Anybody know what this is? Should I delete it? I have the CoolWebSearch trojan--ran CWShredder and SpyBot and it didn't fix it.
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.exe
and
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.exe
Thanks.
Did a quick Google on sysstartup.exe
Take a look at this link, seems to have fixed it:
CLICK HERE
Derek.W
Thanks but it didn't work. I ran HJT again and deleted a line from registry ending in YER6032.DLL and its corresponding files from my system folder, then deleted 3 backups it made to my start menu. That didn't work either.
Here are a couple of lines from HJT that I don't know what they are. Could they have something to do with it?
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
I'll be honest, it's the blind leading the blind on this. Searching Google with the CLSIDs (long numbers) revealed this:
Tick the first one for deletion, this one:
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
It's apparently some sort of nasty.
The second entry you gave appears valid (Radio Toolbar).
Take a trip around Google because it may be necessary to do more than tick the HiJack Log entry. Google will often give hits on the file names too.
If you can't sort it out post on the Security & Virus forum because they are the best folk to help you.
Hope this moves you forward a bit, best I can do.
Derek.W
Some more info, this clsid stays the same
A9A674BF-771F-42E5-A440-D20DDA85A862
related link to your problem
> http://www.wilderssecurity.com
Word of warning. Don't do the stupid thing that I did!
If you go to the link in Abnormal's posting, don't click on the active link within the 2nd posting there (it's obviously to a dodgy site).
I should have known better, fortunately it was blocked in my "Restricted Sites" - yours may not be....
Derek.W
Abnormal, what do you mean by the clsid stays the same?
I found the file sysstartup.exe in my system folder. Just to be sure, is he saying that I should delete it?
-drops sysstartup.exe in the system/system32 folder
-accompanied with a randomly named BHO dll but STATIC clsid! :
Always the same letters and numbers.
{A9A674BF-771F-42E5-A440-D20DDA85A862}
The (BHO) Browser helper object should come with your problem.
Do you have that in your hijackthis log?
This is new, I only know what I can find in a search.
Post your log, let's see what you have.
I can't post the HJT log. Tried a few times and kept getting an illegal operation message. What's going on?
I do not know, see if you can get anything from this.
Blind helping to a problem I have never seen is not easy.
Thanks for the link. I tried running CWShredder and Window Washer in safe mode but the problem is still there. I fixed the start page hijack, the only problem now is that I'm still getting the CoolWebSearch page when I go to a particular website. Could it be the website that's the problem instead of my computer? It's a site for the Sims game.
"Could it be the website that's the problem instead of my computer?"
You need to update to prevent it.
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
The Microsoft VM is a virtual machine for the Win32 operating environment. The Microsoft VM is shipped in most versions of Windows and in most versions of Microsoft Internet Explorer. A new security vulnerability has been reported that affects the ByteCode Verifier component of the Microsoft VM.
It occurs because the ByteCode verifier does not correctly look for certain malicious code when a Java applet is being loaded. The attack vector for this new security issue would likely involve an attacker creating a malicious Java applet and inserting it into a Web page that would exploit this vulnerability when it was opened. An attacker could then host this malicious Web page on a Web site or could send it to a user in e-mail.
The present Microsoft VM has been updated to include a fix for this newly reported security vulnerability. This version of VM includes all previously released fixes to the VM.
To download the patch to update existing installations of the Microsoft VM, visit the Microsoft Windows Update Web site. Windows Update detects what version of Windows you are running and offers the appropriate patch. To locate the update, visit the "Critical Updates" section of the Microsoft Windows Update Web site:
I understand MS have ceased support for W95.
I cannot be sure but perhaps that's the reason for the blank page. I downloaded mine (W98) from the corporate update page. I've just checked and they don't give the option of W95 OS.
This post is getting a bit ancient now. Maybe you would get more attention if you posted it again (on the S&V forum I would have thought). A few fresh ideas might help.
Derek.W
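Added example, not part of the thread and not HijackThis's own code: a small Python check that scans HijackThis log text for the indicators mentioned in the posts above (the static BHO CLSID, the MSOPT.DLL BHO CLSID, and the sysstartup.exe Run entries). The function name `review_log`, the sample log and the file name QWXJK.DLL are constructed for illustration.

```python
import ntpath
import re

# Indicators quoted in the thread above; nothing here comes from another source.
FLAGGED_CLSIDS = {
    "{A9A674BF-771F-42E5-A440-D20DDA85A862}": "static CLSID reported with sysstartup.exe",
    "{B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D}": "BHO (MSOPT.DLL) flagged in the thread",
}
FLAGGED_FILES = {"sysstartup.exe": "Run entry named in the thread"}

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
OBJ_RE = re.compile(rf"^O[23] - (?:BHO|Toolbar): .*? - (?P<clsid>{CLSID}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<path>.+)$")


def review_log(text):
    """Return (log_line, reason) pairs for entries matching the thread's indicators."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            # The BHO file name is random, so match on the CLSID (case-insensitive).
            reason = FLAGGED_CLSIDS.get(m.group("clsid").upper())
            if reason:
                findings.append((line, reason))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = ntpath.basename(m.group("path")).lower()
            if exe in FLAGGED_FILES:
                findings.append((line, FLAGGED_FILES[exe]))
    return findings


# Constructed sample: lines from the thread plus one made-up BHO file name (QWXJK.DLL).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\QWXJK.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.exe
"""

if __name__ == "__main__":
    for line, reason in review_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```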