Evil Aurora and More? [CLOSED]


#16 Wahine (Member, Topic Starter, 17 posts)
All righty, slowly but surely, I think things are starting to get straightened out. I tried everything you said to do. When I ran noscript, it said that Scripting was already enabled. So I ran silentrunner, but it gave me the same message that it gave me yesterday. I deleted all those files, so they're gone, and I ran CCleaner and FxIstBar, so something must be squeaky clean.

I just wonder why Search still doesn't work and why I am unable to run certain things like silentrunner. Did these last fixes get rid of those 11 "viruses" we found on Mwav?

I sure do appreciate your help. I have not heard of most of these things before!
#17 Wahine (Member, Topic Starter, 17 posts)
Oh, and this is juicy. Just now I closed Microsoft Explorer, then I tried to bring it back up and instead of going to my homepage (msn.com), it had "about:blank" in the address bar. Obviously, I was still able to get online though. This had not happened before.

#18 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Those 11 files were not viruses. Most were ok to leave alone. I just asked you to clean out those junk entries in the registry there and delete the few that were bad files.

OK, give me this log. Let's see if it will tell us anything:

Download StartDreck http://www.greyknigh.../StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

#19 Wahine (Member, Topic Starter, 17 posts)
Here you go...

StartDreck (build 2.1.7 public stable) - 2005-07-24 @ 18:45:42 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Lindsay Kirby at ATHENA

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\System32\ctfmon.exe
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*00THotkey=C:\WINDOWS\System32\00THotkey.exe
*000StTHK=000StTHK.exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*TFNF5=TFNF5.exe
*SigmaTel StacMon=C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
*LtMoh=C:\Program Files\ltmoh\Ltmoh.exe
*AGRSMMSG=AGRSMMSG.exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*TouchED=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
*TPSMain=TPSMain.exe
*ezShieldProtector for Px=C:\WINDOWS\System32\ezSP_Px.exe
*TFncKy=TFncKy.exe
*Pinger=c:\toshiba\ivp\ism\pinger.exe /run
*EPSON Stylus CX6600 Series=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB002" /M "Stylus CX6600"
*AOL Spyware Protection="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://msn.com/
+SearchUrl
*provider=
»Default User
*Start Page=about:blank
»Local Machine
*Default_Page_URL=http://www.toshiba.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Lindsay Kirby\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
`Set tmp=c:\temp
`Set temp=c:\temp
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=m
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\TASKMGR.COM
*C:\WINDOWS\System32\taskmgr.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\REGEDIT.COM
*C:\WINDOWS\regedit.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+752=\SystemRoot\System32\smss.exe
+804=\??\C:\WINDOWS\system32\csrss.exe
+828=\??\C:\WINDOWS\system32\winlogon.exe
+872=C:\WINDOWS\system32\services.exe
+884=C:\WINDOWS\system32\lsass.exe
+1048=C:\WINDOWS\system32\svchost.exe
+1072=C:\WINDOWS\System32\svchost.exe
+1340=C:\WINDOWS\System32\svchost.exe
+1384=C:\WINDOWS\System32\svchost.exe
+1616=C:\WINDOWS\Explorer.EXE
+1796=C:\WINDOWS\system32\spoolsv.exe
+1888=C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
+1944=C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
+1964=C:\WINDOWS\System32\DVDRAMSV.exe
+1996=C:\Program Files\ewido\security suite\ewidoctrl.exe
+2024=C:\WINDOWS\System32\nvsvc32.exe
+192=C:\WINDOWS\System32\svchost.exe
+276=C:\WINDOWS\wanmpsvc.exe
+584=C:\WINDOWS\System32\00THotkey.exe
+616=C:\WINDOWS\System32\TFNF5.exe
+624=C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
+632=C:\Program Files\ltmoh\Ltmoh.exe
+640=C:\WINDOWS\AGRSMMSG.exe
+648=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
+660=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
+692=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
+712=C:\WINDOWS\System32\TPSMain.exe
+732=C:\WINDOWS\System32\ezSP_Px.exe
+108=C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
+808=C:\toshiba\ivp\ism\pinger.exe
+988=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE
+1096=C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
+1136=C:\WINDOWS\System32\ctfmon.exe
+1156=C:\Program Files\Messenger\msmsgs.exe
+1184=C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
+1444=C:\WINDOWS\system32\RAMASST.exe
+1476=C:\WINDOWS\System32\TPSBattM.exe
+2352=C:\Program Files\Internet Explorer\iexplore.exe
+3444=C:\WINDOWS\System32\wuauclt.exe
+3800=C:\WINDOWS\System32\wuauclt.exe
+2300=C:\Documents and Settings\Lindsay Kirby\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

#20 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to C:\WINDOWS\ and double click on wininit.ini to open it in Notepad. Delete this line:

`NUL=m


Save the file and close it.

Run StartDreck with the same options checked as before. Click on each of the following and hit the Delete button in the program:

*Start Page=about:blank

To make it easier, I suggest doing a search for the above line (in the forum here) so that you have a rough idea of where it's located in the StartDreck program.

How's everything now?
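The log in #19 is read by eye above, and #20 picks out the two entries to act on. As an added example that is not part of the original posts and not StartDreck's own code, the Python script below parses the same marker format (» headers, * items, + grouped items, ` content lines) and applies the checks greyknight17 acted on (a wininit.ini [Rename] line and an about:blank Start Page), plus the usual checks for the other sections the log shows: AppInit_DLLs, Shell, Userinit, the hosts file and %PATH% companion files. SAMPLE_LOG is a constructed excerpt modelled on the posted log; the rule names and the findings format are this example's own conventions.

```python
"""Triage a StartDreck-style autostart log.

Added example for this thread; it is not part of the original posts and not
StartDreck's own code. SAMPLE_LOG is a constructed excerpt modelled on the
log posted above. Rule names and the findings format are this example's own.
"""

HIVES = {"Current User", "Default User", "Local Machine"}

# Constructed excerpt of the posted log: same markers, far fewer entries.
SAMPLE_LOG = r"""
»Internet Explorer
»Current User
*Start Page=http://msn.com/
»Default User
*Start Page=about:blank
»Special NT Values
»Local Machine
*AppInit_DLLs=
*SHELL=explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Text Files
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=m
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»%PATH% Companion Files
+C:\WINDOWS\System32\TASKMGR.COM
*C:\WINDOWS\System32\taskmgr.exe
"""


def parse_startdreck(text):
    """Return a list of item records from a StartDreck log.

    '»' starts a header, '*' an item, '+' a grouped item and '`' a content
    line belonging to the previous item. Nesting is not encoded in the
    markers, so only the last section header and the last hive-style header
    (Current User / Default User / Local Machine) are kept per record.
    """
    records = []
    section = hive = None
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        mark, body = line[0], line[1:]
        if mark == "»":
            if body in HIVES:
                hive = body
            else:
                section, hive = body, None
            current = None
        elif mark in "*+":
            key, sep, value = body.partition("=")
            current = {"section": section, "hive": hive, "mark": mark,
                       "key": key, "value": value if sep else None, "lines": []}
            records.append(current)
        elif mark == "`" and current is not None:
            current["lines"].append(body)
    return records


def triage(records):
    """Apply the triage rules; returns a list of (rule, detail) findings."""
    findings = []
    for i, rec in enumerate(records):
        sec, key, val = rec["section"], rec["key"], rec["value"]
        low_key = key.lower()
        if low_key.endswith("wininit.ini"):
            # [Rename] lines are destination=source; NUL as destination deletes.
            for ln in rec["lines"]:
                if ln.startswith("[") or not ln.strip():
                    continue
                dst, _, src = ln.partition("=")
                action = "delete" if dst.strip().upper() == "NUL" else f"rename to '{dst}'"
                findings.append(("wininit.ini", f"[Rename] entry '{ln}': {action} '{src}' at next boot"))
        elif low_key.endswith("\\etc\\hosts"):
            for ln in rec["lines"]:
                if ln.strip() and not ln.startswith("#") and ln.split() != ["127.0.0.1", "localhost"]:
                    findings.append(("hosts", f"non-default mapping '{ln}'"))
        elif sec == "Internet Explorer" and key == "Start Page" and val == "about:blank":
            findings.append(("ie", f"{rec['hive']} Start Page is about:blank"))
        elif sec == "Special NT Values":
            if key == "AppInit_DLLs" and val:
                findings.append(("appinit", f"AppInit_DLLs loads '{val}' into every process that maps user32.dll"))
            elif key == "SHELL" and rec["hive"] == "Local Machine" and val.lower() != "explorer.exe":
                findings.append(("shell", f"Shell is '{val}' instead of explorer.exe"))
            elif key == "Userinit":
                extra = [p for p in val.split(",")
                         if p.strip() and not p.strip().lower().endswith("userinit.exe")]
                if extra:
                    findings.append(("userinit", f"Userinit also runs {extra}"))
        elif sec == "%PATH% Companion Files" and rec["mark"] == "+" and i + 1 < len(records):
            # cmd.exe tries .COM before .EXE under the default PATHEXT order,
            # so a same-named .COM next to an .EXE runs first; verify it.
            shadowed = records[i + 1]["key"]
            findings.append(("companion", f"{key} resolves before {shadowed} under the default PATHEXT order; confirm it is legitimate"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_startdreck(SAMPLE_LOG)):
        print(f"[{rule}] {detail}")
```

Run against the excerpt it reports the Default User about:blank Start Page, the wininit.ini line (which would delete a file named m at the next boot) and the TASKMGR.COM companion file; the AppInit_DLLs, Shell, Userinit and hosts entries in the posted log are all at their defaults and produce nothing. The parser deliberately keeps only the last header and hive, which is enough for these sections but means Run-key entries are not attributed to a hive.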

#21 Wahine (Member, Topic Starter, 17 posts)
Well, I have the correct internet homepage now. All I see is the problem using Search, and the inability to run scripts (like with silentrunner) and online virus scans (like pandasoftware and even my McAfee CD).

#22 Wahine (Member, Topic Starter, 17 posts)
I also notice that if I go to a web site, aol for example, via internet explorer, I am unable to access the login page. The same thing happened with another web site that requires a log in. I don't know if this is random, or if this rings a bell somehow.

#23 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
For the search problem, take a look here. I'm not sure if it applies in your case also.

For the login page problem, go to Start->Run and type in regsvr32 softpub.dll and hit OK. See if that fixes it.

Any other problems?

#24 Wahine (Member, Topic Starter, 17 posts)
Hey, neither one of those fixes worked. I have run more scans using the tools like SpyBot and AdAware to see if anything comes up, and a couple of times I have seen WildTangent files. This is an infection of some kind isn't it? I wonder if this is somewhere and just keeps copying itself, and maybe it is why I can't do online or computer-based virus scans too. What do you think? Thanks so much for all your help. This is such a pesky problem.

#25 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
WildTangent probably won't cause this problem. See if it's listed in the Add/Remove panel. Uninstall it from there if it's found.

I'm not sure if this is related to malware anymore. Please post the search problem and login problem in the Windows XP forum instead. You should get better assistance there.

If there are no more questions/problems related to spyware, I will close this topic.
#26 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.