
trojanhorse startpage 19.an and j [RESOLVED]

  • This topic is locked

#16 shell38 (Member, Topic Starter, 119 posts)
Hi

Thanks once again :tazz: Well, it prompted me to download something from the Microsoft web page, so I did it. This is the log you asked for. I'm glad someone has the brains, as this to me is something off the next planet, laughs.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"internat.exe" = "internat.exe" [MS]
"Adaptec DirectCD" = "C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE" ["Adaptec"]
"EnsoniqMixer" = "starter.exe" ["ENSONIQ Corp."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LoadQM" = "loadqm.exe" [MS]
"Motive SmartBridge" = "C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"SetIcon" = "C:\Program Files\Icons\Seticon.exe" ["Standard Microsystems Corp."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CD-Writer Plus\DirectCD\shellex.dll" ["Adaptec"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ILLUSTRATE\DBPOWERAMP\DBSHELL.DLL" ["$"]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ILLUSTRATE\DBPOWERAMP\DMCSHELL.DLL" ["$"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "Internet Shortcut" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
INFECTION WARNING! "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SSHOOK.DLL" ["InterMute, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TDS-3\(Default) = "{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\TDS3SHL.DLL" ["("]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\SHARON\shells photos\Hear no evil,speak no evil,see no evil.jpg"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"EPSON Background Monitor" -> shortcut to: "C:\ESM2\Stms.exe" ["SEIKO EPSON CORPORATION"]
"broadband medic" -> shortcut to: "C:\Program Files\ntl\broadband medic\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"SpySubtract" -> shortcut to: "C:\Program Files\interMute\SpySubtract\SpySub.exe -autostart" ["InterMute, Inc."]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 34 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 32 seconds.
---------- (total run time: 171 seconds)
Thanks
Shell
#17 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I apologize for the wait. Excal is having problems with his Internet and he asked me to take over for him. Will you post a new HijackThis log into this topic for me and tell me exactly what problems you are still having?

#18 shell38 (Member, Topic Starter, 119 posts)
Hi

That's OK, it sometimes takes me a few days to check my PC anyway.
Well, the problem I'm getting is that sometimes I'm still getting AVG come up with a virus detected saying trojan horse 19; it says heal, but I don't think it is. Also, when I start the computer up it comes up with "Mad has caused an illegal operation and will close" etc. Sometimes there is another grey warning box with something like "Moviemaker has caused an illegal operation". When I click OK it does not seem to do anything with the computer, and I do not understand what these programs are anyway.

All these do not seem to be making a major problem with the computer. The only major thing is that when I go to some web sites the writing on them is so small that, although I have very good eyesight, I cannot see it; it's also distorted. I don't understand why this has started to do it.

Well, here is my new HijackThis log, and I can't see that much wrong.

Logfile of HijackThis v1.99.1
Scan saved at 23:39:12, on 09/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NTL\BROADBAND MEDIC\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\ICONS\SETICON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NTL\BROADBAND MEDIC\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NTL\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab

Many thanks
Shell :tazz:
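The HijackThis log above lists the R0/R1 browser settings, the O4 autostart entries and the O16 ActiveX (DPF) downloads that this kind of triage works from. The following Python script is an added example for this thread, not code from HijackThis or from either poster: it parses those line shapes and flags O4 entries whose executable is written without a full path (SysTray.Exe, internat.exe, loadqm.exe and the like), which the Windows 98 loader resolves through its search order rather than from a fixed location. Such entries are normal for Windows 98 system components, but they are also exactly the entries a planted file of the same name could satisfy, so they are the ones worth confirming on disk. SAMPLE_LOG is constructed from lines quoted in the log above; the function and field names are this example's own.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses R0/R1, O4 and O16 lines and flags O4 autostart entries whose executable
has no drive letter or UNC prefix, so it is resolved via the search path.
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
"""

# Line shapes HijackThis 1.99 uses for the sections handled here.
RE_R = re.compile(r"^R([01]) - (.*?),(.*?) = (.*)$")
RE_O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")


@dataclass
class Entry:
    kind: str          # "R0", "R1", "O4" or "O16"
    location: str      # registry key, startup folder or CLSID
    name: str          # value name, .lnk name or DPF description
    command: str       # raw command line, .lnk target, URL or setting
    executable: str = ""
    flags: list = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the program a Run value launches, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first ".exe" so paths with spaces survive.
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def is_unqualified(exe: str) -> bool:
    """True if the path carries no drive letter or UNC prefix."""
    return not (re.match(r"^[A-Za-z]:\\", exe) or exe.startswith("\\\\"))


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := RE_R.match(line):
            entries.append(Entry("R" + m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := RE_O4_REG.match(line):
            exe = executable_of(m.group(4))
            e = Entry("O4", f"{m.group(1)}\\..\\{m.group(2)}", m.group(3), m.group(4), exe)
            if is_unqualified(exe):
                e.flags.append("unqualified path")
            if m.group(2) == "RunServices":
                e.flags.append("RunServices (Win9x, runs before logon)")
            entries.append(e)
        elif m := RE_O4_STARTUP.match(line):
            # HijackThis prints the .lnk target without arguments, so the whole
            # right-hand side is the executable.
            exe = m.group(3)
            e = Entry("O4", m.group(1), m.group(2), m.group(3), exe)
            if is_unqualified(exe):
                e.flags.append("unqualified path")
            entries.append(e)
        elif m := RE_O16.match(line):
            entries.append(Entry("O16", m.group(1), m.group(2), m.group(3),
                                 flags=["ActiveX download"]))
    return entries


def unqualified_autostarts(entries: list) -> list:
    """Names of O4 entries whose executable is resolved via the search path."""
    return [e.name for e in entries if e.kind == "O4" and "unqualified path" in e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.kind:3} {e.name:<24} {e.executable or e.command}  {', '.join(e.flags)}")
```

Run it against a saved log with the full file contents in place of SAMPLE_LOG. On this thread's log it reports SystemTray, LoadPowerProfile, internat.exe and SchedulingAgent as search-path resolved; the check to make for each one is whether the file that actually gets loaded is the expected copy in C:\WINDOWS or C:\WINDOWS\SYSTEM rather than a same-named file earlier in the search order.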

#19 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Ok, thank you :tazz:

Let's see if we can find those startpage files:

Download the following file:

http://castlecops.co.../FindIt9xME.zip

and unzip the contents to a folder. When it has been unzipped, open that folder and double-click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any "File not found" messages on the screen; it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#20 shell38 (Member, Topic Starter, 119 posts)
Hi, many thanks for your help. Just a quick question about unzipping the folder, as I'm not really sure about this. I did have WinZip once, but for some reason I could not get it working, then it said it had expired, so I just wondered: does it do it automatically, or do I have to have a program for it?

Many thanks
Shell

#21 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Hi Shell ;)


You can download a copy of WinRAR here: http://www.tucows.com/preview/194276
(an unzip program)

:tazz:

Excal

#22 shell38 (Member, Topic Starter, 119 posts)
Hi Excal

So sorry I have not got back to you before now, but I have had major problems with my computer, so much so that I cannot even get on it. I am using a new computer and have moved the other one upstairs.

This is what happened: I could not turn the computer off at all, even if I just turned it off from the on/off button. So I had to use the reset button at the back. Then it would not load; in the end I got it to load into safe mode, but that is all it's doing. It will only load in safe mode now. If it was not for my daughter I would chuck it out of the window. But I want her and my other children to have a computer and not to go on this one, as I do not want the same thing happening with this.

On this computer I'm running Windows XP Media Center Edition. On the other one it is still Windows 98 SE.

If I try to do a log with HijackThis on the old one, I take it that I can, and that I will have to put it on a CD (this has no floppy) and try and work from that. But if you think this is a lost cause I will give up (tries to laugh).

Many thanks for your time and patience
Shell :tazz:

#23 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Shell,


Sorry to hear about your problems :tazz:

Can you get that program that Bannanafo gave you the link for and run it?


Thanks,


Excal

#24 shell38 (Member, Topic Starter, 119 posts)
Hi

I don't think I can, as I don't think I downloaded the program before it went right down, and now it's in safe mode, not connected to the Internet.

One way, I guess, but I'm not sure if it would work, is that I download the program on here, put it on a CD and then copy it to the old computer. But I don't think that would work, would it, as this is XP for one and the other is only 98.

So what do you suggest? Thanks
Shell

#25 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
That will work. Just download it and copy it onto a CD. It doesn't matter that there are different operating systems.


Thanks,

Excal
#26 shell38 (Member, Topic Starter, 119 posts)
Thanks once again. Now all I've got to do is learn how to use the CD writer on the new one, as I've not used it yet, laughs, but I'm sure it will be OK, fingers crossed.

One other thing: while the old computer loads it comes up with this. I have tried to write it down as best as I can, as it goes off so quick. It might be relevant:

set path C= windows:/ system Wbem (mc? not sure if this is in it) /windows comand c

There might be a bit more, but have you seen this before?

Thanks
Well, here goes, see if I can get this all sorted.

#27 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
To be honest, I am not sure. Could you get some more of the error next time, please?


Thanks,

Excal

#28 shell38 (Member, Topic Starter, 119 posts)
Hi

I will try to get the complete error as soon as I can.

Well, I think I got it sorted. I hope this is what you wanted; there's not a lot on it, so I'm not sure if it is right.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is SYSTEM
Volume Serial Number is 2E38-19F3
Directory of C:\WINDOWS\SYSTEM

19,619.63 MB free

------- Hidden Files in System Directory -------


Volume in drive C is SYSTEM
Volume Serial Number is 2E38-19F3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 04-20-05 6:54p folder.htt
DESKTOP INI 266 04-20-05 6:54p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 19,619.61 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"BTOW"="IEAK"

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------


Many thanks
Shell

#29 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
OK, that didn't show a thing. Let's start over here and see if we can get to the bottom of this. Tell me exactly what's going on with your computer and post me a new HijackThis log.


Thanks,

:tazz:

Excal

#30 shell38 (Member, Topic Starter, 119 posts)
Thanks for getting back to me. Well, here it is so far.

The computer started to not respond to shut down, not even if you reset it or switched it off from the front; the only way I could get it to shut down was by the switch there is on the back.
It worked for a while, then all of a sudden it would not load properly; it kept saying that Windows had not finished running and that it would start up in safe mode.
Now that is all that it will do.

When you try to click on normal mode it just starts in safe mode, so for some reason it is stuck in that. As I said earlier, there is a command thing that comes up, but it is so quick it gives you no chance to enter anything. I will try to get the correct one, but I have to keep turning it off and on to get it.

I will do a HijackThis log for you; it might not be tonight, but if I can't I will post it tomorrow.

Right, here I go to try it out.

Thanks
Shell
