hello! please help ID-ing suspicious startup progs


1 reply to this topic

#1 slackmeister


Posted 13 July 2004 - 08:49 PM

Hi all, I'm definitely glad this forum exists. I'm not a clueless user (I'm a half-clued user) but after getting second sight and wintools I ran ad-aware and appear to have removed almost all the spyware on my laptop.

I now have two continuing problems. a.) I am unable to update my version of Internet Explorer (5.5): when trying to run the IE 6 installer (May '04) I get an error message saying it was unable to download components and would I like to continue later. b.) I think I still have 1-2 malware programs on my system. Following is my HijackThis log, with a * for every line that I am suspicious or curious about:

Logfile of HijackThis v1.97.7
Scan saved at 5:48:31 PM, on 7/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
* C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SONY\1394\SCMON.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLFVIEW.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\CREATIVE\PC-CAM CENTER\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\NETGEAR\WG511\UTILITY\WG511WLU.EXE
* C:\WINDOWS\TEMP\UN.EXE
C:\WINDOWS\SYSTEM\PNUYNC.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
* C:\WINDOWS\SYSTEM\PUBERVER.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\SONY\PPK SETUP\SESERVE.EXE
C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
* C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

* R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium....h.php?dst=DIST1
* R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
* R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...earch/?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
* R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
* R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL (file missing)
N1 - Netscape 4: user_pref("browser.startup.homepage", "C:\\My Documents\\mystartpage.html"); (C:\Program Files\Netscape\Users\stacy_1\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
* O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
* O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Smart Connect Monitor] C:\Program Files\Sony\1394\SCMon.exe
O4 - HKLM\..\Run: [Smart Connect Setup] C:\Program Files\Sony\1394\SCSetup.exe -c
O4 - HKLM\..\Run: [Smart Label RFViewer] C:\PROGRA~1\SONY\SMARTL~1\SSLFVIEW.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PC-CAM 600 STI App Registration] RunDLL32.exe PD023pin.dll,RunDLL32EP 512
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
* O4 - HKLM\..\Run: [Un.exe] C:\WINDOWS\TEMP\UN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [r54i37l] PNUYNC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [HKserv.exe] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
* O4 - HKCU\..\Run: [a2vsRXJse] PUBERVER.EXE
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\batmgr.exe
O4 - Startup: PPK Setup(Server).lnk = C:\Program Files\Sony\PPK Setup\SEServe.exe
O4 - Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
* O9 - Extra button: Related (HKLM)
* O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
* O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7598.5359606482
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yaho...utocomplete.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab

I'm pretty sure that /temp/un.exe is not kosher, and the IE search page registry entries look bad too, but some of the others I'm not really sure about. Thanks in advance for helping me out!

-Stacy
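The starred lines in the post above share a few patterns a reviewer would pick out by eye: an autostart launched from the TEMP directory, Run values with auto-generated-looking names (r54i37l, a2vsRXJse), and hooks whose files are already gone. The following Python script is an added example, not something from the original thread or from HijackThis itself; it parses a constructed subset of the posted log and applies those three heuristics as a first-pass triage. The regular expressions and the rule names are the author's own assumptions, and a hit is a reason to look closer, not a verdict.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Un.exe] C:\WINDOWS\TEMP\UN.EXE
O4 - HKLM\..\Run: [r54i37l] PNUYNC.EXE
O4 - HKCU\..\Run: [a2vsRXJse] PUBERVER.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL (file missing)
"""

# O4 lines: "O4 - <hive>\..\<Run|RunServices>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# Lowercase letters with digits wedged between them (r54i37l, a2vsRXJse) look
# machine-generated; all-caps vendor names such as WG511WLU deliberately do not match.
RANDOM_NAME_RE = re.compile(r"[a-z]\d+[a-z]")
# Anything autostarting from a temp directory is worth a second look.
TEMP_DIR_RE = re.compile(r"\\(TEMP|TMP)\\", re.IGNORECASE)


def triage_line(line):
    """Return the list of review reasons for one log line (empty list = no rule fired)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: points to a file that no longer exists")
    m = O4_RE.match(line)
    if m:
        if TEMP_DIR_RE.search(m.group("target")):
            reasons.append("autostart launched from a temp directory")
        if RANDOM_NAME_RE.search(m.group("name")):
            reasons.append("random-looking run value name")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons, preserving log order."""
    flagged = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it flags the TEMP autostart, the two random-named Run values and both dead URLSearchHooks, while the TaskMonitor, Norton and Netgear entries pass untouched.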

#2 slackmeister


Posted 14 July 2004 - 08:16 AM

bump :unsure:



