1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

01Army.exe, Hole.exe, Sectplus.exe

Discussion in 'Virus & Other Malware Removal' started by connie_66, Apr 17, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. connie_66

    connie_66 Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    27
    My computer started running slow..so I pressed ctrl, alt, del to see what programs were running. One was called 01Army. I searched where this was located. It is in C:\Program Files\startdebugpile. In this folder is 01Army.exe, Hole.exe, and Sectplus.exe. I cannot find out anything on these. I've run spy-bot, Ad-aware and Norton Antivirus. I'm running Windows 98 SE. Any ideas where it came from and what it is? I deleted it once before but after my daughter was on the internet it came back. :confused:
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,171
    Please download Hijack This and post a scan log for the experts to take a look at.

    Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to it’s own folder (not temporary files or the desktop).

    Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

    DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.

    Cookie
     
  3. connie_66

    connie_66 Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    27
    Logfile of HijackThis v1.97.7
    Scan saved at 10:01:16 AM, on 4/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSOEMON.EXE
    C:\PROGRAM FILES\STARTDEBUGPILE\01ARMY.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
    C:\PROGRAM FILES\CALLWAVE\IAM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    D:\UNZIPPED\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\UNZIPPED\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {00a6faf1-072e-44cf-8957-5838f569a31d} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    O2 - BHO: (no name) - {07b18ea1-a523-4961-b6bb-170de4475cca} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [FCJMZCJ] C:\WINDOWS\FCJMZCJ.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\2.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [2 Lite] C:\PROGRA~1\STARTD~1\01Army.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKCU\..\Run: [ShockmachineReminder] C:\Program Files\shockwave.com\Shockmachine\SmReminder.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
    O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
    O9 - Extra button: Hello from Picasa Capture (HKLM)
    O9 - Extra 'Tools' menuitem: Share in &Hello from Picasa (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O13 - WWW. Prefix: http://
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F621C77F-126F-4CA5-BC8B-2F64189E93A5} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {E344ADA2-75B6-4E7E-B221-0A04FD5B0165} (MaxisPublishX Control) - http://simcity.ea.com/us/simexchange/MaxisPublishX.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://www.myfamily.com/plugins/ue/Install_UE.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37973.2046180556
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cubis/cubis.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldwinner.com/games/v46/collapse/collapse.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v58/swapit/swapit.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
    O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
    O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
    O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games/v42/brickout/brickout.cab
    O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldwinner.com/games/v40/mines/mines.cab
    O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} (TracMan Control) - http://mirror.worldwinner.com/games/v46/tracman/tracman.cab
    O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
    O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {40689DFB-7484-4D82-BCDD-DE2B39F74FD3} (Ttt Control) - http://mirror.worldwinner.com//games/v41/ttt/tictactoe.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v45/blockwerx/blockwerx.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v44/sol/sol.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v45/pool/pool.cab
    O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
    O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v44/wordmojo/wordmojo.cab
     
  4. hermes

    hermes

    Joined:
    Aug 12, 2000
    Messages:
    642
    Hi

    You don't by any chance use a screensaver program do you? 01army.exe is a screensaver of military stuff.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You can remove the 01army.exe if you want to keep it and know it's a screensaver...

    Run HJT again and check:

    O2 - BHO: (no name) - {00a6faf1-072e-44cf-8957-5838f569a31d} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    O2 - BHO: (no name) - {07b18ea1-a523-4961-b6bb-170de4475cca} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\2.BIN\MWSBAR.DLL
    O4 - HKLM\..\Run: [FCJMZCJ] C:\WINDOWS\FCJMZCJ.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\2.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [2 Lite] C:\PROGRA~1\STARTD~1\01Army.exe

    Close all applications and browser windows before you click "fix checked".
     
  6. connie_66

    connie_66 Thread Starter

    Joined:
    Aug 25, 2003
    Messages:
    27
    I don't have a screensaver called 01Army. I ran HJT again and checked all that you said. I went into the folder where these 3 files were. They were still there so I deleted the folder called startdebugpile. If anyone knows where these may have come from...I'd like to know. Thanks.
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/221203

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice