grpconv.exe Bad or Good?


furiousstylz (Thread Starter, Junior Member with 5 posts, Join Date: Dec 2003)
19-Feb-2004, 05:59 PM #1
grpconv.exe Bad or Good?
My log file is showing in the 04 section something about:
grpconv.exe -o

Good or Bad? I'm finding conflicting data on my Google search to learn more about it.

FWIW, I'm running XP, and I use AdAware and HiJackThis about once a week to keep up on this stuff. Today is the first time I've ever seen this one, but even the MS Utilities site is calling it okay, so I don't know now...

Thanks everyone.

dvk01 (Derek), Moderator & Malware Removal Specialist with 45,592 posts (Join Date: Dec 2002, Location: Loughton, Essex, UK)
19-Feb-2004, 06:07 PM #2
Post a log so we can check.

It will depend on the location the grpconv.exe is running from, but I haven't heard of or seen any bad ones, but with the new breed of nasties around anything is possible.

Edit:

There is a bad one around, part of the Magistr viruses.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue

furiousstylz (Thread Starter, Junior Member with 5 posts, Join Date: Dec 2003)
19-Feb-2004, 06:18 PM #3
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...ave/wtinst.cab

Last edited by furiousstylz; 19-Feb-2004 at 06:59 PM.

furiousstylz (Thread Starter, Junior Member with 5 posts, Join Date: Dec 2003)
19-Feb-2004, 06:20 PM #4
I know the two 01 entries I'm going to dump.
And I know the opnste thing I'm going to dump.

The only one I'm not sure about is the grpconv... obviously...

Pretty clean other than those, and short though I think... no?

Thanks.

dvk01 (Derek), Moderator & Malware Removal Specialist with 45,592 posts (Join Date: Dec 2002, Location: Loughton, Essex, UK)
19-Feb-2004, 06:29 PM #5
If the grpconv is still there after a reboot, then fix it in HJT.

DO NOT delete the file, just fix the HJT entry.

And fix these:
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

Reboot & delete the C:\Program Files\Open Site\ folder.
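
Added example, not part of the original thread or written by any of its posters: a short Python triage of the two kinds of HijackThis entries discussed in posts #3 to #5, namely O1 hosts-file mappings to a non-loopback address and O4 autostart commands that give no absolute path (such as `grpconv.exe -o`), where the file's location has to be confirmed by hand. The function name `triage` and both heuristics are assumptions of this example; the sample lines are copied from the log posted above.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted in this thread (post #3).
SAMPLE_LOG = r"""
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # drive-letter path, optionally quoted


def triage(log_text):
    """Return (section, subject, reason) tuples for entries needing a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            ip_text, host = m.groups()
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                findings.append(("O1", host, "unparseable address"))
                continue
            # Loopback/unspecified targets are typical of block lists;
            # any other address sends the hostname somewhere else.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("O1", host, f"hosts file redirects to {ip}"))
            continue
        m = O4_RE.match(line)
        if m:
            key, name, command = m.groups()
            # Without a full path the log does not say which file will run.
            if not ABS_PATH_RE.match(command):
                findings.append(("O4", name, f"no absolute path in {key}; confirm which file runs"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section}  {subject}: {reason}")
```

A flagged entry is a prompt to check, not a verdict: the O4 finding only says the log line does not show where the executable lives.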

furiousstylz (Thread Starter, Junior Member with 5 posts, Join Date: Dec 2003)
19-Feb-2004, 06:41 PM #6
For what it's worth, it would seem that the grpconv.exe -o is removed at reboot, perhaps because it had the "Run Once" tag with it. I'm just speculating.

But yeah, I let it be, removed the rest, rebooted, and it was gone.

Wish I knew what site I hit to get that. Haven't looked at anything even remotely shady today!

dvk01 (Derek), Moderator & Malware Removal Specialist with 45,592 posts (Join Date: Dec 2002, Location: Loughton, Essex, UK)
20-Feb-2004, 04:14 AM #7
To help prevent further attacks,

go here http://forums.net-integration.net/in...showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks.
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.
It also contains links for IE-SPYAD that puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

And links to a browser & security test site to test for exploits that might let these baddies into your computer.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.