About blank...? [RESOLVED]


This topic is locked.

#31 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to C:\WINDOWS\ and double click on wininit.ini to open it. Delete this line:

nul=C:\WINDOWS\TEMP\mcuA1B2.TMP\mskf.cfu


Save the file and close it.

Then go to C:\WINDOWS\ and open up wininit.bak in Notepad. Delete this line:

NUL=c:\WINDOWS\JPnjqantxgNw


Save the file and close it.

Delete this if found:

c:\WINDOWS\JPnjqantxgNw

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work: http://www.greyknigh...spy/CleanUp.exe) and install it. Run CleanUp! and click on the CleanUp! button. Once it's done, you may click the Close button. When asked if you want to log off, choose Yes.

Right click on this file (C:\WINDOWS\SYSTEM\devldr16.exe) and go to Properties. Was this file created recently?

#32 billywhizz (Topic Starter, Member, 70 posts)
Hi,

No file named wininit.ini on my drive. There are wininit files with the extensions .bak, .err, .sav and .txt

#33 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem. Continue on.

Scratch off that devldr16.exe. No need to upload it to that site. It's related to your Creative soundcard :tazz:

#34 billywhizz (Topic Starter, Member, 70 posts)
Hi,

The only entries in wininit.bak are:

[Rename]
nul=C:\WINDOWS\TEMP\mcu8053.TMP\mskf.cfu


None of the other lines or files exist as far as I can see.

Thanks.

#35 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, delete that line and save the file. Finish the remaining fixes there.

Restart and see if anything is still detected. If so, then do the following also:

Right click on http://www.silentrun...ent Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
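The wininit.ini lines discussed in posts #31 to #35 are [Rename] entries that WININIT.EXE carries out once at the next boot (an entry of the form `NUL=path` deletes `path`; `new=old` renames `old` to `new`), which is why malware on Windows 9x uses the file to plant or remove components before any scanner runs. The following is an added example, not code from the thread or from any of the tools named in it: it parses a wininit.ini or wininit.bak body and lists each pending delete or rename with a heuristic reason to inspect it by hand. The sample file, the heuristics and the function names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a Windows 9x wininit.ini, modelled on the two
# lines quoted in this thread; it is not a capture from the poster's PC.
SAMPLE_WININIT = r"""
; processed by WININIT.EXE once, at the next boot, then renamed wininit.bak
[Rename]
nul=C:\WINDOWS\TEMP\mcu8053.TMP\mskf.cfu
NUL=c:\WINDOWS\JPnjqantxgNw
C:\WINDOWS\SYSTEM\vmm32.vxd=C:\WINDOWS\TEMP\vmm32.new
"""

# Basename made only of letters, 10 or more, with no extension at all
RANDOM_NAME = re.compile(r"^[A-Za-z]{10,}$")

@dataclass
class RenameEntry:
    target: str                 # left side: new name, or NUL to delete
    source: str                 # right side: the file acted on at boot
    action: str                 # "delete" or "rename"
    reasons: list = field(default_factory=list)  # why it deserves a look

def _parts(path):
    return path.replace("/", "\\").split("\\")

def review(target, source, action):
    """Heuristic triage only: returns reasons to inspect an entry by hand."""
    reasons = []
    if RANDOM_NAME.match(_parts(source)[-1]):
        reasons.append("random-looking name with no extension")
    if action == "rename":
        dest_dirs = [p.upper() for p in _parts(target)[:-1]]
        src_dirs = [p.upper() for p in _parts(source)[:-1]]
        if "SYSTEM" in dest_dirs and "TEMP" in src_dirs:
            reasons.append("system file replaced from TEMP at boot")
    return reasons

def parse_rename_section(text):
    """Return the [Rename] entries of a wininit.ini / wininit.bak body."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "rename"
            continue
        if not in_section or "=" not in line:
            continue
        target, source = (p.strip() for p in line.split("=", 1))
        action = "delete" if target.upper() == "NUL" else "rename"
        entries.append(RenameEntry(target, source, action,
                                   review(target, source, action)))
    return entries

if __name__ == "__main__":
    for e in parse_rename_section(SAMPLE_WININIT):
        print(e.action, e.source, e.reasons)
```

Deleting a temporary install file is the normal use of the section, so that entry gets no reason; the random-named file in C:\WINDOWS and the boot-time replacement of a system file from TEMP are the patterns worth checking against the log before the line is removed.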

#36 billywhizz (Topic Starter, Member, 70 posts)
McAfee still finds and disinfects the StartPage trojan in a randomly named win/system folder. Here are the two logs:

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"McAfee QuickClean Imonitor" = "C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"NvColorInit" = "RUNDLL32.EXE NVQTWK.DLL,NvColorInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"AHQInit" = "C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" ["Creative Technology Ltd"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"DIAGENT" = "C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"Hidserv" = "Hidserv.exe run" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"MPSExe" = "C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding" ["McAfee, Inc"]
"MSKServerExe" = "C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe" ["McAfee Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" ["McAfee Security"]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"McVsRte" = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding" ["McAfee, Inc"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=" [file not found]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"OSA9" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Tune-up Application Start" -> launches: "walign" [MS]
"McAfee.com Update Check 05122005104440" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\mclsp.dll ["Networks Associates Technology, Inc"], 01 - 06, 13
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 07
C:\WINDOWS\SYSTEM\msafd.dll [MS], 08 - 10
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 11 - 12


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}"
-> {CLSID}\(Default) = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
-> {CLSID}\(Default) = "Encarta &Researcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{EE117DAA-A30B-40FC-945C-38AE1B80C1FA}\
"ButtonText" = "Dell Home"
"Exec" = "http://www.euro.dell...en/default.htm" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Researcher"

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

954 items found: 954 files, 0 directories.
Total of file sizes: 197,847,185 bytes 188.68 M

--------------------End log---------------------

Thanks again.

#37 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, I wanted to avoid doing this, but let's try this:

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknigh...spy/Kill2Me.exe
VX2Finder9x http://www.downloads...VX2Finder9x.exe
Hoster http://www.greyknigh.../spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknigh...spy/CleanUp.exe
KillBox http://www.greyknigh...spy/KillBox.exe
DllCompare http://www.greyknigh.../DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.c...bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknigh...LNUninstall.zip
ClearSearch Uninstaller http://www.greyknigh...chUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder9x and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for more recent created files and post them here. They are usually random named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.

#38 billywhizz (Topic Starter, Member, 70 posts)
OK,

I may be some time doing this as I'm working away for a lot of this week. I'll leave it until I can leave the PC on overnight.

Thanks for your patience with this one. :tazz:
#40 billywhizz (Topic Starter, Member, 70 posts)
OK here goes:

VX2 FINDER......

Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
VNIE55 IEAKVirginNet


Dll compare....

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

954 items found: 954 files, 0 directories.
Total of file sizes: 197,847,185 bytes 188.68 M

--------------------End log---------------------



Win / sys time sorted files since the start of year attached as screen dump.

Downloaded prog files also attached.

Both of these attachments are screen dumps in MS word, hope you can see these OK.

Attached File: win_sys_and_downloaded_p_files_screen_dump.doc (220.75KB, 15 downloads)

I will leave the PC running until I hear back.

Thanks.
#41 billywhizz (Topic Starter, Member, 70 posts)
Just a quick update - the trojan full name is "StartPage-DU.dll.dr" and it gets disinfected as soon as it's found when accessing the net. But it stays in the restore folder which can't be got at unless the restore facility is turned off.

#42 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Nothing in those logs either.

I can't open up your attachment for some reason. Something about an invalid path. That's ok.

Run a virus scan at Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

#43 billywhizz (Topic Starter, Member, 70 posts)
Can't get this to run - get a "runtime error do you wish to debug" message then it does nothing.

#44 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Are you using Internet Explorer to do this?

How about Kaspersky:
http://www.kaspersky...oduct=161744315

Does that scan work?

#45 billywhizz (Topic Starter, Member, 70 posts)
Kaspersky was the AV I used to run, which didn't disinfect anything. I'm not too keen on using this again as it conflicted with McAfee.

If there's no other option I'll go with it but I'm not too keen....

Yes, I'm running IE 5.

Edited by billywhizz, 15 June 2005 - 03:37 PM.
