Trojan horse Startpage.4.BS.



#1 nero (Full Member, 4 posts)

Posted 23 May 2004 - 09:41 AM

Hi there

I receive a message from AVG telling me this:

Trojan horse startpage.4. BS. bct.dll
discovered in file C:\Windows\system32\notepad.exe
please run AVG for Windows to remove.

Sadly it does not remove it.

If I try to open Notepad I get the message:
Windows cannot access the specified drive, path, or file. You may not have the appropriate permissions to access the item.

Please help me to get rid of this .dll file, as I really need Notepad.

Thank you

#2 nero (Full Member, 4 posts)

Posted 24 May 2004 - 03:09 AM

I was wrong on one thing above: AVG does detect the virus, but warns me rather to ignore the virus because it can be critical to my system. Is it critical to my system, or can I remove it?

Thank you, and I hope this helps.

#3 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 24 May 2004 - 07:07 AM

Hi,
Download "Hijack This!"
http://www.spywarein.../hijackthis.zip

Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click: "Save Log" (generates: "hijackthis.log")

Copy and Paste the entire log into your next post.

Note: do not attempt to "Fix" anything, as we need to see the entire log.
Also, if you have any Startup items unchecked in Msconfig, recheck those items, reboot, then post a fresh log. HijackThis cannot "see" disabled items in Startup.

Hint: after posting your log click "Track this topic" at the top of the page, this way you will be notified (email) when a response is made to your post.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm

#4 nero (Full Member, 4 posts)

Posted 25 May 2004 - 07:15 AM

Hi there, I did as you said, and here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 02:12:42 PM, on 2004/05/25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\CommsWizard\CommsWizard Server.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\CARELV~1\LOCALS~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: CommsWizard Server.lnk = C:\Program Files\CommsWizard\CommsWizard Server.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

Thanks

#5 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 25 May 2004 - 08:56 AM

Hi,
I don't see anything in your log to indicate a problem; however, you seem to be missing the bottom part. Try rescanning and post the entire log.

Note: Notepad must be working, as that's what HijackThis opens the log in. Are you sure of this:

    discovered in file C:\Windows\system32\notepad.exe

Mike

#6 nero (Full Member, 4 posts)

Posted 27 May 2004 - 02:54 AM

Hi, yes I am sure. If I try to open Notepad from the Accessories menu I can't get it open; it gives me the message. With HijackThis it gives me the same message, but it opens Notepad eventually. Here is another HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 09:46:38 AM, on 2004/05/27
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\CommsWizard\CommsWizard Server.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [mwavscan] "C:\DOCUME~1\CARELV~1\LOCALS~1\Temp\mwavscan.com" /s
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: CommsWizard Server.lnk = C:\Program Files\CommsWizard\CommsWizard Server.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

If I try to run AVG in Safe Mode it doesn't want to open. Why??

Thank you so far.

#7 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 27 May 2004 - 07:08 AM

Hi,

    Trojan horse startpage.4. BS. bct.dll
    discovered in file C:\Windows\system32\notepad.exe

Ok let's try this:
Start | Search (type) "notepad.exe" (no quotes)

Let it search for all instances of Notepad. (results in right pane)

Note: the valid Notepad.exe = "Size: 64.5 KB (66,048 bytes)"
Version: 5.1.2600.0
Locations: Windows and Windows\System32

If the results show a different Size or Version, use the "Msconfig" tool to "Expand" a fresh copy, overwriting the infected copy. Or, if only one location shows a different Size or Version, delete the infected copy and copy the good Notepad.exe to the infected location.

Start | Run (type) msconfig
Click the Expand File button

File to restore: (click Browse and locate the infected copy)
Restore from: (click Browse and locate the "I386" folder)
Note: restore this file: "NOTEPAD.EX_". If the I386 folder does not exist on your hard drive, you may need to insert your XP CD.

Save file in: (select the infected file location)

After the above, reboot and see if you get the same error from AVG.

    If I try to run AVG in Safe Mode it doesn't want to open. Why?

XP in Safe Mode bypasses the "Startup" files, thus the required files for AVG are not loaded, so it won't run.

Have HijackThis "fix" the following:
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
("?" = broken link)

Note: it still appears that you are missing the bottom of your log?

Edited by WinHelp2002, 27 May 2004 - 07:19 AM.

Mike
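The two checks the moderator describes above (compare every notepad.exe copy against the known-good size, and pick out the O4 startup entries whose target resolves to "?") can be scripted. This is an added example, not the thread's or HijackThis's own code; the known-good size is the 66,048 bytes quoted in the thread, and the log excerpt is a constructed sample in the same format as the logs posted above.

```python
import os
import re

# Known-good notepad.exe for Windows XP SP1, as quoted in the thread above.
GOOD_NOTEPAD_SIZE = 66048

# Constructed sample: four O4 lines in HijackThis 1.97 log format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# "O4 - <location>: <rest>"; the location (HKLM\..\Run, Startup, ...) holds no colon.
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.*)$")

def parse_o4(log_text):
    """Return (location, name, target) for every O4 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        location, rest = m.group("location"), m.group("rest")
        if rest.startswith("["):          # registry Run value: [name] command line
            name, _, target = rest[1:].partition("] ")
        elif " = " in rest:               # Startup-folder shortcut: name.lnk = target
            name, _, target = rest.partition(" = ")
        else:                             # bare file sitting in a Startup folder
            name, target = rest, rest
        entries.append((location, name, target.strip()))
    return entries

def broken_links(entries):
    """Entries HijackThis could not resolve; '?' means a broken link (see post #7)."""
    return [e for e in entries if e[2] == "?"]

def notepad_size_ok(size_bytes):
    return size_bytes == GOOD_NOTEPAD_SIZE

def find_notepad_copies(root):
    """Mirror the Start | Search step: every notepad.exe under root, with a size verdict."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() == "notepad.exe":
                path = os.path.join(dirpath, f)
                found[path] = notepad_size_ok(os.path.getsize(path))
    return found

if __name__ == "__main__":
    print(broken_links(parse_o4(SAMPLE_LOG)))
    print(find_notepad_copies(os.environ.get("SystemRoot", ".")))
```

A size match is only a first filter: the version (5.1.2600.0) and the expected locations, Windows and Windows\System32, should still be checked by hand as the post describes.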
