005 - 02:10 PM

We support everything (I don't, but others here can help). When you say it won't boot into safe mode, what exactly do you mean?

#11 pcar (Topic Starter)

Posted 27 July 2005 - 06:00 PM

Here are my boot options:
_________________________________________
Please Choose the Operating system to Start:

Microsoft Windows 2000 Professional (note: This is the one I use)
Microsoft Windows 2000 Professional (note: I don't use this one)

Choose....
Number of seconds until the Operating System will start automatically: 10
_________________________________________
1. If I choose the top option all is well and that's where I operate daily. But if I use F8 with it, then I get the "Windows Advanced Options Menu" where I choose "Safe Mode".

2. Then it appears "Windows is Starting" with the progress bar across the bottom of the screen.

3. After about 17 seconds I get a blue screen with the following Stop-error:
________________________________________

*** STOP: 0x0000000A (0xED515354, 0X000000ff, 0X00000001, 0X80464079)
IRQL_NOT_LESS_OR_EQUAL

*** Address 80464079 base at 80400000, Datestamp 42258bd8 - ntoskrnl.exe

If this is the first ...
... Refer to your Getting Started manual for more information about troubleshooting Stop errors.
_________________________________________

The computer has to be cold booted at that point. I think it wants hardware drivers since during a normal boot of the LOWER option I get the hardware wizard asking for driver locations. Only it doesn't display whether it's asking for the network card, or a video card, or what.

Frankly I'd like to delete that LOWER boot option but I don't know how or what the implications are. I thought a boot.ini file drove that option-menu, but there is no boot.ini (that I can find). Perhaps getting rid of it will fix the safe-mode issue. I just don't know and it's not in anything I've read yet.

From a "cleanliness" point of view this is frustrating but doesn't rob me of much disk space that I know of and I can use the other one till our sun goes nova unless I run into a situation where I would really need safe-mode.

Any ideas?

#12 Grinler (Lawrence Abrams, Admin)

Posted 27 July 2005 - 10:10 PM

Those error messages are indicative of a hardware driver issue... safe mode should not have those issues per se, but you may want to see if there are newer drivers available.

The boot.ini is probably hidden. Enable seeing all files and then you should be able to see it in the c:\ drive.

#13 pcar (Topic Starter)

Posted 29 July 2005 - 05:51 AM

I see.
The boot.ini shows that the top (default) option (with the safe-mode problem) boots from C:\WINNT and the other boots from C:\WINDOWS in the same partition.

I discovered that adding the "/sos" switch and using safe-mode shows the Stop error occurs right after c:\WINNT\system32\DRIVERS\amd751.sys.

Question: Is it hanging on this one or on the file after this one?

I don't know which driver is next in line since on a normal boot in that option the screen flashes by too fast.

Question: Is there, or can I create a log of each boot even if it hangs?

Thanks

#14 Grinler (Lawrence Abrams, Admin)

Posted 29 July 2005 - 04:33 PM

It's probably that driver causing the problem. I think the switch for making the log is /bootlog.

Also you may want to read this:

http://forums.windrivers.com/vb/archive/index.php/t-10757
