''eplorer'' virus? trojan? Not according to Norton
Showing all messages in thread #1059087917 Windows 98 Annoyances Discussion Forum
The following are all of the messages in this thread (24 in all), shown in chronological order.
''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 4:05 pm Posted by dustin
(4 messages posted)
I cut my computer on the other day & as soon as windows loaded the dial-up connection
popped up wanting me to connect. It's never done this before so I did a little piddling
and found out a new program was starting up at start up called "eplorer" (not misspelled).
It doesn't show up on the ctrl-alt-del box so I can't shut it down that route. It does
show up with spybot (tools-tasks running, not spyware search) but it won't allow me
to kill it either. It can't be deleted from the windows/system folder because it's
"in use by windows". I've run regcleaner & removed it from the startup list only
to have it reappear 5 min. later. It shows up in regcleaner as "winsock2 driver"
under program & "eplorer.exe" under filename in the startup list. Here's the really
annoying part: I figured since I couldn't get rid of it through these programs I would
tackle it in the registry editor. But when I open the editor it pops up on the screen
for maybe 3 seconds then closes, so that route seems hopeless. I researched a bit
& found something about a trojan that runs "eplorer" but it also lists several other
files that are installed & those files are not on my comp. I ran Norton (with all
updated definitions) & it showed up nothing, so I ran an online virus scanner & an
online trojan scanner which both came up nothing. So basically I was wondering if
anybody has any idea what this could be & also if anyone could suggest a good freeware
registry editor. I'm thinking that if it is "evil" & keeping me from running windows
regedit (which seems to be the case), maybe a second party editor would be able to
get around it and allow me to delete the key. Any help would be GREATLY appreciated
because I'm at a loss here.
Thanks~~Dustin~~
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 4:44 pm Posted by WhitPhil
(703 messages posted)
Download and run HiJackThis, and post the contents of the log back here.
http://www.tomcoyote.org/hjt/
***ENSURE that you select the option at the bottom of the reply box that says "Check
this box to preserve your spacing......"
This will allow us to review all areas where trojans/viruses can start from and recommend
a deletion process.
Also, when you run NAV you should send the file into Symantec for analysis. And if
it indicates that all is well, REsend it with an explanation. It would appear that
you are the "lucky" recipient of a brand new virus.
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 5:38 pm Posted by dustin
(4 messages posted)
Logfile of HijackThis v1.95.1
Scan saved at 8:36:39 PM, on 7/24/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\EPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\3CMLNKW.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://tm.ask.com/r?t=c&s=a&sv=0&id=10990&u=http://www.ask.com/index.asp?origin=7051
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {8EDAB5C0-B061-11d1-801D-204C4F4F5020} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {09445DC0-42DD-11D7-ACE9-444553540000} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Winsock2 driver] EPLORER.EXE
O4 - Startup: 3CMLNKW.EXE
O4 - Startup: SYSTRAY.EXE
O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\Planner\PLNRnote.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/930260cd062fd5/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37638.1084837963
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
There it is. I also noticed that there is nothing referring to Norton & all my shortcuts
and such for it have disappeared as though it has been uninstalled!!! While waiting
for your reply I tried msconfig which does the same as regedit & msinfo will run
but all of the "tools" do the same thing too. This one seems to be a doozy!!!
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 6:12 pm Posted by Helen~
(2547 messages posted)
Hi Dustin,
I did a google search for eplorer.exe and it is a trojan. The entry is the third
one in the list and gives some removal suggestions. Sorry I don't know how to send
it as a link. Good luck!
Helen
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 6:37 pm Posted by dustin
(4 messages posted)
Thanks for the help, but I found that page the other night & tried every thing they
suggested to no avail.
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 6:42 pm Posted by Ms. Eagle
(33507 messages posted)
Dustin, this is the first case I've seen, but it's your very own ISP that installed
the trojan. That is, unless you've got another one besides! You should read this
info., and in the meantime, we can check your logfile. I do see reference to "Total
Access" in your log.
Earthlink Wants Total Access (to Your PC)
Why Earthlink's Pop-Up Blocker is Very, Very Bad....
http://www.pbs.org/cringely/pulpit/pulpit20030206.html
Spyware Weekly March 19th
Earthlink's Pop-up Blocker A Trojan?
"PBS's Robert Cringely has published a rant about Earthlink's much-hyped pop-up blocking
service. According to him, the Earthlink software is little more than a trojan. Cringely
reports that the pop-up blocking software actually pops up its own ads pitching Earthlink
products and services. Reportedly the software also hijacks multiple internet settings
and even secretly installs other software on the computer using an auto-updater program.
Earthlink's pop-up blocker for Windows computers is, in essence, a trojan -- innocent
appearing code that carries with some hidden pathogen. Earthlink's Pop-up Blocker
may stop any pop-ups from www.bigboobies.com, but it generates its own pop-up ads
for Earthlink, itself. But it gets worse. What most people have installed is a beta
copy of Pop-up Blocker. Now Earthlink members with Windows computers are being told
that the beta has expired and they should download the permanent version.
Don't do it.
The so-called "permanent version" is a 14 megabyte suite of applications called Total
Access 2003 that replaces your FTP client, your e-mail client, your PPPoE application,
your browser preferences, your search engines, and more. It "takes over your computer"
on boot-up, according to Earthlink, providing a tool bar and other unwanted, undocumented
features."
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 6:43 pm Posted by JmC
(14166 messages posted)
Off topic!
Thursday, July 24, 2003 at 6:46 pm Posted by JmC
(14166 messages posted)
re: Off topic!
Thursday, July 24, 2003 at 6:53 pm Posted by Helen~
(2547 messages posted)
Hi JmC,
Thanks for yet another good tip!
Helen
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 7:01 pm Posted by Ms. Eagle
(33507 messages posted)
It's a mess, but "Total Access 2003" is probably listed in Add/Remove programs. Do
these things, but you don't need to have Earthlink's software installed at all, in
order to get internet service from them.
You can run "Hijack This" again and choose to have all of these fixed. Then REBOOT.
(You can reset your homepage afterward to what you want.)
Then download the .REG file at the link below to reset I.E.'s default search settings.
Fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://tm.ask.com/r?t=c&s=a&sv=0&id=10990&u=http://www.ask.com/index.asp?origin=7051
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {8EDAB5C0-B061-11d1-801D-204C4F4F5020} - (no file)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: (no name) - {09445DC0-42DD-11D7-ACE9-444553540000} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Winsock2 driver] EPLORER.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
Download this .reg file to your Desktop. Double-click on it and answer Yes, to merge
into your registry. It will restore all the default Search settings for IE.
IEFIX.reg
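A small triage script for the O4 (autorun) and R0/R1 (IE start/search page) lines of a log like the one posted above, added here as an example; it is not HijackThis code and not from the thread. It flags Run values whose command carries no path (so the file that actually runs is whatever the PATH search finds first), file names one edit away from a well-known Windows process name (EPLORER.EXE vs EXPLORER.EXE), and IE search settings that point at a host outside an allow-list. KNOWN_SYSTEM_EXES and TRUSTED_HOSTS are assumptions constructed for the example; the sample lines are copied from the log in this thread.

```python
"""Triage the O4 and R0/R1 lines of a HijackThis 1.x log.

Example code written for this thread, not part of HijackThis.  The two
allow-lists below are assumptions; a reviewer would maintain their own.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: well-known process names a dropped file might imitate.
KNOWN_SYSTEM_EXES = {"explorer.exe", "systray.exe", "rundll32.exe", "msgsrv32.exe",
                     "mprexe.exe", "wmiexe.exe", "tapisrv.exe", "spool32.exe"}
# Assumption: hosts the reviewer accepts for IE search/start-page settings.
TRUSTED_HOSTS = {"www.microsoft.com", "home.microsoft.com", "search.msn.com"}

# "O4 - HKLM\..\Run: [Name] command"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# "O4 - Startup: file"  (Startup folder item)
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<cmd>.*)$")
# "R1 - HKCU\...\Main,Search Page = http://..."
R_RE = re.compile(r"^R[01] - (?P<setting>[^=]+?)\s*=\s*(?P<value>.*)$")


@dataclass
class Finding:
    kind: str       # "autorun" or "ie_setting"
    subject: str    # Run value name, Startup item, or registry setting path
    reasons: tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion separates 'eplorer.exe' from 'explorer.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_token(cmd: str) -> str:
    """The program part of a Run value: the quoted string, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def exe_name(cmd: str) -> str:
    """Lower-cased base name of the program in a Run value."""
    return first_token(cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(exe: str):
    """Return the well-known name this file is one edit away from, if any."""
    for known in KNOWN_SYSTEM_EXES:
        if exe != known and levenshtein(exe, known) <= 1:
            return known
    return None


def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            reasons = []
            if "\\" not in first_token(cmd):
                # A bare file name is resolved through the PATH search order at
                # boot, so the log alone does not say which file really runs.
                reasons.append("no path: resolved by PATH search at startup")
            known = lookalike_of(exe_name(cmd))
            if known:
                reasons.append(f"name is one edit away from {known}")
            if reasons:
                findings.append(Finding("autorun", m.group("name"), tuple(reasons)))
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            known = lookalike_of(exe_name(m.group("cmd")))
            if known:
                findings.append(Finding("autorun", m.group("cmd"),
                                        (f"name is one edit away from {known}",)))
            continue
        m = R_RE.match(line)
        if m:
            url = urlparse(m.group("value").strip())
            # about:blank and empty values have no http host and are left alone.
            if url.scheme in ("http", "https") and url.hostname not in TRUSTED_HOSTS:
                findings.append(Finding("ie_setting", m.group("setting"),
                                        (f"points at {url.hostname}, not a known default",)))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Winsock2 driver] EPLORER.EXE
O4 - Startup: SYSTRAY.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: " + "; ".join(f.reasons))
```

On the sample, IntelliType (full quoted path, ordinary name) and SYSTRAY.EXE (exact match of a known name) pass, while the "Winsock2 driver" value is flagged twice and the EarthLink search page once.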
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 7:08 pm Posted by Ms. Eagle
(33507 messages posted)
It shows all those search settings that were changed. If I didn't know about Earthlink's
little Trojan, I wouldn't think anything of it either.
Do you remember me posting that info. a while back from Spywareinfo newsletter? Some
of these things should be posted as a warning, just like any other security issue!
P.S. StartList can be run using Hijack This. I think there's an option in there.
That would be a good thing to do after fixing those items.
Startup List: How to..
Thursday, July 24, 2003 at 7:50 pm Posted by Ms. Eagle
(33507 messages posted)
The latest Hijack This! has the feature included to generate a Startup List.
It's on the lower right - under Other Stuff - click Config. Click the Miscellaneous
Tools button. On the left - choose Generate Startuplist Log.
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 8:04 pm Posted by JmC
(14166 messages posted)
Scared me too!
Thursday, July 24, 2003 at 8:23 pm Posted by Ms. Eagle
(33507 messages posted)
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 8:34 pm Posted by dustin
(4 messages posted)
StartupList report, 7/24/03, 11:24:17 PM
StartupList version: 1.52
Started from : C:\MY DOCUMENTS\DOCUMENTS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\3CMLNKW.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SYSTRAY.EXE
C:\SIERRA\PLANNER\PLNRNOTE.EXE
C:\WINDOWS\SYSTEM\EPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\DOCUMENTS\HIJACKTHIS.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
3CMLNKW.EXE
SYSTRAY.EXE
Event Planner Reminders Tray Icon.lnk = C:\SIERRA\Planner\PLNRnote.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
*No files*
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
Winsock2 driver = EPLORER.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Winsock2 driver = EPLORER.EXE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
*Registry key not found*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
*Registry key not found*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
*Registry key not found*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
*Registry key not found*
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf
[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSectionEx C:\WINDOWS\SYSTEM\ie4uinit.inf,Shell.UserStub,,36
[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
[MmoptPreferredAudioDevices] *
StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SPCI\VEN_1013&DEV_6003&SUBSYS_42801013&REV_01\08F000
[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub
[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\mplay98.inf
[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
[{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\webfdr16.inf,PerUserStub.Install,1
[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
[PerUser_CVT_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
[PerUser_Dialer_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 C:\WINDOWS\INF\appletpp.inf
[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}]
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95
[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\appletpp.inf
[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[OlsAttPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[OlsCompuservePerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsCompuservePerUserRemove 64 C:\WINDOWS\INF\ols.inf
[OlsProdigyPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 C:\WINDOWS\INF\ols.inf
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove
[>{307A1C06-B3D2-11D4-8C88-0001026A9A3B}JW3221] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.INI listing:
*File not found*
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 22/7/2003, 17:51:8)
[rename]
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
rem - By Windows 98 Network - C:\WINDOWS\net start
rem - By Windows Setup - C:\SAMSUNG\MSCDEX /D:SSCD000
C:\SAMSUNG\MSCDEX /D:SSCD000
--------------------------------------------------
C:\CONFIG.SYS listing:
REM DEVICE=C:\SAMSUNG\SSCDROM.SYS /D:SSCD000 /v
DEVICE=C:\SAMSUNG\SSCDROM.SYS /D:SSCD000 /v
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
*File not found*
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
C:\SAMSUNG\MSCDEX /D:SSCD000
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: NO!)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - {8EDAB5C0-B061-11d1-801D-204C4F4F5020}
EarthLink Popup Blocker - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R989/V31Controls/x86/w98/en/actsetup.cab
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/930260cd062fd5/housecall.antivirus.com/housecall/xscan53.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37638.1084837963
[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll
--------------------------------------------------
Enumerating Win9x VxD services:
VNETSUP: vnetsup.vxd
NDIS: ndis.vxd,ndis2sup.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *mtrr
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VRTWD: C:\WINDOWS\SYSTEM\vrtwd.386
VFIXD: C:\WINDOWS\SYSTEM\vfixd.vxd
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NDISWAN: ndiswan.vxd
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 20,368 bytes
Report generated in 0.382 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
I've had the total access since it came out & have auto update cut off. Also the
eplorer.exe file properties show it as being created late Sunday night at which time
I wasn't connected to the www. Don't know if that has much to do with it but at this
point I'm shooting for anything. Also JMC, I read in one of your earlier posts about
booting to command prompt & restoring a previous registry. Think this could be something
to try?
On Thursday, July 24, 2003 at 6:43 pm, JmC wrote:
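As an added example (not the StartupList tool's code and not from anyone in the thread), a small Python parser for the dashed report format above that pulls out the items a responder reads first: an Explorer.exe reported outside C:\WINDOWS, extensions hidden beyond the stock Win98 set, and the outcome of the REGEDIT.EXE integrity check. The sample report and the default-hidden set are constructed from the format and values shown in the report on this page.

```python
import re
# Added example (not StartupList's own code): parse a StartupList-style report
# into its dashed sections and pull out the findings a responder checks first.
# SAMPLE_REPORT is constructed to mimic the format of the report in the thread.
SAMPLE_REPORT = r"""
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\WINDOWS\System\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: NO!)
.exe: HIDDEN!
.url: HIDDEN! (arrow overlay: yes)
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
Registry check passed
"""
# Extensions a stock Win98 shell hides by default (the set this thread's report
# shows as HIDDEN!); any other hidden extension is a change worth a look.
DEFAULT_HIDDEN = {".lnk", ".pif", ".shs", ".shb", ".scf", ".url"}

def parse_sections(text):
    """Map each section title (first line of a dashed chunk) to its lines."""
    sections = {}
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            sections[lines[0].rstrip(":")] = lines[1:]
    return sections

def explorer_impostors(sections):
    # Only C:\WINDOWS\Explorer.exe is the real Win9x shell; any other path
    # reported PRESENT! is a lookalike binary worth inspecting.
    hits = []
    for line in sections.get("Checking for EXPLORER.EXE instances", []):
        path, status = line.rsplit(":", 1)
        if status.strip() == "PRESENT!" and path.lower() != r"c:\windows\explorer.exe":
            hits.append(path)
    return hits

def unexpected_hidden_extensions(sections):
    # A hidden extension lets an executable pose as a document in Explorer.
    hidden = {l.split(":")[0] for l in
              sections.get("Checking for superhidden extensions", []) if "HIDDEN!" in l}
    return sorted(hidden - DEFAULT_HIDDEN)

def regedit_ok(sections):
    return "Registry check passed" in sections.get("Verifying REGEDIT.EXE integrity", [])
```

Run against the page's own report, the explorer and hidden-extension checks come back empty, which is exactly why the thread's attention stays on the Run and RunOnce entries rather than on these sections.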
re: ''eplorer'' virus? trojan? Not according to Norton
Thursday, July 24, 2003 at 8:48 pm Posted by WhitPhil
(703 messages posted)
Restart to SAFE mode.
Then, Run MSCONFIG and UNselect the 2 entries dealing with Winsock2 Driver.
You should also be able to rename the Eplorer file from safe mode also.
Then, do a Normal restart and confirm that all is well.
FYI, I hadn't seen....
Thursday, July 24, 2003 at 9:28 pm Posted by Ms. Eagle
(33507 messages posted)
....any of your posts, before I replied to Dustin and told him what to fix!
Just so you, and whoever else knows...
On Thursday, July 24, 2003 at 8:04 pm, JmC wrote:
Remove Trojan?
Thursday, July 24, 2003 at 10:44 pm Posted by Ms. Eagle
(33507 messages posted)
How is that going to get rid of the trojan, and all those other problems I instructed
him to fix?
On Thursday, July 24, 2003 at 8:48 pm, WhitPhil wrote:
>Restart to SAFE mode.
>Then, Run MSCONFIG and UNselect the 2 entries dealing with Winsock2 Driver.
>You should also be able to rename the Eplorer file from safe mode also.
>
>Then, do a Normal restart and confirm that all is well.
re: Remove Trojan?
Friday, July 25, 2003 at 2:39 pm Posted by WhitPhil
(703 messages posted)
"How is that going to get rid of the trojan"
The (Eplorer) Trojan is being initiated from the RUN and RUNONCE keys, so when he
starts in SAFE mode, these keys shouldn't be processed. Thus the trojan won't start,
the filename won't be in use, and can be renamed or deleted.
UNselecting it in Msconfig is neither here nor there, once the file has been dealt
with.
"and all those other problems I instructed him to fix?"
Your instructions are still there on how to rectify these issues.
re: Remove Trojan?
Friday, July 25, 2003 at 3:56 pm Posted by Ms. Eagle
(33507 messages posted)
What was the point then, in instructing him later to remove it from Run, etc., when
fixing those items with 'HT' would remove it from the Run, RunOnce keys, and fix
the other problems besides that??
That probably really confused him, but....whatever! It doesn't make any difference
to me, since I enjoy wasting my time.
On Friday, July 25, 2003 at 2:39 pm, WhitPhil wrote:
>"How is that going to get rid of the trojan"
>
>The (Eplorer) Trojan is being initiated from the RUN and RUNONCE keys, so when he
>starts in SAFE mode, these keys shouldn't be processed. Thus the trojan won't start,
>the filename won't be in use, and can be renamed or deleted.
>UNselecting it in Msconfig is neither here nor there, once the file has been dealt
>with.
>
>"and all those other problems I instructed him to fix?"
>
>Your instructions are still there on how to rectify these issues.
re: Remove Trojan?
Friday, July 25, 2003 at 4:06 pm Posted by Ms. Eagle
(33507 messages posted)
I don't doubt, you probably sent him a PM, just like some other people around here
do...
re: Remove Trojan?
Friday, July 25, 2003 at 4:15 pm Posted by WhitPhil
(703 messages posted)
And no, I have not sent him a PM. This is NOT the way to resolve issues, as you obviously
agree.
If anyone sends me a PM, on any board, asking a question, I attempt to give a quick
response, and then recommend they create a new post, and explain why.
re: Remove Trojan?
Friday, July 25, 2003 at 4:21 pm Posted by WhitPhil
(703 messages posted)
I believe that it was you who asked (&instructed) him to generate a StartupList,
which, btw, showed the RUNONCE key, that HT did not, for some reason.
Thus, if you apply your HT changes, the trojan will still start via the RunOnce key.
re: Remove Trojan?
Sunday, July 27, 2003 at 11:35 pm Posted by Ms. Eagle
(33507 messages posted)
JmC suggested the StartupList, and we both posted about the same time. I'd just posted
info. on Earthlink, and posted the list of items to have fixed...hadn't seen JmC's
replies yet.
You're right, that doesn't show in the RunOnce key, but I would think having those
items fixed would get rid of it altogether. Doing that should remove the culprit,
so I don't know how it could still run. I was thinking the StartupList could be run
afterward to see, if there's anything left. Oh well, I haven't heard back, so whatever.
He's probably still in shock about Earthlink!
On Friday, July 25, 2003 at 4:21 pm, WhitPhil wrote:
>I believe that it was you who asked (&instructed) him to generate a StartupList,
>which, btw, showed the RUNONCE key, that HT did not, for some reason.
>Thus, if you apply your HT changes, the trojan will still start via the RunOnce key.