McAfee still finds and disinfects the startpage trojan in a randomly named win/systems folder. Here are the two logs:
"Silent Runners.vbs", revision 37,
http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"McAfee QuickClean Imonitor" = "C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"NvColorInit" = "RUNDLL32.EXE NVQTWK.DLL,NvColorInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"AHQInit" = "C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" ["Creative Technology Ltd"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"DIAGENT" = "C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"Hidserv" = "Hidserv.exe run" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"MPSExe" = "C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding" ["McAfee, Inc"]
"MSKServerExe" = "C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe" ["McAfee Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" ["McAfee Security"]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"McVsRte" = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding" ["McAfee, Inc"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
Enabled Active Desktop and Wallpaper:
-------------------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
WIN.INI & SYSTEM.INI launch points:
-----------------------------------
SYSTEM.INI
[boot]
"SCRNSAVE.EXE=" [file not found]
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"OSA9" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" [MS]
Enabled Scheduled Tasks:
------------------------
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Tune-up Application Start" -> launches: "walign" [MS]
"McAfee.com Update Check 05122005104440" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\mclsp.dll ["Networks Associates Technology, Inc"], 01 - 06, 13
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 07
C:\WINDOWS\SYSTEM\msafd.dll [MS], 08 - 10
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 11 - 12
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}"
-> {CLSID}\(Default) = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
-> {CLSID}\(Default) = "Encarta &Researcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{EE117DAA-A30B-40FC-945C-38AE1B80C1FA}\
"ButtonText" = "Dell Home"
"Exec" = "http://www.euro.dell...en/default.htm" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Researcher"
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]
HOSTS file
----------
C:\WINDOWS\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found
"
________________________________________________
954 items found: 954 files, 0 directories.
Total of file sizes: 197,847,185 bytes 188.68 M
--------------------End log---------------------
Thanks again.