Full Version: Explorer.exe error messages
jglynch
In safe mode...

I started with removing the backdoor.agent.b with a tool I found at http://securityresponse.symantec.com/avcen...er/FxAgentB.exe.

Then got rid of the "R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/" and "error #317 from antiSPY".

Reboot in safe mode, click IE for the web, and I get an internal error msg about mshtml.dll.

With a full reboot and login to Windows, the system loads and the explorer.exe error message starts over and over, filling up the Task Manager.

Any help would be most appreciated, thx.


Logfile of HijackThis v1.99.1
Scan saved at 11:25:08 PM, on 5/9/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\bos\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: winlogin.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

HKEd
Welcome to SAF, jglynch.

There's usually a hidden file that loads this hijack. We'll get to that later.

Fix this line in HijackThis:

O4 - Global Startup: winlogin.exe

You should be able to locate and delete Winlogin.exe (Randex worm). Does that get you to normal mode without the Explorer errors?

You may have to make all files and folders visible to locate the file:
QUOTE
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Let us know how that goes. If you can get to normal mode, generate a fresh log and post it.

Once your system is clean, you should go to Windows Updates and install what's available. Unpatched systems are wide open to infections.
HKEd
Please clarify if the error involves Explorer.exe, Iexplore.exe or Iexplorer.exe. You've mentioned two so far (one in topic title).
jglynch
It gets better...HJT was unable to delete the file, it's in use. The task manager was unable to stop the file, it's a critical system process.

Made sure the files and folders are all showing. Also searched for the file winlogin.exe, the only listing of the file is in the HJT backups folder.

Sorry about that... good catch, the error message is explorer.exe.

thx,
j
HKEd
QUOTE
HJT was unable to delete the file, it's in use.


QUOTE
Also searched for the file winlogin.exe


I'm confused - what file would not delete?

Download RKFiles. Make a new folder for it on the desktop and unzip it to the new folder. Click on RKFiles.bat and wait for it to generate a log. This can take 10 minutes or more, so be patient.

NB - RKFiles must only be run in safe mode.

Post back with the log.
jglynch
I was using HJT to fix O4 - Global Startup: winlogin.exe, the msg was it could not delete the file. It also told me to try and stop it with the Task Manager, then come back to HJT to fix it. The Task Manager couldn't stop it. I thought from your previous msg I was trying to locate and delete the file? "You should be able to locate and delete Winlogin.exe (Randex worm). Does that get you to normal mode without the Explorer errors?"

First off, thanks again for your help! I'm not sure what your work schedule is like, but it's @ 2:40am. Time to call it a night, I just wanted to get you the log first.

Here's the log:

C:\Documents and Settings\bos\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\aunzip32.dll: UPX!
C:\WINNT\system32\azip32.dll: UPX!
C:\WINNT\system32\dmsadmins.exe: UPX!
C:\WINNT\system32\dumpsprep.exe: UPX!
C:\WINNT\system32\ipdnssec6.exe: UPX!
C:\WINNT\system32\micefix.exe: UPX!
C:\WINNT\system32\mqspbkup.exe: UPX!
C:\WINNT\system32\qwinnta.exe: UPX!
C:\WINNT\system32\sesmgr.exe: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\proxya.exe: UPX!
Finished
bye
HKEd
OK...this new version of HJT tries to delete the file while fixing the startup call. I thought you were in safe mode already, working from another computer. Winlogin.exe would indeed have been 'in use'. You should be able to delete it in safe mode.

It's afternoon here in Hong Kong, so I'll let you catch some sleep. I'll post the next step later.
HKEd
Next step is to download Killbox. Unzip it to the desktop. Click on 'Delete on Reboot', then copy/paste the following lines one-by-one into the 'Full Path of File to Delete' box. After each, click on the red icon with the white X. You'll be prompted to reboot after each one, but don't accept the invitation until the last line has been pasted in:

C:\WINNT\system32\dmsadmins.exe

C:\WINNT\system32\dumpsprep.exe

C:\WINNT\system32\ipdnssec6.exe

C:\WINNT\system32\micefix.exe

C:\WINNT\system32\mqspbkup.exe

C:\WINNT\system32\qwinnta.exe

C:\WINNT\system32\sesmgr.exe

C:\WINNT\proxya.exe


Note - I haven't tried this new version of Killbox yet. I believe you can copy/paste all of the lines at once, so here's what you paste to the box:

C:\WINNT\system32\dmsadmins.exe
C:\WINNT\system32\dumpsprep.exe
C:\WINNT\system32\ipdnssec6.exe
C:\WINNT\system32\micefix.exe
C:\WINNT\system32\mqspbkup.exe
C:\WINNT\system32\qwinnta.exe
C:\WINNT\system32\sesmgr.exe
C:\WINNT\proxya.exe


When it reboots, boot to safe mode and run RKFiles again to generate a new log. While in safe mode, look for Winlogin.exe and see if you can delete it. If it still protests, note the location of the file and type the file name and path into Killbox to get it on the next reboot.

Back in normal mode, run another HJT scan and post a fresh log.

Another note - notice that Killbox has an 'End Explorer Shell While Killing File' option, as well as "Replace on Reboot' > 'Use Dummy'. If any of the files are hooked into Explorer.exe, you may have to use those options. But we'll keep it simple for the moment.
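What "Delete on Reboot" relies on, as an added example that is not part of the original post or of Killbox: Windows keeps deferred file operations in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which smss.exe carries out early in boot before Explorer, services or startup items can reopen the file. That is why a file that is "in use" in normal mode can still be removed this way. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the API that appends to it. The code below builds and parses that value in memory (for example to read it out of an offline SYSTEM hive) and touches no registry; the path list is the one from the post above.

```python
r"""What 'Delete on Reboot' does underneath.

Added example, not code from this thread or from Killbox. The registry value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
(REG_MULTI_SZ) is a flat list of pairs: a source path in NT form (\??\C:\...)
followed by a destination. An empty destination means delete at boot; a
non-empty one means replace (the 'Replace on Reboot' / 'Use Dummy' case).
This code only encodes and decodes that value; it writes nothing.
"""

NT_PREFIX = "\\??\\"

# The eight paths from the post above.
POST_LIST = r"""
C:\WINNT\system32\dmsadmins.exe
C:\WINNT\system32\dumpsprep.exe
C:\WINNT\system32\ipdnssec6.exe
C:\WINNT\system32\micefix.exe
C:\WINNT\system32\mqspbkup.exe
C:\WINNT\system32\qwinnta.exe
C:\WINNT\system32\sesmgr.exe
C:\WINNT\proxya.exe
""".split()


def to_nt_path(win_path: str) -> str:
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def encode_pending_ops(ops) -> bytes:
    """ops: [(source, destination or None)] -> REG_MULTI_SZ bytes (UTF-16LE)."""
    flat = []
    for src, dst in ops:
        flat.append(to_nt_path(src))
        flat.append(to_nt_path(dst) if dst else "")    # "" = delete on boot
    # every string NUL-terminated, then one more NUL closes the list
    return ("".join(s + "\0" for s in flat) + "\0").encode("utf-16-le")


def decode_pending_ops(raw: bytes) -> list:
    """Inverse of encode_pending_ops; returns [(source, destination or None)].

    Generic REG_MULTI_SZ readers stop at the first empty string, which is
    exactly where a delete entry sits, so the value is parsed pairwise here.
    """
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                  # list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                       # split artefact of the final string's NUL
    if not any(parts):
        return []
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    return [(from_nt_path(parts[i]), from_nt_path(parts[i + 1]) or None)
            for i in range(0, len(parts), 2)]


def schedule_delete(paths) -> list:
    return [(p, None) for p in paths]


def describe(ops) -> list:
    return [f"delete {src}" if dst is None else f"replace {src} with {dst}"
            for src, dst in ops]


if __name__ == "__main__":
    ops = schedule_delete(POST_LIST)
    blob = encode_pending_ops(ops)
    for line in describe(decode_pending_ops(blob)):
        print(line)
```

On a live system use MoveFileEx (what Killbox and similar tools do) rather than editing the value by hand; operations run in list order at boot, and a malformed pair can stall the whole list.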
jglynch
I used Killbox to stop the list you sent. I wasn't able to copy/paste them all in, so I put them all in one at a time. Good to go~

Here's the latest RKFiles log while in safe mode:

C:\Documents and Settings\bos\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\aunzip32.dll: UPX!
C:\WINNT\system32\azip32.dll: UPX!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Now I'm looking for the winlogin.exe file. The only file(s) even close to that are winlogon.exe (and there's 2 of them)? One in all caps in folder C:\WINNT\system32 and the other all lower case in folder C:\WINNT\$NtUninstallSP2SRP1$

The infected computer is my old work computer, an IBM A20 laptop (about 5 years old, with all kinds of corporate Novell security stuff). I've been using my old desktop and a data stick to get everything back and forth....

Even in safe mode I can't stop the "O4 - Global Startup: winlogin.exe" in HJT. I can't even find it on the hard drive to get the correct path into Killbox.

Not that I'm giving up all hope but I just had a thought...

A fresh clean install of Windows 2000 sounds good at this point (first have to get a copy)! Then I can get rid of the old corporate stuff, and start from the beginning. As long as I keep a copy of the current drivers.... What do you think?
jglynch
Is there a way to correct the title of this post or move it? It's confusing because I put the wrong problem in the title...

Iexplore.exe instead of Explorer.exe
HKEd
WinlogOn.exe is OK. It's a Microsoft file.

The O4 is a startup call from the registry. It doesn't necessarily mean the file is on the system, and the 'Global Startup' can be problematic in HJT. It often has to be deleted manually.

I would not advise an overinstall of Win2000 if that's what you're suggesting. The system has been corrupted, and it may make things worse. Format and reinstall, yes, but only as a last resort. The driver issue is minor. There are free programs that can backup drivers.

Next step is to run SilentRunners. It's a VBS file and Norton may protest at running it. You may have to disable Norton, otherwise run it in safe mode. It will show if Winlogin.exe is actually on the system.
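The winlogon/winlogin confusion above is the standard trick of naming malware one letter off from a system binary. As an added example (not code from this thread, HijackThis or Silent Runners), the script below parses HJT-style O4 lines, compares each launched filename with a short, constructed list of legitimate Windows 2000 binaries and their home directories (an assumption for illustration, not exhaustive), and flags names within edit distance 2 of a real one that are not real themselves, plus real names started from the wrong directory. SAMPLE_O4 is taken from the log in this thread plus one constructed line.

```python
"""Triage startup entries for lookalike system-binary names.

Added example, not from the thread or from HijackThis/Silent Runners.
KNOWN is a constructed, deliberately short allow-list of genuine Windows
2000 binaries and the directory each normally lives in; extend it for real use.
"""
import ntpath

# Constructed allow-list: lower-case name -> expected directory (None = don't check).
KNOWN = {
    "winlogon.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
    "iexplore.exe": r"c:\program files\internet explorer",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "smss.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "csrss.exe": r"c:\winnt\system32",
}

# O4 lines from the HijackThis log in this thread, plus one constructed line (last).
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe",
    r"O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE",
    r"O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE",
    r"O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q",
    r"O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe",
    r"O4 - Global Startup: winlogin.exe",
    r"O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE",
    r"O4 - HKLM\..\Run: [svchost] C:\WINNT\svchost.exe",   # constructed: real name, wrong folder
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def o4_target(line: str) -> str:
    """Return the program path launched by an HJT O4 line."""
    body = line.split(":", 1)[1] if line.startswith("O4 -") else line
    if " = " in body:                       # shortcut form: "Name.lnk = C:\...\x.exe"
        body = body.split(" = ", 1)[1]
    body = body.strip()
    if body.startswith("["):                # Run-key form: "[ValueName] command args"
        body = body.split("]", 1)[1].strip()
    cut = body.lower().find(".exe")         # drop arguments such as "/Q"
    if cut >= 0:
        return body[:cut + 4]
    return body.split()[0] if body else body


def classify(path: str) -> str:
    directory, name = ntpath.split(path)
    lname = name.lower()
    if lname in KNOWN:
        expected = KNOWN[lname]
        if expected and directory and directory.lower() != expected:
            return f"known name, unexpected directory (expected {expected})"
        return "known"
    for real in KNOWN:
        if levenshtein(lname, real) <= 2:
            return f"lookalike of {real}"
    return "unknown"


def triage(lines) -> list:
    """[(filename, directory, verdict)] for each O4 line."""
    out = []
    for line in lines:
        path = o4_target(line)
        directory, name = ntpath.split(path)
        out.append((name, directory, classify(path)))
    return out


if __name__ == "__main__":
    for name, directory, verdict in triage(SAMPLE_O4):
        print(f"{verdict:45} {directory}\\{name}")
```

"unknown" here only means the name is not on the allow-list; vendor tools like atiptaxx.exe and NWTRAY.EXE land there and still have to be checked against their publisher (the "[company]" tags in a Silent Runners log do that part).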
HKEd
QUOTE (jglynch @ May 11 2005, 02:25 PM)
Is there a way to correct the title of this post or move it? It's confusing because I put the wrong problem in the title...

Iexplore.exe instead of Explorer.exe


It's actually Iexpolorer.exe. I'll see what I can do.
jglynch
You'll keep seeing a reference to "bos" that's my profile name. When the laptop starts up there's a security policy window. Once you click ok to agree you have to select a profile to get in, "bos" is the administrators profile. Not sure if any of this matters just letting you know.

How much of the log should I post? It's pretty big.

Startup items in "bos" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "winlogin.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
jglynch
Here's the full log:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = "C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"TPTRAY" = "C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" ["IBM Corp."]
"NWTRAY" = "NWTRAY.EXE" ["Novell, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "ShimLayer Property Page"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\apppatch\slayerui.dll" [empty string]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}" = "Novell Connections"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\nwshlxnt.dll" ["Novell, Inc."]
"{04c23aa0-3d34-11d2-b788-008029605ac7}" = "NDPS Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ndpsprop.dll" [empty string]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0AC6C6C5-F7A8-11D2-BEF4-00C04F990001}" = "Allaire FTP & RDS"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\CFSHEL~1.DLL" ["Allaire Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> {CLSID}\InProcServer32\(Default) = "stobject.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "NWGINA.DLL" ["Novell, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\System32\NavLogon.dll" [null data]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


Startup items in "bos" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "winlogin.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\netware\NWWS2NDS.DLL" ["Novell, Inc."]
000000000004\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SAP.DLL" ["Novell, Inc."]
000000000005\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SLP.DLL" ["Novell, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, "C:\Program Files\NavNT\defwatch.exe" ["Symantec Corporation"]
IBM PM Service, IBMPMSVC, "C:\WINNT\System32\ibmpmsvc.exe" [null data]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]
Network DDE DSDM, NetDDEdsdm, "C:\WINNT\system32\netdde.exe" [MS]
Norton AntiVirus Client, Norton AntiVirus Server, "C:\Program Files\NavNT\rtvscan.exe" ["Symantec Corporation"]
Novell Application Launcher, NALNTSERVICE, "C:\WINNT\System32\NALNTSRV.EXE" ["Novell, Inc."]
Novell Workstation Manager, WM, "C:\WINNT\System32\wm.exe" ["Novell, Inc."]
Remote management, Novell WUser Agent, "C:\NOVELL\ZENRC\wuser32.exe" ["Novell, Inc."]
WUOLservice, WUOLService, "C:\NOVELL\ZENRC\WUOLService.exe" ["Novell, Inc."]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "kblock" ["Novell, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
HKEd
The startup call is in this location:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

If you can locate the shortcut, right-click on it and select Properties. You should be able to see the location of the file. The typical way to deal with this would be to delete the shortcut, boot to safe mode and delete the file.

It's strange you can't locate it. Are all files and folders visible as per previous instructions?
jglynch
Yes that option is selected, I'll re-check it and apply the settings. I'll let you know.

thx,
j
jglynch
I've re-applied the setting here's what's there. There's 2 shortcuts in this folder

Adobe Gamma Loader
WinZip Quick Pick
HKEd
You can see from Silent Runners that the other is there as well:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

INFECTION WARNING! "winlogin.exe" [null data]

"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Make sure you've applied this:
QUOTE
Uncheck the Hide protected operating system files (recommended) option.


You can also use Killbox on the shortcut:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
jglynch
OK, the file was deleted. I still couldn't see the actual file, but putting in the full path still worked. I then did a full reboot and the same looping error message begins. So I had to go back to safe mode to run HJT. The "O4 - Global Startup: winlogin.exe" did not show up in the HJT log...a good thing!!

Where to go from here? It's almost 6am now going to get some sleep, I'll check back tomorrow in the afternoon.

thx,
j
HKEd
That "error #317 from antiSPY" is unknown in the Googleverse, J. Is that the message you still get?

I think there's no way you can get around that unless you install the updates I mentioned. They are the best way of fixing the 'holes' that malware exploits are designed to attack.

Run another HJT log by me from normal mode.