Calling All Cyber-Altruists!


This topic is locked

#16
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Well, the file that Adaware picked up, (on my previous post) is present, and its subfolder contains this guy: ’ŽrtńĺȲ$Ó] . I believe all of the other files are legit, (Config Flags, Legacy Driver, etc.) The fix did not work, however, and I'm wondering whether or not I could just move the required files, and delete the bugger altogether. At any rate, here's the StartDreck log.

StartDreck (build 2.1.7 public stable) - 2005-05-04 @ 21:19:38 (GMT -07:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Brian at TALIWHACKER

»Registry
»Run Keys
»Current User
»Run
*PopUpStopperFreeEdition="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
*EPSON Stylus C40 Series=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C40 Series" /O6 "USB001" /M "Stylus C40"
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\System32\hkcmd.exe
*BCMSMMSG=BCMSMMSG.exe
*MCAgentExe=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*VirusScan Online="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
*DwlClient=C:\Program Files\Common Files\Dell\EUSW\Support.exe
*VSOCheckTask="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
*Bart Station=C:\Program Files\ISP50\hta\station.sbrt
*Microsoft Works Update Detection=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Ink Monitor=C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
*SunJavaUpdateSched=C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
*gcasServ="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
*CleanUp=C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
+Fax Provider/{94de52c8-2d59-4f1b-883e-79663d2d9a8c}
*StubPath=rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*First Home Page=http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://home.peoplepc.com/search/
*Search Page=http://www.google.com
*Start Page=http://www.google.com
+SearchUrl
*provider=
»Default User
*Default_Page_URL=http://www.dellnet.com
*First Home Page=http://www.dellnet.com
*Start Page=http://www.dellnet.com
»Local Machine
*Default_Page_URL=http://www.google.com
*Default_Search_URL=http://www.google.com
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.google.com
*Start Page=http://www.google.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Brian\Start Menu\Programs\Startup\DESKTOP.INI
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+552=\SystemRoot\System32\smss.exe
+616=\??\C:\WINDOWS\system32\csrss.exe
+640=\??\C:\WINDOWS\system32\winlogon.exe
+684=C:\WINDOWS\system32\services.exe
+696=C:\WINDOWS\system32\lsass.exe
+840=C:\WINDOWS\system32\svchost.exe
+908=C:\WINDOWS\system32\svchost.exe
+944=C:\WINDOWS\System32\svchost.exe
+1000=C:\WINDOWS\System32\svchost.exe
+1084=C:\WINDOWS\System32\svchost.exe
+1316=C:\WINDOWS\Explorer.EXE
+1344=C:\WINDOWS\system32\spoolsv.exe
+1476=C:\WINDOWS\system32\cisvc.exe
+1704=C:\WINDOWS\system32\wdfmgr.exe
+1772=C:\WINDOWS\system32\svchost.exe
+184=C:\WINDOWS\System32\alg.exe
+224=C:\WINDOWS\System32\hkcmd.exe
+232=C:\WINDOWS\BCMSMMSG.exe
+244=C:\PROGRA~1\mcafee.com\agent\mcagent.exe
+272=C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
+108=C:\Program Files\Common Files\Dell\EUSW\Support.exe
+408=C:\Program Files\ISP50\bin\bartshel.exe
+416=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
+424=C:\Program Files\QuickTime\qttask.exe
+436=c:\progra~1\mcafee.com\vso\mcvsescn.exe
+460=C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
+484=C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
+496=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
+596=C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
+1168=C:\Program Files\Digital Line Detect\DLG.exe
+1220=C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
+2056=C:\PROGRA~1\ISP50\bin\ppshared.exe
+2288=C:\WINDOWS\System32\wbem\wmiapsrv.exe
+1120=C:\WINDOWS\system32\cidaemon.exe
+1392=C:\WINDOWS\system32\cidaemon.exe
+792=C:\Program Files\ISP50\bin\bartshel.exe
+1856=C:\PROGRA~1\ISP50\Dialer\Dialer.exe
+2348=C:\MozillaFirebird\MozillaFirebird.exe
+3040=c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
+2992=c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
+3144=c:\PROGRA~1\mcafee.com\vso\mcshield.exe
+3708=C:\Documents and Settings\Brian\My Documents\startdreck217\StartDreck.exe
»NT Services
*Alerter Alerter - disabled
*Application Layer Gateway Service ALG running on demand
*Application Management AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS running on demand
*Computer Browser Browser - auto
*Indexing Service CiSvc running auto
*ClipBook ClipSrv - disabled
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DCOM Server Process Launcher DcomLaunch running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom - on demand
*Help and Support helpsvc running auto
*Human Interface Device Access HidServ - disabled
*HTTP SSL HTTPFilter - on demand
*IMAPI CD-Burning COM Service ImapiService - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*McAfee.com McShield McShield running on demand
*McAfee SecurityCenter Update Manager mcupdmgr.exe - on demand
*McAfee.com VirusScan Online Realtime Engine MCVSRte running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - disabled
*Network DDE DSDM NetDDEdsdm - disabled
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Windows Firewall/Internet Connection Sharing (I SharedAccess running auto
`CS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV - on demand
*Windows Image Acquisition (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time w32time running auto
*WebClient WebClient running auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*WMI Performance Adapter WmiApSrv running on demand
*Security Center wscsvc running auto
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
*Network Provisioning Service xmlprov - on demand
»Application specific
  • 0
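A StartDreck log like the one above is long, and most of it is stock Windows XP. The script below is an added example (not part of the thread and not StartDreck's own code) that parses the log's line conventions, which are inferred here from the pasted log rather than from any StartDreck documentation: `»` opens a section, `+` a subkey or group (or `+pid=path` under Running Processes), `*` a value, and a backtick a nested value of the preceding entry. It then runs the checks a reviewer would run by hand: autostart entries with a bare file name or a user-writable path, file associations for `.exe`/`.com`/`.bat`/`.pif` that no longer hand the file straight through, and tampering with Shell, Userinit or AppInit_DLLs. The sample excerpt is constructed from lines in the log plus one made-up "Example Updater" entry so that the checks have something to flag.

```python
"""Triage helper for StartDreck-style logs.

Added example, not StartDreck's own code. Line conventions are inferred from the
log pasted in the thread (not from StartDreck documentation):
  »Name         section header (nesting is only implied by order)
  +Name         subkey or group inside the current section; under
                "Running Processes" these lines are "+pid=path"
  *Name=Value   a registry value
  `Name=Value   a nested value belonging to the preceding * entry
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RUN_SECTIONS = {"Run", "RunOnce", "RunServices", "RunServicesOnce",
                "RunOnceEx", "RunServicesOnceEx"}
# Handlers that should pass the file straight through; anything else is a hijack.
EXPECTED_ASSOC = {".exe": '"%1" %*', ".com": '"%1" %*',
                  ".bat": '"%1" %*', ".pif": '"%1" %*'}
USER_WRITABLE = re.compile(r"\\(documents and settings|temp|temporary internet files)\\", re.I)


@dataclass
class Entry:
    section: str
    group: Optional[str]
    name: str
    value: str
    nested: Dict[str, str] = field(default_factory=dict)


def parse_startdreck(text: str) -> List[Entry]:
    """Flatten the log into Entry records; lines with no marker (the header) are skipped."""
    entries: List[Entry] = []
    section, group = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        mark, body = line[0], line[1:]
        if mark == "»":
            section, group = body, None
        elif mark == "+":
            group = body
            if section == "Running Processes":          # e.g. "+1316=C:\WINDOWS\Explorer.EXE"
                pid, _, path = body.partition("=")
                entries.append(Entry(section, None, pid, path))
        elif mark in "*`":
            name, _, value = body.partition("=")
            last = entries[-1] if entries else None
            if mark == "`" and last and last.section == section and last.group == group:
                last.nested[name] = value
            else:
                entries.append(Entry(section, group, name, value))
    return entries


def executable_of(command: str) -> str:
    """Program part of a Run-key command: the quoted token, else text up to the first extension."""
    command = command.strip()
    quoted = re.match(r'"([^"]*)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)", command)
    return bare.group(1) if bare else command.split(" ", 1)[0]


def triage(entries: List[Entry]) -> List[str]:
    """Where autostart code lives, and whether the launch path has been tampered with."""
    findings = []
    for e in entries:
        if e.section in RUN_SECTIONS and e.value:
            exe = executable_of(e.value)
            if not re.match(r"[A-Za-z]:\\|%", exe):
                findings.append(f"run key '{e.name}': bare name {exe!r} is resolved via the search path")
            elif USER_WRITABLE.search(exe):
                findings.append(f"run key '{e.name}': starts from a user-writable location ({exe})")
        elif e.section == "Running Processes" and USER_WRITABLE.search(e.value):
            findings.append(f"pid {e.name}: running from a user-writable location ({e.value})")
        elif e.section == "File Associations (CR)" and e.group in EXPECTED_ASSOC:
            if e.value != EXPECTED_ASSOC[e.group]:
                findings.append(f"association {e.group}: handler {e.value!r}, expected {EXPECTED_ASSOC[e.group]!r}")
        elif e.name.upper() == "SHELL" and e.value not in ("", "Explorer.exe"):
            findings.append(f"Shell value is {e.value!r}, expected Explorer.exe")
        elif e.name.lower() == "userinit":
            parts = [p.strip().lower() for p in e.value.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].endswith("\\userinit.exe"):
                findings.append(f"Userinit is {e.value!r}: extra or replaced logon program")
        elif e.name == "AppInit_DLLs" and e.value.strip():
            findings.append(f"AppInit_DLLs loads {e.value!r} into every GUI process")
    return findings


# Constructed excerpt in the thread's log format; the "Example Updater" line is a made-up
# suspect entry added to exercise the checks, not something from Sardonicus's log.
SAMPLE_LOG = r"""
StartDreck (build 2.1.7 public stable) - 2005-05-04 @ 21:19:38 (GMT -07:00)
»Registry
»Run Keys
»Local Machine
»Run
*IgfxTray=C:\WINDOWS\System32\igfxtray.exe
*BCMSMMSG=BCMSMMSG.exe
*VSOCheckTask="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
*DwlClient=C:\Program Files\Common Files\Dell\EUSW\Support.exe
*Example Updater=C:\Documents and Settings\Brian\Local Settings\Temp\example.exe
»File Associations (CR)
+.exe
*exefile="%1" %*
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.lnk
`lnkfile= [key or value does not exist]
»Special NT Values
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Running Processes
+1316=C:\WINDOWS\Explorer.EXE
+2348=C:\MozillaFirebird\MozillaFirebird.exe
"""

if __name__ == "__main__":
    for finding in triage(parse_startdreck(SAMPLE_LOG)):
        print(finding)
```

On the sample it reports two items: the bare `BCMSMMSG.exe` (in the real log a Broadcom modem helper, but a bare name is worth confirming because it is found through the search path rather than a fixed location) and the constructed Temp-folder entry. The `.exe`, Shell and Userinit checks pass, which matches what OldTimer concluded from the log by eye.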

#17
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Well, that file might be there on your system but it is not active if it is. It might have been left over from an infection that you had and was not deleted. I would go ahead and just delete it. It is obviously not a valid Windows file.

After you delete it run another AdAware scan and see what you come up with.

Cheers.

OT

Edited by OldTimer, 05 May 2005 - 02:31 PM.

  • 0

#18
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Would you believe that I can't delete it?! I get a message window claiming that there was an error in the deletion process. CRAP!

Sardonicus

Edited by Sardonicus, 06 May 2005 - 11:50 AM.

  • 0

#19
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Let's try this. Start Killbox and click on the folder icon next to the 'Full path of file to delete' box and navigate to where the folder is with that file in it. Select that file and then click the Kill button (red circle with the white 'x' in it).

If that doesn't work then repeat those steps and choose the option to Delete on Reboot. Let the computer reboot and see if it's gone.

Cheers.

OT
  • 0

#20
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Bloody H E L L! The beast won't die! Kill Box claimed that the file didn't exist when I tried to delete it on the spot, and attempting to do it upon rebooting didn't work either. I'm not sure whether or not it matters, but I pasted the file path in Kill Box, rather than finding it manually because, quite frankly, I'm not sure where to look for legacy keys other than in the regedit.

Edited by Sardonicus, 08 May 2005 - 04:39 PM.

  • 0

#21
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Sardonicus. Give me the full path to this file so I can write a batch to see if it really exists. As I said previously, it is not active and there is no service that is showing up so I don't think there is a problem here.

Also, have you ever looked in the registry to see if there are actually any registry keys there? If not, then do this:

Download Registrar Lite and install it.

Start the program and then copy/paste the line below into the address bar and then press the Enter key:
HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root
Look in the right-hand pane for legacy_o?*001e*2019*017drt*00f1*00e5*00c8*00b2$*000e*00d3 and if it is there click on it and then click the 'X' in the toolbar to delete it.

Post back here with the path to this file and whether the key above exists and if you could delete it.

Cheers.

OT
  • 0
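The key name OldTimer pastes is mostly escape tokens. The script below is an added example (not from the thread and not Registrar Lite's code) that decodes it on one assumption, inferred from comparing the pasted name with the `’ŽrtńĺȲ$Ó]` folder name in the StartDreck log rather than from any documentation: Registrar Lite shows a character it cannot print as `*` followed by four hex digits of its Unicode code point, so `*2019` is U+2019 (’) and `*017d` is U+017D (Ž). It then lists every character outside printable ASCII; two of them (U+001E and U+000E) are C0 control characters, which are non-printing, so what is visible on screen in Explorer or a file-deletion tool is not the whole name.

```python
"""Decode the escaped registry key name pasted for Registrar Lite.

Added example, not Registrar Lite's code. Assumption (inferred from the thread, not
documented): a character Registrar Lite cannot print is shown as '*' plus four hex
digits of its Unicode code point, e.g. *2019 for U+2019.
"""
import re
import unicodedata
from typing import List, Tuple

ESCAPE = re.compile(r"\*([0-9A-Fa-f]{4})")

# The name exactly as it was pasted in the thread.
PASTED_NAME = "legacy_o?*001e*2019*017drt*00f1*00e5*00c8*00b2$*000e*00d3"


def decode_registrar_name(escaped: str) -> str:
    """Replace every *hhhh token with the character U+hhhh; everything else is kept as-is."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def odd_characters(name: str) -> List[Tuple[str, str, str]]:
    """(code point, Unicode name, category) for each character outside printable ASCII.
    Category 'Cc' marks C0 control characters, which have no visible glyph."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<control>"), unicodedata.category(ch))
            for ch in name if not 0x20 <= ord(ch) <= 0x7E]


def is_typeable(name: str) -> bool:
    """True only if the name contains no control characters, i.e. it could be typed or
    pasted into a plain path box without silently losing part of it."""
    return not any(cat == "Cc" for _, _, cat in odd_characters(name))


if __name__ == "__main__":
    decoded = decode_registrar_name(PASTED_NAME)
    print(repr(decoded))
    for cp, uname, cat in odd_characters(decoded):
        print(f"{cp} {cat} {uname}")
    print("typeable:", is_typeable(decoded))
```

The decoded name is `legacy_o?` followed by a control character, then `’Žrtñå È²$`, another control character and `Ó`, which lines up with the `’ŽrtńĺȲ$Ó]` folder name from the StartDreck log once the code-page differences between the two tools are allowed for. A registry editor that addresses the key by navigating to it, as Registrar Lite does, does not depend on typing the name, which is consistent with it succeeding where pasting a path did not.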

#22
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Well, finally some good news! Registrar Lite did, in fact, succeed in deleting the file, and so far, many of the symptoms have subsided. I have connected and disconnected from the internet multiple times in order to ensure that most, if not all of the beast is really dead. Here's the current status:

-I haven't received any error messages regarding scripts or my smart dialer yet.
-Although the PeoplePC window reappears for a moment after disconnecting, the title does not change to 'About:Blank' any longer, (not too sure whether or not that window should temporarily reappear anyway.)
-None of the spyware/virus scans have detected anything EXCEPT RAV and McAfee, and they both report the same infection; namely the lovely ODBC.INI:fimbx file, (RAV also adds the previously mentioned setup log infection as well.)
-Also, the Hijack This config menu continues to show 'About: Blank' as the default homepage, even though the Hijack This scan itself does not, (weird!)

This brings me to my next question.
Despite seemingly good results, should I (can I) delete and reinstall the ODBC.INI registry file just to be safe? What about the setup log? Is it possible that these viruses are running under the guise of windows components and thus escaping detection? I have read up on the ODBC file a bit, but I'm not quite savvy enough to discern whether I could momentarily delete it, (and find a site to restore it.) Any thoughts?

P.S. - Sorry, I forgot to get the file path before deleting the bugger.
  • 0

#23
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
CRUD! Spoke too soon! The dreaded About:Blank returned to the disconnecting window after some 15 or so trials. We may have wounded it, but the battle rages on...and on...and on....
  • 0

#24
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
The about:blank is not necessarily a bad thing. It is the default for when a page is not found or a setting is not explicitly made. If all of the scans are coming up clean then I would not be concerned that the about:blank page is showing (unless it is changing an explicit setting for your home page or search page that you did not set as such).

As for the warnings regarding odbc.ini I would not worry about those. I believe it's just a quirk in the scanners. I will get a warning from time to time from a scanner also but if it is throwing up a warning about a common text file then I don't get too excited. There aren't any macros or hidden code that can be executed from text files.

Cheers.

OT
  • 0

#25
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Hhhhmmmmm...Maybe the whole dialer issue has been a product of the ISP all along. Although, the error messages have ceased since I deleted the beast... Not to waste your time arguing semantics, but I always thought that malware used text docs to run scripts. I guess I'm still a little paranoid about the infection, but if you don't see those files as any possible threat, I'll leave it be. One last question for ya, if you don't mind. Do you know of any way to crack uninstall shields? I downloaded the netscape radio a while back, and I've been unable to completely dismantle it.
Thanks for all your help. I'll try to shoot ya some duckets come payday.

Sardonicus
  • 0

#26
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
Hey Sardonicus. I believe to get rid of the Netscape Radio you have to completely uninstall Netscape. It takes over almost all of your media settings and there's no backing out. I couldn't find anything anywhere on how to get rid of it in any other way.

OT
  • 0

#27
Sardonicus
    Member

  • Topic Starter
  • Member
  • 39 posts
Funny thing is, I don't even have Netscape, just the radio shenanigans. Ah well, I've dismantled most of the files already. At any rate, thanks for all the help Old Timer, it's appreciated!

-Sardonicus
  • 0

#28
OldTimer
    Global Moderator

  • Global Moderator
  • 3,272 posts
You're very welcome Sardonicus. I'm glad that we could help.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT B)
  • 0
