
Hunting UGO20.exe trojan downloader

Discussion in 'Virus & Other Malware Removal' started by JavaMaus, Sep 23, 2003.

Thread Status:
Not open for further replies.
  1. JavaMaus

    JavaMaus Thread Starter

    Joined:
    Jun 8, 2003
    Messages:
    76
    I suspected a possible trojan due to some problems I've had and recently installed the trial version of Trojan Hunter. It showed the file UGO20.exe found in C/Windows/Downloaded Program Files. I did a manual search for this file and cannot seem to find it anywhere!! I have run HijackThis, Spybot S&D, as well as anything else that might show the file someplace, and nothing shows up on these either. I did have the E2Give parasite a couple months ago, but got rid of it (I thought so anyway!! :rolleyes: ) Could this be a "leftover" in my registry that I am not finding, or a trojan that is hiding very well, or something else...:confused:

    This is on my home PC using Windows 98SE and I have the "show all files" enabled. Any clues where to look??? Thanxxxx!!!!!
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. JavaMaus

    JavaMaus Thread Starter

    Joined:
    Jun 8, 2003
    Messages:
    76
    Thanks dvk...I did post my HijackThis log a while back for review and it checked out OK at that time. I've also examined it this time for anything different than before and didn't see anything...but then I can't find that UGO20.exe file either!!! LOL Here's my current log..........


    Logfile of HijackThis v1.94.0
    Scan saved at 4:00:52 PM, on 9/23/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "netscape.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jagm7hmj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jagm7hmj.slt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Anti-keylogger check] C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE /checkautorun
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.4406597222
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    StartupList report, 9/23/03, 4:01:44 PM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Profiles\teresa\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    User shell folders Startup:
    [C:\WINDOWS\Profiles\teresa\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    LoadQM = loadqm.exe
    SoundMan = SOUNDMAN.EXE
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    Anti-keylogger check = C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE /checkautorun
    MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    Zone Labs Client = C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
    THGuard = "C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    Mozilla Quick Launch = "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 9/9/2003, 15:8:46)

    [Rename]
    NUL=C:\PROGRA~1\NORTON~2\NISUM.EXE
    NUL=C:\PROGRA~1\NORTON~2\NISUMPS.DLL
    NUL=C:\PROGRA~1\NORTON~2\NISUM.DAT

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Norton AntiVirus - kazaa & other.job
    Norton AntiVirus - full system scan.job
    Norton AntiVirus - wormchecker.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1044/V31Controls/x86/w98/en/actsetup.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
    CODEBASE = http://216.249.24.142/code/PWActiveXImgCtl.CAB

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.4406597222

    [CWDL_DownLoadControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CWDL_DOWNLOAD.DLL
    CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [{8AD9C840-044E-11D1-B3E9-00805F499D93}]

    [{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,863 bytes
    Report generated in 0.065 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
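Added example (editor's code, not from the thread, from HijackThis or from any project named on this page): a small Python helper that pulls the O16 - DPF entries out of a log like the ones posted above, groups them by the host the codebase URL points at, and sorts them into a review order. The order is this editor's triage heuristic (IP-literal codebase first, then plain http, then https, then controls with no download URL recorded); it is not something HijackThis does and not a conclusion the thread reaches. The sample lines are copied from the log above, with one O4 line added to show that other sections are skipped.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Shape of a HijackThis O16 line: "O16 - DPF: {CLSID} (Friendly name) - codebase URL"
# The URL is empty for controls HijackThis found registered but with no download record.
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$"
)

# Constructed sample: five O16 lines copied from the log in the thread plus one O4 line
# to show that non-O16 entries are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
"""


def parse_o16(log_text):
    """Extract every O16 (Downloaded Program Files) entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m is None:
            continue
        url = m.group("url")
        parts = urlsplit(url) if url else None
        entries.append({
            "clsid": m.group("clsid").upper(),
            "name": m.group("name"),
            "url": url,
            "host": parts.hostname if parts else None,
            "scheme": parts.scheme if parts else None,
        })
    return entries


def is_ip_literal(host):
    """True when the codebase host is a bare IP address rather than a DNS name."""
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def review_rank(entry):
    """Lower rank = look at it sooner. Editor's heuristic, not a HijackThis feature."""
    if entry["host"] is None:
        return 3   # no download record: check the InProcServer32 path in the StartupList section instead
    if is_ip_literal(entry["host"]):
        return 0   # no domain name to attribute the control to
    if entry["scheme"] != "https":
        return 1   # fetched over plain http
    return 2


def triage(entries):
    """Entries sorted into the order a reviewer would check them."""
    return sorted(entries, key=lambda e: (review_rank(e), e["host"] or "", e["name"]))


def by_host(entries):
    """Map each codebase host to the controls fetched from it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["host"] or "(no codebase recorded)"].append(e["name"])
    return dict(groups)


if __name__ == "__main__":
    for e in triage(parse_o16(SAMPLE_LOG)):
        print(review_rank(e), e["name"], "<-", e["url"] or "(none)")
```

The hostname is taken from the codebase URL only; a control served through a CDN (the HouseCall entry above comes from an akamai.net host with the vendor name buried in the path) still groups under the CDN host, so the grouping is a starting point for checking each download source, not a verdict on it.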
     
  4. JavaMaus

    JavaMaus Thread Starter

    Joined:
    Jun 8, 2003
    Messages:
    76
    Also...I've run the Trojan Hunter a couple more times since it found the UGO20.exe...and it also shows an alert that port 68 is open...matches subseven 100 :eek:
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Port 68 will be open if you have a cable modem, as it is the port that listens for DHCP renewal.

    You also have an out-of-date version of HijackThis. Download and run the latest version, which gives a lot more hidden startup info, just to check if the "trojan" is hiding somewhere.
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Also, the easy way to check whether Trojan Hunter is giving a false reading is to delete everything in the Downloaded Program Files folder. Do a scan; then, when any legitimate program needs something from that folder, like windoze update or online virus scans, they will prompt you to download it again.

    Most of the files in that folder are .cab files, so it is possible for the UGO20.exe file to be inside one of the cab folders.

    If it is, I would suspect the CallWave, Yahoo or MSN Chat cabs.
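To make dvk01's suggestion concrete, here is an added example (editor's code, not from the thread, from Trojan Hunter or from any vendor named on this page) that reads the file table of a Microsoft Cabinet (.cab) without extracting anything and then sweeps a folder for every cabinet whose table names a given file. The folder to sweep and the name being hunted (UGO20.exe here) are assumptions; the two cabinets the demo builds are constructed test data with a made-up file table, not copies of the real msnchat45.cab or yinst.cab. On a real Windows 98 machine you would point `find_in_cabs` at C:\WINDOWS\Downloaded Program Files.

```python
import os
import struct
import tempfile

# Microsoft Cabinet (CAB) layout, little-endian:
#   CFHEADER (36 bytes): "MSCF", reserved1, cbCabinet, reserved2, coffFiles, reserved3,
#                        versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
#   CFFOLDER (8 bytes):  coffCabStart, cCFData, typeCompress
#   CFFILE (16 bytes + name): cbFile, uoffFolderStart, iFolder, date, time, attribs, szName\0
# coffFiles points straight at the CFFILE list, so a listing needs no decompression and
# does not depend on the optional reserve fields some cabinets carry after the header.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFFOLDER_FMT = "<IHH"
CFFILE_FMT = "<IIHHHH"
ATTR_NAME_IS_UTF = 0x0080   # CFFILE.attribs bit: szName is UTF-8 rather than the ANSI code page


def list_cab_files(data):
    """Return [(name, size)] for every CFFILE entry in a CAB image held in memory."""
    if len(data) < struct.calcsize(CFHEADER_FMT) or data[:4] != b"MSCF":
        raise ValueError("not a CAB image")
    hdr = struct.unpack_from(CFHEADER_FMT, data, 0)
    cb_cabinet, coff_files, c_files = hdr[2], hdr[4], hdr[9]
    if cb_cabinet > len(data) or coff_files >= len(data):
        raise ValueError("truncated CAB image")
    members, pos = [], coff_files
    for _ in range(c_files):
        if pos + struct.calcsize(CFFILE_FMT) > len(data):
            raise ValueError("CFFILE list runs past end of image")
        cb_file, _off, _folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, data, pos)
        pos += struct.calcsize(CFFILE_FMT)
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated CFFILE name")
        encoding = "utf-8" if attribs & ATTR_NAME_IS_UTF else "cp1252"   # cp1252 assumed for the ANSI case
        members.append((data[pos:end].decode(encoding, "replace"), cb_file))
        pos = end + 1
    return members


def find_in_cabs(root, target):
    """Walk root and return the .cab files whose file table names target (case-insensitive, as on FAT)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".cab"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                members = list_cab_files(data)
            except ValueError:
                continue   # not really a cabinet; skip it rather than abort the sweep
            if any(name.lower() == target.lower() for name, _ in members):
                hits.append(path)
    return sorted(hits)


def build_cab(files):
    """Constructed test data: a minimal CAB image with a file table but no CFDATA blocks."""
    records = b""
    for name, size in files:
        records += struct.pack(CFFILE_FMT, size, 0, 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
    coff_files = struct.calcsize(CFHEADER_FMT) + struct.calcsize(CFFOLDER_FMT)
    total = coff_files + len(records)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, total, 0, 0)   # zero data blocks, compression type NONE
    return header + folder + records


def demo(target="UGO20.exe"):
    """Two constructed cabinets in a scratch folder, one of them carrying the name being hunted."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "msnchat45.cab"), "wb") as fh:
            fh.write(build_cab([("MSNCHAT45.OCX", 542000), ("msnchat45.inf", 1200), ("UGO20.EXE", 12288)]))
        with open(os.path.join(root, "yinst.cab"), "wb") as fh:
            fh.write(build_cab([("YINSTHELPER.DLL", 40000), ("yinst.inf", 600)]))
        return [os.path.basename(p) for p in find_in_cabs(root, target)]


if __name__ == "__main__":
    print(demo())
```

Because the file table sits at the header's coffFiles offset, the names can be read even when the data blocks are MSZIP or LZX compressed, which is what keeps the sweep cheap and avoids writing anything to disk; a scanner that reports a name inside an archive but cannot show you the file on disk is exactly the case this listing settles.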
     
  7. JavaMaus

    JavaMaus Thread Starter

    Joined:
    Jun 8, 2003
    Messages:
    76
    Thanks again, dvk...here's my new HijackThis file from the newer version. Sorry about that. On the port 68 being open...I don't have a cable modem, I have a dial up connection.

    Logfile of HijackThis v1.97.2
    Scan saved at 10:26:57 AM, on 9/24/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "netscape.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jagm7hmj.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\jagm7hmj.slt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Anti-keylogger check] C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE /checkautorun
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - User Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.4406597222
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    StartupList report, 9/24/03, 10:40:32 AM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Profiles\teresa\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    User shell folders Startup:
    [C:\WINDOWS\Profiles\teresa\Start Menu\Programs\Startup]
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    LoadQM = loadqm.exe
    SoundMan = SOUNDMAN.EXE
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    Anti-keylogger check = C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.EXE /checkautorun
    MMTray = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    Zone Labs Client = C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
    THGuard = "C:\PROGRAM FILES\TROJANHUNTER 3.6\THGUARD.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    Mozilla Quick Launch = "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 24/9/2003, 0:40:24)

    [rename]
    NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job
    Norton AntiVirus - kazaa & other.job
    Norton AntiVirus - full system scan.job
    Norton AntiVirus - wormchecker.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1044/V31Controls/x86/w98/en/actsetup.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PWACTIVEXIMGCTL.DLL
    CODEBASE = http://216.249.24.142/code/PWActiveXImgCtl.CAB

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT45.OCX
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37871.4406597222

    [CWDL_DownLoadControl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CWDL_DOWNLOAD.DLL
    CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\OUTC.DLL
    CODEBASE = http://dgl.microsoft.com/downloads/outc.cab

    [ActiveDataObj Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ACTIVEDATA.DLL
    CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

    [{8AD9C840-044E-11D1-B3E9-00805F499D93}]

    [{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}]

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,697 bytes
    Report generated in 0.099 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    If port 68 is still open when you are running ZoneAlarm, there must be something wrong.

    Try a scan at https://grc.com/x/ne.dll?bh0bkyd2 and see if that says the port is open.

    I suspect that Trojan Hunter is giving false positives.
     
  9. JavaMaus

    JavaMaus Thread Starter

    Joined:
    Jun 8, 2003
    Messages:
    76
    Thanks again dvk! I think it was a false positive also on Trojan Hunter. The Shields Up showed that all was well. I also found the UGO20.exe by process of elimination of those .cab files...it was hiding in msn chat control :eek: Sooooo...all is well for now. Thanks again!!!
     
Short URL to this thread: https://techguy.org/166861