TrojanHorse Startup page 19.J



#1 nconway (Member, 11 posts)
I went away on vacation to come home and find this virus on my computer. I have a feeling my teenage son went somewhere he shouldn't have been on the internet, grrrrrrrrrrr :tazz:
Regardless, I have the TrojanHorse startuppage.19.J virus. I ran AVG, Spybot, Adaware. All come up clean; AVG claims they healed the virus, but it keeps coming up when I open anything connected to the internet. It changed my start-up page to about:blank; AVG identifies the virus each time I open Internet Explorer and I delete it each time or heal it, and neither works.
I have a friend who came and worked on it; he said he had the same virus and knew how to fix it. He downloaded SpSeHjfix112 to my desktop, ran it and then rebooted. Well, it did get rid of the problem; however, I can't open IE now. I can open everything else, but not IE. I am sending this via AOL because I couldn't get IE to open.
I have the logs from SpSeHjfix112 if you need them, so at this point I am curious what happened that affected IE... can you help me???
I will wait to hear from you,
Nancy

Edited by nconway, 16 May 2005 - 08:20 AM.



#2 AlexR (Member, 80 posts)
Hello Nancy, my name's Alex and I'm here to help. Welcome to Geeks To Go.

Please read this post and follow the instructions there. Once these steps have been carried out, please post a new HijackThis log and we'll go from there :tazz:

#3 nconway (Topic Starter, Member, 11 posts)
Wow, that was a lot to do. It took hours, but I did everything requested; not sure if I did it all correctly, I hope so.
I still can not open IE. So, I will post my logs from HijackThis, Ewido security, and
Spsehjfix112, which seems to be what caused the problem with IE; it did get rid of the Trojan start page 19.J but caused a problem with my IE. I did download and run winsock but it didn't seem to help. I also can not seem to figure out how to get the logs from adware or spybot.
Nancy

HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 9:53:45 PM, on 5/16/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
E:\America Online 7.0\aoltray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\America Online 7.0\waol.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\UDKOVB6M\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = E:\America Online 7.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuke...erInstaller.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensave.../sinstaller.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C339E33-9F2B-4421-8C45-0326E58B5A8B}: NameServer = 205.188.146.145
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


EWIDO SECURITY
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:18:33 PM, 5/16/2005
+ Report-Checksum: BAF0C4A9

+ Date of database: 5/17/2005
+ Version of scan engine: v3.0

+ Duration: 14 min
+ Scanned Files: 17851
+ Speed: 20.30 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\

+ Scan result:
D:\Program Files\CxtPls\WinGenerics.dll -> Spyware.Apropos.f -> Cleaned with backup


::Report End


SpSeHjFix112 logs. This was downloaded and put on my desktop and run; it got rid of the Trojan start-up problem, but afterwards I could not open IE. Here are the logs:

(5/16/05 5:45:54 AM) SPSeHjFix started v1.1.2
(5/16/05 5:45:54 AM) OS: Win2000 Service Pack 3 (5.0.2195)
(5/16/05 5:45:54 AM) Language: english
(5/16/05 5:45:54 AM) Win-Path: C:\WINNT
(5/16/05 5:45:54 AM) System-Path: C:\WINNT\System32
(5/16/05 5:45:54 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/16/05 5:46:01 AM) Disinfection started
(5/16/05 5:46:01 AM) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\se.dll
(5/16/05 5:46:01 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\System32\ebki.dll
(5/16/05 5:46:01 AM) Searchassistant Uninstaller - Keys Deleted
(5/16/05 5:46:01 AM) UBF: 6 - UBB: 1 - UBR: 7
(5/16/05 5:46:01 AM) FilterKey: HKCR\text/html (deleted)
(5/16/05 5:46:01 AM) FilterKey: HKCR\CLSID\{33EC789E-57B4-481E-9671-E251BA0CCCB5} (deleted)
(5/16/05 5:46:01 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/16/05 5:46:01 AM) FilterKey: HKCR\text/plain (deleted)
(5/16/05 5:46:01 AM) FilterKey: HKCR\CLSID\{33EC789E-57B4-481E-9671-E251BA0CCCB5} (error while deleting)
(5/16/05 5:46:01 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/16/05 5:46:01 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FC1662F-DBDB-4896-9E0C-224DADF3CCEC} (deleted)
(5/16/05 5:46:01 AM) BHO-Key: HKCR\CLSID\{9FC1662F-DBDB-4896-9E0C-224DADF3CCEC} (deleted)
(5/16/05 5:46:01 AM) UBF: 4 - UBB: 0 - UBR: 7
(5/16/05 5:46:01 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/16/05 5:46:01 AM) Stealth-String not found
(5/16/05 5:46:01 AM) File added to delete: c:\winnt\system32\ebki.dll
(5/16/05 5:46:01 AM) Reboot

TDS LOGS

22:44:43 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
22:44:43 [Init] Started 16-05-05 22:44:43 US Mountain Standard Time (UTC: 7), Internet Time @1281.05
22:44:43 [Init] Loading TDS-3 Systems ...
22:44:43 [Init] Token successfully adjusted.
22:44:43 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
22:44:44 [Init] • Plugins : OK. Loaded 13
22:44:44 [Init] • Exec Protection : Not Installed
22:44:44 [Init] WARNING: Your Radius.TD3 database needs to be updated!
22:44:44 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
22:44:44 [Init] Licensed users can use the Update facility from the TDS menu
22:44:44 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
22:44:55 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
22:44:55 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
22:44:55 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
22:44:55 [Init] TDS-3 Ready. <Administrator@172.194.173.91, 192.168.0.4, 127.0.0.1 - United States>
22:44:55 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that offers execution hooking
and protection. While other anti-trojan systems can detect trojans AFTER infection (when it's often too late),
TDS-3 can intercept file execution and block the execution of files that trigger alarms, preventing infection from occuring in the first place.
22:44:55 [TDS] Good evening Administrator.
22:45:03 [Mutex Memory Scan] Started...
22:45:04 [Mutex Memory Scan] Finished (no trojan mutexes found).
22:45:04 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.

Edited by nconway, 16 May 2005 - 11:51 PM.


#4 AlexR (Member, 80 posts)
Hi Nancy, what exactly is the problem with IE? Does it load ok, or can you not get any pages through on it?

#5 nconway (Topic Starter, Member, 11 posts)
It doesn't load. When I click on it, nothing happens; the cursor goes to an hourglass then just goes back to an arrow. No response from it, it does not load, doesn't do anything.
I am able to open AOL, Yahoo, my mail; everything is okay but IE.

#6 AlexR (Member, 80 posts)
Hi Nancy, before we sort out the IE issue, you will need to do a little bit of tidying up from the HijackThis log you posted.

*** Removing HT Entries ***

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save HijackThis in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

The second line down in the log shows a URL of www.dcsresearch.com. If you know and are OK with this site, please disregard it from the fix.

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O9 - Extra button: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab? <---- Optional

Weatherbug
I see you have a link to WeatherBug. This is not malicious but some consider it to be spyware. If you decide not to remove the entry, please ignore it. If you do want to remove it, please follow the instructions below:

* Click Start
* Click Settings
* Click Control Panel
* Click Add/Remove Programs
* Find the entry for WeatherBug and remove it.


This will uninstall the program from your system.

*** Repairing Internet Explorer ***

You may have to repair Internet Explorer. Please follow the guide below for instructions on how to do this. You may need your Windows 2000 CD in the process.

Repairing Internet Explorer

* Click Start
* Click Settings
* Click Control Panel
* Double click Add/Remove Programs
* Select Microsoft Internet Explorer 6 and Internet Tools from the list and click Add/Remove
* Select Repair Internet Explorer, then click OK
* Click Yes on the next screen and again when it asks you to restart your computer.

Also, you will need to update to Windows 2000 SP4 by visiting the Windows update site at www.microsoft.com.
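A way to automate the triage Alex walks through above (flag the missing URLSearchHook, the hosts-file override and the "(file missing)" O9 entries), as an added example that is not from the thread or from HijackThis itself; the sample entries are copied from the log posted earlier in the thread, and the rule set is a deliberate simplification chosen for this illustration:

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log posted in this
# thread (lines whose URLs the forum truncated with "..." are left out).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {42EF1E33-EF82-40E2-ABE0-019332A3A95C} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C339E33-9F2B-4421-8C45-0326E58B5A8B}: NameServer = 205.188.146.145
"""
# Every HijackThis entry starts with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")

def triage_entry(line):
    """Return (verdict, reason) for one entry, or None for non-entry lines.
    Verdicts follow the triage in this thread: 'fix', 'review' or 'keep'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R3" and "URLSearchHook is missing" in body:
        return ("fix", "default URL search hook removed; HijackThis can restore it")
    if "(file missing)" in body:
        return ("fix", "orphaned entry pointing at a file that no longer exists")
    if kind == "O1":
        return ("review", "hosts-file override; confirm the name-to-address mapping is intended")
    if kind == "O17":
        return ("review", "custom DNS server; confirm it belongs to the ISP")
    if kind in ("O2", "O16"):
        return ("review", "BHO or ActiveX download; verify the publisher")
    return ("keep", "no rule matched")

def triage_log(text):
    """Group every entry of a HijackThis log by verdict: {verdict: [(line, reason), ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        result = triage_entry(line)
        if result:
            groups[result[0]].append((line.strip(), result[1]))
    return dict(groups)

if __name__ == "__main__":
    for verdict, entries in triage_log(SAMPLE_LOG).items():
        print(verdict, [entry for entry, _ in entries])
```

Entries reported as "fix" correspond to the lines Alex asks to tick in HijackThis; "review" entries need a human decision, as with the WeatherBug O16 line he marks optional.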

#7
nconway

nconway

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Alex, I've been out of town. I will follow your last directions today or tomorrow and get back with you; please don't forget me :tazz:
Nancy

#8 AlexR (Member, 80 posts)
No worries, Nancy. Ready when you are!

#9 nconway (Topic Starter, Member, 11 posts)
:tazz: Thanks Alex, IE is operating and everything seems okay.
I appreciate your help.
Nancy