About blank...? [RESOLVED]


  • This topic is locked

#46
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Was this the online Kaspersky scan? It shouldn't have caused any conflicts. If it did, then disable McAfee for the time being. Enable it back after you are finished with the scan.

I want a copy of the files that Kaspersky can't disinfect. Copy and paste them here.
  • 0

#47
billywhizz (Member, Topic Starter, 70 posts)
No it was the full version that caused the conflict, sorry. Here is the logfile from the online scan:


-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, June 16, 2005 21:02:32
Operating System: Microsoft Windows Millennium Edition
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/06/2005
Kaspersky Anti-Virus database records: 126586
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 27488
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 3251 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A0000370.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB/A0000023.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\ARCHIVE\FS1.CAB Infected: Trojan.Win32.StartPage.vr

Scan process completed.
  • 0

#48
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You shouldn't run two antivirus programs on the same computer. That might have been the problem.

We're basically all done here. Make sure to disable system restore (and then restart and enable it) to get rid of the remaining junk.

Your log is clean.

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0
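A way to read that scan report mechanically, as an added example (not from the thread or from any tool mentioned in it): it pulls every "Infected:" line from a Kaspersky Web Scanner report and records whether the object lives under the System Restore store (c:\_RESTORE), which is why the fix here is to cycle System Restore rather than to hunt for a running infection. The report text is a constructed excerpt of the one posted above.

```python
"""Classify Kaspersky Web Scanner detections by where they live on disk."""
import re
from dataclasses import dataclass

# Constructed sample: the three detections from the scan report posted above
# (the report's other lines are omitted; the parser ignores them anyway).
SAMPLE_REPORT = """\
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, June 16, 2005 21:02:32
Operating System: Microsoft Windows Millennium Edition
-------------------------------------------------------------------------------

Scan Statistics:
Total number of scanned objects: 27488
Number of viruses found: 1
Number of infected objects: 3

Infected Object Name - Virus Name
c:\\_RESTORE\\TEMP\\A0000370.CPY Infected: Trojan.Win32.StartPage.vr
c:\\_RESTORE\\ARCHIVE\\FS1.CAB/A0000023.CPY Infected: Trojan.Win32.StartPage.vr
c:\\_RESTORE\\ARCHIVE\\FS1.CAB Infected: Trojan.Win32.StartPage.vr

Scan process completed.
"""

# Windows 9x/ME System Restore keeps its snapshots under <drive>:\_RESTORE;
# objects there are dormant copies, not files that run on their own.
RESTORE_STORE = re.compile(r"^[a-z]:\\_restore\\", re.IGNORECASE)
DETECTION = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")


@dataclass
class Detection:
    path: str            # full object path as printed by the scanner
    container: str       # archive holding the object, or "" for a plain file
    name: str            # detection name
    in_restore_store: bool


def parse_detections(report: str) -> list[Detection]:
    """Return one Detection per 'Infected:' line in the report."""
    found = []
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # The scanner prints archive members as <archive>/<member>; the
        # on-disk file is the part before the first forward slash.
        container = path.split("/", 1)[0] if "/" in path else ""
        found.append(Detection(path, container, m.group("name"),
                               bool(RESTORE_STORE.match(path))))
    return found


def summarize(report: str) -> dict:
    """Count detections inside versus outside the System Restore store."""
    dets = parse_detections(report)
    live = [d for d in dets if not d.in_restore_store]
    # Distinct on-disk files to act on (archive members collapse onto their archive).
    files = sorted({(d.container or d.path).lower() for d in dets})
    return {
        "total": len(dets),
        "restore_store": len(dets) - len(live),
        "live": len(live),
        "files": files,
        "names": sorted({d.name for d in dets}),
        # Every hit is a restore snapshot: disabling System Restore, rebooting
        # and re-enabling it purges those copies; nothing live needs cleaning.
        "only_restore_cycle_needed": bool(dets) and not live,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```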

#49
billywhizz (Member, Topic Starter, 70 posts)
I took off KAV before installing McAfee so there was only 1 AV running at one time. Really appreciate your help but the trojan still gets detected on IE logon.....
  • 0

#50
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Trojan Startpage you mean? Did you disable system restore and then enable it?
  • 0

#51
billywhizz (Member, Topic Starter, 70 posts)
Yes, same on "StartPage-DU.dll.dr". I've disabled and re-enabled system restore and it still comes back.

One thing, I've now tried running with Mozilla Firefox as a browser and it hasn't come back yet....
  • 0

#52
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
That's not right. We have to remove it.

Download CWShredder http://www.greyknigh.../CWShredder.exe

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in it, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs.

Boot into Safe Mode.

Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to the next stage.

Now run the CWShredder and hit the Fix button.

Run CleanUp! and click on CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

See if IE still triggers that Startpage trojan.
  • 0

#53
billywhizz (Member, Topic Starter, 70 posts)
All done, logs following:


(6/22/05 14:21:28) SPSeHjFix started v1.09
(6/22/05 14:21:28) OS: WinME (4.90.73010104)
(6/22/05 14:21:28) Language: english
(6/22/05 14:21:30) Disinfect started
(6/22/05 14:21:30) Bad-Dll(IEP): (not found)
(6/22/05 14:21:30) Bad-Dll(IEP) in BHO: (not found)
(6/22/05 14:21:30) UBF: 4
(6/22/05 14:21:30) UBB: 3
(6/22/05 14:21:30) UBR: 36
(6/22/05 14:21:30) Bad IE-pages:
(6/22/05 14:21:30) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/22/05 14:21:30) File added to delete: c:\windows\faultllg.txt
(6/22/05 14:21:30) Reboot
(6/22/05 14:22:24) SPSeHjFix 2nd Step
(6/22/05 14:22:24) RunServicesOnce-Key: (alex)
(6/22/05 14:22:28) Cleaned

Logfile of HijackThis v1.99.1
Scan saved at 14:36:30, on 22/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\MPS\MSCIFAPP.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE2K\CREATIVE DIAGNOSTICS 2.0\DIAGENT.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE QUICKCLEAN\PLGUNI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\MY DOWNLOADS\VIRUS SPYWARE FIXES SEE GEEKS TO GO WEB SITE\HJT REG FIX\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: OSA9.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.euro.dell...gen/default.htm (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

Thanks.

Startpage not found this time....
  • 0
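An added triage script (not from the thread, HijackThis or any other tool named in it) for a HijackThis v1.99 log like the one above: it flags O1 hosts entries that point a name at a non-loopback address (the log's one entry maps www.dcsresearch.com to 64.91.255.87, the same mapping Silent Runners later reports as "not localhost") and lists O4 autostarts by where they load from. The log text is a constructed excerpt of the one posted.

```python
"""Triage a HijackThis v1.99 log: hosts-file redirects and autostart entries."""
import ipaddress
import re

# Constructed excerpt of the HijackThis log posted above (most lines omitted).
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\PROGRAM FILES\\SPYBOT - SEARCH & DESTROY\\TEATIMER.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\RunServices: [*StateMgr] C:\\WINDOWS\\System\\Restore\\StateMgr.exe
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - Startup: OSA9.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE
"""

# One HijackThis entry per line: a section code (R0-R3, F0-F3, O1-O23) and a body.
ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# O4 registry form:       HKLM\..\Run: [Name] command
AUTORUN = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O4 Startup-folder form: Startup: shortcut.lnk = target
STARTUP = re.compile(r"^Startup:\s+(?P<name>.+?)\s+=\s+(?P<cmd>.*)$")


def parse_entries(log):
    """Return [(code, body)] for every 'Rn/Fn/On - ...' line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def hosts_redirects(entries):
    """O1 mappings whose target is not a loopback address.

    A hosts line that points a name at 127.0.0.1 merely blocks it; a name
    resolved to an outside address silently redirects the user there."""
    flagged = []
    for code, body in entries:
        m = HOSTS.match(body) if code == "O1" else None
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an IP literal; leave it for manual review
        if not addr.is_loopback:
            flagged.append((m.group("host"), m.group("ip")))
    return flagged


def autostarts(entries):
    """O4 entries as dicts: where each one loads from and what it runs."""
    items = []
    for code, body in entries:
        if code != "O4":
            continue
        m = AUTORUN.match(body)
        if m:
            items.append({"source": f"{m.group('hive')}\\{m.group('key')}",
                          "name": m.group("name"), "cmd": m.group("cmd")})
            continue
        m = STARTUP.match(body)
        if m:
            items.append({"source": "Startup folder",
                          "name": m.group("name"), "cmd": m.group("cmd")})
    return items


def triage(log):
    """Summary a helper would review first: redirects, then autostart surface."""
    entries = parse_entries(log)
    runs = autostarts(entries)
    by_source = {}
    for item in runs:
        by_source[item["source"]] = by_source.get(item["source"], 0) + 1
    return {"entries": len(entries),
            "hosts_redirects": hosts_redirects(entries),
            "autostarts": runs,
            "by_source": by_source}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT).items():
        print(f"{key}: {value}")
```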

#54
billywhizz (Member, Topic Starter, 70 posts)
...has just come back again when using IE to log on. Exactly the same startpage trojan in random name file in win/sys folder. The infected file doesn't actually exist after McAfee has disinfected.
  • 0

#55
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, if it comes back again, can you run SpSeHjFix and post the log here?

Do this also:

Right click on http://www.silentrun...ent Runners.vbs and choose Save As... Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
  • 0

#56
billywhizz (Member, Topic Starter, 70 posts)
Yes it came right back.

SpSeHjFix always finds a stealth string in C:\WINDOWS\FAULTLLG.TXT and implies that it will delete this, but it is always still there when I check. However, this time another file appeared in the SpSeHjFix folder called bad-dll.txt which contains the line C:\WINDOWS\FAULTLLG.TXT. This file has now been removed from the windows folder - maybe it didn't work before or am I trying to be smart?

Here are the logs:


(6/23/05 21:18:26) SPSeHjFix started v1.09
(6/23/05 21:18:26) OS: WinME (4.90.73010104)
(6/23/05 21:18:26) Language: english
(6/23/05 21:18:28) Disinfect started
(6/23/05 21:18:28) Bad-Dll(IEP): (not found)
(6/23/05 21:18:28) Bad-Dll(IEP) in BHO: (not found)
(6/23/05 21:18:28) UBF: 4
(6/23/05 21:18:28) UBB: 3
(6/23/05 21:18:28) UBR: 37
(6/23/05 21:18:28) Bad IE-pages:
(6/23/05 21:18:28) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/23/05 21:18:28) File added to delete: c:\windows\faultllg.txt
(6/23/05 21:18:28) Reboot

From bad-dll.txt file:
C:\WINDOWS\FAULTLLG.TXT


"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"McAfee QuickClean Imonitor" = "C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START" ["McAfee, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\SYSTEM\hpztsb10.exe" ["HP"]
"LTWinModem1" = "ltmsg.exe 9" ["LUCENT TECHNOLOGIES"]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"NvColorInit" = "RUNDLL32.EXE NVQTWK.DLL,NvColorInit" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"SystemTray" = "SysTray.Exe" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"AHQInit" = "C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe" ["Creative Technology Ltd"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"DIAGENT" = "C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup" ["Creative Technology Ltd"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"Hidserv" = "Hidserv.exe run" [MS]
"VSOCheckTask" = ""C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask" ["McAfee, Inc."]
"VirusScan Online" = ""C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"" ["McAfee, Inc."]
"MCAgentExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE" ["McAfee, Inc"]
"MSKServerExe" = "C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe" ["McAfee Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE" ["McAfee Inc."]
"MSKDetectorExe" = "C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup" ["McAfee, Inc."]
"MPFExe" = "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE" ["McAfee Security"]
"MPSExe" = "C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding" ["McAfee, Inc"]
"devldr16.exe" = "C:\WINDOWS\SYSTEM\devldr16.exe" ["Creative Technology Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"McVsRte" = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding" ["McAfee, Inc"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]
{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}\(Default) = "McBrwHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL" ["McAfee, Inc"]
{3EC8255F-E043-4cae-8B3B-B191550C2A22}\(Default) = "McAfee PopupKiller"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL" ["McAfee, Inc"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ADAPTEC\EASYCD~1\DIRECTCD\SHELLEX.DLL" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\sue and bill.jpg"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"OSA9" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Tune-up Application Start" -> launches: "walign" [MS]
"McAfee.com Update Check 05232005184653" -> launches: "C:\PROGRA~1\MCAFEE.COM\AGENT\mcupdate.exe /Schedule" ["McAfee, Inc"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\SYSTEM\mclsp.dll ["Networks Associates Technology, Inc"], 01 - 06, 13
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 07
C:\WINDOWS\SYSTEM\msafd.dll [MS], 08 - 10
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 11 - 12


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}"
-> {CLSID}\(Default) = "McAfee VirusScan"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL" ["McAfee, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
-> {CLSID}\(Default) = "Encarta &Researcher"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{EE117DAA-A30B-40FC-945C-38AE1B80C1FA}\
"ButtonText" = "Dell Home"
"Exec" = "http://www.euro.dell...en/default.htm" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Researcher"

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\INETREPL.DLL" [MS]


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

DLL COMPARE:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found ;)"
________________________________________________

955 items found: 955 files, 0 directories.
Total of file sizes: 197,858,961 bytes 188.69 M

--------------------End log---------------------


One more thing - I am now able to change my background from blue which I haven't been able to since this started?

Thanks.

Ian.
  • 0

#57
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
If you still see C:\WINDOWS\FAULTLLG.TXT, do this:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINDOWS\FAULTLLG.TXT

Run SpSeHjFix again and see if the Startpage trojan still reoccurs.
  • 0

#58
billywhizz (Member, Topic Starter, 70 posts)
Can't see C:\WINDOWS\FAULTLLG.TXT anywhere and have done a full search with no trace. But SPFIX still tries to fix it!

Log:


(6/25/05 08:46:23) SPSeHjFix started v1.09
(6/25/05 08:46:23) OS: WinME (4.90.73010104)
(6/25/05 08:46:23) Language: english
(6/25/05 08:46:26) Disinfect started
(6/25/05 08:46:26) Bad-Dll(IEP): (not found)
(6/25/05 08:46:26) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:46:26) UBF: 4
(6/25/05 08:46:26) UBB: 3
(6/25/05 08:46:26) UBR: 37
(6/25/05 08:46:26) Bad IE-pages:
(6/25/05 08:46:26) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:46:26) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:46:26) Reboot
(6/25/05 08:47:29) SPSeHjFix 2nd Step
(6/25/05 08:47:30) RunServicesOnce-Key: (alex)
(6/25/05 08:47:36) Cleaned


(6/25/05 08:52:09) SPSeHjFix started v1.09
(6/25/05 08:52:09) OS: WinME (4.90.73010104)
(6/25/05 08:52:09) Language: english
(6/25/05 08:52:10) Disinfect started
(6/25/05 08:52:10) Bad-Dll(IEP): (not found)
(6/25/05 08:52:10) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:52:10) UBF: 4
(6/25/05 08:52:10) UBB: 3
(6/25/05 08:52:10) UBR: 37
(6/25/05 08:52:10) Bad IE-pages:
(6/25/05 08:52:10) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:52:10) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:52:10) Reboot
(6/25/05 08:53:14) SPSeHjFix 2nd Step
(6/25/05 08:53:14) RunServicesOnce-Key: (alex)
(6/25/05 08:53:42) Cleaned


(6/25/05 08:58:35) SPSeHjFix started v1.09
(6/25/05 08:58:35) OS: WinME (4.90.73010104)
(6/25/05 08:58:35) Language: english
(6/25/05 08:58:37) Disinfect started
(6/25/05 08:58:37) Bad-Dll(IEP): (not found)
(6/25/05 08:58:37) Bad-Dll(IEP) in BHO: (not found)
(6/25/05 08:58:37) UBF: 4
(6/25/05 08:58:37) UBB: 3
(6/25/05 08:58:37) UBR: 37
(6/25/05 08:58:37) Bad IE-pages:
(6/25/05 08:58:37) Stealth-String found: C:\WINDOWS\FAULTLLG.TXT
(6/25/05 08:58:37) File added to delete: c:\windows\faultllg.txt
(6/25/05 08:58:37) Reboot
(6/25/05 09:00:13) SPSeHjFix 2nd Step
(6/25/05 09:00:14) RunServicesOnce-Key: (alex)
(6/25/05 09:00:26) Cleaned

And the same Trojan appeared again today....
  • 0

#59
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box and Uncheck Resident.
Click Allow Change box.
Look at the right hand corner of the screen to see if the icon for Spybot resident is still there. If it is, click it and choose exit.

Then reset Teatimer to default
Provided Tea Timer and SpyBot are closed/off:
Download ResetTeaTimer.bat
http://forums.net-in...=post&id=141095
to your desktop, now run ResetTeaTimer.bat.
Then since it will not be needed again delete ResetTeaTimer.bat.

Download SpHjfix http://www.greyknigh...spy/SpHjfix.exe and boot into Safe Mode to run it.

Run the SpSeHjFix tool also. Save log.

Restart and post the SpSeHjFix log here.

Still detected now?
  • 0

#60
billywhizz (Member, Topic Starter, 70 posts)
Hi,

TeaTimer.bat link not found at this location. Is there another path to this?

Thanks.
  • 0
