Status
Not open for further replies.

Registered · 18 Posts · Discussion Starter · #1
I have recently had several viruses on my computer and my startup was affected. I now load up Windows on a selective startup and there are several files that I do not wish to be there. Everything loads up fine now, but I don't want to unclick them and then have my computer screwed up again.

They are from a common startup group and the names are all different, like n4tyoc05.exe and morze5.exe, and the command line files are all deleted.
 

Registered · 45,855 Posts
The path to the "common startup group" in Win98 (also known as "global startup") is c:\windows\all users\start menu\programs\startup

If the files or shortcuts are there, just delete them; if they are shortcuts, the files are in another location and you need to right click on the shortcut link, select "properties" and find the path. Or you can just do a Find Files for them.
 

Registered · 18 Posts · Discussion Starter · #3
That got rid of most of them. Now I have xw7dfy00.exe in registry (per-user run), xw7dfy00.exe in registry (machine run), atipolab (machine service), and ssdpsrv (machine service).

I don't know if these are related to the viruses, but I don't want to take a chance.
 

Gone but Never Forgotten · 26,895 Posts
Hello willywilly and Rog:
I believe those files are spyware related. Is a HijackThis log in order?
 

Gone but Never Forgotten · 26,895 Posts
Ok, never mind. I see willywilly has another thread going with a Hijack log in it...
 

Registered · 18 Posts · Discussion Starter · #6
Here is my latest log:

Logfile of HijackThis v1.97.7
Scan saved at 1:24:48 AM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
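As an added illustration (not part of the thread, and not HijackThis's own code), a small Python parser for the O4 autostart lines in a log like the one above: it pulls the executable out of each Run/RunServices/Startup entry and reports anything not on a known-good list, with a heuristic flag for random-looking names like the ones in this thread. The sample log, the known-good list, the heuristic and the rendering of msconfig-disabled "Run-" keys are constructed assumptions.

```python
import re

# Constructed sample in HijackThis 1.97 O4 format (not the poster's full log): the
# clean lines mirror this thread's scan, one hypothetical entry mimics the random-named
# executables (n4tyoc05.exe, xw7dfy00.exe) the poster was asked about.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xw7dfy00] C:\WINDOWS\xw7dfy00.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
"""

# Executable stems the thread's helper judged clean (assumed list); anything else is reported.
KNOWN_GOOD = {"taskmon", "ati2cwxx", "statemgr", "msnmsgr", "e_srcv02"}

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*)(-?): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global |User )?Startup): (.*?) = (.*)$")

def exe_basename(command):
    """Lowercase file stem of the program in a command line ("C:\\dir\\foo.exe" /y -> foo)."""
    cmd = command.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def looks_random(stem):
    """Heuristic: a short name mixing letters and digits, like n4tyoc05 or morze5."""
    return (6 <= len(stem) <= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def parse_o4(log_text):
    """Yield (location, name, command) for every O4 autostart line in the log."""
    for line in log_text.splitlines():
        if m := REG_RE.match(line):
            hive, key, disabled, name, cmd = m.groups()
            # A trailing '-' would be the msconfig-disabled key from the thread (assumed rendering).
            yield f"{hive}\\{key}{disabled}", name, cmd
        elif m := STARTUP_RE.match(line):
            yield m.group(1), m.group(2), m.group(3)

def review_hijackthis(log_text, known_good=KNOWN_GOOD):
    """Return the O4 entries whose executable is not on the known-good list."""
    flagged = []
    for location, name, cmd in parse_o4(log_text):
        stem = exe_basename(cmd)
        if stem not in known_good:
            reason = "random-looking name" if looks_random(stem) else "not on known-good list"
            flagged.append({"location": location, "name": name, "exe": stem, "reason": reason})
    return flagged
```

Unknown entries still need a manual check of the file's path and vendor before anything is removed; the heuristic only orders what to look at first.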
 

Registered · 45,855 Posts
The scanlog you are posting is clean. However, I cannot see whatever you might have UNchecked in msconfig. Those entries from the OTHER scanlog in the "global startup" group will be removed from msconfig if you simply delete them from the folder they are in.

For the record it was this trojan:

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=TROJ_TOMADI.A

It has proven rather difficult for some, and required specialized advice. If you continue to have trouble with it, I will move your OTHER thread to the Security forum for further dealings with it.

You can clean this up by checking and "fixing" them.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
 

Registered · 18 Posts · Discussion Starter · #8
These are what's left unchecked in my msconfig startup:

xw7dfy00.exe in registry (per-user run)
xw7dfy00.exe in registry (machine run)
atipolab (machine service)
ssdpsrv (machine service)
 

Registered · 45,855 Posts
Go to Start and run regedit.

Navigate to these two keys:

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run-

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run- and RunServices -

Notice that the last folder in each of these keys is Run- or RunServices-.

The "minus" indicates disabled items removed from the "Run" folder. Just right click on those entries in the right hand pane and delete them.
 