
Possible virus

Discussion in 'Virus & Other Malware Removal' started by alamal, Jan 13, 2003.

  1. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    My neighbor's pc may have a virus. He's been online without antivirus and now I am trying to download Panda antivirus. As I get to the end of the download it gives me a window that says the download couldn't be completed so I had to start all over again. Same thing happened. Isn't this a characteristic of a virus...not being able to run a scan?

    He has a Dell with Windows ME PIII.

    How can I identify the virus or even the presence of one if I can't scan his system?
    Thanks for the help,
    Peter
     
  2. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Hi alamal - do this on his machine.


    If you post your startup list we may be able to spot something.

    Please post your startup list by doing the following :-

    Please go here and download startuplist 1.5 :-

    http://www.lurkhere.com/~nicefiles/startuplist15.zip

    Download to any folder or your desktop.
    Unzip the zipfile.
    Double click the exe file.
    Go to Edit - select all - copy - and paste the results in a new post here.


    steam
     
  3. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    Here's what he's running, Steam, and hey, thanks!!!


    StartupList report, 1/13/2003, 11:17:19 AM
    StartupList version: 1.50
    Started from : C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v5.50 SP1 (5.50.4522.1800)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\WINKHWN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MSNDELL\MSNCOREFILES\MSN6.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\STARTUP]
    EPSON BACKGROUND MONITOR.LNK = C:\ESM2\STMS.EXE

    User shell folders Startup:
    [C:\WINDOWS\STARTUP]
    EPSON BACKGROUND MONITOR.LNK = C:\ESM2\STMS.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Winkhwn = C:\WINDOWS\SYSTEM\Winkhwn.exe
    MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean] *
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [^RNA] *
    StubPath = rundll rnasetup.dll,installoptionalcomponent rna

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 12/1/2003, 16:58:58)

    [Rename]
    NUL=C:\WINDOWS\TEMP\VCCLEA~1.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;"C:\Program Files\Dell\Resolution Assistant\Common\bin"
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @echo off
    REM
    REM
    LH C:\PROGRA~1\MICROS~8\MOUSE\MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - c:\windows\downloaded program files\googletoolbar_en_1.1.66-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    PCHealth Scheduler for Data Collection.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
    CODEBASE = http://62.52.93.252/bigbozo8912/access.cab

    [{11111111-1111-1111-1111-111111111111}]
    CODEBASE = http://usa-download.nocreditcard.com/download/newdial-erp/2936/dialer.exe

    [MSN Money Charting]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\INV12.OCX
    CODEBASE = http://fdl.msn.com/public/investor/v12/invinstl.exe

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    --------------------------------------------------
    End of report, 6,506 bytes
    Report generated in 1.301 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    Hi alamal

    It's the KLEZ virus - hang around while I or someone else finds the removal tool for you.

    Once you have got rid of the virus you will need to run Spybot - I see other problems in your startup.

    steam
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Except for your Klez infection:

    Winkhwn = C:\WINDOWS\SYSTEM\Winkhwn.exe

    ... it looks like a pretty clean startup; of course we don't know what is unchecked in msconfig, so when you get Klez removed, you should re-enable what is there and post another startup log.

    Here is a removal tool from Symantec; it is supposed to detect and remove most versions. It MUST be run in Safe Mode. Be sure to follow the instructions appropriate for WinME. System Restore must be disabled before running.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    And go back to Msconfig > Startup, and RE-check "Scan Registry".

    You need the Scanregw tool to back up a good and working Registry at startup.
     
  7. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
    This is what I meant by the other problem.

    You need to get rid of this:

    [{11111111-1111-1111-1111-111111111111}]
    CODEBASE = h**p://usa-download.nocreditcard.co...2936/dialer.exe
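    As an added example (not from this thread or from the StartupList tool), here is a small Python triage script over the report format posted above. It reproduces the two things the helpers spotted by eye: the unfamiliar Winkhwn.exe Run entry under C:\WINDOWS\SYSTEM, and the Download Program Files objects served from a bare IP address or pointing at an .exe. The report excerpt is copied from the posted report; the allowlist of known-good SYSTEM-directory Run entries is an assumption.

```python
import re
from urllib.parse import urlparse
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Winkhwn = C:\WINDOWS\SYSTEM\Winkhwn.exe
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder
--------------------------------------------------
Enumerating Download Program Files:
[{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
CODEBASE = http://62.52.93.252/bigbozo8912/access.cab
[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://usa-download.nocreditcard.com/download/newdial-erp/2936/dialer.exe
"""  # constructed excerpt in StartupList 1.5 layout, copied from the posted report
# Assumed allowlist: Run entries under C:\WINDOWS\SYSTEM that are known-good on this box.
KNOWN_SYSTEM_RUN = {"msconfig.exe"}

def parse(report):
    # One pass over the dashed sections: Run-key (name, command) and (object, CODEBASE url) pairs.
    runs, codes, head, obj = [], [], "", None
    for line in (l.strip() for l in report.splitlines()):
        if re.fullmatch(r"-{10,}", line):
            head = ""  # separator: the next non-empty line is a section heading
        elif not head:
            head = line
        elif head.startswith("Autorun entries") and " = " in line:
            runs.append(tuple(line.split(" = ", 1)))
        elif head.startswith("Enumerating Download Program Files"):
            if line.startswith("["):
                obj = line.strip("[]")
            elif line.startswith("CODEBASE = "):
                codes.append((obj, line[len("CODEBASE = "):]))
    return runs, codes

def triage(report):
    # Flags a helper would raise: an unknown binary run from C:\WINDOWS\SYSTEM, an ActiveX
    # object fetched from a bare IP, an .exe CODEBASE payload or an all-ones placeholder CLSID.
    findings, (runs, codes) = [], parse(report)
    for name, cmd in runs:
        m = re.match(r'"([^"]+)"|(\S+)', cmd)  # quoted path or first token of the command
        exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
        if "\\windows\\system\\" in cmd.lower() and exe not in KNOWN_SYSTEM_RUN:
            findings.append(f"Run entry {name}: unknown binary in SYSTEM dir ({exe})")
    for obj, url in codes:
        u = urlparse(url)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", u.hostname or ""):
            findings.append(f"CODEBASE {obj}: served from bare IP {u.hostname}")
        elif u.path.lower().endswith(".exe") or re.fullmatch(r"\{[1-]+\}", obj or ""):
            findings.append(f"CODEBASE {obj}: .exe payload or placeholder CLSID")
    return findings
```

    Run it on a full StartupList paste to get the same three lines the helpers called out; anything it flags still needs a human to confirm, as the allowlist only covers what is known on this machine.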
     
  8. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    Ok guys, I'm gonna start with removing Klez. The rest of the stuff in the registry is probably beyond me so if I may ask for your assistance I'd surely appreciate it.

    Here goes!

    Thanks and I'll post back.
    Peter
     
  9. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    Ok, I ran the Klez tool unsuccessfully. It said my System Restore was enabled. But it's not. Then it said it isn't. In the beginning of the tool run it'll say it's not disabled, then at the end it says it was unsuccessful because it WAS enabled. Arrrggggggggggg!!!

    I did everything I was supposed to to disable it.

    Please help.
    Thanks,
    Peter
     
  10. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    I was finally able to rid the virus using the tool.

    Now, Steam mentioned getting rid of the CODEBASE.

    How do I do this? What other things do I need to correct or fix in order to get this pc back up to snuff?

    I want to thank you guys for all the help you've provided thus far.

    God bless,

    Peter
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Alamal, if you go to Internet Options > Settings > View Objects, in that folder you will find:

    [{11111111-1111-1111-1111-111111111111}]
    CODEBASE = h**p://usa-download.nocreditcard.co...2936/dialer.exe

    Just right-click on it and select "remove".
     
  12. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    Ok, is that all there is to it? I am finished with everything?

    I just want to say again how grateful I am for helping me out today and in the past.

    You folks really are great and provide a fantastic service to those who can't otherwise afford to take their pc in for service.

    Take care and may God bless all those who help others!

    Peter
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    What I'd suggest is that you re-enable your normal startups in msconfig and give us another post of the startup list. Certain things like scanregistry and statemgr must be left enabled for full WinME functionality.
     
  14. alamal

    alamal Thread Starter

    Joined:
    Sep 15, 2000
    Messages:
    834
    Ok, Rollin'. I'll post back tomorrow with the results.

    One funny thing though. I can't re-enable System Restore. In fact, it was always disabled. Every time I went to enable it I found that the disable button was always checked after a restart.

    Peter
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It may be because statemgr is unchecked in msconfig > startups. PCHealth should be enabled as well, I believe, but statemgr is essential to System Restore.
     
Short URL to this thread: https://techguy.org/113025