mister_ed2

Unknown .exe's at startup

7 posts in this topic

Trying to clean out my boss's PC. It was loaded with horrendous amounts of nasty junk. Cleaned up a lot of things I've seen and/or read about before. HijackThis lists several startup items that are not on PacMan's list. Here's the log with the unknowns highlighted:

 

Logfile of HijackThis v1.97.7

Scan saved at 3:20:08 PM, on 6/11/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\XAKBAV.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\TEMP\MWL.EXE

C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE

C:\WINDOWS\SYSTEM\SCSRTZ.EXE

C:\WINDOWS\SYSTEM\EXSODBC.EXE

C:\WINDOWS\SYSTEM\SYCFILTA.EXE

C:\COMPUTER\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [uplmbb] C:\WINDOWS\SYSTEM\XAKBAV.EXE

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.ExE

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [hpjsiroute169.254.27.14] hpjsira.exe -i 169.254.27.14 -g 192.168.1.6

O4 - HKLM\..\Run: [hpjsiroute169.254.187.94] hpjsira.exe -i 169.254.187.94 -g 192.168.1.6

O4 - HKLM\..\Run: [hpjsiroute169.254.233.117] hpjsira.exe -i 169.254.233.117 -g 192.168.1.6

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE

O4 - HKLM\..\Run: [hpjsiroute192.168.2.61] hpjsira.exe -i 192.168.2.61 -g 192.168.2.59

O4 - HKLM\..\Run: [Mwl.exe] C:\WINDOWS\TEMP\MWL.EXE

O4 - HKLM\..\Run: [hrjmlqax] C:\WINDOWS\SYSTEM\xakbav.exe

O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Ahm9.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [p4mW37T] SCSRTZ.EXE

O4 - HKLM\..\Run: [ldhsnxtvktnz] C:\WINDOWS\SYSTEM\XAKBAV.EXE

O4 - HKLM\..\Run: [ceszpdd] C:\WINDOWS\SYSTEM\XAKBAV.EXE

O4 - HKLM\..\Run: [sYCFILTA] C:\WINDOWS\SYSTEM\SYCFILTA.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [Y356RXf6R] EXSODBC.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7699.3352662037

O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

I appreciate any help anyone can provide on IDing these items. If they are truly new, I can provide the files for analysis.

 

Thanks in advance


Just a quick note, C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE

is a baddy that i recognize. it is assoc. with DyFuCa


Thanks gobolts

 

I checked PacMan's startup list but it was a bit vague about that one.

 

Really need someone to take a look at those unknowns though. Haven't been able to find specifics on any of those .exe's. I think they might be random names associated with Peper or some other trojan.


hmm don't know why nobody has helped you out. you prolly know as much or more than me, but i think the hjt entries you highlighted should be fixed, except maybe mwl.exe which could be mathwright library. i'm not sure about sycfilta, but it sure sounds suspicious. i'd say the xakbav, exsodbc, and scsrtz entries are garbage for sure. prolly ahm9, too.

i'd run a deep scan with updated adaware, run the updated cws shredder from Merijn and then make a new restore point and see if you stay clean.

Edited by gobolts

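As an added example that is not part of this thread (and not part of HijackThis or any of the tools mentioned), here is a small Python triage script that applies the reasoning used in the posts above to the O4 lines of the log: a value name that looks like random letters, a binary launched from a TEMP directory, and one binary registered under several different Run value names (XAKBAV.EXE appears four times under four names). The O4 lines are copied from the log as sample input; the vowel-ratio threshold, the TEMP check and the "two or more distinct names" rule are my own assumptions, not any published rule set, so treat the output as a list of things to look at, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: the O4 (autorun) lines from the HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [uplmbb] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpjsiroute169.254.27.14] hpjsira.exe -i 169.254.27.14 -g 192.168.1.6
O4 - HKLM\..\Run: [hpjsiroute169.254.187.94] hpjsira.exe -i 169.254.187.94 -g 192.168.1.6
O4 - HKLM\..\Run: [hpjsiroute169.254.233.117] hpjsira.exe -i 169.254.233.117 -g 192.168.1.6
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [hpjsiroute192.168.2.61] hpjsira.exe -i 192.168.2.61 -g 192.168.2.59
O4 - HKLM\..\Run: [Mwl.exe] C:\WINDOWS\TEMP\MWL.EXE
O4 - HKLM\..\Run: [hrjmlqax] C:\WINDOWS\SYSTEM\xakbav.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Ahm9.exe
O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [p4mW37T] SCSRTZ.EXE
O4 - HKLM\..\Run: [ldhsnxtvktnz] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [ceszpdd] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [sYCFILTA] C:\WINDOWS\SYSTEM\SYCFILTA.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Y356RXf6R] EXSODBC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
""".strip().splitlines()

# Registry-backed O4 lines: "O4 - HKLM\..\Run: [value name] command line".
# "O4 - Startup:" shortcut lines use a different layout and are skipped here.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

VOWELS = set("aeiou")


def exe_of(cmd):
    """Return (basename, full path) of the program a Run command launches, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly with spaces
        exe = cmd[1:].split('"', 1)[0]
    else:                                   # bare path; arguments follow the first space
        exe = cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower(), exe.lower()


def looks_random(name):
    """Assumed heuristic: four or more letters with fewer than 20% vowels reads as gibberish."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 4:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def parse_o4(lines):
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            base, path = exe_of(m["cmd"])
            entries.append({"key": m["key"], "name": m["name"], "exe": base, "path": path})
    return entries


def triage(lines):
    """Map each suspicious executable basename to the sorted list of reasons it was flagged."""
    entries = parse_o4(lines)
    # Group value names per binary, ignoring digits/punctuation so the four
    # "hpjsiroute<ip>" entries count as one name rather than four.
    names_per_exe = defaultdict(set)
    for e in entries:
        names_per_exe[e["exe"]].add(re.sub(r"[^a-z]", "", e["name"].lower()))
    findings = defaultdict(set)
    for e in entries:
        if "\\temp\\" in e["path"]:
            findings[e["exe"]].add("runs from a TEMP directory")
        if looks_random(e["name"]):
            findings[e["exe"]].add(f"random-looking value name [{e['name']}]")
        n = len(names_per_exe[e["exe"]])
        if n >= 2:
            findings[e["exe"]].add(f"registered under {n} different value names")
    return {exe: sorted(reasons) for exe, reasons in findings.items()}


if __name__ == "__main__":
    for exe, reasons in sorted(triage(SAMPLE_O4_LINES).items()):
        print(exe)
        for reason in reasons:
            print("   -", reason)
```

On the log above this flags xakbav.exe, mwl.exe, ahm9.exe, scsrtz.exe and exsodbc.exe, which matches the entries gobolts calls garbage, and leaves sycfilta.exe, rundll32.exe and hpjsira.exe alone. The vowel-ratio rule is deliberately crude (systemTray sits right at the threshold), so the real value is in the cross-checks: a binary that keeps re-registering itself under fresh names, or one living in TEMP, is worth pulling for analysis regardless of what its name looks like.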

Thanks for your interest, gobolts.

 

Since posting I have been able to run adaware and spybot. Something in the system was causing problems when I tried to download. I ultimately had to download to another system on my LAN, rename the files to something different then copy them over to the infected machine. What a pain in the a$$.

 

Anyway, I'm down to one unknown in hjt, still researching it but I have it disabled through msconfig.

 

Thanks again for your interest.
