nero

Trojan horse Startpage.4.BS.

7 posts in this topic

Hi there

 

I receive a message from AVG telling me this:

 

Trojan horse startpage.4. BS. bct.dll

discovered in file C:\Windows\system32\notepad.exe

please run AVG for Windows to remove.

 

Sadly it does not remove it.

 

If I try to open Notepad I get the message:

Windows cannot access the specified drive, path, or file. You may not have the appropriate permissions to access the item.

 

Please help me to get rid of this .dll file, as I really need Notepad.

 

Thank you


I was wrong on one thing above: AVG does detect the virus, but warns me rather to ignore the virus because it can be critical to my system. Is it critical to my system or can I remove it?

 

Thank you, and I hope this helps.


Hi,

Download "Hijack This!"

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

 

Double-click "HijackThis.exe" and Press "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Click: "Save Log" (generates: "hijackthis.log")

 

Copy and Paste the entire log into your next post.

 

Note: do not attempt to "Fix" anything, as we need to see the entire log.

Also if you have any Startup items unchecked in Msconfig, uncheck those items, reboot, then post a fresh log. HijackThis can not "see" disabled items in Startup.

 

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.


Hi there, did as you said, and here is my hijackthis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 02:12:42 PM, on 2004/05/25

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\NILaunch.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\CommsWizard\CommsWizard Server.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\unzipped\hijackthis\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\CARELV~1\LOCALS~1\Temp\mwavscan.com" /s

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: CommsWizard Server.lnk = C:\Program Files\CommsWizard\CommsWizard Server.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

 

Thanks


Hi,

I don't see anything in your log to indicate a problem, however you seem to be missing the bottom part ... try rescanning again and post the entire log.

 

Note: Notepad must be working as that's what HijackThis opens the log in. Are you sure of this:

discovered in file C:\Windows\system32\notepad.exe


Hi, yes I am sure. If I try to open Notepad from the Accessories menu I can't get it open; it gives me the message. With HijackThis it gives me the same message, but it opens Notepad eventually. Here is another HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 09:46:38 AM, on 2004/05/27

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\NILaunch.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\NCLAUNCH.EXe

C:\Program Files\CommsWizard\CommsWizard Server.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\unzipped\hijackthis\HijackThis.exe

 

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\CARELV~1\LOCALS~1\Temp\mwavscan.com" /s

O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe

O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: CommsWizard Server.lnk = C:\Program Files\CommsWizard\CommsWizard Server.exe

O4 - Global Startup: Free WebSite Tools.lnk = ?

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

 

If I try to run AVG in Safe Mode it doesn't want to open, why??

 

Thank you so far.


Hi,

Trojan horse startpage.4. BS. bct.dll

discovered in file C:\Windows\system32\notepad.exe

 

Ok let's try this:

Start | Search (type) "notepad.exe" (no quotes)

 

Let it search for all instances of Notepad. (results in right pane)

 

Note: the valid Notepad.exe = "Size: 64.5 KB (66,048 bytes)"

Version: 5.1.2600.0

Locations: Windows and Windows\System32

 

If the results show a different Size or Version, use the "Msconfig" tool to "Expand" a fresh copy overwriting the infected copy. Or if only one location shows a different Size or Version, delete the infected copy and copy the good Notepad.exe to the infected location.

 

Start | Run (type) msconfig

Click the Expand File button

 

File to restore: (click Browse and locate the infected copy)

Restore from: (click Browse and locate the "I386" folder)

Note: restore this file "NOTEPAD.EX_" if the folder does not exist on your hard drive you may need to insert your XP CD.

 

Save file in: (select the infected file location)

 

After the above reboot and see if you get the same error from AVG.

 

If I try to run AVG in Safe Mode it doesn't want to open, why?

XP in Safe Mode bypasses the "Startup" files, thus the required files for AVG are not loaded = won't run.

 

Have HijackThis "fix" the following:

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Free WebSite Tools.lnk = ? ("?" = broken link)

 

Note: it still appears that you are missing the bottom of your log?

Edited by WinHelp2002
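
As an added example (not part of the thread and not HijackThis's own code): a small Python parser for the O4 autostart lines of a HijackThis log that flags the two entry shapes the last reply asks to have fixed, and lists which section codes are present so a truncated paste is easy to spot. The function names are hypothetical; the sample lines are an excerpt of the log posted above.

```python
import re

# Excerpt of the O-lines from the log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
"""

LINE = re.compile(r"^(O\d+) - (.+)$")                              # "<code> - <body>"
RUN_KEY = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")      # registry Run value
STARTUP = re.compile(r"^((?:Global )?Startup): (.+?)(?: = (.+))?$")  # Startup folder item

def parse_o4(log):
    """Return one dict per O4 (autostart) entry: source, name, target."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != "O4":
            continue
        hit = RUN_KEY.match(m.group(2)) or STARTUP.match(m.group(2))
        if hit:
            source, name, target = hit.groups()
            entries.append({"source": source, "name": name, "target": target})
    return entries

def review(log):
    """Flag the two entry shapes the reply asks to have fixed."""
    findings = []
    for e in parse_o4(log):
        folder = e["source"].endswith("Startup")
        if e["target"] == "?":
            findings.append((e["name"], "shortcut target unresolved (broken link)"))
        elif folder and e["target"] is None:
            findings.append((e["name"], "Startup item listed without a target"))
    return findings

def section_codes(log):
    """Section codes in order of appearance, to see where a pasted log stops."""
    seen = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen
```

Running `review(SAMPLE_LOG)` returns the same two entries listed for fixing above, and `section_codes(SAMPLE_LOG)` shows the excerpt ending at O9.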
