ie virus changed my home page

Status
Not open for further replies.

keyla0405

Technical User
May 4, 2002
5
US
I received a virus called js.ie/start. I've followed Norton's removal instructions. I got the virus deleted, but I can't keep my default home page and search engine. I've gone into internet tools, tried putting in and use it as current. As soon as I reboot it resets to a pornographic page, the one I got from the virus. Then it sends a lot of pop ups at once trying to freeze the computer. I found in the regedit it changed my start and search page and next to default, under data it shows '"'. I've tried modifying the pages through regedit, but again, as soon as I reboot it changes the preferences back to that web page. How can I get my home page and search page back to normal? Thanks for any help you may be able to give me.
 
So you deleted the infected files? Run another scan and see if it's back. If you have 98 or ME you could restore the registry (scanreg /restore from dos) to the day before the infection if it was within the last 5 days of startups. If you have ME you could run system restore.

If you have 95, 98 or ME download Startlog.com from this link and run it. It'll create two text files on your desktop. Copy and paste the contents of Startlog to your reply here. It might show something relevant.

 
Kento,
I couldn't do the restore. I'm thinking I got the virus in March. It took a while for my virus scan to pick it up. Did you want me to copy and paste the startlog.com files here? Thanks in advance for all your help. It's really appreciated.
 
Here is the start up log and stub path txt
---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 05-04-2002 11:42:06.80p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Digital Dashboard"="C:\\Program Files\\Compaq\\Digital Dashboard\\DevGulp.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Service Connection"="c:\\cpqs\\bwtools\\sccenter.exe"
"SystemTray"="SysTray.Exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\NAVAPW32.EXE"
"NPROTECT"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\nprotect.exe"
"QD FastAndSafe"=""
"MSConfigReminder"="C:\\WINDOWS\\SYSTEM\\msconfig.exe /reminder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"QRIA"=dword:00000000


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CSINJECT.EXE"="C:\\Program Files\\Norton SystemWorks\\Norton CleanSweep\\CSINJECT.EXE"
"NPROTECT"="C:\\Program Files\\Norton SystemWorks\\Norton Utilities\\nprotect.exe"
"SymTray - Norton SystemWorks"="C:\\Program Files\\Common Files\\Symantec Shared\\SymTray.exe \"Norton SystemWorks\""
"GoBack Polling Service"="C:\\Program Files\\Roxio\\GoBack\\GBPoll.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Compaq Knowledge Center.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Watch.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Norton Disk Doctor.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\CleanSweep Smart Sweep-Internet Sweep.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Norton System Doctor.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\GoBack.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"QRIA"=dword:00000000


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@C:\WINDOWS\tmpcpyis.bat

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off


-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 80 05-04-02 4:36p
-=================-

[rename]
NUL=C:\WINDOWS\SYSTEM\EAREMOVE.EXE
NUL=C:\WINDOWS\SYSTEM\EAEXEC.EXE
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
---------- StubPath.txt

=========================================================
StartUp Log Full StubPath List - 05-04-2002 11:42:58.98p
=========================================================

Comments:

The application referenced by a StubPath entry is only run once
when Windows is started.
At that time a corresponding entry is automatically placed in the
HKCU\...Active Setup\Installed Components section of the registry.
This added entry tells Windows to ignore that particular StubPath
in all future start-ups.
Removing the added HKCU entry will make the StubPath active again.
A New User logging into Windows can also activate it.

This StubPath list is separate from StartUp.Log due to the large
number of registry StubPaths that are found on some computers.


 
I just got the Norton firewall. It detected that home page. It has it blocked for 30 minutes for now. I'm trying to find how to block it permanently. It reads: Default block bla trojan horse. The info above it says: tock.usask.ca(128.233.3.101) blocked for 30 minutes. The good news is it didn't change my home page.
 
Here is what it says in the event log:
Date: 5/5/2002 Time: 21:11:01
Rule "Default Block Bla Trojan horse" blocked (computer(216.201.37.190),1042). Details:
Inbound UDP packet
Local address,service is (computer(216.201.37.190),1042)
Remote address,service is (tock.usask.ca(128.233.3.101),time(37))
Process name is "N/A"
 
The fastest way to do it was just to clear your Temporary Internet Files. The script executes from there. Also, check this registry key for information:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

This is what the virus modifies. Probably runs from a .HTA or .REG file so be on the lookout for those files being executed automatically.

AVChap

 
keyla, your startlog doesn't show where it's coming from. It might be in your TIF folder as AVchap suggested. What's listed when you do a ctrl + alt + del?

By the way, you're getting a window at startup referring to selective startup right? That's what this entry is for:

"MSConfigReminder"="C:\\WINDOWS\\SYSTEM\\msconfig.exe /reminder"

There should be a box on that message that appears where you can check to not show the message again. Check that box.
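
Added example, not part of the thread and not code from the StartUp Log tool: a small Python triage pass over a log in the layout posted above. It lists Run-key autostarts, flags ones launched from temp or browser-cache folders (an assumed heuristic), and checks the win.ini, system.ini and shell-spawning values against the baselines the log itself states. The sample log and every function name are constructed for illustration.

```python
import re

# Constructed excerpt in the StartUp Log layout posted in this thread; the
# "updater" entry, load= value and exefile command are invented for the example.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"updater"="C:\\WINDOWS\\TEMP\\upd.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

run=
load=C:\WINDOWS\TEMP\upd.exe
shell=Explorer.exe

@="example.exe \"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)
'''

SECTION = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
SPAWN = re.compile(r'^\(\.(\w+) file - RegPath = (HKCR\\\w+\\shell\\open\\command)\)$')
# Open commands as they appear in the log posted above, used as the baseline.
EXPECTED_SPAWN = {'exe': '"%1" %*', 'com': '"%1" %*', 'bat': '"%1" %*',
                  'pif': '"%1" %*', 'scr': '"%1" /S'}
# Assumed heuristic: autoruns launched from temp or browser-cache folders.
TEMP_HINTS = ('\\temp\\', '\\temporary internet files\\')


def unescape(value):
    # Undo .reg-style escaping (doubled backslash, backslash-quote).
    return re.sub(r'\\(.)', r'\1', value)


def parse_autoruns(log_text):
    """Return (key, name, command) for string values under Run* keys."""
    entries, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        section, value = SECTION.match(line), VALUE.match(line)
        if section or not line:
            key = section.group(1) if section else None  # blank line ends a section
        elif value and key and key.rsplit('\\', 1)[-1].startswith('Run'):
            entries.append((key, value.group(1), unescape(value.group(2))))
    return entries


def autoruns_from_temp(entries):
    return [e for e in entries if any(h in e[2].lower() for h in TEMP_HINTS)]


def baseline_findings(log_text):
    """Flag win.ini, system.ini and shell-spawning values off the baseline."""
    findings, pending = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        low, spawn = line.lower(), SPAWN.match(line)
        if low.startswith(('run=', 'load=')) and line.split('=', 1)[1].strip():
            findings.append(('win.ini', line))
        elif low.startswith('shell=') and low != 'shell=explorer.exe':
            findings.append(('system.ini', line))
        elif line.startswith('@="') and line.endswith('"'):
            pending = unescape(line[3:-1])  # open command; file type follows
        elif spawn and pending is not None:
            want = EXPECTED_SPAWN.get(spawn.group(1))
            if want is not None and pending != want:
                findings.append((spawn.group(2), pending))
            pending = None
    return findings


if __name__ == '__main__':
    print(autoruns_from_temp(parse_autoruns(SAMPLE_LOG)), baseline_findings(SAMPLE_LOG))
```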

 
This is the jsseeker virus, and it resides in your temporary internet files. Go to A DIFFERENT PAGE, delete all of your temporary internet files, and change your start page, and run a scan... FatesWebb

if you do what I suggested it is not my fault...
 
I believe it's JS/IEStart.gen. Just follow FatesWebb's suggestion and you'll do just fine.

AVChap
 
Yeah, my bad. IEStart is a generic detection for viruses like JS/Seeker, which change your start page... which he did say it was IEStart, but it is practically the same thing.. you should be glad you didn't get a meaner virus really because it isn't really a virus with a damaging payload.. so you haven't been hit too hard by it. Just annoying if anything. I hate it when that happens hehe..

FatesWebb

if you do what I suggested it is not my fault...
 
See the original post guys:

"I received a virus called js.ie/start. I've followed Norton's removal instructions. I got the virus deleted, but I can't keep my default home page and search engine. I've gone into internet tools, tried putting in and use it as current. As soon as I reboot it resets to a pornographic page, the one I got from the virus. Then it sends a lot of pop ups at once trying to freeze the computer. I found in the regedit it changed my start and search page and next to default, under data it shows '"'. I've tried modifying the pages through regedit, but again, as soon as I reboot it changes the preferences back to that web page. How can I get my home page and search page back to normal?"
 
keyla, I doubt you are but if you're still looking in on this thread, change the homepage through the registry FIRST and NOT through internet options and then run another virus scan and delete all the infected files. Then restart and see if it holds.
 