
View Full Version : As requested, my HJT log



kaylasdad99
2005-11-30, 10:00
In this thread, (http://forums.spybot.info/showthread.php?t=598) I was advised to follow the instructions in the malware removal page. Accordingly, I downloaded and ran a scan on BitDefender. FWIW, the scan failed to successfully disinfect any file, and it failed to delete one (C:\WINDOWS\SYSTEM\ibm00008.dll, if it makes any difference).

Anyway, I continued by running HiJackThis, and here is the resultant logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:46:29 PM, on 11/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\CIJ3P2PS.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [CIJ3P2PSERVER] CIJ3P2PS.EXE
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

So, does it look like anything else needs to be taken care of? And is taking care of it likely to result in spybot being able to complete a scan in less than 48 hours?

I do appreciate your assistance.

:bigthumb:

LonnyRJones
2005-11-30, 10:35
Hi

Go here and submit that file
Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\SYSTEM\ibm00008.dll
And report back with the findings

kaylasdad99
2005-11-30, 19:01
Thank you. I shall do so when I get home from work.

kaylasdad99
2005-12-01, 06:03
> Hi
>
> Go here and submit that file
> Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
> C:\WINDOWS\SYSTEM\ibm00008.dll
> And report back with the findings

Okey dokey, here it is. It won't let me link to the results, I see on preview, so I will C & P.

This is a report processed by VirusTotal on 12/01/2005 at 04:45:33 (CET) after scanning the file "ibm00008.dll" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
Avast 4.6.695.0 11.29.2005 no virus found
AVG 718 11.29.2005 no virus found
Avira 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
BitDefender 7.2 12.01.2005 Trojan.Spy.Small.B
CAT-QuickHeal 8.00 11.30.2005 no virus found
ClamAV devel-20051108 11.29.2005 no virus found
DrWeb 4.33 11.30.2005 Trojan.PWS.Gamma
eTrust-Iris 7.1.194.0 12.01.2005 no virus found
eTrust-Vet 11.9.1.0 11.30.2005 no virus found
Fortinet 2.48.0.0 12.01.2005 no virus found
F-Prot 3.16c 11.30.2005 no virus found
Ikarus 0.2.59.0 11.30.2005 no virus found
Kaspersky 4.0.2.24 12.01.2005 Trojan-Spy.Win32.Small.dg
McAfee 4640 11.30.2005 PWS-JA
NOD32v2 1.1309 11.30.2005 no virus found
Norman 5.70.10 11.30.2005 no virus found
Panda 8.02.00 11.30.2005 no virus found
Sophos 4.00.0 12.01.2005 no virus found
Symantec 8.0 12.01.2005 no virus found
TheHacker 5.9.1.046 11.29.2005 no virus found
VBA32 3.10.5 11.30.2005 no virus found



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Well, I don't know what it means. I hope it means something to you. And thanks again.

LonnyRJones
2005-12-01, 10:25
Hi

Manually delete that file.
Are there any other problems?

kaylasdad99
2005-12-02, 06:02
> Hi
>
> Manually delete that file.
> Are there any other problems?

Thank you. I have manually deleted it.

As to problems, not really. But yesterday, and today, when I booted my system, I got a dialog box with the following message:

Cannot find the file ibm00007.exe (or one of its components). Make sure the path and filename are correct and that all required libraries are available.

I note that this filename differs from the infected one by one character and a filename extension. This did not prevent the computer from booting normally. When I went to Windows Explorer to delete ibm00008.dll, I found ibm00007.dll* right next to it in C:\WINDOWS\SYSTEM. But a search for ibm00007.exe yields nothing.

Is this something I should be concerned about? If so, is there a site that might make the file available for download? Not that I'm too lazy to hunt for my installation disk, but I am kinda lazy. :D

Thanks in advance.

*.dll , that must be the required library the dialog box was talking about, right? Don't spare my feelings if I'm off the mark; this is pure speculation.

LonnyRJones
2005-12-02, 06:15
Let's check
Download rand1038's registry search tool
http://tomcoyote.org/rand1038/vbscript/RegScan.zip
Extract the file, run RegScan.vbs, paste in the bolded below (to avoid mistakes, don't type), wait for a text to open and post the results

ibm00007.exe,ibm00008.dll,ibm0000

Wait for a text to open
Note: Your antivirus script protection might interfere; it's safe, please allow it to run.

kaylasdad99
2005-12-02, 08:27
No matches to your search terms: "ibm00007.exe,ibm00008.dll,ibm0000" were found. The search took 10 seconds.

Also, I got an error message: Regedit has performed an illegal operation and must be shut down. The details were:

REGEDIT caused an invalid page fault in
module REGEDIT.EXE at 0167:00405c5e.
Registers:
EAX=00000001 CS=0167 EIP=00405c5e EFLGS=00010246
EBX=81971065 SS=016f ESP=0065fde0 EBP=61746144
ECX=c159b430 DS=016f ESI=00000000 FS=1c9f
EDX=bffc9490 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
8e 46 06 26 ff 75 12 26 8a 45 14 2a e4 50 e8 1b
Stack dump:
00000000 00000000 0040b9d5 00000000 00000000 81971065 00000000 0065fe38 00000000 81971274 00550000 0040b77c 00000000 81971274 00550000 0065ff78

And the antivirus script protection didn't have anything to say about it.

LonnyRJones
2005-12-02, 08:34
Check this folder and let us know the contents

C:\Program Files\Common Files\Microsoft Shared\Web Folders\

kaylasdad99
2005-12-02, 09:16
Two items:

Msonsext.dll
Ragent.dll

And at this point, I will be retiring for the evening. Thank you for your efforts of this evening, and I look forward to seeing your response when I get in to work tomorrow.

LonnyRJones
2005-12-02, 13:15
Good, those are fine.

Let us know of any problems or if you see that (cannot find) error again.

kaylasdad99
2005-12-02, 17:41
Will do. Thank you once again.

:bigthumb:

kaylasdad99
2005-12-03, 20:32
I haven't encountered anything that seems to be a problem (I haven't yet tried to perform a task and been refused access to it, that is), but I do still get the "cannot find file" notification for ibm00007 every time I start the computer.

For clarity's sake, I might as well mention that I shut down the computer after each day's use. And my internet connection is dialup.

:confused:

LonnyRJones
2005-12-04, 02:45
Let's get a Silent Runners report

Download and run Silentrunners.Vbs and post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click No to not skip the supplementary searches
Wait until there is an All Done message!! Then open and post the log next to it. Your antivirus script protection might interfere or alert; please allow it to run, after a bit a box will say done.

kaylasdad99
2005-12-04, 07:50
Hmm. It told me that it couldn't recognize my OS and invited me to email the author with the information that my WINVER.EXE file version was 4.0.0.1111 (even though it's really 4.00.1111). When I did I got an email back with the following:
Hello,

You're using a Windows version, Windows 95 SR2 (OEM), that was never
available in stores. To get my script to run, use this version:

http://www.aaronoff.com/misc_files/Silent%20Runners%20R42D00.vbs

regards, Andy

On Sun 04 Dec 2005 at 01:51 +0100 (Paris time), you wrote:
> WINVER.EXE file version = 4.0.0.1111

I hit the link, and it downloaded another version of the application, which, in turn, requires me to download Windows Management Instrumentation (WMI) CORE 1.5 (Windows 95/98) from this site. (http://www.microsoft.com/downloads/thankyou.aspx?familyId=98A4C5BA-337B-4E92-8C18-A63847760EA5&displayLang=en&oRef=) As I'm typing this post, I am in the process of downloading the latest offering.

Any idea why my system tells me that it's WIN98, and the WINVER.EXE file is telling total strangers that it's WIN95? I'm beginning to think I may be getting in over my head. You haven't steered me wrong yet, though, so I'm going to proceed with this next download and hope for the best.

kaylasdad99
2005-12-04, 07:57
On second thought: I just tried to start the installation wizard for the Windows Management Instrumentation (WMI) download. The first thing it told me was that if I install it, I won't be able to remove it.

So before I do, I'd like your opinion on whether this is a safe path for me to embark upon. I'm particularly concerned with the issue of why my OS identifies itself as WIN98, but carries a WINVER.EXE file supposedly identifying it as a mutant form of WIN95.

Thank you for your continued assistance.

LonnyRJones
2005-12-04, 09:02
Hi
Was your PC originally Win 95?

Yes, continue with the MS WMI installation; it might need another (small) install too, the script will inform you if it's needed.

Afterwards I'd try the original silentrunners.vbs to see if it will run; if not, use the other he suggested.

kaylasdad99
2005-12-04, 19:59
No, it still insisted on running the modified version.

That said, here is the result of the operation:
"Silent Runners.vbs", revision 42D00, http://www.silentrunners.org/
Operating System: Windows 95 SR2 (OEM)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
"CompaqPrinTray" = "PrinTray.exe" ["Lexmark"]
"CIJ3P2PSERVER" = "CIJ3P2PS.EXE" [","]
"projselector" = ""C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r" ["Roxio"]
"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\My Documents\My Pictures\Brown Family.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
INFECTION WARNING! "shell=explorer.exe ibm00007.exe" [MS], [file not found]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLYING~1.SCR" (Flying Windows.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
INFECTION WARNING! "PowerReg Scheduler.exe" ["4"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Compaq IJ300 LanguageMonitor\Driver = "cij3lgmn.dll" ["Compaq Computer Corp. "]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 19 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 63 seconds)

Anything useful?

LonnyRJones
2005-12-05, 02:38
Hi

Copy this file to your desktop as a backup
c:\windows\SYSTEM.INI
right-click and rename the one in the windows folder to system.ini.txt
Open it and remove only "ibm00007.exe"
Exit and save, now rename it back to normal >> "system.ini"

That should solve the problem
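The fix above edits the [boot] shell= line of SYSTEM.INI by hand. As an added example (not from this thread or from Silent Runners), the script below does the same check mechanically on a constructed SYSTEM.INI that mirrors the "shell=explorer.exe ibm00007.exe" finding: it reports any token appended after the default shell and produces the cleaned file text with the extra launch removed.

```python
# Added example: detect and clean an abused Windows 9x SYSTEM.INI [boot] shell= line.
# Not part of the thread or of the Silent Runners script; sample input is constructed.
from typing import List, Tuple

# Constructed sample mirroring the Silent Runners "INFECTION WARNING" in the thread.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe ibm00007.exe
SCRNSAVE.EXE=C:\\WINDOWS\\SYSTEM\\FLYING~1.SCR
[386Enh]
device=vmm32.vxd
"""

DEFAULT_SHELL = "explorer.exe"  # the only thing that belongs on a stock Win9x shell= line


def _current_section(line: str, section: str) -> str:
    """Track which INI section a line belongs to."""
    if line.startswith("[") and line.endswith("]"):
        return line[1:-1].lower()
    return section


def find_shell_extras(ini_text: str) -> List[str]:
    """Return every token on the [boot] shell= line other than the default shell.

    An empty list means the launch point is clean; anything else is an extra
    program that Windows 9x would start alongside the shell at every boot
    (which is exactly what produced the 'Cannot find the file' dialog above).
    """
    section = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = _current_section(line, section)
        if section == "boot" and line.lower().startswith("shell="):
            value = line.split("=", 1)[1].strip()
            return [tok for tok in value.split() if tok.lower() != DEFAULT_SHELL]
    return []


def clean_shell_line(ini_text: str) -> Tuple[str, List[str]]:
    """Rewrite shell= to the bare default shell, leaving every other line untouched.

    Returns (cleaned text, list of removed tokens). Nothing is written to disk;
    the caller keeps the backup copy, as the thread advises, before replacing.
    """
    removed = find_shell_extras(ini_text)
    if not removed:
        return ini_text, []
    out, section = [], ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        section = _current_section(line, section)
        if section == "boot" and line.lower().startswith("shell="):
            out.append(f"shell={DEFAULT_SHELL}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n", removed
```

Run it against a copy of the real SYSTEM.INI rather than the live file; the returned text replaces the original only after the backup exists.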

kaylasdad99
2005-12-05, 06:11
And so it did. Thank you once again for a marvelous job, LonnyRJones.
:bigthumb: :crowned: :angel: :D
Now it's off to see if spybot will complete a scan in under a week. I hope my next login is to visit one of the social forums to chew the fat. :)

kaylasdad99
2005-12-05, 19:55
No such luck, though. I downloaded the latest Spybot updates and attempted to run Spybot S & D again. It zipped past AdGoblin much faster than in the past, but hung up again for several hours in the CoolWWWSearch section of the scan.

Should I post another HJT log, or would I be better off initiating another thread in the Spybot S & D forum?

Regards,

kaylasdad99

LonnyRJones
2005-12-06, 01:38
Hi kaylasdad99

Have hijackthis fix these resource hogs>
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
==========
Install, update and run a good antivirus program

Don't make the common mistake of installing more than one antivirus or firewall
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html

tashi
2005-12-10, 13:36
This topic will now be archived.
If you need the thread reopened please pm me. Cheers.