About blank...? [RESOLVED]
Started by billywhizz, Apr 26 2005 12:32 PM
#46
Posted 15 June 2005 - 05:28 PM
I want a copy of the files that Kaspersky can't disinfect. Copy and paste them here.
#47
Posted 16 June 2005 - 02:06 PM
No it was the full version that caused the conflict, sorry. Here is the logfile from the online scan:
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, June 16, 2005 21:02:32
Operating System: Microsoft Windows Millennium Edition
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/06/2005
Kaspersky Anti-Virus database records: 126586
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
a:\
c:\
d:\
e:\
Scan Statistics:
Total number of scanned objects: 27488
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3251 sec
Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0000370.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB/A0000023.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB Infected: Trojan.Win32.StartPage.vr
Scan process completed.
-------------------------------------------------------------------------------
#48
Posted 16 June 2005 - 04:08 PM
You shouldn't run two antivirus programs on the same computer. That might have been the problem.
We're basically all done here. Make sure to disable system restore (and then restart and enable it) to get rid of the remaining junk.
Your log is clean.
Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Restart your computer and uncheck the same box to enable System Restore.
Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.
To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.
Are there any problems now? If not, you should be set to go.
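The advice in post #48 rests on every remaining detection in the Kaspersky report sitting inside the System Restore store, which on Windows Me is the `_RESTORE` folder at the root of the drive. The following Python sketch is an added example, not part of the original thread and not Kaspersky's own tooling: it parses the report lines quoted in post #47 and checks that claim. The function names are hypothetical, and it assumes that "/" in an object name separates an archive from the member inside it.

```python
import re
from dataclasses import dataclass

# Constructed sample: statistics and detection lines copied from the
# Kaspersky web scanner report quoted in post #47.
REPORT = r"""
Scan Statistics:
Total number of scanned objects: 27488
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3251 sec
Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0000370.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB/A0000023.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB Infected: Trojan.Win32.StartPage.vr
Scan process completed.
"""

RESTORE_DIR = "_RESTORE"  # Windows Me System Restore store: <drive>:\_RESTORE

DETECTION = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")
INFECTED_COUNT = re.compile(r"^Number of infected objects:\s*(\d+)\s*$")


@dataclass(frozen=True)
class Detection:
    file_on_disk: str       # file that exists on the volume (lower-cased)
    archive_member: str     # entry inside that file, "" if the file itself
    name: str               # detection name as reported
    in_restore_store: bool  # True if the file lives under <drive>:\_RESTORE


def parse_detection(line):
    """Return a Detection for an 'Infected:' line, or None for other lines."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    # Assumption: "/" separates an archive from its member; it cannot
    # appear in the Windows path of the container itself.
    container, _, member = m.group("obj").partition("/")
    parts = container.split("\\")
    in_store = len(parts) > 1 and parts[1].upper() == RESTORE_DIR
    return Detection(container.lower(), member, m.group("name"), in_store)


def triage(report):
    """Summarise where the detections are and whether the report is complete."""
    reported = None
    detections = []
    for line in report.splitlines():
        count = INFECTED_COUNT.match(line.strip())
        if count:
            reported = int(count.group(1))
            continue
        det = parse_detection(line)
        if det:
            detections.append(det)
    live = [d for d in detections if not d.in_restore_store]
    return {
        "detections": detections,
        "names": sorted({d.name for d in detections}),
        # An archive and its member count as two objects but one file.
        "files_on_disk": sorted({d.file_on_disk for d in detections}),
        "live": live,
        # False means the pasted log was truncated or edited.
        "counts_match": reported == len(detections),
        # True only if purging restore points would cover every detection.
        "restore_only": bool(detections) and not live,
    }


if __name__ == "__main__":
    result = triage(REPORT)
    print("detection names:", result["names"])
    print("files on disk:  ", result["files_on_disk"])
    print("restore only:   ", result["restore_only"])
    print("counts match:   ", result["counts_match"])
```

A `restore_only` result of `False` means at least one detection is in a live path, and clearing restore points alone would leave it in place.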
#49
Posted 20 June 2005 - 07:54 AM
I took off KAV before installing McAfee so there was only 1 AV running at one time. Really appreciate your help but the trojan still gets detected on IE logon.....
#50
Posted 20 June 2005 - 08:05 AM
Trojan Startpage you mean? Did you disable system restore and then enable it?
#51
Posted 21 June 2005 - 10:35 AM
Yes, same on "StartPage-DU.dll.dr". I've disabled and re-enabled system restore and it still comes back.
One thing, I've now tried running with Mozilla Firefox as a browser and it hasn't come back yet....
#52
Posted 21 June 2005 - 08:03 PM
That's not right. We have to remove it.
Download CWShredder http://www.greyknigh.../CWShredder.exe
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in them, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.
Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.
Disconnect from the net and close all programs.
Boot into Safe Mode.
Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.
If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.
Now run the CWShredder and hit the Fix button.
Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.
Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.
See if IE still triggers that Startpage trojan.
#53
Posted 22 June 2005 - 07:44 AM
All done, logs following:
(6/22/05 14:21:28) SPSeHjFix started v1.09
(6/22/05 14:21:28) OS: WinME (4.90.73010104)
(6/22/05 14:21:28) Language: english
(6/22/05 14:21:30) Disinfect started
(6/22/05 14:21:30) Bad-Dll(IEP): (not found)
(6/22/05 14:21:30) Bad-Dll(IEP) in BHO: (not found)
(6/22/05 14:21:30) UBF: 4
(6/22/05 14:21:30) UBB: 3
(6/22/05 14:21:30) UBR: 36
(6/22/05 14:21:30) Bad IE-pages:
(6/22/05 14:21:30) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/22/05 14:21:30) File added to delete: c:\windows\faultllg.txt
(6/22/05 14:21:30) Reboot
(6/22/05 14:22:24) SPSeHjFix 2nd Step
(6/22/05 14:22:24) RunServicesOnce-Key: (alex)
(6/22/05 14:22:28) Cleaned
Logfile of HijackThis v1.99.1
Scan saved at 14:36:30, on 22/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE QUICKCLEAN\PLGUNI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\MY DOWNLOADS\VIRUS SPYWARE FIXES SEE GEEKS TO GO WEB SITE\HJT REG FIX\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
Thanks.
Startpage not found this time....
#54
Posted 22 June 2005 - 01:46 PM
...has just come back again when using IE to log on. Exactly the same startpage trojan in random name file in win/sys folder. The infected file doesn't actually exist after McAfee has disinfected.
#55
Posted 22 June 2005 - 02:38 PM
OK, if it comes back again, can you run SpSeHjFix and post the log here?
Do this also:
Right click on http://www.silentrun...ent Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.
Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
#56
Posted 23 June 2005 - 02:40 PM
Yes it came right back.
SpSeHjFix always finds a stealth string in C:\WINDOWS\FAULTLLG.TXT and implies that it will delete this, but it is always still there when I check. However, this time another file appeared in the SpSeHjFix folder called bad-dll.txt which contains the line C:\WINDOWS\FAULTLLG.TXT. This file has now been removed from the windows folder - maybe it didn't work before or am I trying to be smart?
Here are the logs:
(6/23/05 21:18:26) SPSeHjFix started v1.09
(6/23/05 21:18:26) OS: WinME (4.90.73010104)
(6/23/05 21:18:26) Language: english
(6/23/05 21:18:28) Disinfect started
(6/23/05 21:18:28) Bad-Dll(IEP): (not found)
(6/23/05 21:18:28) Bad-Dll(IEP) in BHO: (not found)
(6/23/05 21:18:28) UBF: 4
(6/23/05 21:18:28) UBB: 3
(6/23/05 21:18:28) UBR: 37
(6/23/05 21:18:28) Bad IE-pages:
(6/23/05 21:18:28) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/23/05 21:18:28) File added to delete: c:\windows\faultllg.txt
(6/23/05 21:18:28) Reboot
From bad-dll.txt file:
C:\WINDOWS\FAULTLLG.TXT
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"McAfee QuickClean Imonitor" = "C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"NvColorInit" = "RUNDLL32.EXE NVQTWK.DLL,NvColorInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"AHQInit" = "C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" ["Creative Technology Ltd"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"DIAGENT" = "C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"Hidserv" = "Hidserv.exe run" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"MSKServerExe" = "C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe" ["McAfee Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" ["McAfee Security"]
"MPSExe" = "C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding" ["McAfee, Inc"]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"McVsRte" = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding" ["McAfee, Inc"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}\(Default) = "McBrwHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL" ["McAfee, Inc"]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}\(Default) = "McAfee PopupKiller"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL" ["McAfee, Inc"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
Enabled Active Desktop and Wallpaper:
-------------------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\sue and bill.jpg"
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"OSA9" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" [MS]
Enabled Scheduled Tasks:
------------------------
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Tune-up Application Start" -> launches: "walign" [MS]
"McAfee.com Update Check 05232005184653" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\mclsp.dll ["Networks Associates Technology, Inc"], 01 - 06, 13
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 07
C:\WINDOWS\SYSTEM\msafd.dll [MS], 08 - 10
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 11 - 12
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}"
-> {CLSID}\(Default) = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
-> {CLSID}\(Default) = "Encarta &Researcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{EE117DAA-A30B-40FC-945C-38AE1B80C1FA}\
"ButtonText" = "Dell Home"
"Exec" = "http://www.euro.dell...en/default.htm" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Researcher"
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]
HOSTS file
----------
C:\WINDOWS\HOSTS
maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
DLL COMPARE:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found "
________________________________________________
955 items found: 955 files, 0 directories.
Total of file sizes: 197,858,961 bytes 188.69 M
--------------------End log---------------------
One more thing - I am now able to change my background from blue which I haven't been able to since this started?
Thanks.
Ian.
#57
Posted 23 June 2005 - 03:52 PM
If you still see C:\WINDOWS\FAULTLLG.TXT, do this:
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:
C:\WINDOWS\FAULTLLG.TXT
Run SpSeHjFix again and see if the Startpage trojan still reoccurs.
#58
Posted 25 June 2005 - 02:11 AM
Can't see C:\WINDOWS\FAULTLLG.TXT anywhere and have done a full search with no trace. But SPFIX still tries to fix it!
Log:
(6/25/05 08:46:23) SPSeHjFix started v1.09
(6/25/05 08:46:23) OS: WinME (4.90.73010104)
(6/25/05 08:46:23) Language: english
(6/25/05 08:46:26) Disinfect started
(6/25/05 08:46:26) Bad-Dll(IEP): (not found)
(6/25/05 08:46:26) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:46:26) UBF: 4
(6/25/05 08:46:26) UBB: 3
(6/25/05 08:46:26) UBR: 37
(6/25/05 08:46:26) Bad IE-pages:
(6/25/05 08:46:26) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:46:26) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:46:26) Reboot
(6/25/05 08:47:29) SPSeHjFix 2nd Step
(6/25/05 08:47:30) RunServicesOnce-Key: (alex)
(6/25/05 08:47:36) Cleaned
(6/25/05 08:52:09) SPSeHjFix started v1.09
(6/25/05 08:52:09) OS: WinME (4.90.73010104)
(6/25/05 08:52:09) Language: english
(6/25/05 08:52:10) Disinfect started
(6/25/05 08:52:10) Bad-Dll(IEP): (not found)
(6/25/05 08:52:10) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:52:10) UBF: 4
(6/25/05 08:52:10) UBB: 3
(6/25/05 08:52:10) UBR: 37
(6/25/05 08:52:10) Bad IE-pages:
(6/25/05 08:52:10) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:52:10) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:52:10) Reboot
(6/25/05 08:53:14) SPSeHjFix 2nd Step
(6/25/05 08:53:14) RunServicesOnce-Key: (alex)
(6/25/05 08:53:42) Cleaned
(6/25/05 08:58:35) SPSeHjFix started v1.09
(6/25/05 08:58:35) OS: WinME (4.90.73010104)
(6/25/05 08:58:35) Language: english
(6/25/05 08:58:37) Disinfect started
(6/25/05 08:58:37) Bad-Dll(IEP): (not found)
(6/25/05 08:58:37) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:58:37) UBF: 4
(6/25/05 08:58:37) UBB: 3
(6/25/05 08:58:37) UBR: 37
(6/25/05 08:58:37) Bad IE-pages:
(6/25/05 08:58:37) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:58:37) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:58:37) Reboot
(6/25/05 09:00:13) SPSeHjFix 2nd Step
(6/25/05 09:00:14) RunServicesOnce-Key: (alex)
(6/25/05 09:00:26) Cleaned
And the same Trojan appeared again today....
#59
Posted 25 June 2005 - 01:42 PM
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and Uncheck Resident.
Click Allow Change box.
Look at the right hand corner of the screen to see if the icon for Spybot resident is still there. If it is, click it and choose exit.
Then reset Teatimer to default
Provided Tea Timer and SpyBot are closed/off:
Download ResetTeaTimer.bat
http://forums.net-in...=post&id=141095
to your desktop, now run ResetTeaTimer.bat.
Then since it will not be needed again delete ResetTeaTimer.bat.
Download SpHjfix http://www.greyknigh...spy/SpHjfix.exe and boot into Safe Mode to run it.
Run the SpSeHjFix tool also. Save log.
Restart and post the SpSeHjFix log here.
Still detected now?
#60
Posted 26 June 2005 - 02:15 AM
Hi,
TeaTimer.bat link not found at this location. Is there another path to this?
Thanks.