Hi, I have a very strange virus, and I cannot find information about it anywhere. On startup, it creates a folder in the windows\temp\ directory; it calls the folder "sys32". It then proceeds to rapidly fill this folder with junk files with an .exe extension. The names of the files are English as well as German, and they look like songs, games and video files. They multiply so fast that they take up about 50 MB a minute! It is so annoying, because every time I delete that folder, it creates itself again after I restart the computer. Norton antivirus does not detect it. Another antivirus programme (AVG) detects and removes the files, but they just come again. Can anybody help? I am desperate! Thanks
Judith

If you are on Win98, do Start > Run > MSCONFIG > Startup Tab and look for "strange" entries.
UNselect them. You also may have better luck if you do this after restarting to Safe mode.
BTW what is the name of the virus that AVG detects?

The name of the virus that AVG detects is " .exe". It says that there is an .exe extension on these files. But it does not name the virus, it simply writes " .exe". It is notable that these junk files all have an exe extension, however, there is a long space between the file name and the extension, e.g. "A beautiful mind .exe".
Thanks for the advice on running msconfig. Unfortunately, I have run this already, but was unable to detect any suspicious components. But perhaps I should mention that I detected a Trojan named "openme.exe" in the system.ini file a couple of days ago, and after I had removed it, these problems began.
This might be a new, previously unidentified virus!!
Judith

Right click on My Computer > Properties > Performance > File system > Troubleshooting and check on Disable System Restore.
Run the antivirus programs. You can get a free download at AVG http://www.grisoft.com/html/us_index.htm
Reboot and run the antivirus again to double check. Finally re-enable System Restore.
Sometimes you need a specific tool for a particular virus. Make a search in this forum and you will find plenty of info.
The reason it comes back is that when you delete a file, it is still on the hard drive in a different directory until another deleted file or program file overwrites it.

It's annoying, isn't it? They just multiply without stopping. I think I caught this virus when I downloaded a file from Kazaa. It ran an installation programme to access a porn site. Even though I deleted it, the openme.exe remained. When I deleted that too, the real problem started.
It really sucks, because there is no advice anywhere! Maybe this virus might become more popular, and then they will find a way to get rid of it!;) Judith

I tried to find 'disable system restore' on the troubleshooting tab, but I don't have such an option! (Windows 98) Maybe it has another term in Windows 98?
Judith

Was thinking the same thing... and yes, it does come from a Kazaa file.. I got mine when I downloaded a flash player.. I deleted the actual exe, but the files still appear.. I've updated my definitions on my virus scanner, and it still hasn't been found.

Download and run StartUplog from http://home.earthlink.net/~rmbox/Reticulated/Toys.html
It creates a StartUp.log file on your desktop. Copy / Paste the contents back here.

Copy and paste what the txt doc said? It's long, but here it is...
---------- C:\WINDOWS\desktop\StartUp.Log
Start-Ups checked at 05-18-2002 9:47:17.72p
__________________________________________________________________________
__________________________________________________________________________
StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________
Comments:
This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.
StartUp Log (version 1.56) - Release Date 3/11/2002
__________________________________________________________________________
__________________________________________________________________________
StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations
__________________________________________________________________________
__________________________________________________________________________
The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Microsoft IntelliType Pro"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\speedkey.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"LoadQM"="loadqm.exe"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"SVAPlayer"="C:\\Program Files\\SVA Player\\SVAPLAYER.exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"MediaLoads Installer"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"AvconsoleEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\avconsol.exe /minimize"
"Vshwin32EXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSHWIN32.exe"
"VsStatEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSSTAT.exe"
"McAfeeWebScanX"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\WEBSCANX.exe"
==========================================================================
__________________________________________________________________________
2. HKCU Run - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="D:\\AIM95\\aim.exe -cnetwait.odl"
==========================================================================
__________________________________________________________________________
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Vshwin32EXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSHWIN32.exe"
==========================================================================
__________________________________________________________________________
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
==========================================================================
__________________________________________________________________________
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
run=
load=
==========================================================================
__________________________________________________________________________
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe
==========================================================================
__________________________________________________________________________
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
C:\PROGRA~1\NETWOR~1\MCAFEE~2\BOOTSCAN.exe C:\
@IF ERRORLEVEL 1 PAUSE
@ECHO OFF
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI
PATH=%PATH%;d:\DAZZLE\BIN
REM Environment Settings For McAfee VirusScan
SET PATH=%PATH%;C:\PROGRA~1\NETWOR~1\MCAFEE~2
==========================================================================
__________________________________________________________________________
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-
Should show the Start Menu StartUp and All Users StartUp directories
.....................................................................
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Profiles\\Mekare\\Start Menu\\Programs\\Startup"
.....................................................................
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"Startup"="C:\\WINDOWS\\Profiles\\Mekare\\Start Menu\\Programs\\Startup"
.....................................................................
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-
Open Commands for Executable File Types
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\SYSTEM\\MSHTA.exe \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-=========================-
HKU (.Default) Run - Registry
-=========================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
-==============================-
HKU (.Default) RunOnce - Registry
-==============================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
-================================-
StubPaths - Registry (Partial Listing)
-================================-
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-
C:\SBPCI\SBINIT
-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 891 05-18-02 7:42p
-=================-
[rename]
NUL=C:\WINDOWS\TEMP\DELDIR0.exe
NUL=C:\WINDOWS\TEMP\DELDIR1.exe
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\_SETUP32.LIB
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\ISUTIL.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\ISSILENT.exe
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\LICENSE.TXT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE3.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NETA.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\SERNUM32.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\V98BK16.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\UNINST.exe
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\UNPLUS.exe
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\V98BKGND.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\WCMDRSIL.INI
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\2235D.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\2235B.DLL
NUL=C:\WINDOWS\TEMP\_INS0432._MP
NUL=C:\WINDOWS\TEMP\_INZ0432._MP
NUL=C:\WINDOWS\TEMP\_WUTL95.DLL
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-
==========================================================================
__________________________________________________________________________
- Supplemental Environment Information -
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\SBPCI
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;D:\DAZZLE\BIN;C:\PROGRA~1\NETWOR~1\MCAFEE~2
windir=C:\WINDOWS
File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini
==========================================================================
__________________________________________________________________________
- End -

From MSCONFIG UNselect
wcmdmgr - This is WildTangent Spyware
System-Service - This is your trojan
LoadQm - Part of MSN Explorer and not required
NewDotNet - More foistware - See this link to remove it
http://www.new.net/help_faq.tp#p4
After a reboot, delete Explorer.scr

This is "presuming" that you already know what the following items are.
"MediaLoads Installer"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"

Seems in, I think, autoexec.bat
PATH=%PATH%;d:\DAZZLE\BIN
seems it's given a direct hit in that folder.
Look what's in there.
Also, for all who have trojan or virus problems,
please email me at: osp1keo@yahoo.com
and state your problem.
I want to solve as many virus or trojan problems as possible. I am thinking of making a book on these, and it would really help to get as many problems emailed to me as possible.
And this so-called virus that makes junk isn't a virus. Seems to me it's just programmed to create millions of dummy files.
It looks like it has a main master file
and is being started up at boot.
Solution: uncheck all unnecessary checks in msconfig,
and in the registry if you know what you're doing.

I did the startup log thing, and this is what it showed:
---------- C:\WINDOWS\desktop\StartUp.Log
Start-Ups checked at 19/05/2002 12:16:14.26
__________________________________________________________________________
__________________________________________________________________________
StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________
Comments:
This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.
StartUp Log (version 1.56) - Release Date 3/11/2002
__________________________________________________________________________
__________________________________________________________________________
StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations
__________________________________________________________________________
__________________________________________________________________________
The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"CountrySelection"="pctptt.exe"
"PE2CKFNT SE"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 2 SE\\ChkFont.exe"
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
"PTSNOOP"="ptsnoop.exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
==========================================================================
__________________________________________________________________________
2. HKCU Run - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.exe /check"
"OSSProxy"="C:\\WINDOWS\\SYSTEM\\OSSPROXY.exe"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
==========================================================================
__________________________________________________________________________
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"rtvscn95"="C:\\PROGRA~1\\NORTON~1\\rtvscn95.exe"
"defwatch"="C:\\PROGRA~1\\NORTON~1\\defwatch.exe"
==========================================================================
__________________________________________________________________________
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
==========================================================================
__________________________________________________________________________
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
run=
load=
==========================================================================
__________________________________________________________________________
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe
==========================================================================
__________________________________________________________________________
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
rem - By Windows Setup - C:\WINDOWS\COMMAND\mscdex.exe /d:mscd001 /v
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys
==========================================================================
__________________________________________________________________________
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
C:\WINDOWS\Start Menu\Programs\StartUp\ScanPanel.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\3D Browser Mouse.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Photo Express Calendar Checker SE.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check 2.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
==========================================================================
__________________________________________________________________________
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-
Should show the Start Menu StartUp and All Users StartUp directories
.....................................................................
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
.....................................................................
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
.....................................................................
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-
Open Commands for Executable File Types
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\SYSTEM\\MSHTA.exe \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-=========================-
HKU (.Default) Run - Registry
-=========================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.exe /check"
"OSSProxy"="C:\\WINDOWS\\SYSTEM\\OSSPROXY.exe"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
-==============================-
HKU (.Default) RunOnce - Registry
-==============================-
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
-================================-
StubPaths - Registry (Partial Listing)
-================================-
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.exe"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-
C:\WINDOWS\COMMAND\mscdex.exe /d:mscd001 /v
-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 44 18/05/02 17:26
-=================-
[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR
==========================================================================
__________________________________________________________________________
- Supplemental Environment Information -
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS
File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini
==========================================================================
__________________________________________________________________________
- End -
Could you tell me what is wrong, or if you can see a Trojan or anything else? Thanks!
Judith

It appears that you have the same trojan.
From MSCONFIG UNselect
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
You can also unselect WinampAgent and Ossproxy as they are not required.
PTSNOOP "can" sometimes be a trojan but it is more likely related to your modem. Try UNselecting it and try your modem. If you have trouble, reselect it.
This site has a good list of startup apps
http://www.pacs-portal.co.uk/startup_pages/startup_full.htm

It's really hard to tell which one is a trojan since people rename trojan files to anything.
See how you have AVG installed?
Any trojan can be renamed to avgc.exe
and you won't be able to tell the difference.
It's kind of a trick.
The best thing to do is uncheck everything in msconfig,
then reboot,
update your scanner and then do a full scan.
Then put back what you think is right.
Basically, do research on every file you see in msconfig.
scanregister - this is what backs up your registry on every bootup. I believe you have to uncheck that. Let me tell you why: if you have a trojan installed, the registry is backed up with it. It's best to do a full scan first, with a virus scanner, and with a-aware and everything possible, like defrag, scandisk, and any other scanner you can get, to make sure it's fully in a good state.
Then go to Start, Run,
and type
Scanregw.exe
This will automatically back up your registry and it will be clean.
Also, before typing Scanregw.exe, go into the registry and look here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
Make sure there is nothing here; this is only needed when installing new software and it asks you to reboot.
Also make sure these have nothing in them.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Sometimes trojans run in these places that I listed and it won't show in MSCONFIG!!!
===============================
Email me all your Virus/Trojan Problems.
I want to make a book and I will try hard to fix your problems also.
Email me at: osp1keo@yahoo.com
Email me your problem and all the strange activities that you have noticed.
=================================
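
An added example (not part of the original thread, and not code from StartUp Log or any poster): a Python triage pass over the registry portion of a StartUp.Log like the two posted above, flagging Run-family entries such as System-Service pointing at EXPLORER.SCR, and the space-padded ".exe" names described in the first posts. The sample lines are excerpted from the second log in the thread; the extension list, the system-name list and all function names are assumptions made for this example.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any host OS

# Run-family autorun keys named in the StartUp.Log index and in the replies.
AUTORUN_KEY = re.compile(
    r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\"
    r"(?:Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce))\]$",
    re.IGNORECASE,
)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
PADDED = re.compile(r"\s{2,}\.[A-Za-z0-9]{1,4}$")

# Assumption for this example: file types Windows 9x will execute but that
# are unusual as the target of a Run entry.
ODD_EXEC_EXT = {".scr", ".pif", ".com", ".bat", ".hta"}
# Assumption for this example: system binary names worth a second look when
# they appear with a non-.exe extension.
SYSTEM_NAMES = {"explorer", "systray", "rundll32", "taskmon", "scanregw"}


def unescape(data):
    """Undo the .reg-style escaping used in the log (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", lambda m: m.group(1), data)


def parse_autoruns(log_text):
    """Yield (key, value_name, command) for values directly under a Run-family key."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = AUTORUN_KEY.match(line)
        if header:
            key = header.group(1)
        elif line.startswith("["):
            key = None  # subkey or unrelated section: not an autorun list
        elif key:
            value = VALUE.match(line)
            if value:
                yield key, value.group("name"), unescape(value.group("data"))


def target_of(command):
    """Return the program part of an autorun command line, without arguments."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: cut after the first ".xxx" that is
    # followed by whitespace or end of string.
    m = re.match(r"(.*?\.[A-Za-z0-9]{3})(?=\s|$)", command)
    return m.group(1) if m else command.split()[0]


def flags_for(path):
    """Name-based review flags for one file name or full path."""
    name = basename(path)
    stem, ext = splitext(name)
    ext = ext.lower()
    flags = []
    if ext in ODD_EXEC_EXT:
        flags.append("odd-extension")
    if stem.strip().lower() in SYSTEM_NAMES and ext not in ("", ".exe"):
        flags.append("system-name-lookalike")
    if PADDED.search(name):
        flags.append("padded-extension")
    return flags


def triage(log_text):
    """Return [(key, value_name, target, flags)] for entries that need review."""
    hits = []
    for key, name, command in parse_autoruns(log_text):
        target = target_of(command)
        flags = flags_for(target)
        if flags:
            hits.append((key, name, target, flags))
    return hits


# Excerpt of the second StartUp.Log posted in the thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"rtvscn95"="C:\\PROGRA~1\\NORTON~1\\rtvscn95.exe"
'''

if __name__ == "__main__":
    for key, name, target, flags in triage(SAMPLE_LOG):
        print(f"{key}\n  {name} -> {target}  [{', '.join(flags)}]")
    # Constructed file name modelled on the padded names described in the thread.
    print(flags_for("A beautiful mind          .exe"))
```

These checks only look at names, so a trojan renamed to an ordinary-looking .exe, as the reply above warns, passes them; an empty result means nothing stood out by name, not that the autorun list is clean.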

Well, the dazzle/bin thing isn't it, I've had that forever.. it's a video program. CFD.exe has been there as long as I can remember, but I'll try it anyway. I'll be sure to check back and tell u if it worked or not..

I had the same virus last night. I updated pc-Cillin from Trend Micro and that identified the virus as TROJ_HDDKILL.A
Trendmicro seems to be the only virus site to have recognized the virus. The problem was then that as soon as the checker quarantined a file another had been written. It just kept going on. As I had just built the PC (and forgot the virus checker) it was not too difficult a task to blow away the C drive and start again. Although I am not sure the checker would have found this with its one month old pattern as the virus is so new. My daughter had been using Kazaa earlier in the day - I am not sure what it was she downloaded.

I have OSSPROXY, TRICKLER3103, and CHOKE, all through MSN messenger or hotmails I believe. I have heard that choke is almost impossible to get rid of, and I have unselected and tried to delete trickler3103 and choke, but every time I try to unselect OSSPROXY or delete it, it always restarts and comes back when I restart my computer. My computer freezes eventually, can someone plz tell me how to get rid of OSSPROXY. Thx

I'm having a very similar problem. My system is bogged down and I can't get rid of this thing. I have the CFD.exe file trying to start up at the beginning, but I have it disabled in MSCONFIG. My system still drags. Trying to figure this out. My initial searches have come up with this file being associated with BROAD JUMP, who provides service for Prodigy/SBCGLOBAL, who is my DSL provider. This file shows to use 100% of my CPU in the process list. I'm running WIN XP on a 1.8GHz system with 512MB DDR. I know something is wrong if this is taking this much of my resources. If you can help me out on this one, I would appreciate it. Please feel free to email me. Thanks again.

I downloaded the AVG antivirus software and it found 2 viruses, the greetingcard.exe and another one without a name given. Fixed both and...walla....problem fixed. The best thing about this program is it's free; it's also small. Took less time to run than my Norton as well.
