Cyber Tech Help Support Forums > Operating Systems > Older Windows Versions > Windows 98
  #1  
November 16th, 2001, 12:29 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Recovery From Virus

My computer was acting very strange last week.
Symptoms: Task bar locking up and some icons disappearing. Launch time for IE from desktop 30 sec. Opening Control Panel from the Start menu 30 sec. Strangely, opening both from the Windows Explorer menu was immediate. Did a virus scan through Housecall. A Trojan Hybris was found with around 8 infected files. The virus scanner allowed deletion of all the files except the Wsock32.dll file, which I had to restore. Using Housecall's free scan plus a newly installed Norton anti-virus comes up virus free. However I still have all the symptoms plus more. Have to use Ctrl Alt Del a lot, which is also slow. Some lockups in IE. Last night I had to wait almost a minute to reset the clock, which had changed to am. Have tried a lot of cures. Just read your "Dealing with trojan paralyzed systems" and I'm going to try the link with the Zip files for corrections. My computer is an HP Pavilion 366 with 64MB RAM and a 6.4GB hard drive. Win98 with IE 5.5. Anyone with similar computer problems?
  #2  
November 16th, 2001, 02:34 AM
HKEd
Hijack Advisor
 
Join Date: Nov 2000
Location: Hong Kong
Posts: 805
Hi JohnD...welcome to CTH.

For the moment, the only file you need to download from that site is Startup Log. It generates a StartLog.txt file showing all known trojan startups. Copy and paste the contents here for analysis. You can delete the StubPath.txt file that is also generated.
__________________
Sign the ONE Declaration
  #3  
November 16th, 2001, 03:30 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Hi HKEd, thanks for the info. Here are the results for StartLog. The Exefix reported "restored correct registry entry". JohnD
-------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 14/11/2001 22:14:08.08
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"AtiCwd32"="Aticwd32.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Keyboard Manager"="C:\\Program Files\\Netropa\\One-touch Multimedia Keyboard\\MMKeybd.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"
"webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM\\HPScanFix.exe"
"EAPCISetup"="c:\\windows\\SYSTEM\\wizard.exe c:\\windows\\SYSTEM"
"CC2KUI"="c:\\windows\\SYSTEM\\Comet\\Bin\\comet.exe"
"mgavrtclexe"="c:\\windows\\MCBin\\AV\\Rt\\mgavrtcl.exe"
"NAV DefAlert"="C:\\PROGRA~1\\NORTON~1\\DEFALERT.EXE"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"Norton eMail Protect"="C:\\Program Files\\Norton AntiVirus\\POPROXY.EXE"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Display Controls"="RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY"
"Windows Version Check"="C:\\WINDOWS\\SYSTEM\\ver_chk.exe"
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"msbb"="C:\\PROGRAM FILES\\N-CASE\\MSBB.EXE"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"EncMonitor"="C:\\Program Files\\Encompass\\Monitor.exe"
"mgavrtclexe"="c:\\windows\\MCBin\\AV\\Rt\\mgavrte.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"
"ScriptBlocking"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Script Blocking\\SBServ.exe\" -reg"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file



@echo off


REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT

path c:\windows;c:\windows\COMMAND

mode con codepage prepare=((850) c:\windows\COMMAND\ega.cpi)
mode con codepage select=850
keyb br,,c:\windows\COMMAND\keyboard.sys

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-

DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@ECHO OFF
REM TO MAKE A DOS BOOT DISKETTE; SEE THE FILE C:\DOSBOOT\DOSBOOT.TXT

SET PATH=C:\WINDOWS\COMMAND
C:\WINDOWS\SMARTDRV /Q

LH C:\WINDOWS\COMMAND\MSCDEX /D:IDECD000 /L:M

SET MOUSE=C:\IMOUSE
C:\IMOUSE\IMOUSE

SET PROMPT=$P$G
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

REM CONFIGURE THE SOUND CARD
C:
CD \WINDOWS\SYSTEM
SET BLASTER=A220 I5 D1 T4
REM RIPUTIL /A220 /I5 /D1 /RI10 /UNMUTE
CD \WINDOWS

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=c:\windows\TEMP
TEMP=C:\windows\TEMP
winbootdir=C:\WINDOWS
COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;c:\windows;c:\windows\COMMAND;C:\WINDOWS;C:\WINDOWS\COMMAND
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -
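The StartLog output above is regular enough to be checked mechanically. As an added example (not rmbox's StartLog code and not from anyone in this thread), the Python below parses a constructed excerpt in that format, collects the registry Run entries for review, and checks the baselines the log itself documents: empty win.ini run=/load= lines, shell=Explorer.exe in system.ini, and the stock open commands for executable file types. The excerpt and the `example.exe` path in it are constructed.

```python
import re
# Constructed excerpt in StartLog's output format (not the full log posted above);
# the load= line is deliberately non-empty so the baseline check fires.
SAMPLE_LOG = r'''1. HKLM Run - Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"
7. WIN.INI File - (c:\windows\win.ini)
run=
load=c:\windows\example.exe
8. SYSTEM.INI File - (c:\windows\system.ini)
shell=Explorer.exe
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)'''

SECTION_RE = re.compile(r'^\d+\. ')                # "1. HKLM Run - Registry"
KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')           # "[HKEY_LOCAL_MACHINE\...\Run]"
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')      # "Name"="command"
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.IGNORECASE)
OPEN_RE = re.compile(r'^@="(.*)"$')                # shell\open\command default value
EXT_RE = re.compile(r'^\((\.\w+) file - RegPath')  # "(.exe file - RegPath = ...)"
# Baselines the log itself states (empty run=/load=, shell=Explorer.exe) plus the
# stock Win9x open commands for executable file types.
EXPECTED_OPEN = {'.exe': '"%1" %*', '.com': '"%1" %*', '.bat': '"%1" %*',
                 '.pif': '"%1" %*', '.scr': '"%1" /S'}

def unescape(value):
    # Undo REGEDIT4-style escaping: a backslash quotes the following character.
    return re.sub(r'\\(.)', r'\1', value)

def parse_startlog(text):
    """Return (startups, findings); startups are (regkey, name, command) tuples."""
    startups, findings, key, pending_open = [], [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION_RE.match(line) or line.startswith('-='):
            key = None                               # new section: stop attributing entries
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := ENTRY_RE.match(line)) and key:
            startups.append((key, m.group(1), unescape(m.group(2))))
        elif (m := INI_RE.match(line)):
            k, v = m.group(1).lower(), m.group(2).strip()
            if k in ('run', 'load') and v:
                findings.append(f'win.ini {k}= should be empty, found: {v}')
            elif k == 'shell' and v.lower() != 'explorer.exe':
                findings.append(f'system.ini shell= should be Explorer.exe, found: {v}')
        elif (m := OPEN_RE.match(line)):
            pending_open = unescape(m.group(1))      # held until the "(.ext file" line
        elif (m := EXT_RE.match(line)) and pending_open is not None:
            if (ext := m.group(1).lower()) in EXPECTED_OPEN and pending_open != EXPECTED_OPEN[ext]:
                findings.append(f'{ext} open command changed: {pending_open}')
            pending_open = None
    return startups, findings
```

Feed it the text of a real StartLog.txt and read the returned startup list alongside the findings; the Run entries still need a human to judge, as HKEd does in the next post.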
  #4  
November 16th, 2001, 04:11 AM
HKEd
Hijack Advisor
 
Join Date: Nov 2000
Location: Hong Kong
Posts: 805
JohnD...there's no trojan startup there, but there is a lot of spyware:

"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~3.DLL,NewDotNetStartup"

A truly nasty piece of "foistware" that piggybacks other programs such as Kazaa and is installed without your knowledge or consent. More info HERE.

"webHancer Agent"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""

Yuck. Modifies the Windows sockets configuration. Read THIS.

"CC2KUI"="c:\\windows\\SYSTEM\\Comet\\Bin\\comet.exe"

More yuck. This is probably where WebHancer came from.

"msbb"="C:\\PROGRAM FILES\\N-CASE\\MSBB.EXE"

Another nasty. Have a look HERE.

WebHancer, New.Net and MSBB all hook themselves into Windows files in ways that make them very difficult to remove for the average computer user. You could easily lose internet connectivity with a wrong move. What I suggest you do is disable them from starting. Go to Start > Run > type msconfig and OK it. Click on the Startup tab and uncheck the four programs I highlighted. Reboot. Any improvement?

BTW, there should have been a StubPath section in the StartLog. Did you edit it out? I need to see that also to be sure. It's the stubpath.txt file that is unnecessary, not the stubpath part of StartLog.

Have a good read of the links I posted and let us know if you're experienced enough to go through the uninstall procedures outlined.
  #5  
November 19th, 2001, 03:27 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Finally got my computer back on the mend.
Reading through a lot of posts and tips in this forum it appeared that the Start Up registry could be my problem. Unchecked all the entries except for System Tray, Scan Registry, and Keyboard. Rebooted and I was back in business. Rechecked my antivirus. Thanks to all.
  #6  
November 19th, 2001, 03:49 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Hi HKEd, just saw your reply after I posted that I had my computer back. Didn't realize the problem with those piggybacks that came along with Kazaa, although I did have ezulamain unchecked in the Start Up. I will check out the links you gave me. Yes, I did edit out the StubPath. My misunderstanding. JohnD
  #7  
November 19th, 2001, 05:12 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Hello again HKEd, I downloaded "ad-aware" and removed those "foistwares". Adding the StubPath for your viewing. Thanks so much.
Noticed your last post was dated Nov 15 but I didn't see it till Nov 18. Maybe I wasn't logged in/out properly. JohnD
  #8  
November 19th, 2001, 08:39 AM
HKEd
Hijack Advisor
 
Join Date: Nov 2000
Location: Hong Kong
Posts: 805
Hi again JohnD...I was wondering why we hadn't heard back from you. Good move with using msconfig to disable as many startups as possible. Strange you didn't see my post from nearly three days ago.

Did AdAware deal with New.Net? There are conflicting opinions posted around the net as to whether or not it can deal with it. One recent thing I read indicated that the Lavasoft people were now satisfied that New.Net had cleaned up its act and no longer regarded it as spyware. But there are still many computers "infected" with the old New.Net foistware. Anyway, just taking these buggers out of the startup group should help. I doubt there's anything malicious in the StubPath portion of StartLog, but there's no harm in having a look. Ermmmm...you forgot to post it.
  #9  
November 19th, 2001, 10:52 PM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Hi HKEd, I deleted new.net using Add/Remove Programs as Ad-aware wasn't mentioned till your next link. It certainly did a job on the others. Sorry about the StubPath post. It was around midnight last eve when I was replying and I should have been getting ready for bed. Have to have some excuse!
I'll post it here. Thanks JohnD
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="c:\\windows\\COMMAND\\sulfnbk.exe /L"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"StubPath"=""
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\Progra~1\\Online~1\\MSN\\msnmig.exe"

-=================-
  #10  
November 20th, 2001, 09:07 AM
HKEd
Hijack Advisor
 
Join Date: Nov 2000
Location: Hong Kong
Posts: 805
Nothing abnormal in the stubpaths, JohnD. All looks clean now.
  #11  
November 21st, 2001, 01:41 AM
JohnD
New Member
 
Join Date: Nov 2001
Location: Nova Scotia
Posts: 10
Hi HKEd Thanks again for all the help.
Regards JohnD