
Trojan

Discussion in 'Virus & Other Malware Removal' started by RBennett89, Nov 19, 2001.

Thread Status:
Not open for further replies.
  1. RBennett89

    RBennett89 Thread Starter

    Joined:
    Nov 15, 2001
    Messages:
    5
    I have viruses on both my home and work computer so I'll post 2 threads. First, my home PC. I've never been one to worry about viruses because I thought as long as I didn't download anything or open something from someone I didn't know, I was fine. Guess I was wrong. Anyway, I defrag my hard drive often, but the other day I went to defrag it and it wouldn't work. After reading a bunch of the posts here, I decided to do an online virus scan at McAfee. Sure enough it found a trojan (I forgot to write down the name of it), but it was just sitting in temp internet files, so I just did a Disk Cleanup to get rid of it; was this a mistake? Then I went to Trend Micro's site to do another scan, and it found 2 more viruses that McAfee didn't. I think they were old (I transplanted them from an old zip disk), but I just deleted them also; they were called WOW. Anyway, my hard drive still won't defrag unless I do it in safe mode; is this because I didn't get rid of the trojan and viruses properly? I know you like to look at startup logs so I'll copy that in. Let me know if you see anything that would be causing defrag not to run.



    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 11-19-2001 1:12:47.89a
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.53) - Release Date 8/19/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "VsecomrEXE"="C:\\PROGRA~1\\PLUS!\\Viruscan\\VSECOMR.EXE"
    "LVComs"="C:\\WINDOWS\\SYSTEM\\LVComS.exe"
    "StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
    "LoadQM"="loadqm.exe"
    "Dcfssvc"="C:\\WINDOWS\\System32\\Drivers\\dcfssvc.exe"
    "SideWinderTrayV4"="C:\\PROGRA~1\\MICROS~1\\GAMECO~1\\COMMON\\SWTRAYV4.EXE"
    "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
    "New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"
    "sp"="regedit -s C:\\WINDOWS\\sp.dll"
    "Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
    "CTStartup"="C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE /run"
    "Jet Detection"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
    "webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
    "mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrtcl.exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "Vshwin32EXE"="C:\\PROGRA~1\\PLUS!\\Viruscan\\VSHWIN32.EXE"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\\PROGRA~1\\YAHOO!\\MESSEN~1\\ypager.exe -quiet"
    "MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
    "TaskTray"="C:\\Program Files\\Creative\\SBAudigy\\Taskbar\\CTLTray.exe"
    "Taskbar"="C:\\Program Files\\Creative\\SBAudigy\\Taskbar\\CTLTask.exe"


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "ICH Synth"="eusexe.exe"
    "mgavrtclexe"="C:\\WINDOWS\\MCBin\\AV\\Rt\\mgavrte.exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
    "Vshwin32EXE"="C:\\PROGRA~1\\PLUS!\\Viruscan\\VSHWIN32.EXE /NoSplash"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file


    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\CTStartup]
    "CTStartup"="\"C:\\PROGRAM FILES\\CREATIVE\\SBAUDIGY\\PROGRAM\\CTEaxSpl.EXE\" EAX.AVI"


    -====================-
    StubPaths - Registry (Partial Listing)
    -====================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "RealStubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"="\"C:\\Program Files\\Outlook Express\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
    "StubPath"=""
    "StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    scrnsave.exe=

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Hi RBennett89

    There are 3 items starting up that can be identified as Spy- or other foistware:

    New.Net, SP.dll, and Webhancer.

    Uncheck those three in your Msconfig's startup tab (Start/Run/msconfig), and reboot.

    Download Ad-Aware (http://www.lavasoftusa.com/index.html), have it check your drives and registry, check all found spyware files and keys, click 'Continue', and have them removed.

    Reboot again.

    As for New.Net, take a look here: http://forums.techguy.org/showthread.php?s=&threadid=58965&highlight=newdotnet

    And have you already tried to defrag in Safe Mode?

    Good luck,
     
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    And this is what HKEd discovered about SP.dll:

    This has been popping up more and more recently. Sp.dll is not a DLL - it's a REG file in disguise. One expert in this field thinks it may be a variant of the JS_Seeker trojan. This "DLL" contains this:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    "SearchURL"="http://www.jethomepage.com/ie/"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.jethomepage.com/ie/"
    "Search Page"="http://www.jethomepage.com/ie/"
    "Search Bar"="http://www.jethomepage.com/ie/"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
    "SearchURL"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.jethomepage.com/ie/"
    "Default_Search_URL"="http://www.jethomepage.com/ie/"
    "Search Bar"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"


    So definitely worth getting rid of.

    Greetz,
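Two observations in this thread lend themselves to an automated check: the startup log's `"sp"="regedit -s C:\\WINDOWS\\sp.dll"` entry, and HKEd's finding that sp.dll is a REG script rather than a DLL. The Python below is an added example, not a tool from this thread or from StartUp Log: it parses Run-key lines in the log's format, flags any that silently import a registry script, sniffs the target's header (MZ versus REGEDIT4) to detect the disguise, and lists the IE search URLs the script would set. The disk contents are constructed in-memory stand-ins (the sp.dll text is taken from the post above).

```python
import re
# Run-key lines as the StartUp Log above prints them (quoted from the thread).
RUN_KEY_LINES = [
    r'"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"',
    r'"sp"="regedit -s C:\\WINDOWS\\sp.dll"',
    r'"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"',
]
# Constructed stand-in for the disk: sp.dll holds (part of) the REG text the
# thread quotes for that file; NEWDOT~3.DLL is a constructed minimal PE header.
FAKE_DISK = {
    r"C:\WINDOWS\sp.dll": (b"REGEDIT4\r\n\r\n"
        b"[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]\r\n"
        b'"Search Page"="http://www.jethomepage.com/ie/"\r\n'),
    r"C:\WINDOWS\NEWDOT~3.DLL": b"MZ\x90\x00" + b"\x00" * 60,
}

def parse_run_entries(lines):
    """Yield (value name, command) pairs, undoing the doubled backslashes."""
    for line in lines:
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            yield m.group(1), m.group(2).replace("\\\\", "\\")

def silent_regedit_target(cmd):
    """Path handed to 'regedit -s' or 'regedit /s' (silent import), else None."""
    m = re.match(r"^regedit(?:\.exe)?\s+[-/]s\s+(.+)$", cmd, re.IGNORECASE)
    return m.group(1).strip() if m else None

def classify_header(data):
    """Judge the file by its first bytes, not by the extension it was given."""
    if data.startswith(b"MZ"):  # real executable/DLL image
        return "pe"
    return "regscript" if data.startswith((b"REGEDIT4", b"Windows Registry Editor")) else "unknown"

def ie_search_urls(reg_text):
    """URLs a REG script assigns to IE search settings (the hijack payload)."""
    return sorted(set(re.findall(r'"(?:Search[^"]*|Default_Search_URL)"="([^"]+)"', reg_text)))

def audit(lines, disk):
    """Flag Run entries that silently import a registry script and report what it changes."""
    findings = []
    for name, cmd in parse_run_entries(lines):
        target = silent_regedit_target(cmd)
        if target is None:
            continue
        kind = classify_header(data := disk.get(target, b""))
        findings.append({"entry": name, "file": target, "kind": kind,
                         "disguised": kind == "regscript" and not target.lower().endswith(".reg"),
                         "search_urls": ie_search_urls(data.decode("latin-1")) if kind == "regscript" else []})
    return findings
```

Against the three sample lines, only the `sp` entry is reported: a REG script named as a .dll, imported silently at every boot, pointing IE's search page at jethomepage.com.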
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    In addition to what Tony has covered, whenever defrag has a problem (such as constant restarting) you should try disabling all programs running in the background by end-tasking all but Explorer and Systray. Some people always seem to need to run defrag in safe mode. But that is an indication that something is conflicting -- not necessarily a virus.

    You should take a look at all the files you have loading at startup to see if they are really necessary.

    For example, this one:

    http://www.google.com/search?q=cach...l.co.uk/startup_pages/d.htm+dcfssvc.exe&hl=en

    This is a good site for evaluating them; click on the alphanumeric index for other searches.
     
  5. RBennett89

    RBennett89 Thread Starter

    Joined:
    Nov 15, 2001
    Messages:
    5
    Yes, it will run in safe mode, but I think I tried closing everything but Explorer and running it, and it didn't work, but I'm not sure; I'll try that again. My bigger concern was the fact that it used to run defrag no problem and I don't remember loading anything that should have affected that.
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,048
Short URL to this thread: https://techguy.org/59007