Unknown .exe's at startup


6 replies to this topic

#1 mister_ed2


Posted 11 June 2004 - 03:05 PM

Trying to clean out my boss's PC. It was loaded with horrendous amounts of nasty junk. Cleaned up a lot of things I've seen and/or read about before. HijackThis lists several startup items that are not on PacMan's list. Here's the log with the unknowns highlighted:

Logfile of HijackThis v1.97.7
Scan saved at 3:20:08 PM, on 6/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\XAKBAV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TEMP\MWL.EXE
C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
C:\WINDOWS\SYSTEM\SCSRTZ.EXE
C:\WINDOWS\SYSTEM\EXSODBC.EXE
C:\WINDOWS\SYSTEM\SYCFILTA.EXE
C:\COMPUTER\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [uplmbb] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpjsiroute169.254.27.14] hpjsira.exe -i 169.254.27.14 -g 192.168.1.6
O4 - HKLM\..\Run: [hpjsiroute169.254.187.94] hpjsira.exe -i 169.254.187.94 -g 192.168.1.6
O4 - HKLM\..\Run: [hpjsiroute169.254.233.117] hpjsira.exe -i 169.254.233.117 -g 192.168.1.6
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [hpjsiroute192.168.2.61] hpjsira.exe -i 192.168.2.61 -g 192.168.2.59
O4 - HKLM\..\Run: [Mwl.exe] C:\WINDOWS\TEMP\MWL.EXE
O4 - HKLM\..\Run: [hrjmlqax] C:\WINDOWS\SYSTEM\xakbav.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Ahm9.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [p4mW37T] SCSRTZ.EXE
O4 - HKLM\..\Run: [ldhsnxtvktnz] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [ceszpdd] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [SYCFILTA] C:\WINDOWS\SYSTEM\SYCFILTA.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Y356RXf6R] EXSODBC.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7699.3352662037
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell..../SysProfLCD.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I appreciate any help anyone can provide on IDing these items. If they are truly new, I can provide the files for analysis.

Thanks in advance
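As an added example (not from the thread and not part of HijackThis itself), a small Python triage script that parses O4 lines in the log format above and flags the patterns the thread reacts to: the same binary registered under several randomly named Run values, digit-and-letter value names, and executables launched from a TEMP directory. The sample input is a constructed subset of the quoted log, and the heuristics are assumptions for illustration, not HijackThis rules.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines quoted in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [uplmbb] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpjsiroute169.254.27.14] hpjsira.exe -i 169.254.27.14 -g 192.168.1.6
O4 - HKLM\..\Run: [Mwl.exe] C:\WINDOWS\TEMP\MWL.EXE
O4 - HKLM\..\Run: [hrjmlqax] C:\WINDOWS\SYSTEM\xakbav.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Ahm9.exe
O4 - HKLM\..\Run: [p4mW37T] SCSRTZ.EXE
O4 - HKLM\..\Run: [ldhsnxtvktnz] C:\WINDOWS\SYSTEM\XAKBAV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Y356RXf6R] EXSODBC.EXE
"""

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(text):
    """Return one dict per O4 Run/RunServices entry; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        # First token of the command line is the launched binary; it may be quoted.
        q = re.match(r'"([^"]+)"|(\S+)', m["cmd"])
        target = (q.group(1) or q.group(2)).lower()
        entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                        "cmd": m["cmd"], "target": target})
    return entries

def looks_random(name):
    """Heuristic (assumed): almost no vowels, or three or more digits mixed into a short name."""
    if "." in name or " " in name:          # dotted/spaced names are usually descriptive
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2 or sum(c.isdigit() for c in name) >= 3

def triage(entries):
    """Return (value name, target, reasons) for every entry that trips a heuristic."""
    names_by_target = defaultdict(set)
    for e in entries:
        names_by_target[e["target"]].add(e["name"])
    findings = []
    for e in entries:
        reasons = []
        if looks_random(e["name"]):
            reasons.append("random-looking value name")
        if "\\temp\\" in e["target"]:
            reasons.append("runs from a TEMP directory")
        names = names_by_target[e["target"]]
        if len(names) > 1 and any(looks_random(n) for n in names):
            reasons.append("same binary registered under %d value names" % len(names))
        if reasons:
            findings.append((e["name"], e["target"], reasons))
    return findings
```

Run on the sample, it flags the xakbav trio, the TEMP-resident MWL.EXE and the digit-soup names, while leaving ScanRegistry, LoadPowerProfile and the dotted hpjsiroute entry alone.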

#2 mister_ed2


Posted 14 June 2004 - 12:31 AM

bump

#3 mister_ed2


Posted 14 June 2004 - 10:20 AM

bump

#4 gobolts


Posted 14 June 2004 - 10:54 AM

Just a quick note: C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE is a baddy that I recognize. It is associated with DyFuCa.

#5 mister_ed2


Posted 14 June 2004 - 01:41 PM

Thanks gobolts

I checked PacMan's startup list but it was a bit vague about that one.

Really need someone to take a look at those unknowns though. Haven't been able to find specifics on any of those .exe's. I think they might be random names associated with Peper or some other trojan.

#6 gobolts


Posted 15 June 2004 - 06:07 PM

Hmm, don't know why nobody has helped you out. You prolly know as much or more than me, but I think the HJT entries you highlighted should be fixed, except maybe mwl.exe, which could be Mathwright Library. I'm not sure about sycfilta, but it sure sounds suspicious. I'd say the xakbav, exsodbc, and scsrtz entries are garbage for sure. Prolly ahm9, too.
I'd run a deep scan with updated Ad-Aware, run the updated CWShredder from Merijn and then make a new restore point and see if you stay clean.

Edited by gobolts, 15 June 2004 - 06:11 PM.


#7 mister_ed2


Posted 18 June 2004 - 01:54 PM

Thanks for your interest gobolts.

Since posting I have been able to run Ad-Aware and Spybot. Something in the system was causing problems when I tried to download. I ultimately had to download to another system on my LAN, rename the files to something different, then copy them over to the infected machine. What a pain in the a$$.

Anyway, I'm down to one unknown in HJT; still researching it, but I have it disabled through msconfig.

Thanks again for your interest.



Member of ASAP and UNITE
Support SpywareInfo Forum - click the button