
Virus filling computer with junk


Original Message
Name: Judith
Date: May 18, 2002 at 11:48:28 Pacific
Subject: Virus filling computer with junk
Comment:

Hi, I have a very strange virus, and I cannot find information about it anywhere. On startup, it creates a folder in the windows\temp\ directory; it calls the folder "sys32". It then proceeds to rapidly fill this folder with junk files with an .exe extension. The names of the files are English as well as German, and they look like songs, games and video files. They multiply so fast that they take up about 50 mb a minute! It is so annoying, because every time I delete that folder, it creates itself again after I restart the computer. Norton antivirus does not detect it. Another antivirus programme (AVG) detects and removes the files, but they just come again. Can anybody help? I am desperate! Thanks
Judith




Response Number 1
Name: WhitPhil
Date: May 18, 2002 at 12:47:54 Pacific
Subject: Virus filling computer with junk
Reply:

If you are on Win98, do Start > Run > MSCONFIG > Startup Tab and look for "strange" entries.
UNselect them.

You also may have better luck if you do this after restarting to Safe mode.

BTW what is the name of the virus that AVG detects?



Response Number 2
Name: Judith
Date: May 18, 2002 at 13:27:49 Pacific
Subject: Virus filling computer with junk
Reply:

The name of the virus that AVG detects is " .exe". It says that there is an .exe extension on these files. But it does not name the virus, it simply writes " .exe". It is notable that these junk files all have an exe extension, however, there is a long space between the file name and the extension, e.g. "A beautiful mind .exe".
Thanks for the advice on running msconfig. Unfortunately, I have run this already, but was unable to detect any suspicious components. But perhaps I should mention that I detected a Trojan named "openme.exe" in the system.ini file a couple of days ago, and after I had removed it, these problems began.
This might be a new, previously unidentified virus!!
Judith




Response Number 3
Name: Anony
Date: May 18, 2002 at 14:21:41 Pacific
Subject: Virus filling computer with junk
Reply:

That's the same virus I have :( And I can't think of anything to get rid of it.. :( :(



Response Number 4
Name: Anony
Date: May 18, 2002 at 14:29:21 Pacific
Subject: Virus filling computer with junk
Reply:

looks like this:

http://home.sailormoon.com/kalivala/image.jpg



Response Number 5
Name: Rajan Urs
Date: May 18, 2002 at 15:51:16 Pacific
Subject: Virus filling computer with junk
Reply:

Right click on My Computer > Properties > Performance > File system > Trouble shooting and check on Disable System Restore.

Run the anti virus programs. You can get a free download at AVG http://www.grisoft.com/html/us_index.htm

Reboot and run the antivirus again to double check. Finally re-enable System Restore.

Sometimes you need a specific tool for a particular virus. Make a search in this forum and you will find plenty of info.

The reason why it comes back is when you delete a file it is still in the hard drive in a different directory till another deleted file or program file over writes it.




Response Number 6
Name: Judith
Date: May 18, 2002 at 15:54:28 Pacific
Subject: Virus filling computer with junk
Reply:

It's annoying, isn't it? They just multiply without stopping. I think I caught this virus when I downloaded a file from Kazaa. It ran an installation programme to access a porn site. Even though I deleted it, the openme.exe remained. When I deleted that too, the real problem started.
It really sucks, because there is no advice anywhere! Maybe this virus might become more popular, and then they will find a way to get rid of it! ;)
Judith



Response Number 7
Name: Judith
Date: May 18, 2002 at 16:59:08 Pacific
Subject: Virus filling computer with junk
Reply:

I tried to find 'disable system restore' on the troubleshooting tab, but I don't have such an option! (Windows 98) Maybe it has another term in Windows 98?
Judith




Response Number 8
Name: Anony
Date: May 18, 2002 at 17:04:01 Pacific
Subject: Virus filling computer with junk
Reply:

was thinking the same thing... and yes, it does come from a Kazaa file.. i got mine when i downloaded a flash player.. i deleted the actual exe, but the files still appear.. I've updated my definitions on my virus scanner, and it still hasn't been found.



Response Number 9
Name: WhitPhil
Date: May 18, 2002 at 18:34:34 Pacific
Subject: Virus filling computer with junk
Reply:

Download and run StartUplog from http://home.earthlink.net/~rmbox/Reticulated/Toys.html

It creates a StartUp.log file on your desktop. Copy / Paste the contents back here.



Response Number 10
Name: Anony
Date: May 18, 2002 at 18:52:56 Pacific
Subject: Virus filling computer with junk
Reply:

Copy and paste what the txt doc said? it's long, but here it is...


---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 05-18-2002 9:47:17.72p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Microsoft IntelliType Pro"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\speedkey.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"LoadQM"="loadqm.exe"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"SVAPlayer"="C:\\Program Files\\SVA Player\\SVAPLAYER.EXE"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"MediaLoads Installer"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,NewDotNetStartup"
"AvconsoleEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\avconsol.exe /minimize"
"Vshwin32EXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSHWIN32.EXE"
"VsStatEXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSSTAT.EXE"
"McAfeeWebScanX"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\WEBSCANX.EXE"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="D:\\AIM95\\aim.exe -cnetwait.odl"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Vshwin32EXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSHWIN32.EXE"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

C:\PROGRA~1\NETWOR~1\MCAFEE~2\BOOTSCAN.EXE C:\
@IF ERRORLEVEL 1 PAUSE
@ECHO OFF
SET BLASTER=A220 I7 D1 H7 P330 T6
SET SBPCI=C:\SBPCI


PATH=%PATH%;d:\DAZZLE\BIN

REM Environment Settings For McAfee VirusScan
SET PATH=%PATH%;C:\PROGRA~1\NETWOR~1\MCAFEE~2


==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Profiles\\Mekare\\Start Menu\\Programs\\Startup"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

"Startup"="C:\\WINDOWS\\Profiles\\Mekare\\Start Menu\\Programs\\Startup"

.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\SBPCI\SBINIT



-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 891 05-18-02 7:42p
-=================-

[rename]
NUL=C:\WINDOWS\TEMP\DELDIR0.EXE
NUL=C:\WINDOWS\TEMP\DELDIR1.EXE

NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\_SETUP32.LIB
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\ISUTIL.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\ISSILENT.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\LICENSE.TXT
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE1.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE2.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\MCAFE3.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\NETA.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\SERNUM32.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\V98BK16.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\UNINST.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\UNPLUS.EXE
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\V98BKGND.BMP
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\WCMDRSIL.INI
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\2235D.DLL
NUL=C:\WINDOWS\TEMP\_ISTMP0.DIR\2235B.DLL
NUL=C:\WINDOWS\TEMP\_INS0432._MP
NUL=C:\WINDOWS\TEMP\_INZ0432._MP
NUL=C:\WINDOWS\TEMP\_WUTL95.DLL
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
SBPCI=C:\SBPCI
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;D:\DAZZLE\BIN;C:\PROGRA~1\NETWOR~1\MCAFEE~2
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -



Response Number 11
Name: WhitPhil
Date: May 18, 2002 at 19:46:29 Pacific
Subject: Virus filling computer with junk
Reply:

From MSCONFIG UNselect

wcmdmgr - This is WildTangent Spyware
System-Service - This is your trojan
LoadQm - Part of MSN Explorer and not required
NewDotNet - More foistware - See this link to remove it
http://www.new.net/help_faq.tp#p4

After a reboot, delete Explorer.scr



Response Number 12
Name: WhitPhil
Date: May 18, 2002 at 19:53:44 Pacific
Subject: Virus filling computer with junk
Reply:

This is "presuming" that you already know what the following items are.

MediaLoads Installer"="\"C:\\Program Files\\DownloadWare\\dw.exe\" /H"

BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"



Response Number 13
Name: ]SpIkE[
Date: May 18, 2002 at 22:16:59 Pacific
Subject: Virus filling computer with junk
Reply:

seems in i think autoexec.bat
PATH=%PATH%;d:\DAZZLE\BIN

seems it's given a direct hit in that folder.
look what's in there.

also for all who have trojan or virus problems.

please email me at: osp1keo@yahoo.com
and state your problem.
i want to solve as much as virus or trojan problems as possible. I am thinking of making a book on these, and it would really help to get as much as problems email to me as possible.

and this so-called virus that makes junk, isn't a virus. seems to me just programmed to create millions of dummy files.
it looks like it has a main master file.
and is being started up at boot.

solution: uncheck all unnecessary checks in msconfig.

and in registry if you know what you doing.




Response Number 14
Name: Judith
Date: May 19, 2002 at 04:18:04 Pacific
Subject: Virus filling computer with junk
Reply:

I did the startup log thing, and this is what it showed:

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 19/05/2002 12:16:14.26
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"CountrySelection"="pctptt.exe"
"PE2CKFNT SE"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express 2 SE\\ChkFont.exe"
"InCD"="C:\\Program Files\\ahead\\InCD\\InCD.exe"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
"PTSNOOP"="ptsnoop.exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
"OSSProxy"="C:\\WINDOWS\\SYSTEM\\OSSPROXY.EXE"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"Avgserv9.exe"="C:\\PROGRA~1\\GRISOFT\\AVG6\\Avgserv9.exe"
"rtvscn95"="C:\\PROGRA~1\\NORTON~1\\rtvscn95.exe"
"defwatch"="C:\\PROGRA~1\\NORTON~1\\defwatch.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
rem - By Windows Setup - C:\WINDOWS\COMMAND\mscdex.exe /d:mscd001 /v
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\ScanPanel.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\3D Browser Mouse.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Photo Express Calendar Checker SE.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\EPSON Status Monitor 3 Environment Check 2.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\WinZip Quick Pick.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"NSCheck"="C:\\WINDOWS\\SYSTEM\\NSCHECK.EXE /check"
"OSSProxy"="C:\\WINDOWS\\SYSTEM\\OSSPROXY.EXE"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\WINDOWS\COMMAND\mscdex.exe /d:mscd001 /v


-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 44 18/05/02 17:26
-=================-

[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -


Could you tell me what is wrong, or if you can see a Trojan or anything else? Thanks!
Judith



Response Number 15
Name: WhitPhil
Date: May 19, 2002 at 07:32:19 Pacific
Subject: Virus filling computer with junk
Reply:

It appears that you have the same trojan.

From MSCONFIG UNselect
System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

You can also unselect WinampAgent and Ossproxy as they are not required.

PTSNOOP "can" sometimes be a trojan but it is more likely related to your modem. Try UNselecting it and try your modem. If you have trouble, reselect it.

This site has a good list of startup apps

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm


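The triage done by eye in the replies above can be scripted. The following is an added example, not part of the original thread or of the StartUp Log tool: it parses the Run-key sections of two StartUp.Log dumps and reports autostart entries that look out of place or that appear on every affected machine. The function names, the `BASELINE` list of stock Windows 98 entries and the `GENUINE` shell path are assumptions made for the illustration; the two sample logs are trimmed excerpts of the logs posted in this thread.

```python
import ntpath
import re

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
TARGET_RE = re.compile(r'^(.+?\.(?:exe|scr|com|bat|pif|dll))(?=[\s,]|$)', re.I)
AUTORUN_KEYS = ("\\run", "\\runonce", "\\runonceex",
                "\\runservices", "\\runservicesonce")

# Assumption: value names found on a stock Windows 98 install.
BASELINE = {"scanregistry", "systemtray", "taskmonitor",
            "loadpowerprofile", "schedulingagent"}
# Assumption: where the genuine shell lives (the logs show windir=C:\WINDOWS).
GENUINE = {"explorer": r"c:\windows\explorer.exe"}

# Trimmed excerpts of the two logs posted in the thread.
LOG_A = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadQM"="loadqm.exe"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"Vshwin32EXE"="C:\\Program Files\\Network Associates\\McAfee VirusScan\\VSHWIN32.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="D:\\AIM95\\aim.exe -cnetwait.odl"
"""

LOG_B = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"AVG_CC"="C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP"
"PTSNOOP"="ptsnoop.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OSSProxy"="C:\\WINDOWS\\SYSTEM\\OSSPROXY.EXE"
"""


def target_of(command):
    """Program path at the start of an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = TARGET_RE.match(command)          # unquoted paths may contain spaces
    return m.group(1) if m else command


def parse_autoruns(log_text):
    """Return (registry key, value name, target) for Run-style keys only."""
    found, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            key = None                    # a blank line ends a .reg section
            continue
        m = KEY_RE.match(line)
        if m:
            k = m.group(1)
            key = k if k.lower().endswith(AUTORUN_KEYS) else None
            continue
        m = VALUE_RE.match(line)
        if m and key:
            command = re.sub(r'\\(.)', r'\1', m.group(2))  # undo \\ and \"
            found.append((key, m.group(1), target_of(command)))
    return found


def flags_for(target):
    """Heuristic reasons an autostart target deserves a closer look."""
    path = target.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if ext in (".scr", ".pif", ".com"):
        reasons.append("non-.exe executable type in a Run key")
    if stem in GENUINE and ntpath.dirname(path) and path != GENUINE[stem]:
        reasons.append("borrows the name of " + GENUINE[stem])
    return reasons


def triage(*logs):
    """Map value name -> reasons. Entries shared by every log and absent from
    BASELINE get an extra reason, since the machines show the same symptoms."""
    parsed = [parse_autoruns(text) for text in logs]
    ident = lambda e: (e[1].lower(), ntpath.basename(e[2]).lower())
    shared = set()
    if len(parsed) > 1:
        shared = set.intersection(*[{ident(e) for e in p} for p in parsed])
    report = {}
    for entries in parsed:
        for entry in entries:
            reasons = flags_for(entry[2])
            if ident(entry) in shared and entry[1].lower() not in BASELINE:
                reasons.append("present on every affected machine")
            if reasons:
                name = entry[1]
                report[name] = sorted(set(report.get(name, []) + reasons))
    return report


if __name__ == "__main__":
    for name, reasons in triage(LOG_A, LOG_B).items():
        print(name, "->", "; ".join(reasons))
```
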

Response Number 16
Name: ]SpIkE[
Date: May 19, 2002 at 10:43:43 Pacific
Subject: Virus filling computer with junk
Reply:

It's really hard to tell which one is a trojan since people rename trojan files to anything.

see how you have AVG installed.
any trojan can be renamed to avgc.exe
and you won't be able to tell the difference.
it's kind of a trick.
the best thing to do is, uncheck everything in msconfig

then reboot
update your scanner and then do a full scan.
then put back what you think is right.
basically do a research on every file you see in msconfig.

scanregister - this is what backs up your registry on every bootup. I believe you have to uncheck that. let me tell you why, if you have a trojan installed the registry is backed up with it. it's best to do a full scan first, with a virus scanner, and with Ad-aware and everything possible, like defrag, scandisk, and any other scanner you can get to make sure it's fully in good state.
then go to start , run ,
and type
Scanregw.exe
this will automatically backup your registry and it will be clean.

also before typing Scanregw.exe go into registry and look here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
make sure there is nothing here, this is only needed when installing a new software and it asks you to reboot.

also make sure these have nothing in them.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Sometimes trojans run in these places that I listed and it won't show in MSCONFIG!!!


===============================
Email me all your Virus/Trojan Problems.
I want to make a book and I will try hard to fix your problems also.
Email me at: osp1keo@yahoo.com

Email me your problem and all the strange activities that you have noticed.
=================================
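
The check described in the post above, as an added example that is not part of the original thread: a Python parser for a REGEDIT4 export from regedit that lists every string value under the keys the post names, including subkeys such as those RunOnceEx uses. The sample export is constructed, and placing the System-Service entry under RunServices is an assumption, since the thread does not say which key holds it.

```python
import re
# Keys named in the post above; the registry compares key names case-insensitively.
WATCHED = [k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
)]
KEY_LINE = re.compile(r"^\[(.+)\]$")
STR_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports write \\ for a backslash and \" for a quote
    return re.sub(r"\\(.)", r"\1", s)

def is_watched(key):
    k = key.lower()
    # exact key, or one of its subkeys (RunOnceEx keeps entries in subkeys)
    return any(k == w or k.startswith(w + "\\") for w in WATCHED)

def autostart_entries(reg_text):
    """Return (key, value name, command) for string values under WATCHED keys."""
    found, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1) if is_watched(m.group(1)) else None
            continue
        m = STR_LINE.match(line)
        if m and current:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            found.append((current, name, unescape(m.group(2))))
    return found

# Constructed sample export, not taken from the thread.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"1"="C:\\WINDOWS\\TEMP\\setup.exe"
'''
```

Calling `autostart_entries(SAMPLE)` returns the RunServices and RunOnceEx entries and skips the Run key, which MSCONFIG already displays.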




Response Number 17
Name: Anony
Date: May 19, 2002 at 11:14:39 Pacific
Subject: Virus filling computer with junk
Reply:

Well, the dazzle/bin thing isn't it, I've had that forever... it's a video program. CFD.exe has been there as long as I can remember, but I'll try it anyway. I'll be sure to check back and tell you if it worked or not.



Response Number 18
Name: Anony
Date: May 19, 2002 at 11:21:07 Pacific
Subject: Virus filling computer with junk
Reply:

It worked :) Thank you guys :) :) :)



Response Number 19
Name: Tray Dann
Date: May 19, 2002 at 19:37:37 Pacific
Subject: Virus filling computer with junk
Reply:

I had the same virus last night. I updated PC-cillin from Trend Micro and that identified the virus as TROJ_HDDKILL.A
Trend Micro seems to be the only virus site to have recognized the virus.

The problem was then that as soon as the checker quarantined a file, another had been written. It just kept going on. As I had just built the PC (and forgot the virus checker), it was not too difficult a task to blow away the C drive and start again. Although I am not sure the checker would have found this with its one-month-old pattern, as the virus is so new. My daughter had been using Kazaa earlier in the day - I am not sure what it was she downloaded.




Response Number 20
Name: Mark
Date: May 20, 2002 at 05:33:43 Pacific
Subject: Virus filling computer with junk
Reply:

It's called Kazoa, and how do you get rid of it?



Response Number 21
Name: Saiku Koboto
Date: July 5, 2002 at 11:49:31 Pacific
Subject: Virus filling computer with junk
Reply:

I have OSSPROXY, TRICKLER3103, and CHOKE, all through MSN messenger or hotmails I believe. I have heard that choke is almost impossible to get rid of, and I have unselected and tried to delete trickler3103 and choke, but every time I try to unselect OSSPROXY or delete it, it always restarts and comes back when I restart my computer. My computer freezes eventually, can someone plz tell me how to get rid of OSSPROXY. Thx



Response Number 22
Name: RP Alcorn
Date: July 29, 2002 at 08:16:57 Pacific
Subject: Virus filling computer with junk
Reply:

I'm having a very similar problem. My system is bogged down and I can't get rid of this thing. I have the CFD.EXE file trying to start up at the beginning, but I have it disabled in MSCONFIG. My system still drags. Trying to figure this out. My initial searches have come up with this file being associated with BROAD JUMP, who provides service for Prodigy/SBCGLOBAL, who is my DSL provider. This file shows to use 100% of my CPU in the process list. I'm running WIN XP on a 1.8GHz system with 512MB DDR. I know something is wrong if this is taking this much of my resources. If you can help me out on this one, I would appreciate it. Please feel free to email me. Thanks again.



Response Number 23
Name: RP Alcorn
Date: July 31, 2002 at 07:05:34 Pacific
Subject: Virus filling computer with junk
Reply:

I downloaded the AVG antivirus software and it found 2 viruses, the greetingcard.exe and another one without a name given. Fixed both and...voilà....problem fixed. The best thing about this program is it's free; it's also small. Took less time to run than my Norton as well.

