
grpconv.exe Bad or Good?

Discussion in 'Virus & Other Malware Removal' started by furiousstylz, Feb 19, 2004.

  1. furiousstylz

    furiousstylz Thread Starter

    Joined:
    Dec 31, 2003
    Messages:
    5
    My log file is showing in the 04 section something about:
    grpconv.exe -o

    Good or Bad? I'm finding conflicting data on my google search to learn more about it.

    FWIW, I'm running XP, and I use AdAware and HiJackThis about once a week to keep up on this stuff. Today is the first time I've ever seen this one, but even the MS Utilities site is calling it okay, so I don't know now...

    Thanks everyone.
     
  2. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,885
    Post a log so we can check.

    It will depend on the location grpconv.exe is running from, but I haven't heard of or seen any bad ones; with the new breed of nasties around, though, anything is possible.

    Edit:

    There is a bad one around, part of the Magistr viruses.
     
  3. furiousstylz

    furiousstylz Thread Starter

    Joined:
    Dec 31, 2003
    Messages:
    5
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    O1 - Hosts: 216.93.168.167 auto.search.msn.com
    O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
     
  4. furiousstylz

    furiousstylz Thread Starter

    Joined:
    Dec 31, 2003
    Messages:
    5
    I know the two O1 entries I'm going to dump.
    And I know the opnste thing I'm going to dump.

    The only one I'm not sure about is the grpconv... obviously... :rolleyes:

    Pretty clean other than those, and short too, I think... no?

    Thanks.
     
  5. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,885
    If the grpconv entry is still there after a reboot, then fix it in HJT.

    DO NOT delete the file; just fix the HJT entry.

    And fix these:
    O1 - Hosts: 216.93.168.167 auto.search.msn.com
    O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
    O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

    Reboot & delete the C:\Program Files\Open Site\ folder.
     
  6. furiousstylz

    furiousstylz Thread Starter

    Joined:
    Dec 31, 2003
    Messages:
    5
    For what it's worth, it would seem that the grpconv.exe -o is removed at reboot, perhaps because it had the "Run Once" tag with it. I'm just speculating.

    But yeah, I let it be, removed the rest, rebooted, and it was gone.

    Wish I knew what site I hit to get that. Haven't looked at anything even remotely shady today!
     
  7. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,885
    To help prevent further attacks:

    Go here http://forums.net-integration.net/index.php?showtopic=3051 for info on how to tighten your security settings and how to help prevent future attacks.
    On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

    The Immunize feature in Spybot, used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware, will go a long way toward keeping your PC free of these pests.
    It also contains links for IE-SPYAD, which puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    And links to a browser & security test site to test for exploits that might let these baddies into your computer.

    Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
     
Short URL to this thread: https://techguy.org/205163