RBennett89 (Thread Starter) - Joined: Nov 15, 2001 - Messages: 5
Now for my work PC. Since I now realize I'm not invulnerable to viruses, I decided to scan my work computer. This time I found the Nimda.htm virus; it too was just sitting quietly in Temporary Internet Files. I have not yet deleted it because of the things I read about it, but I also don't see the "load.exe -dontrunold" in the system.ini file on the startup log, which brings me to my next question: can you have a virus that is not yet "activated"? Forgive me if this sounds like a ridiculous question, but I am no computer expert when it comes to viruses. The startup log is below; let me know if I need to purchase antivirus software to get rid of it, and if so, which do you think is best.
---------- C:\WINDOWS\desktop\StartUp.Log
Start-Ups checked at 11-19-2001 11:20:05.19a
__________________________________________________________________________
__________________________________________________________________________
StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________
Comments:
This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.
StartUp Log (version 1.53) - Release Date 8/19/2001
__________________________________________________________________________
__________________________________________________________________________
StartUp Log Index
1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations
__________________________________________________________________________
__________________________________________________________________________
The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________
1. HKLM Run - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"mdac_runonce"="C:\\WINDOWS\\SYSTEM\\runonce.exe"
"Dcfssvc"="C:\\WINDOWS\\System32\\Drivers\\dcfssvc.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"DXM6Patch_981116"="C:\\WINDOWS\\p_981116.exe /Q:A"
"LVComs"="C:\\WINDOWS\\SYSTEM\\LVComS.exe"
"MSWheel"=""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe SYSTEMBOOTHIDEPLAYER"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"
"LoadQM"="loadqm.exe"
"SBMX"="C:\\WINDOWS\\SYSTEM\\sbmx.exe"
"Welcome"="C:\\WINDOWS\\Welcome.exe /R"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrtcl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
==========================================================================
__________________________________________________________________________
2. HKCU Run - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\PROGRAM FILES\\NETSCAPE\\COMMUNICATOR\\PROGRAM\\AIM\\aim.exe -cnetwait.odl"
"Yahoo! Pager"="C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\ypager.exe -quiet"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
==========================================================================
__________________________________________________________________________
3. HKLM RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
4. HKCU RunOnce - Registry
[RegPath]
"StartUp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
==========================================================================
__________________________________________________________________________
5. HKLM RunServices - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ICH Synth"="eusexe.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrte.exe"
==========================================================================
__________________________________________________________________________
6. HKLM RunServicesOnce - Registry
[RegPath]
"StartUp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
==========================================================================
__________________________________________________________________________
7. WIN.INI File - (c:\windows\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.
These are the run and load lines in your WIN.INI file
Run=hpfsched
load=
==========================================================================
__________________________________________________________________________
8. SYSTEM.INI File - (c:\windows\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.
This is the shell line in your SYSTEM.INI file
shell=Explorer.exe
==========================================================================
__________________________________________________________________________
9. AUTOEXEC.BAT File - (c:\autoexec.bat)
(Some trojans have been known to start from this file)
These are your program startups and set paths in your autoexec.bat file
==========================================================================
__________________________________________________________________________
10. StartUp Folder - (c:\windows\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
11. All Users Folder - (c:\windows\all users\start menu\programs\startup)
Shortcuts to any program will automatically start when placed here.
These are the shortcuts located in your All Users StartUp folder
*(No start-ups found)*
==========================================================================
__________________________________________________________________________
12. Miscellaneous StartUp Configurations
-============================-
Registry StartUp Directories
-============================-
Should show the Start Menu StartUp and All Users StartUp directories
.....................................................................
[1] HKCU - Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
.....................................................................
[2] HKCU - User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
.....................................................................
[3] HKLM - Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"
.....................................................................
[4] HKLM - User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
.....................................................................
-=======================-
Registry Shell Spawning
-=======================-
Open Commands for Executable File Types
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)
@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)
@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)
-=========================-
HKLM RunOnceEx - Registry
-=========================-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
-====================-
StubPaths - Registry (Partial Listing)
-====================-
(Please see the StubPath.txt on your desktop for complete listing)
HKLM\Software\Microsoft\Active Setup\Installed Components
"StubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-
SCRNSAVE.EXE=C:\WINDOWS\MATRIX~1.SCR
==========================================================================
__________________________________________________________________________
- Supplemental Environment Information -
TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS
File - c:\windows\deletefi.ini
==========================================================================
__________________________________________________________________________
- End -
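One way to automate the baseline checks the log's own comments state (WIN.INI run= and load= with nothing after the equals sign, SYSTEM.INI shell= exactly Explorer.exe), as an added example that is not part of the original post or of the StartUp Log tool: a short Python parser run over a constructed excerpt in the tool's format. The `parse_startup_log` function, the `CLEAN_SAMPLE` and `ALTERED_SAMPLE` strings, and the altered shell= line carrying the `load.exe -dontrunold` indicator the poster was told to look for are all constructed for illustration; the altered sample is not taken from the poster's machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Baseline the StartUp Log tool itself states in its section 7 and 8 comments:
# run= and load= empty, shell= exactly Explorer.exe.
EXPECTED_SHELL = "explorer.exe"
# The system.ini indicator the poster mentions; matched case-insensitively.
SHELL_INDICATOR = "load.exe -dontrunold"


@dataclass
class StartupFindings:
    run: Optional[str] = None
    load: Optional[str] = None
    shell: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_startup_log(text: str) -> StartupFindings:
    """Extract the WIN.INI run=/load= and SYSTEM.INI shell= values from a
    StartUp Log dump and compare each against the tool's stated baseline."""
    found = StartupFindings()
    # Only lines that *begin* with the key are taken as values, so the tool's
    # own commentary ("...should look like run= and load=...") is skipped.
    key_re = re.compile(r"^(run|load|shell)=(.*)$", re.IGNORECASE)
    for raw in text.splitlines():
        m = key_re.match(raw.strip())
        if m:
            setattr(found, m.group(1).lower(), m.group(2).strip())

    for key in ("run", "load"):
        value = getattr(found, key)
        if value is None:
            found.warnings.append(f"WIN.INI {key}= line not present in log")
        elif value:
            found.warnings.append(
                f"WIN.INI {key}= is not empty ({value!r}); baseline expects "
                f"{key}= with nothing after it, so identify this program")

    if found.shell is None:
        found.warnings.append("SYSTEM.INI shell= line not present in log")
    elif found.shell.lower() != EXPECTED_SHELL:
        found.warnings.append(
            f"SYSTEM.INI shell= is {found.shell!r}; baseline expects Explorer.exe only")
        if SHELL_INDICATOR in found.shell.lower():
            found.warnings.append(
                f"shell= carries {SHELL_INDICATOR!r}, the system.ini "
                "modification the poster was told to check for")
    return found


# Constructed excerpt mirroring sections 7 and 8 of the log quoted above.
CLEAN_SAMPLE = """\
7. WIN.INI File - (c:\\windows\\win.ini)
Your win.ini run/load lines should look like run= and load= exclusively.
Run=hpfsched
load=
8. SYSTEM.INI File - (c:\\windows\\system.ini)
Your system.ini shell line should look like shell=Explorer.exe exclusively.
shell=Explorer.exe
"""

# Constructed variant (not from the poster's machine) showing what the
# shell= line would look like with the indicator appended.
ALTERED_SAMPLE = CLEAN_SAMPLE.replace(
    "shell=Explorer.exe\n", "shell=explorer.exe load.exe -dontrunold\n")


def main() -> None:
    for label, sample in (("clean", CLEAN_SAMPLE), ("altered", ALTERED_SAMPLE)):
        result = parse_startup_log(sample)
        print(f"[{label}] run={result.run!r} load={result.load!r} shell={result.shell!r}")
        for warning in result.warnings:
            print("  warning:", warning)


if __name__ == "__main__":
    main()
```

On the poster's own log the checker would report only the non-empty Run=hpfsched line, which the tool's comment says to review, and a clean shell= line; the altered sample additionally trips both shell= warnings.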