John...help!


Strider
01-12-2004, 01:08 PM
http://www.hatrack.com/ubb/cgi/ultimatebb.cgi?ubb=get_topic;f=2;t=020741

i started this thread at Hatrack and was wondering if you knew anything i could do. you can reply here, i just didn't feel like retyping it.

Nick
01-12-2004, 02:37 PM
Well, you could just highlight the whole text and press ctrl+c (copy) and then press ctrl+v in the text field. :P ;)

Reading your post though, I have to say that the same thing happened on my parents' computer. It was exactly as you said. The system32 folder opened up every time the computer booted. Since my parents got a new computer and gave that one to my sister who is in college, they just had me reformat the hard drive. That fixed it. ;)

I don't know how to fix something like that. Norton didn't see it on my parents' computer either. Norton doesn't see a lot of things. Sorry, wish I could help you out. :(

GreNME
01-12-2004, 09:46 PM
Okay, I need to know what OS you're running. Is it XP? If so, and you have gotten rid of the virus, you may not have gotten rid of a registry key that the virus wrote to your registry. Go to this link (http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml), download the software called "Autoruns," and then list all of the programs that it lists that start up automatically. From there, I can tell you which you need to delete. If you can, update your antivirus as well (just in case, I know most do it automatically). The program I linked to will help find out which autostart key is causing the problem, and it's most likely something a virus left behind.

Strider
01-12-2004, 09:53 PM
cool, i'll take a look. i got rid of the ie search bar. i then got rid of the system32 folder from popping open on start up. but the virus or whatever is definitely still there.

i'll get back to you.

thanks man. i knew there was a reason we call you the sexy dictator. or is that just me? Don't tell Kira... :ph34r:

GreNME
01-12-2004, 10:24 PM
What antivirus do you use? They are not all created equal, you know.

Leonide
01-12-2004, 10:51 PM
Don't tell Kira...

what did i tell you?

he's gotta meet his quota

Strider
01-13-2004, 11:40 AM
Shut up You! :P

I use Norton Corporate.

Strider
01-13-2004, 12:08 PM
here's the autoruns log. and it is XP btw. So let me know what you think.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

+ C:\WINDOWS\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

+ Explorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

+ C:\Program Files\Norton Personal Firewall\IAMAPP.EXE

+ C:\Program Files\NavNT\vptray.exe

+ %systemroot%\system32\dumprep 0 -k

+ "C:\Program Files\QuickTime\qttask.exe" -atboottime

+ C:\WINDOWS\system32\NeroCheck.exe

+ c:\program files\winfavorites\WinFavorites.exe 1

+ C:\WINDOWS\CNU.exe

+ C:\WINDOWS\Belt.exe

+ C:\WINDOWS\System32\cefeqfal.exe

+ C:\WINDOWS\System32\xxlelrpj.exe

+ C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

+ c:\WINDOWS\System32\

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

+ C:\WINDOWS\System32\ctfmon.exe

+ C:\Program Files\AIM95\aim.exe -cnetwait.odl

+ "C:\Program Files\Messenger\msmsgs.exe" /background

+ c:\WINDOWS\System32\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

+ Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

+ InterVideo WinCinema Manager.lnk -> C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

+ Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE

C:\Documents and Settings\Greg\Start Menu\Programs\Startup

+ DLHelperEXE.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

+ PostBootReminder -> C:\WINDOWS\system32\shell32.dll

+ CDBurn -> C:\WINDOWS\system32\shell32.dll

+ WebCheck -> C:\WINDOWS\system32\webcheck.dll

+ SysTray -> C:\WINDOWS\system32\stobject.dll

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

HKCU\Software\Policies\Microsoft\Windows\System\Scripts

HKLM\Software\Policies\Microsoft\Windows\System\Scripts

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

C:\WINDOWS\win.ini

Task Scheduler

TheTick
01-13-2004, 06:40 PM
Looks like that belt.exe is some kind of adware.

Symantec's info on it. (http://securityresponse.symantec.com/avcenter/venc/data/adware.binet.html)

GreNME
01-13-2004, 09:19 PM
Indeed, I would suggest that you download and install Spybot: Search & Destroy (http://tomcoyote.org/SPYBOT/index1.php) for your computer, and that may help you get rid of the offending startup processes. However, you can go to this page (http://www.merijn.org/downloads.html) and download "HijackThis" and "CWShredder" from the list, and try using them to remove the offending program. However, if you continue to have problems, and the Symantec site is not helpful, give me a yell again, and I will walk you through it.

Strider
01-13-2004, 10:44 PM
well, i use spybot and ad-aware on a regular basis. i got that shredder thing the other day. so now I have that too. :)

and none of that worked. i'll try hijack this now i guess.

and i got rid of that belt thing too earlier.

i'm slowly cleaning up this machine. Soon...

Thanks for all the help guys.

Strider
01-15-2004, 12:40 PM
i used hijack this and got the log file. but i'm not completely sure what to fix. some things seem obvious to me, but i may be wrong. and there's more too that i'm not sure about. so if any of you guys could take a look and let me know, that would be much appreciated. i'd rather wait to hear from one of you than just go ahead and do it myself.

Logfile of HijackThis v1.97.7
Scan saved at 1:39:11 PM, on 1/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hatrack.com/ubb/cgi/ultimatebb.cgi?ubb=forum&f=2&submit=Go
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {555E96D3-ED0E-DDA4-80FA-CFE19CBAC8F4} - C:\WINDOWS\system32\lviouwau.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AAC72EF6-ABEF-A5E3-54F6-AF1DFB0AAF8E} - C:\WINDOWS\system32\dbhegyhx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe 1
O4 - HKLM\..\Run: [CNU] C:\WINDOWS\CNU.exe
O4 - HKLM\..\Run: [gozkagtw] C:\WINDOWS\System32\cefeqfal.exe
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\xxlelrpj.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37602.7454166667
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://atlantisfortune.microgaming.com/atlantisfortune/FlashAX.cab

Kama
01-15-2004, 01:32 PM
I figured it out.

Loosely translated, it means:

Greg is a monkey. Vodka is good for you. Kill the squirrels.

GreNME
01-15-2004, 09:52 PM
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe 1
Well, that sent up a red flag. Do you have some kind of program called "Winfavorites" or something? Apparently, your computer thinks you do, and is trying to start something with an improper file extension. That is, unless the ".exe1" part is a typo on your part. If it is not a typo on your part, follow the next directions very carefully: Open a run window (windows key + R, or start>run), and type "regedit"
In the RegEdit window that pops up, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Under the "name" column, look for "WinFavorites" or "WinFavorites.exe" on the list, or look in the "data" column for "c:\program files\winfavorites\WinFavorites.exe 1" in the list.
When you find that entry, click it once in the "name" column to highlight it.
Then right-click it and select "remove"

After you do this, go to your start menu, navigate to the control panel, and go to "Add/Remove Programs." In the window that opens up, look for something called "WinFavorites" in the list, select it, and click the "Remove/Change" button. If that is not listed in the "Add/Remove Programs" section, navigate to the Program Files folder in your C drive, and look for the folder called "winfavorites" which should be near the end (alphabetically listed, and all). If there is such a folder there, I want you to list for me every file that is in there. If you see only one or two files, go to tools>folder options in your explorer (or My Computer) window, and in the menu window that comes up, click the view tab, and look for "Hidden files and folders," and select "Show hidden files and folders." If you still only see a few files, then list them for me here, and I will tell you what to do from there.

Also, go once again to your start menu, go to "All Programs," and find the "startup" folder. Mouse over to it, and it will list some processes that start up automatically for you when Windows starts. If there is a "WinFavorites" icon there, right-click and select delete.

Save unfinished work, shut off everything else and reboot.

Let me know how things turn out.

Nick
01-16-2004, 01:33 AM
So John, I have this annoying quicktime system tray program that I have to shut down every time I start my computer. Can I remove those from the path you listed? Here is mine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In there I have:
Winamp Agent
Quicktime Task
Nero Filter Check
Adaptec DirectCD

I only want the direct CD there, so can I delete the other ones?

Strider
01-16-2004, 01:42 AM
what about the two of these:

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

what are they doing?

GreNME
01-16-2004, 03:38 PM
Nick, you can remove the Quicktime task and if you really don't want it there, the WinAmp one. However, if you have Nero installed, you want to keep the Nero Filter Check. You may also want to check your startup folder under programs in the start menu.


Greg: Yes, you can remove both of those. I skimmed right past those, and didn't think about that command opening an explorer window with that. You should stop getting the window opening up for you if you remove those entries. However, if that was not a typo in the last list of startup entries, you should still get rid of that sketchy .exe1 file as well. Do you have a program called WinFavorites that you installed?
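
The checks the replies above make by eye (a Run value with a blank name, a Run value whose target is a folder rather than a program, a BHO with no name or no file, a program autostarting from inside the Windows folder) can be scripted so the whole log is screened in one pass. The script below is an added example; it is not code from HijackThis, Autoruns or anyone in this thread. It assumes the HijackThis 1.97 line format as posted above, the sample log inside it is constructed (modelled on the entries in the posted log), and `KNOWN_SYSTEM32_AUTOSTART` is a deliberately short, constructed allow-list of Windows components that genuinely start from system32. Entries that pass these structural checks (WinFavorites.exe, for instance, which the thread identified by looking it up in a vendor database) still need that kind of lookup; the script only narrows the review list.

```python
"""Triage helper for HijackThis-style log lines (added example, not code
from HijackThis, Autoruns or this thread).  It applies the structural
checks a reviewer makes by eye to the O2 (browser helper object) and
O4 (registry Run value) lines and returns the entries worth a closer look."""
import re
from dataclasses import dataclass

# HijackThis 1.97 line shapes, as posted in the thread.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")

# The Windows folder as a log may spell it (matched against lower-cased paths).
_WIN = r"(?:[a-z]:\\(?:windows|winnt)|%systemroot%|%windir%)"
WIN_TREE_RE = re.compile(_WIN + r"\\")                    # anywhere under the Windows folder
WIN_ROOT_FILE_RE = re.compile(_WIN + r"\\[^\\]+$")       # a file directly in the Windows folder
SYSTEM32_FILE_RE = re.compile(_WIN + r"\\system32\\[^\\]+$")

# Constructed, deliberately incomplete allow-list of Windows components that
# legitimately autostart from system32; anything else found there is listed.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "userinit.exe", "dumprep"}


@dataclass
class Finding:
    line: str
    reason: str


def split_command(cmd):
    """Separate the program path from its arguments in a Run value's data.
    Handles a quoted path, an unquoted path containing spaces (cut after
    '.exe'), and a bare command with no extension (cut at the first space)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[: m.end()], cmd[m.end():].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def check_run_value(line, name, cmd):
    out = []
    exe, _args = split_command(cmd)
    lower = exe.lower()
    if not name.strip():
        out.append(Finding(line, "Run value with a blank name"))
    if lower.endswith("\\"):
        out.append(Finding(line, "target is a folder, not a program; Explorer opens it at logon"))
    elif WIN_ROOT_FILE_RE.match(lower):
        out.append(Finding(line, "program sits directly in the Windows folder"))
    elif SYSTEM32_FILE_RE.match(lower) and lower.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTOSTART:
        out.append(Finding(line, "non-Windows program autostarting from system32"))
    return out


def check_bho(line, name, path):
    lower = path.strip().lower()
    if lower == "(no file)":
        return [Finding(line, "BHO registered but its file is missing")]
    if name.strip().lower() == "(no name)" and WIN_TREE_RE.match(lower):
        return [Finding(line, "unnamed BHO loaded from the Windows folder tree")]
    return []


def triage(log_text):
    """Return the Finding list for every O2/O4 line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend(check_run_value(line, m["name"], m["cmd"]))
            continue
        m = O2_RE.match(line)
        if m:
            findings.extend(check_bho(line, m["name"], m["path"]))
    return findings


# Constructed sample log, modelled on the entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {555E96D3-ED0E-DDA4-80FA-CFE19CBAC8F4} - C:\WINDOWS\system32\lviouwau.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe 1
O4 - HKLM\..\Run: [CNU] C:\WINDOWS\CNU.exe
O4 - HKLM\..\Run: [gozkagtw] C:\WINDOWS\System32\cefeqfal.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the constructed sample this lists the two blank-name folder entries (twice each, once per rule), CNU.exe in the Windows root, cefeqfal.exe in system32, and three BHOs, while vptray, ctfmon, dumprep, the Acrobat helper and the Google toolbar pass. `split_command` reports `WinFavorites.exe 1` as the program `WinFavorites.exe` with the argument `1`, which is how HijackThis displays a Run value's full command line.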

TheTick
01-16-2004, 04:08 PM
Winfavorites is a virus (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINFAVS.A), albeit non-destructive. Kick it to the curb.

Strider
01-16-2004, 04:41 PM
if i did, i got rid of it a while ago. i went and deleted that bogus exe1 thing. and got rid of the two system32 start up commands.

i'm about to reboot and keeping my fingers crossed. :)

GreNME
01-16-2004, 08:04 PM
Thanks for the heads-up, Tick. I didn't look for a definition of the file.

Oh, my: Compiled using Visual Basic...
The author should be embarrassed.

TheTick
01-19-2004, 10:41 AM
No problem. When I get home, my current PCWorld has a link to a website that lists most things you'll see in startup, and what they are. Very handy in a situation like this.

Strider
01-20-2004, 02:33 PM
it's still around. and just like before, everything will be fine, and then my norton antivirus will pop up, telling me it's found and quarantined a virus in my "temp internet files/content.ie5" directory, and then my system32 folder pops open.

TheTick
01-20-2004, 04:35 PM
Does it list what virus is being quarantined?

Strider
01-20-2004, 06:21 PM
py[1].exe

it lists it as a "download.trojan"

it's always the same thing but in a different folder in the content.ie5 directory.

which i can't for the life of me seem to access at all.

TheTick
01-21-2004, 09:47 AM
I'm still researching...

One suggestion I've seen to get rid of the download.trojan is to try safe mode, and run your virus software there.

GreNME
01-21-2004, 01:57 PM
You have a polymorphic virus, which tends to reside in memory and rewrite itself at every reboot and shutdown. I would suggest that, along with keeping your Norton Antivirus on the machine, that you go download AVG Antivirus (http://www.grisoft.com/us/us_dwnl_free.php) and install that as well. It's free, and not quite as comprehensive (or feature-rich) as Norton, but it doesn't get deactivated by this virus like your Norton apparently is.

This isn't the only option, it's just the best one I can give you without having you bring your machine (or just the hard drive) to me for me to manually clean it out for you.

+ c:\program files\winfavorites\WinFavorites.exe 1

+ C:\WINDOWS\CNU.exe

+ C:\WINDOWS\Belt.exe

+ C:\WINDOWS\System32\cefeqfal.exe

+ C:\WINDOWS\System32\xxlelrpj.exe
The bolded ones are definitely viruses, and the italicized ones may or may not be (I didn't research the file names). Your Norton A/V isn't catching some programs before they start up when you turn the machine on.

Strider
01-21-2004, 02:43 PM
This isn't the only option, it's just the best one I can give you without having you bring your machine (or just the hard drive) to me for me to manually clean it out for you.


It'd be a good excuse to hang out though, eh?

Leonide
01-21-2004, 07:10 PM
Anyway, it's been a while, john!

Greg and I don't get to see Hatrackers anymore. :(

GreNME
01-21-2004, 07:23 PM
Hey, you bring the vodka, I'll grab the kaluha, we can get a few others together and have a small party. :-) I can even supply a place for you to sleep if you think it'd help.

Strider
01-21-2004, 07:51 PM
hmmm...this sounds like an intriguing idea.

and i like intriguing ideas...

Leonide
01-21-2004, 10:51 PM
Let's DO EET!!!

Party at Leto's house!

:ph34r: :blink: B) :rolleyes: :ph34r:

Kamila
01-22-2004, 01:04 AM
Can I come?

GreNME
01-22-2004, 09:05 AM
What can you bring?

HotKama
01-22-2004, 09:27 AM
Myself.

:ph34r:

GreNME
01-22-2004, 01:18 PM
Good enough for me. Yeah, you're invited.

Leonide
01-22-2004, 01:45 PM
Greg and I seriously want to do this, Johnny boy. And if we plan something we should try to get other jersey/new york/pa area hatrackers involved. cause like i mentioned before, we haven't met any new hatrackers since the philly thing at Dave and Busters. And Godric doesn't even post anymore!

Strider
01-22-2004, 01:51 PM
well, i talked to John last night about it, and he'll get back to us when he's got a better idea of when he'll be free. :)

Kama
01-22-2004, 01:57 PM
May I suggest August? :angry:

Strider
01-22-2004, 02:05 PM
you can live vicariously through the pictures we post. :P

don't worry Kamila, we'll do it in August too.

John and I just live close enough that there's no reason we don't hang out more often.

I figured this would be a more low key just hanging out thing, than a full-blown Hatrackian/Grenmetic get-together.

Kama
01-22-2004, 02:14 PM
I want to do "a more low key just hanging out thing" too :angry:

Leonide
01-22-2004, 04:56 PM
really? thanks for letting me know, BOYFRIEND

john and you live so close together? Did i miss the part where I moved to Kentucky? :angry:

kama, get your polish bottom over here and you and i will have a more low-key just hanging out thing. stupid boys.