Bad error on reboot after manual removal of cws


32 replies to this topic

#1 NICU46 (Full Member, 20 posts)

Posted 26 May 2004 - 08:10 PM

Well, I've been trying for about a week and a half to fix up my parents' computer, which was FULL of all kinds of spyware last Monday. I've removed most of the stuff with the latest versions of Ad-Aware, Spybot SD, CWShredder, latest Windows updates, Norton AntiVirus 2004 updated, etc., but I still have what seems to be the CoolWebSearch Searchx/Realyellowpage variant or whatever you'd call it that comes back and changes my home page to an about:blank search with popup ads several hours after I remove it with all of those other programs. I've been researching this heavily regarding Windows XP, and I've tried just about every method that has already been suggested, including the one that seems to work best for everyone, which is editing AppInit_DLLs with Reglite and deleting the random .dll. Only problem is, every time I do that and reboot, before XP can fully load -- the startup screen appears, it goes to what should be the desktop and a mouse cursor appears, but before it can do anything else or turn into a mouse cursor with an hourglass -- I get a "blue screen of death" error concerning a file called iesprt.sys and "attempts to write to read-only data." I have NO clue what this file is, and I've only been able to find one English web site concerning someone with the same problem, although on there it doesn't seem to have anything to do with AppInit_DLLs, and it doesn't appear that anyone solved anything (sorry if there's a slicker way to get this on here but all I know is cut and paste):

http://www.techspot....ad/t-12784.html

iesprt.sys

Technical information:


STOP: 0x000000BE (0x804FBD60, 0x004FB121 0xF93D1BA4, Ox0000000B)

iesprt.sys - Address F8975443 base at F8975000 DATESTAMP 408eb71a


Whenever I do this, I must use System Restore to get back to a point where I hadn't altered anything (don't know if that's the best idea but it seems to work), and of course the coolwebsearch stuff is still there. I've tried altering the reg key with regedit, Reglite and dllfix, and each time it gives me that scary error. I am not a computer expert by any means, but I've tried all the common methods, which seem like they would work fine, and all I get is this. I'm also aware that the problem might be deeper than the malware itself, and this particular error doesn't exactly appear to be spyware-related per se, but the only time it comes up is when I mess with the appinit_dlls part of the registry to remove cws. Here's my hijackthis log, after running Ad-Aware, Spybot, CWShredder:

Logfile of HijackThis v1.97.7
Scan saved at 9:03:14 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ronna Weinstein\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [esentprf] C:\WINDOWS\System32\esentprf.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Other info of note, relevant or not I am not sure but it hasn't affected the comp's performance as much as CWS:
- I installed the googletoolbar to protect against popups in the future.
- Whenever I run Spybot, I almost always get 2 things that cannot be removed: a DSO Exploit (my understanding is this isn't such a big deal) and a WebDialer (some registry keys that always come back too.. is this related?)
- Whenever the comp boots up, an Internet Explorer window opens trying to run that esentprf.exe program but it gives a "Page cannot be displayed" error. I don't know what that is, should I just fix it in Hijackthis?

I think that about sums it all up. Please let me know if there's any more info I can provide.. this has been quite a mouthful. Based on all the research I've done, you guys are by far the best and I am looking forward to your help!!

#2 NICU46 (Full Member, 20 posts)

Posted 02 June 2004 - 08:53 AM

Not trying to be a bugger here but it's been about a week and I haven't received anything.. I went into the IRC chat yesterday and someone (Dave38) suggested I fix the esentprf.exe, delete it and reboot, and then try the registry stuff? Any other input on that? I'm pretty close to just reformatting, and that might be the only solution anyway if stuff is damaged beyond repair. Even if that's the only solution, I'd appreciate any help! Thanks!

#3 freeatlast (Retired Staff, 833 posts)

Posted 02 June 2004 - 09:07 AM

KeIE: \??\C:\WINNT\System32\iesprt.sys

Is a driver (service).

Can you go to start/run/type:
services.msc

Look through the list and see if located.
When/if located, DoubleClick and check what the startup is set for. (manual/automatic, etc)
Don't make any changes there for now!

Also, try to find the file itself, RightClick and post its exact properties.

Whichever changes you made in reglite, were reverted by using system restore, hopefully...

Next, Download and Install: >>Find-All.exe (Win2K/XP only!)<<

Run the Find-All\"Find-All.Cmd" file, wait for the log and post it here.

*Note: It is rather important to hold off on making any registry alterations, from this point on!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#4 freeatlast (Retired Staff, 833 posts)

Posted 02 June 2004 - 09:43 AM

I am very interested to learn the origin of
the iesprt.sys driver.
I work at Microsoft analyzing system crashes received
via Windows Error Reporting, and we've noticed
this same crash being reported by other customers.
We want to contact the company that produced this driver, but
don't know who it is. I would appreciate any
help or pointers you can provide.

Vince Orgovan
Microsoft Windows system crash analysis
-------------------------------------------------------
it appears that the driver belongs to Intel,
more accurate: 82845g
I have this same problem after reinstalling
XP and it told me that video config was wrong.
I downloaded the last version of the driver, installed it and after
reboot, Blue Screen of Death told me
that this file is causing problems....

Seems like a known problem.
Depending on your individual PC specs, you need
to check your configs in device manager, services, and
locate your main board manufacturer for probable
updated drivers, as well as video card.
(whether onboard, PCI, etc.)

That has nothing to do with cws issue, though may
contribute to various conflicts.

As and when you'd be able to provide
the log requested above, we can proceed with
the best course of action.

#5 NICU46 (Full Member, 20 posts)

Posted 02 June 2004 - 11:03 AM

Man, thanks a lot for the quick response and the additional info! I couldn't seem to find iesprt.sys anywhere in Services, nor can I find it in device manager anywhere. Bizarre. Is there anything further I can do to locate it? The info is just that it's a system file that opens with an unknown application, size 8.56 kb and size on disk 12 kb, Created and Modified on August 29, 2002 at 7 am (same time as most other files that came with the computer, so it's not really suspicious..)

Here's the log you requested:

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/01 @@@***==--


Wed Jun 02 11:28:10 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (70B8:3B0B) - FS:NTFS clusters:4k
Total: 41 068 822 528 [38G] - Free: 31 247 785 984 [29G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q832894;Q837009;Q831167;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-19-2004 googletoolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-29-2002 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-29-2002 regedt32.exe


»»PC uptime:
11:28am up 0 days, 0:08

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\WINJOP.DLL +++ File read error
\\?\C:\WINDOWS\System32\WINJOP.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
540 SMSS.EXE
604 CSRSS.EXE Title:
628 WINLOGON.EXE Title: NetDDE Agent
692 SERVICES.EXE Svcs: Eventlog,PlugPlay
704 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
948 SVCHOST.EXE Svcs: RpcSs
1056 SVCHOST.EXE Svcs: AudioSrv,BITS,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,uploadmgr,w32time,winmgmt,wua
1212 SVCHOST.EXE Svcs: Dnscache
1276 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1424 ccSetMgr.exe Svcs: ccSetMgr
1456 ccEvtMgr.exe Svcs: ccEvtMgr
1636 SPOOLSV.EXE Svcs: Spooler
1864 EXPLORER.EXE Title: Program Manager
180 Support.exe Title: Support
148 ccApp.exe Title: Norton AntiVirus
304 NotifyAlert.exe Title: WindowsFormsParkingWindow
440 acsd.exe Svcs: AOL ACS
500 NAVAPSVC.EXE Svcs: navapsvc
608 SAVScan.exe Svcs: SAVScan
1240 symlcsvc.exe Svcs: Symantec Core LC
1336 wanmpsvc.exe Svcs: WANMiniportService
3864 CMD.EXE Title: C:\WINDOWS\System32\cmd.exe
3956 NTVDM.EXE
316 MSMSGS.EXE Title:
3044 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="300"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF945ED3-E828-4CAA-8C87-9100EC114CF0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{22749810-10CD-452A-AFA4-999DDCA3787F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{22749810-10CD-452A-AFA4-999DDCA3787F}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:


User: [D6KF6341\Ronna Weinstein], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group D6KF6341\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
D6KF6341\Ronna Weinstein:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)
FILE_WRITE_DATA


ERROR: There are no more files.

»»Contents of file(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Wed Jun 02 11:28:44 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


What next? I'm making sure to not mess with the registry until notified.

#6 freeatlast (Retired Staff, 833 posts)

Posted 02 June 2004 - 11:48 AM

Re: iesprt.sys , where did you find that info?
The file should be located in either System32
folder and/or System32\drivers.

As noted, it's probably some Intel gizmo, and
any hardware related issues you might have , would have
to be resolved on your end according to PC specs,
MOBO specs, Vid card model etc.

If you are able to find that file, Click on
the 'Submit' tab in my signature and attach it there.

I suggest you look up your Vid card exact model in
Device manager, and according to specs/drivers--contact
Intel directly or look up the site.
http://www.intel.com/


-As for CWS issue(s):
Since you have reglite, open it to the same Windows Key:
DoubleClick on 'AppInit_DLLs' and post the
contents of these fields:

-Size
-Value

Then RightClick on 'Windows' -hilited as purple
folder>properties, post here the contents of this field:

-Bytes in Values.

Lastly, this is the probable culprit:
C:\WINDOWS\System32\WINJOP.DLL

Run a search on your drive and post
back whether it is found anywhere.

Are both logs after recent system restore?
There is a glitch in the size of the data retrieved
from your Windows key.
It almost seems as if the 'AppInit' is empty (450)
And this is odd...
"TransmissionRetryTimeout"="300"
Usually set as ="90" :scratchhead:

So something else you have there is using the key,
and/or it's a glitch caused by
your own sequence of events.


Find this file as well:
C:\FindallwinBackup.hiv
And submit it on the same tab in my signature

#7 NICU46 (Full Member, 20 posts)

Posted 02 June 2004 - 12:31 PM

Re iesprt: I got that info by right-clicking the file in System32, but I'll submit it also. I'm still trying to find the video card info and I'll try to update the driver myself if it's still a problem...

As for the rest of the stuff, here's the info for that key:
Size: 31
Value: C:\WINDOWS\System32\winjop.dll

Windows>Properties
Bytes in values: 20 in this key only; 20 including all subkeys

winjop.dll wasn't found when I searched for it.

The first log was after a system restore last week, the second one was not (I haven't restored since posting).

Now to post those 2 files as requested. Thanks again!!!

#8 freeatlast (Retired Staff, 833 posts)

Posted 02 June 2004 - 01:42 PM

Ok...
Your file managed to *f00l* the bytes sizes in reglite.

Usually, this is the key info:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

»»Size of 'Windows' key: (Defaults *450)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448


Yours is a bit 'off' on 2 counts.
If the value is clean, it's 450!
If *infected- 448
If doesn't exist (deleted): -398

And in reglite/bytes per values it should be 19...
(the file *fakes it by decreasing the bytes)

While I wait for the files, and considering your
sequence of events there, I suggest you proceed
with the following for now:

1.) In hijackthis (as per last log) fix checked:

*O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
*O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
*O4 - HKCU\..\Run: [esentprf] C:\WINDOWS\System32\esentprf.exe

Reboot and delete the 'esentprf.exe' from Windows!

2.) Follow steps here to -> Install the Recovery Console on Your Computer

The procedure is rather simple. 'install the Recovery
Console as a startup option'
When the CD is in the drive,
Start/Run, Copy and paste to the run box:
D:\i386\winnt32.exe /cmdcons
Where D: is the CD-ROM drive letter, and then press Enter.

Follow instructions , restart when done and confirm
Recovery Console is in the list of 'available operating systems'

Edited by freeatlast, 02 June 2004 - 03:45 PM.

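Post #7 reported Reglite showing AppInit_DLLs with Size 31 and the value C:\WINDOWS\System32\winjop.dll, while the Find-All export in post #5 printed the same value as empty. As an added example (not from the thread and not code from Find-All, Reglite or RegDACL), the Python below parses a REGEDIT4 export of the 'Windows' key, lists whatever DLL paths AppInit_DLLs holds, and computes the byte size a REG_SZ of that text occupies with its NUL terminator, which is how a 30-character path comes out as Size 31. The export text is constructed from the default key freeatlast listed with the winjop.dll path substituted in; the 450/448/398 key-size figures in post #8 are Find-All's own measurement and are not reproduced here.

```python
"""Parse a REGEDIT4 export of the 'Windows' key and check AppInit_DLLs.

Added example for this thread; not code from any of the tools it names.
"""
import re

# A key line looks like [HKEY_LOCAL_MACHINE\...]; a value line like "Name"=data or @=data.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample: the default key as listed in post #8, but with
# AppInit_DLLs carrying the path Reglite reported in post #7. REGEDIT4
# exports escape backslashes inside string data as "\\".
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\winjop.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""


def parse_regedit4(text):
    """Return {key_path: {value_name: data}}; REG_SZ data is unescaped, other types kept as text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: drop the quotes and undo the export's escaping.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][vm.group("name") or "@"] = data
    return keys


def reg_sz_size(value, wide=False):
    """Byte size of a REG_SZ holding `value`, NUL terminator included (2 bytes per char if wide)."""
    return (len(value) + 1) * (2 if wide else 1)


def check_appinit(text):
    """Return (dll_paths, ansi_size) for AppInit_DLLs under the Windows key."""
    values = parse_regedit4(text).get(WINDOWS_KEY, {})
    appinit = values.get("AppInit_DLLs", "")
    # Windows reads the value as a list separated by spaces or commas.
    paths = [p for p in re.split(r"[ ,]+", appinit) if p]
    return paths, reg_sz_size(appinit)


if __name__ == "__main__":
    dlls, size = check_appinit(SAMPLE_EXPORT)
    print("AppInit_DLLs entries:", dlls or "(empty)")
    print("REG_SZ size, ANSI, NUL included:", size)
```

A non-empty list from check_appinit is the thing to act on; every DLL named there is loaded into each process that links user32.dll, which is why a single entry can re-hijack the browser after every cleanup.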

#9 NICU46 (Full Member, 20 posts)

Posted 03 June 2004 - 02:40 AM

Sorry it took so long to get back on this.. I tried to post before I left home this afternoon but the board was being weird. And it will be a few hours before I get back again. But thanks again for your help and I hope it continues!

That's crazy about fooling the byte size. Who comes UP with this stuff??

So, I fixed those three items in hijackthis and rebooted. esentprf.exe was not found when I rebooted so I couldn't/didn't need to(?) delete it.

In addition, I've installed the Recovery Console, and have confirmed it as an option after rebooting. Only thing you should know is I installed it from c:\i386, not the CD ROM, as the Microsoft page said was OK, so I'm hoping that it was, and it IS there on startup, but let me know if not.

That's about all. Again, THANK you for your help with this specific case. I anticipate the day that I am, in fact, "free at last" from this nightmare.

I hope my horrible pun does not deter your further assistance.

#10 freeatlast (Retired Staff, 833 posts)

Posted 03 June 2004 - 09:43 AM

Recovery console is it! :D

Let's give it a shot since it'll be the cleanest way!

Just try it once first, to get familiar with it and get
information about the file...

Grab a pen and piece of paper...
Print these steps first!

Restart in recovery console. Follow instructions on the screen.
First, you'd be asked which Windows installation to enter, type:
1
For your default C:\windows
Next, for Admin password: hit enter if blank,
or type it if set.

Next prompt is:
C:\windows>
navigate to system32 by typing: (always one space between words..)
cd system32 (hit enter)
From: C:\windows\system32> type:

dir winjop*
(hit enter)

**Watch the results:
First 2 lines starting with "volume.." are drive
info and can be ignored.
Next is :
"Directory of.... \System32\winjop..."
Right under there should be 2 lines with the file info!
Be sure to write them both down!
(last line with xxxxx free bytes can be ignored)
type
exit
On the prompt to return back to windows!
Post a fresh hijackthis log, and the contents
of the lines you wrote off recovery console!

#11 NICU46 (Full Member, 20 posts)

Posted 03 June 2004 - 08:54 PM

OK, I did that. Here's the file info:

4/26/04 06:34p -ar----- 57344 winjop.dll
1 file(s) 57344 bytes

Awaiting next instruction.

#12 NICU46 (Full Member, 20 posts)

Posted 03 June 2004 - 09:40 PM

Oh yeah, this also (i forgot the first time, sorry!):

Logfile of HijackThis v1.97.7
Scan saved at 10:39:06 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ronna Weinstein\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
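Both HijackThis logs in this thread were read by eye. As an added example (not part of the thread and not HijackThis code), the Python below parses lines in that log format and flags the kinds of entries the thread ends up treating as hijack indicators: an R1 home page set to about:blank, O2 BHOs registered with no file on disk, and a per-user O4 Run entry launching straight out of System32, where esentprf.exe sat. The rules are this example's own heuristics, and the sample lines are constructed from the shape of the logs above rather than being a complete log.

```python
"""Triage a HijackThis 1.97-style log for the indicators seen in this thread.

Added example; the flagging rules are this example's own heuristics,
not HijackThis's built-in classification.
"""
import re

# Constructed sample: a few lines in the shape of the logs posted above.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKCU\\..\\Run: [esentprf] C:\\WINDOWS\\System32\\esentprf.exe
"""

# Every entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A command whose executable sits directly in %SystemRoot%\System32.
SYSTEM32_EXE_RE = re.compile(r'"?[A-Z]:\\WINDOWS\\System32\\[^\\"\s]+\.exe"?\s*$', re.IGNORECASE)


def parse_entries(log_text):
    """Yield (kind, body) for each entry line; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return a list of (kind, reason, body) findings that deserve a closer look."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind == "R1" and body.rstrip().lower().endswith("= about:blank"):
            findings.append((kind, "home page set to about:blank", body))
        elif kind == "O2" and body.rstrip().endswith("(no file)"):
            findings.append((kind, "BHO registered but its DLL is missing", body))
        elif kind == "O4" and body.startswith("HKCU") and SYSTEM32_EXE_RE.search(body):
            # Heuristic: per-user autostarts normally point under Program Files,
            # so a HKCU Run entry launching from System32 is worth checking.
            findings.append((kind, "per-user Run entry launching from System32", body))
    return findings


def finding_kinds(log_text):
    """Just the section codes of the findings, in log order."""
    return [kind for kind, _, _ in triage(log_text)]


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}: {body}")
```

On the sample the HKLM IgfxTray entry is deliberately not flagged: the heuristic keys on the per-user hive, which is where the esentprf entry in post #1 lived, and a machine-wide System32 autostart from a known vendor is a different question.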

#13 freeatlast (Retired Staff, 833 posts)

Posted 03 June 2004 - 10:18 PM

OK, I did that. Here's the file info:

4/26/04  06:34p  -ar----- 57344  winjop.dll
1 file(s)  57344 bytes

Awaiting next instruction.

Wonderful! :D
We are going to get rid of the problem painlessly! ;)

Next, you are going to rename the file in
recovery console, and delete it later in windows!

Steps:
-Restart recovery console
-Type 1 to enter Windows Installation
-Type password (or enter if blank)
From C:\windows> type:

cd system32 (hit enter)

From: C:\windows\system32> type:

ren winjop.dll winjop.111

(hit enter)

From the C:\Windows\system32> type:
exit
To return to Windows!

Lastly, do 'find-files' for: 'winjop.111'< delete.
Open reglite into the same Windows key,
DoubleClick 'AppInit_Dlls' value, Delete:
"C:\WINDOWS\System32\winjop.dll" from
the 'value' field in data editor!
hit 'apply' and 'ok' to set.

Run CWShredder, ad-Aware, Spybot again
to clean all remnants left,
Consider problem solved! ;)

#14 NICU46 (Full Member, 20 posts)

Posted 04 June 2004 - 08:54 AM

Painlessly I wish :techsupport:

As soon as I reboot after renaming the .dll to winjop.111 and select Windows XP, I'm still getting the iesprt.sys stop error. I don't know what to do about it. I tried updating the video card drivers on the Intel site (there was an update), but it hasn't fixed it, which might mean the problem is unrelated to video drivers?

At least it seems we have determined that the problem doesn't appear to be only editing the registry as much as changing (renaming or deleting) the hidden .dll file, because in the method you suggested, I didn't even get up to this step:

Lastly, do 'find-files' for: 'winjop.111'< delete.
Open reglite into the same Windows key,
DoubleClick 'AppInit_Dlls' value, Delete:
"C:\WINDOWS\System32\winjop.dll" from
the 'value' field in data editor!
hit 'apply' and 'ok' to set.


I rebooted, renamed the file BACK to winjop.dll, and there was no iesprt.sys stop error and everything loaded up fine. What does it all mean?? Is there anything else I can do to help figure out just how the hell this spyware .dll is in ANY way connected to this random .sys file? Can I do anything to the .sys file, like rename it?

Thanks again for your continued help.

#15 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 04 June 2004 - 11:43 AM

I assume you renamed it back to original in recovery console?

As for the error, the file definitely did
something to your 'Windows' key, or you have some
gizmo installed there that creates a conflict..
or...
This has to do with something you did before on your own!

This is indeed puzzling.
Almost looks as if that file hooked the 'iesprt.sys' somehow.
And I'm not sure what to make of it.

This will take some time to figure out, if you're willing.

To start with, you never mailed me the requested files!

I need both files:
1.) 'iesprt.sys'
2.) 'FindallwinBackup.hiv' located in C:\
Thats a backup of your Windows key.
-Click on the 'submit' tab in my signature, it'll open
your email client, browse and attach both files and send!

And I need to see list of your services.

Download: "StartDreck" from:
http://www.niksoft.a.../startdreck.htm
-Unzip
-Run 'StartDreck.exe'
-Hit 'config' tab
-hit 'Unmark' all

-Check these only:

-Under 'System/Drivers':
*NT Services
*NT Kernel and FS drivers
hit 'ok'
-Use the 'save' tab, save it and post the log!
(Saved by Default in StartDreck folder;'StartDreck.log')

*One more thing:
Copy the file in recovery console this way:
Start RC... Same steps as before:
Type 1 to enter Windows installation
Password...
From C:\Windows> type
cd system32
(enter)
From C:\Windows\system32> type:

copy winjop.dll winjop.111

You should see: "1 file(s) copied"..

Type
exit
to return to Windows, find and mail me
the winjop.111 file as well.

#16 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 04 June 2004 - 02:12 PM

Just confirming, received both:
-'iesprt.sys'
-'FindallwinBackup.hiv'

Try to follow up on the other steps (previous page),
e.g. the list of services/drivers via the tool above, and produce a copy of
winjop.111 via recovery console and mail it.

You should have no trouble copying it and it should have
no side effects, as winjop.dll will remain active and
winjop.111 is just a 'dead' copy.

EDIT:
Here we go....
iesprt.sys is not Intel related, but appears to
be bad news.

Here are the strings inside, which are typical of a 'downloader':

Editt
lsd_f3.dll
window:
GET /data10.php?info=%s&user=%s HTTP/1.1
User-Agent: A-311
Host: www.%s
Connection: Keep-Alive

lsd_f3.dll Details: :ph34r:
http://fr.trendmicro...ANKER.W&VSect=T

The sooner you'll be able to post the list of services, the better.

Meanwhile, run a search for 'lsd_f3.dll' and mail me as well, if found!

*Don't delete any files for now!
P.S: http://www.kaspersky.com/scanforvirus
..................................................................
Scanned file: iesprt.sys

iesprt.sys - infected by TrojanDownloader.Win32.Small.ip
:techsupport:

Edited by freeatlast, 04 June 2004 - 02:34 PM.

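The strings freeatlast pulled out of iesprt.sys (a hard-coded HTTP request line, a User-Agent, a Host header with a `%s` placeholder, and a second DLL name) are the usual tells of a small downloader stub, and they are worth scoring before a file goes off to an online scanner. The following Python script is an added example, not part of the thread and not run against the real file: it does a `strings`-style extraction over a constructed byte blob seeded with the quoted strings, tags each string with the indicator class it matches, and counts the distinct classes hit. The blob, the indicator names and the score threshold are illustrative assumptions.

```python
import re
from typing import Dict, List

# Constructed stand-in for the driver image (NOT the real iesprt.sys): the
# ASCII strings are the ones quoted in the post above, padded with made-up
# filler bytes so the extraction has something to skip over.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"lsd_f3.dll\x00" + b"\x17\x02\xff" * 5
    + b"GET /data10.php?info=%s&user=%s HTTP/1.1\r\n\x00"
    + b"User-Agent: A-311\r\n\x00"
    + b"Host: www.%s\r\n\x00"
    + b"Connection: Keep-Alive\r\n\x00"
    + b"\x00" * 16
)

# Indicator classes for a hand-rolled HTTP downloader. The names are
# illustrative; the score is simply the number of distinct classes hit.
INDICATORS = {
    "http_request": re.compile(r"^(GET|POST) /\S+ HTTP/1\.[01]$"),
    "user_agent":   re.compile(r"^User-Agent:"),
    "host_header":  re.compile(r"^Host:"),
    "format_spec":  re.compile(r"%s"),          # filled in at run time (host, victim id)
    "dll_name":     re.compile(r"\.dll$", re.I),
    "script_url":   re.compile(r"\.(php|asp|cgi)\b", re.I),
}


def extract_strings(blob: bytes, min_len: int = 5) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, in file order
    (what the Unix `strings` tool prints). CR/LF are not printable, so the
    HTTP header lines come out one per string."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Map each string to the indicator classes it matches; drop the rest."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        tags = [name for name, rx in INDICATORS.items() if rx.search(s)]
        if tags:
            hits[s] = tags
    return hits


def downloader_score(hits: Dict[str, List[str]]) -> int:
    """Number of distinct indicator classes seen. A kernel driver has no
    business carrying HTTP request strings at all, so anything above a
    couple of classes is worth a proper scan."""
    return len({t for tags in hits.values() for t in tags})


if __name__ == "__main__":
    found = classify_strings(extract_strings(SAMPLE_BLOB))
    for s, tags in found.items():
        print(f"{s!r:48} {', '.join(tags)}")
    print("downloader score:", downloader_score(found))
```

Two things to keep in mind when reading such output: a strings hit is a triage signal, not a verdict (freeatlast still ran the file through an AV scanner before calling it), and `Host: www.%s` means the server name is substituted at run time, so the strings alone will not hand you the domain the stub talks to.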

#17 NICU46

NICU46

    Member

  • Full Member
  • 20 posts

Posted 04 June 2004 - 04:29 PM

Yikes. Not nice at all.

Here's this info:

StartDreck (build 2.1.5 public BETA) - 2004-06-04 @ 17:26:27
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

»Registry
»Files
»System/Drivers
»NT Services
*Alerter Alerter - on demand
*Application Layer Gateway Service ALG - on demand
*AOL Connectivity Service AOL ACS running auto
*Application Management AppMgmt - disabled
*ASP.NET State Service aspnet_state - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS running on demand
*Computer Browser Browser running auto
*Symantec Event Manager ccEvtMgr running auto
*Symantec Password Validation ccPwdSvc - on demand
*Symantec Settings Manager ccSetMgr running auto
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Fax Fax - auto
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Norton AntiVirus Auto Protect Service navapsvc running auto
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*SAVScan SAVScan running auto
*ScriptBlocking Service SBService - auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice running auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Symantec Core LC Symantec Core LC running auto
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time w32time running auto
*WAN Miniport (ATW) Service WANMiniportService running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
*abp480n5 abp480n5 - disabled
*Microsoft ACPI Driver ACPI running boot
*ACPIEC ACPIEC - disabled
*adpu160m adpu160m - disabled
*aeaudio aeaudio running on demand
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
*AFD Networking Support Environment AFD running auto
*Intel AGP Bus Filter agp440 - disabled
*Compaq AGP Bus Filter agpCPQ - disabled
*Aha154x Aha154x - disabled
*aic78u2 aic78u2 - disabled
*aic78xx aic78xx - disabled
*AliIde AliIde - disabled
*ALI AGP Bus Filter alim1541 - disabled
*AMD AGP Bus Filter Driver amdagp - disabled
*amsint amsint - disabled
*asc asc - disabled
*asc3350p asc3350p - disabled
*asc3550 asc3550 - disabled
*RAS Asynchronous Media Driver AsyncMac - on demand
*Standard IDE/ESDI Hard Disk Controller atapi running boot
*Atdisk Atdisk - disabled
*ATM ARP Client Protocol Atmarpc - on demand
*Audio Stub Driver audstub running on demand
*Broadcom 440x 10/100 Integrated Controller XP D bcm4sbxp running on demand
`river
*BCM V.92 56K Modem BCMModem running on demand
*Beep Beep running system
*bvrp_pci bvrp_pci - on demand
*cbidf cbidf - disabled
*cbidf2k cbidf2k - disabled
*cd20xrnt cd20xrnt - disabled
*Cdaudio Cdaudio - system
*Cdfs Cdfs running disabled
*CD-ROM Driver Cdrom running system
*Changer Changer - system
*CmdIde CmdIde - disabled
*Cpqarray Cpqarray - disabled
*dac2w2k dac2w2k - disabled
*dac960nt dac960nt - disabled
*Disk Driver Disk running boot
*dmboot dmboot - disabled
*dmio dmio - disabled
*dmload dmload - disabled
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
*dpti2o dpti2o - disabled
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
*drvmcdb drvmcdb running boot
*drvnddm drvnddm running auto
*3Com EtherLink XL 90XB/C Adapter Driver EL90XBC - on demand
*Fastfat Fastfat running disabled
*Floppy Disk Controller Driver Fdc running on demand
*Fips Fips running system
*Floppy Disk Driver Flpydisk running on demand
*Volume Manager Driver Ftdisk running boot
*Generic Packet Classifier Gpc running on demand
*HPFECP16 HPFECP16 - auto
*hpn hpn - disabled
*i2omgmt i2omgmt running system
*i2omp i2omp - disabled
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
*i81x i81x - on demand
*iAimFP0 iAimFP0 - on demand
*iAimFP1 iAimFP1 - on demand
*iAimFP2 iAimFP2 - on demand
*iAimFP3 iAimFP3 - on demand
*iAimFP4 iAimFP4 - on demand
*iAimTV0 iAimTV0 - on demand
*iAimTV1 iAimTV1 - on demand
*iAimTV2 iAimTV2 - on demand
*iAimTV3 iAimTV3 - on demand
*iAimTV4 iAimTV4 - on demand
*ialm ialm running on demand
*KeIE iesprt running system
*CD-Burning Filter Driver Imapi running system
*ini910u ini910u - disabled
*IntelIde IntelIde - disabled
*IP Traffic Filter Driver IpFilterDriver - on demand
*IP in IP Tunnel Driver IpInIp - on demand
*IP Network Address Translator IpNat - on demand
*IPSEC driver IPSec running system
*IR Enumerator Service IRENUM - on demand
*PnP ISA/EISA Bus Driver isapnp running boot
*Keyboard Class Driver Kbdclass running system
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
*KSecDD KSecDD running boot
*lbrtfdc lbrtfdc - system
*mnmdd mnmdd running system
*Modem Modem running on demand
*Unimodem Streaming Filter Device MODEMCSA - on demand
*Mouse Class Driver Mouclass running system
*MountMgr MountMgr running boot
*mraid35x mraid35x - disabled
*WebDav Client Redirector MRxDAV running on demand
*MRxSmb MRxSmb running system
*Msfs Msfs running system
*Microsoft Streaming Service Proxy MSKSSRV - on demand
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
*Mup Mup running boot
*MxlW2k MxlW2k running on demand
*NAVENG NAVENG running on demand
*NAVEX15 NAVEX15 running on demand
*NDIS System Driver NDIS running boot
*Remote Access NDIS TAPI Driver NdisTapi running on demand
*NDIS Usermode I/O Protocol Ndisuio running on demand
*Remote Access NDIS WAN Driver NdisWan running on demand
*NDIS Proxy NDProxy running on demand
*NetBIOS Interface NetBIOS running system
*NetBT NetBT running system
*Npfs Npfs running system
*Ntfs Ntfs running disabled
*Null Null running system
*nv nv - on demand
*IPX Traffic Filter Driver NwlnkFlt - on demand
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
*OMCI WDM Device Driver omci running system
*Intel PentiumIII Processor Driver P3 - system
*Parallel port driver Parport running on demand
*PartMgr PartMgr running boot
*ParVdm ParVdm running auto
*PCI Bus Driver PCI running boot
*PCIDump PCIDump - system
*PCIIde PCIIde running boot
*Pcmcia Pcmcia - disabled
*PDCOMP PDCOMP - on demand
*PDFRAME PDFRAME - on demand
*PDRELI PDRELI - on demand
*PDRFRAME PDRFRAME - on demand
*perc2 perc2 - disabled
*perc2hib perc2hib - disabled
*WAN Miniport (PPTP) PptpMiniport running on demand
*Processor Driver Processor running system
*QoS Packet Scheduler PSched running on demand
*Direct Parallel Link Driver Ptilink running on demand
*PxHelp20 PxHelp20 running boot
*ql1080 ql1080 - disabled
*Ql10wnt Ql10wnt - disabled
*ql12160 ql12160 - disabled
*ql1240 ql1240 - disabled
*ql1280 ql1280 - disabled
*Remote Access Auto Connection Driver RasAcd running system
*WAN Miniport (L2TP) Rasl2tp running on demand
*Remote Access PPPOE Driver RasPppoe running on demand
*Direct Parallel Raspti running on demand
*Rdbss Rdbss running system
*RDPCDD RDPCDD running system
*Terminal Server Device Redirector Driver rdpdr - on demand
*RDPWD RDPWD - on demand
*Digital CD Audio Playback Filter Driver redbook running system
*SAVRT SAVRT running system
*SAVRTPEL SAVRTPEL running system
*Secdrv Secdrv - on demand
*Serenum Filter Driver serenum running on demand
*Serial port driver Serial running system
*Sfloppy Sfloppy - system
*Simbad Simbad - disabled
*SIS AGP Bus Filter sisagp - disabled
*smwdm smwdm running on demand
*Sparrow Sparrow - disabled
*Microsoft Kernel Audio Splitter splitter - on demand
*System Restore Filter Driver sr running boot
*Srv Srv running on demand
*sscdbhk5 sscdbhk5 running system
*ssrtln ssrtln running system
*Software Bus Driver swenum running on demand
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
*symc810 symc810 - disabled
*symc8xx symc8xx - disabled
*SymEvent SymEvent running on demand
*symlcbrd symlcbrd running auto
*SYMREDRV SYMREDRV running on demand
*SYMTDI SYMTDI running auto
*sym_hi sym_hi - disabled
*sym_u3 sym_u3 - disabled
*Microsoft Kernel System Audio Device sysaudio running on demand
*TCP/IP Protocol Driver Tcpip running system
*TDPIPE TDPIPE - on demand
*TDTCP TDTCP - on demand
*Terminal Device Driver TermDD running system
*tfsnboio tfsnboio running auto
*tfsncofs tfsncofs running auto
*tfsndrct tfsndrct running auto
*tfsndres tfsndres running auto
*tfsnifs tfsnifs running auto
*tfsnopio tfsnopio running auto
*tfsnpool tfsnpool running auto
*tfsnudf tfsnudf running auto
*tfsnudfa tfsnudfa running auto
*TosIde TosIde - disabled
*Udfs Udfs - disabled
*ultra ultra - disabled
*Microcode Update Driver Update running on demand
*Microsoft USB 2.0 Enhanced Host Controller Mini usbehci running on demand
`port Driver
*USB2 Enabled Hub usbhub running on demand
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
*VgaSave VgaSave running system
*VIA AGP Bus Filter viaagp - disabled
*ViaIde ViaIde - disabled
*VolSnap VolSnap running boot
*Remote Access IP ARP Driver Wanarp running on demand
*WAN Miniport (ATW) wanatw running on demand
*WDICA WDICA - on demand
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
*Intel® Graphics Platform (SoftBIOS) Driver {6080A529-897E-4629- - on demand
*Intel® Graphics Chipset (KCH) Driver {D31A0762-0CEB-444e- - on demand
»Application specific

I'll send you the .111 right now too. Also, in regards to your question, yes, I did rename it back to .dll in Recovery Console and then rebooted to XP (but have since copied it in RC).

#18 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 04 June 2004 - 04:55 PM

Well, you did great so far in recovery console.
That's a big bonus as we can use it to work our
way up and possibly around the problem.

I'm still looking into it, but identified the
culprit so far; as suspected, it's a system driver:

StartDreck ................
..............
»NT Kernel- and FS-drivers
...........
*KeIE iesprt running system

Was the blue screen only in regular mode?
Do you recall if you were always able to
restart in safe mode after making some of the
previous changes?

That's important to know!

If we disable the driver or anything else, it would be
easier to have system access in safe mode.

I'll wait for the other file .

Were you able to locate the 'lsd_f3.dll' I mentioned before?
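What makes `*KeIE iesprt running system` stand out in a list of two hundred drivers is that it is loaded, starts early (system start), and its display name is neither a descriptive phrase like "Microsoft ACPI Driver" nor simply the service name repeated, the way Beep, Null or KSecDD are. That is a heuristic, not a rule, but it is one you can run mechanically. The script below is an added example, not part of the thread and not a tool freeatlast used: it parses StartDreck's `*display service state start` lines, including the lines StartDreck wraps onto a following backtick-prefixed continuation line, and lists the drivers that meet the heuristic. The input is a constructed excerpt of the posted log; on other builds the filter will need tuning.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt in StartDreck's own layout: a few lines of the posted
# log, including one that StartDreck wrapped onto a backtick continuation line.
SAMPLE_LOG = """\
StartDreck (build 2.1.5 public BETA)
»System/Drivers
»NT Services
*Alerter Alerter - on demand
»NT Kernel- and FS-drivers
*Microsoft ACPI Driver ACPI running boot
*Beep Beep running system
*Broadcom 440x 10/100 Integrated Controller XP D bcm4sbxp running on demand
`river
*KeIE iesprt running system
*KSecDD KSecDD running boot
*nv nv - on demand
*Null Null running system
*Fastfat Fastfat running disabled
»Application specific
"""

DRIVER_SECTION = "»NT Kernel- and FS-drivers"

# display name (may contain spaces) | service name | running or - | start type
ENTRY_RX = re.compile(
    r"^\*(?P<display>.*?) (?P<service>\S+) (?P<state>running|-) "
    r"(?P<start>boot|system|auto|on demand|disabled)$"
)


@dataclass
class Driver:
    display: str
    service: str
    running: bool
    start: str


def section(log: str, header: str) -> List[str]:
    """Lines belonging to one »-headed section of a StartDreck log."""
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("»"):
            inside = line.strip() == header
        elif inside:
            out.append(line.rstrip())
    return out


def parse_drivers(lines: List[str]) -> List[Driver]:
    drivers: List[Driver] = []
    for line in lines:
        if line.startswith("`") and drivers:
            drivers[-1].display += line[1:]      # rest of a wrapped display name
            continue
        m = ENTRY_RX.match(line)
        if m:
            drivers.append(Driver(m["display"], m["service"],
                                  m["state"] == "running", m["start"]))
    return drivers


def review_candidates(drivers: List[Driver]) -> List[Driver]:
    """Loaded boot/system-start drivers whose display name is a bare token
    that also differs from the service name. Heuristic only."""
    out = []
    for d in drivers:
        if not d.running or d.start not in ("boot", "system"):
            continue
        if " " in d.display:                         # descriptive name
            continue
        if d.display.lower() == d.service.lower():   # Beep, Null, KSecDD ...
            continue
        out.append(d)
    return out


if __name__ == "__main__":
    drivers = parse_drivers(section(SAMPLE_LOG, DRIVER_SECTION))
    for d in review_candidates(drivers):
        print(f"review: {d.service!r} shown as {d.display!r} ({d.start} start)")
```

Run over the full posted log the filter returns only `iesprt`; that agreement with freeatlast's manual read is the point, not a claim that the heuristic is complete.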

#19 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 04 June 2004 - 05:56 PM

Ok...
we need to run some tests now.
I suspect the files are not related to one another, but the
latter (iesprt)
may be related to the pest you fixed in hijackthis.

Here are next steps:

*1.) Search for 'lsd_f3.dll' , mail as well if found.

*2.) Restart in recovery console and try
renaming 'iesprt.sys' (only), instead.

cd system32

ren iesprt.sys iesprt.old


exit
restart

Post back whether you are able to restart in
-normal mode, -safe mode, or -none!

And of course rename it back to original,
if that's the case!

*3.) Download this small tool to identify drivers:
http://freehost14.we...s/serviwin.html
Unzip, run, set>view>drivers:
Search in the list, under "i", or "k", in the "name" column:
-iesprt
-KeIE

When found, click once to select.
Top menu>file>save selected items>save> post the results!

*4.) Download 'RegSrch.zip' from
the 'Find-all page' link in my signature.

Unzip. Run RegSrch.vbs file
Enter: iesprt.sys as the string to search!
It will run for a while, silently, and subsequently generate small report.
Post it here!
*Note: If you have Norton bloatware
script blocking installed, disable it or that tool won't work!

Lots of work, awaiting the progress! :wave:

#20 NICU46

NICU46

    Member

  • Full Member
  • 20 posts

Posted 05 June 2004 - 12:42 PM

OK! Here's the latest. Sorry it takes such a long time to get back sometimes, but I did everything you said.

First of all, you should know that yes, when I got the blue screen error, I was able to reboot into safe mode (that's how I could use System Restore), but not normal mode.

Next, I've emailed you everything, I think. Let me know if you're still waiting for any.

And now for the real instructions...

I renamed iesprt.sys to iesprt.old and, after rebooting, it WAS still able to boot into normal mode. I named it back to .sys after booting back into recovery console, however, for the sake of keeping things straight. Let me know if I should change it again.

Serviwin info reads as follows:
Under "iesprt":
==================================================
Name : iesprt
Display Name : KeIE
Status : Started
Startup Type : System
Group :
File Description :
File Version :
Company :
Product Name :
Description :
Filename : C:\WINDOWS\System32\iesprt.sys
==================================================

There was no KeIE, only iesprt.

And finally, the regsrch info:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "iesprt.sys" 6/5/2004 1:20:53 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

I hope that's everything I need at this point.

#21 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 05 June 2004 - 01:20 PM

So far so good!

You missed this:

*Search for 'lsd_f3.dll' , mail as well if found.(confirm if exist!)

If you are able to start in safe mode, that's good news!

I'm a bit concerned about the registry search results!
They only list your Search history!
Can you run the 'Regsrch.vbs' again on these 'keywords':

iesprt
---------------
KeIE
--------------
lsd_f3.dll
--------------

*One at a time, Save all text results and post them here!

Now, continue:
Run StartDreck.exe again:
Config>unmark all
*Check only: System/Drivers>*NT Kernel and FS drivers
'ok' it.

Find this line on the list: (you can use the search tab)
*KeIE iesprt running system

On the lower tab, hit the 'stop' tab.
When/if no longer marked as 'running', hit the 'edit' tab!
>Change Startup tab to> 'Disabled' and ok it!

Watch the results, try refreshing once!

Then in Windows (no need to use RC) rename
iesprt.sys to iesprt.old and leave it that way. (Don't delete!)

Restart and test the system, also run
StartDreck again, find the same line and
confirm it remained disabled!
(If no go reverse the process in Safe mode)

#22 NICU46

NICU46

    Member

  • Full Member
  • 20 posts

Posted 05 June 2004 - 01:54 PM

Allll right. I found the lsd_f3.dll and sent it a few hours ago, did you get that?

I'm not sure I totally understand what you meant by the registry search results only listing search history. Nevertheless, I searched again like you said (maybe the problem was, the first time we searched for 'iesprt.sys' and this time only 'iesprt') and there's more results, plus results for the others. Here they are:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "iesprt" 6/5/2004 2:44:01 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000\Control]
"ActiveService"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt\Enum]
"0"="Root\\LEGACY_IESPRT\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\iesprt]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\iesprt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000\Control]
"ActiveService"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt\Enum]
"0"="Root\\LEGACY_IESPRT\\0000"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\iesprt.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\iesprt.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"b"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch.txt"

---
Those .txt files were created by myself to save search results from regsrch and serviwin.

KeIE search results:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "KeIE" 6/5/2004 2:45:29 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]
"DeviceDesc"="KeIE"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt]
"DisplayName"="KeIE"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000]
"DeviceDesc"="KeIE"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\iesprt]
"DisplayName"="KeIE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]
"DeviceDesc"="KeIE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt]
"DisplayName"="KeIE"

---
And finally, the lsd_f3 search:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "lsd_f3" 6/5/2004 2:46:20 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"Startup"="LSD_F3"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="lsd_f3.dll"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\\WINDOWS\\SYSTEM32\\lsd_f3.dll"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\SYSTEM32\\lsd_f3.dll"


Now I'm going to follow the rest of the directions in your last post and I'll post again with the results! This is all so appreciated, thanks again.
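The difference between the first RegSrch run and this one is the whole lesson of the exchange: searching for `iesprt.sys` only returned Open/Save dialog history, while searching for `iesprt` surfaced the `Services\iesprt` registration, the `Enum\Root\LEGACY_IESPRT` device node that PnP creates for a kernel driver, and (for the second name) the `Winlogon\Notify\f3dsl` package that loads lsd_f3.dll into winlogon.exe. Sorting hits into "this is how it persists" versus "this is where the user clicked on it" is the first thing to do with such a dump. The Python script below is an added example, not part of the thread and not one of the tools used in it: it parses RegSrch's REGEDIT4-style output and buckets each key as persistence, user-activity artifact, or unclassified. The sample export is constructed from the keys posted above plus one assumed AppInit_DLLs hit (the thread states winjop.dll sits in that value); the rule names and the placeholder SID are illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed RegSrch-style export: keys taken from the posted search results,
# plus an assumed AppInit_DLLs hit. The SID is a placeholder.
SAMPLE_EXPORT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James

; Registry search results for string "iesprt" (constructed sample)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt]
"DisplayName"="KeIE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"Startup"="LSD_F3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\winjop.dll"

[HKEY_USERS\S-1-5-21-EXAMPLE-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

[HKEY_USERS\S-1-5-21-EXAMPLE-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="lsd_f3.dll"
"""

# Key paths that load code: a hit here is how the thing comes back after reboot.
PERSISTENCE_RULES = [
    (re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\", re.I),
     "service/driver registration (what makes a .sys load at boot)"),
    (re.compile(r"\\Enum\\Root\\LEGACY_", re.I),
     "PnP legacy device node created for a kernel driver"),
    (re.compile(r"\\Winlogon\\Notify\\", re.I),
     "Winlogon notification package (DLL loaded into winlogon.exe)"),
    (re.compile(r"\\CurrentVersion\\Run(Once|Services)?(Ex)?$", re.I),
     "Run-key autostart"),
]
# Value names that load code even though the key path looks innocuous.
PERSISTENCE_VALUES = {
    "appinit_dlls": "AppInit_DLLs (DLL injected into every process that loads user32.dll)",
}
# Key paths that only record what the user opened, searched for or saved.
ARTIFACT_RULES = [
    (re.compile(r"\\ComDlg32\\(OpenSaveMRU|LastVisitedMRU)", re.I), "Open/Save dialog history"),
    (re.compile(r"\\Search Assistant\\ACMru", re.I), "Explorer search history"),
    (re.compile(r"\\Recent File List$", re.I), "application recent-files list"),
    (re.compile(r"\\Explorer\\RecentDocs", re.I), "Explorer recent documents"),
]

VALUE_RX = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Key path -> list of (value name, data). RegSrch prints a key line on
    its own and again before each matching value; the copies are merged."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
            continue
        m = VALUE_RX.match(line)
        if m and current is not None:
            data = m["data"]
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")   # REG_SZ escapes backslashes
            keys[current].append((m["name"], data))
    return keys


def triage(text: str) -> Dict[str, list]:
    """Bucket every key of the export as persistence, artifact or unclassified."""
    result: Dict[str, list] = {"persistence": [], "artifact": [], "unclassified": []}
    for key, values in parse_reg_export(text).items():
        reason = next((why for rx, why in PERSISTENCE_RULES if rx.search(key)), None)
        if reason is None:
            reason = next((PERSISTENCE_VALUES[n.lower()] for n, _ in values
                           if n.lower() in PERSISTENCE_VALUES), None)
        if reason:
            result["persistence"].append((key, values, reason))
            continue
        reason = next((why for rx, why in ARTIFACT_RULES if rx.search(key)), None)
        result["artifact" if reason else "unclassified"].append((key, values, reason))
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_EXPORT).items():
        print(bucket.upper())
        for key, values, reason in entries:
            print(f"  {key}\n    {values}  <- {reason}")
```

Two practical notes. First, the persistence bucket is the removal plan: the `Services` entry and the Winlogon notify subkey are what must go, together with the file each points at, and the `Enum\Root\LEGACY_*` node is created by Plug and Play with a restrictive ACL, so expect an access-denied error when deleting it by hand until its permissions are changed. Second, the artifact bucket is still useful evidence: the Open/Save and search-history entries show that `C:\WINDOWS\SYSTEM32` is where both files live, which is exactly the fact the thread needed.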

#23 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 05 June 2004 - 02:07 PM

Here is the next step , follow up regardless of success in previous steps:

Run reglite:

Copy and paste this key to the address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Hit the 'go' tab!
Under the 'Notify' subfolder highlighted in purple, find this:
f3dsl< right-click it and delete!

Rename: lsd_f3.dll as lsd_f3.old

Restart and confirm the process by running
reglite again, confirming that
subfolder is gone and the file is renamed as .old

#24 NICU46

NICU46

    Member

  • Full Member
  • 20 posts

Posted 05 June 2004 - 02:41 PM

OK, it looks like we're making some progress! Spectacular.

First, regarding 2 posts back, the iesprt.sys wasn't really stopping (I gave it 2 minutes, then 4 and then picked quit) but it changed from "Running" to "stopping..." So I changed the startup tab to "Disabled," renamed the file as per request and rebooted. It's confirmed as still being disabled, everything appears to be running OK and it's still renamed. :thumbsup:

I've also taken the steps in the most recent post. I deleted the f3dsl folder, renamed the lsd_f3.dll (had to do it in RC because Windows said it was still in use or something, but after doing that it worked no problem AND after rebooting, I've confirmed it's still named .old). I've also confirmed that the folder is still gone! :thumbsup: :thumbsup:

Annnnd now?

#25 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 05 June 2004 - 03:01 PM

Wonderful! :thumbsup:

Next, restart in safe mode:

-Run reglite, copy and paste each one of the keys in black one at a time,
to the address bar, hit go:
Each one of the subfolders highlighted in red
should be deleted!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
LEGACY_IESPRT< delete!

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
LEGACY_IESPRT <delete

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root
LEGACY_IESPRT <delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
iesprt <delete

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
iesprt<delete

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
iesprt< delete!

If you don't find all, that's OK.
I just included them but some are
mirrors of the others (and the service has been successfully disabled)

-Make a new folder in System32 folder, name it: "junkfiles"
Move all 3 to the 'junkfiles' folder for now (whichever you kept)

-iesprt.old
-lsd_f3.old
-winjop.111

Run the RegSrch tool again on these, one at a time:
lsd_f3
iesprt
f3dsl

Save and post the results!

I believe we are getting closer! :D

#26 NICU46

NICU46

    Member

  • Full Member
  • 20 posts

Posted 05 June 2004 - 03:38 PM

Well, I'm posting from safe mode right now (with networking) and here's the update.

I wasn't able to delete any of the LEGACY_IESPRT folders. Each time I tried, it said "ACCESS DENIED." hmmm.

I did delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\iesprt.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\iesprt wasn't there.

I backed up all 6 of those keys before I did anything, just in case something went wrong. I just want to know if this is all OK before I move the files, so let me know.

#27 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 04:16 PM

Good move by backing up the keys.
As for the 'legacy_' keys, they are part of system services.
Don't worry about them.
You might be able to delete them later directly in
regedit (reglite might have some security restrictions)
once all the parts are gone.

Go ahead and move the files to the 'junkfiles' subfolder.

Also post the results of the last (3 files) in the Regsrch.

#28 NICU46

NICU46

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 05 June 2004 - 04:46 PM

All righty, I made that folder and moved those 3 files. Remember though, winjop.dll is still part of the AppInit_DLLs part of the registry.. should I try to edit that yet or wait for the instructions? I have absolute, total confidence that you're on top of this, because you've been an incredible help so far. I just figured I'd bring it up because it always helps to be as thorough as possible :) Sorry if I'm jumping the gun!

Here's the regsrch results:

lsd_f3:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "lsd_f3" 6/5/2004 5:27:09 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="lsd_f3.*"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="lsd_f3.dll"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="lsd_f3"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\lsd_f3search.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"a"="C:\\WINDOWS\\SYSTEM32\\lsd_f3.dll"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"h"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\lsd_f3search.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\SYSTEM32\\lsd_f3.dll"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"e"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\lsd_f3search.txt"
---

iesprt:
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "iesprt" 6/5/2004 5:29:26 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IESPRT\0000\LogConf]

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\iesprt.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch2.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\iesprt.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"b"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"c"="C:\\Documents and Settings\\Ronna Weinstein\\Desktop\\Spyware removal\\regsearch\\iesprtregsearch2.txt"

[HKEY_USERS\S-1-5-21-3403664767-394532533-788976878-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"g"="c:\\windows\\system32\\ren iesprt.sys iesprt.old\\1"

---

And there were no results for f3dsl :D

#29 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 05:07 PM

Ok....

These 3 are still there.
At any point in the future, you may try deleting the
subfolders again, but directly in regedit!
If you still get access denied, right-click the subfolder, security/permissions/advanced and be sure you
have privileges (as part of the Admin group).

*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_IESPRT

*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
LEGACY_IESPRT

*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\
LEGACY_IESPRT


There is no real need to worry since they
no longer appear in 'services'.

Everything else seems to be cleaned up nicely! :)
All other registry refs are just search history records!

Let's try with the *original steps again and
rename the villain!

-Start Recovery console...
-cd system32
-ren winjop.dll winjop.old
-exit... :whistle:

If all goes well, open reglite and delete
the data (value) in the 'AppInit_Dlls'
value and move 'winjop.old' to the 'junkfiles' subfolder in system32!

If not... post back exact details... (and rename the file back)
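A small triage helper, added here as an example and not code from the thread or from RegSrch.vbs: it parses a REGEDIT4-style RegSrch result and buckets each hit the way the post above does (search-history and file-dialog records versus a still-registered service, a LEGACY_ enumeration record, or the AppInit_DLLs load point). The sample export, its SID and its paths are constructed.

```python
import re

# Constructed sample in the REGEDIT4 layout RegSrch.vbs produces (SID and
# paths made up); it is not the thread's own output.
SAMPLE = r"""REGEDIT4
; Registry search results for string "iesprt"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IESPRT\0000]
"Service"="iesprt"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt]
"ImagePath"="system32\\iesprt.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="winjop.dll"
[HKEY_USERS\S-1-5-21-111-222-333-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\SYSTEM32\\iesprt.sys"
[HKEY_USERS\S-1-5-21-111-222-333-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"g"="c:\\windows\\system32\\ren iesprt.sys iesprt.old\\1"
"""

# Key fragments that only record the user's own searching and file dialogs.
HISTORY = ("\\comdlg32\\opensavemru", "\\explorer\\runmru",
           "\\search assistant\\acmru", "\\wordpad\\recent file list")

def classify(key, name):
    """'history', 'legacy', 'service', 'loadpoint' or 'other' for one hit."""
    k = key.lower()
    if any(h in k for h in HISTORY):
        return "history"    # side effect of the cleanup itself, not the pest
    if "\\enum\\root\\legacy_" in k:
        return "legacy"     # PnP record of a kernel service; read-only leftover
    if re.search(r"\\(currentcontrolset|controlset\d+)\\services\\", k):
        return "service"    # driver still registered: it will load at next boot
    if name.lower() == "appinit_dlls":
        return "loadpoint"  # DLL injected into every process that loads user32
    return "other"

def parse_regsrch(text):
    """Yield (key, name, data) from a REGEDIT4 export; comments are skipped."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := re.match(r'"([^"]*)"="(.*)"$', line)) and key:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def triage(text):
    """Bucket every hit by class so the non-history ones stand out."""
    out = {}
    for key, name, data in parse_regsrch(text):
        out.setdefault(classify(key, name), []).append((key, name, data))
    return out
```

Anything landing in the service or loadpoint bucket is what still needs attention; the history bucket can be ignored, as the post above says.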

#30 NICU46

NICU46

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 05 June 2004 - 05:26 PM

Ohhh man, it looks like everything has worked out!! I renamed the file and it not only rebooted, it allowed me to edit appinit_dlls, and when I rebooted after that, everything still seems to be working!

Should I now run Ad-Aware, Spybot, CWS, and then Norton Antivirus, and then post the HijackThis log? Good plan?

#31 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 05:32 PM

:thumbsup: I knew it! :bounce:

It was the 'other' pest you had in the notify\Subkey that created the conflict!

Well done!
Run any and all available tools now!
CWShredder, Ad-Aware, Spybot, update
Norton defs and run a full internal scan!

*Feel free to send the *entire 'junkfiles' subfolder to the bin!

P.S. Don't worry about the 'Legacy_' Subkeys, I just
checked some of mine and the system keeps
records of deleted 'services' but only as read only.

#32 NICU46

NICU46

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 05 June 2004 - 07:28 PM

Well, this should probably be my last post (famous last words I'm sure, but things really do look good :D )

I ran Ad-Aware, and it found a few remnants of CWS and whatnot and removed them. I then ran CWShredder and it found nothing! I then ran Spybot and it found a cookie, the DSO exploit, and a Webdialer, which it couldn't completely remove until rebooting. I then did a full scan with Norton Antivirus, and it actually came up with a few files in local settings\temp folders, not sure how much of a threat those are but I followed Symantec's own instructions to remove them (I'll post back here if there's any problems). After removing those files, I rebooted, allowed Spybot to run its course, and all it found now is the DSO Exploit, which I understand isn't really a threat? Let me know if I should worry about that. I ran Ad-Aware and it found nothing!! Wooooooo!

What's more, IE seems to be running a little smoother, and the homepage hasn't changed. *MASSIVE SIGH OF RELIEF*

As a final thought, is there anything else I should do? Would you recommend I change any particularly important passwords or PIN numbers or whatever to protect against whatever's already out there? That I can do on my own, I think :cool:

As far as working with you is concerned, it has been a pleasure. Let me know if you need anything, like maybe my first-born son, because that's kind of what I feel like I owe. Hehe, just kidding, but my family does appreciate the help!!!

#33 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 05 June 2004 - 10:15 PM

Ewwwww, thanks for the kind words and all pests (in junkmail)...
More fire to play with... :weee:

Re: Spybot results, nothing to worry about.
The expl0it pertains to Defaults IE security zones
that spybot is trying to 'tighten', and can't!
That's a known issue, (along with the 'alleged' webdialer)
sort of a 'bug', should be fixed in next update(s).

Re: *passwords, yeahhhh.
*Some of these pests were/are keyloggers! :ph34r:
Change personal *info as much as possible!

Re: Temp files/folder(s). Clear them all via
Docs & Settings folder\*Accounts\Local Settings\temp.
Empty the entire temp folder(s) contents in each account!

Was a great survival trip, keep on smiling ;)