
Rogue programs

Discussion in 'Virus & Other Malware Removal' started by Dingus, Oct 20, 2003.

Thread Status:
Not open for further replies.
  1. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,149
    Hi folks,
    I had cause to check my start up programs using msconfig and in there I found a program I don't recognise. I've run Spy-bot and Ad-aware but neither reports it as a problem.
    Does anyone know what it is and if it's a problem? I found it lives in C:/windows/system/63668459.exe
     
  2. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Whenever I see an application that is not something I can find on a search, it makes me think it could be bad. The first thing I'd suggest is an antivirus scan. Try TrendMicro's Housecall.

    You might want to do a search on your computer for the application and see if you can check its properties; maybe that will give you a clue. You know, it could be benign, but I'd do what you are doing, check it out.
     
  3. Corrosive

    Corrosive

    Joined:
    Jan 9, 2003
    Messages:
    1,058
    Indeed, it does look very dodgy. Run Housecall (as suggested by my learned buddy above) and then update the definitions for Ad-Aware, Spybot and the AV app that you should be running.

    After that, it'd be best if we had a little check to see if there's anything else: after all, if there's rats there's probably roaches too.

    Download HijackThis! from www.tomcoyote.org/hjt and follow the instructions. Don't fix anything yourself, as most of it is probably required. We'll make a list of the nasties for you to get rid of.
     
  4. Dingus

    Dingus Thread Starter

    Joined:
    Apr 21, 2002
    Messages:
    1,149
    To my uneducated eye it all looks OK. I've also submitted it to Symantec.


    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\PHOTO IMAGING\HPI_MONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE
    C:\PROGRAM FILES\PRESTONOTES\PRESTONOTES.EXE
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\TRANSPARENTW.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wazzupnet.com
    F1 - win.ini: run=HPFsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {2BC43670-C0BD-4794-BB11-F60F3E001DC5} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [bpcpost.exe] C:\WINDOWS\SYSTEM\bpcpost.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [hf] C:\PROGRAM FILES\HIDEFOLDERS\HF.EXE /s
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [PrestoNotes] C:\PROGRAM FILES\PRESTONOTES\PRESTONOTES.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
    O4 - Global Startup: TransparentW.exe
    O4 - Global Startup: msimn.exe.lnk = C:\Program Files\Outlook Express\msimn.exe
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - http://moneymanager.egg.com/activex/accounttracking.cab
    O16 - DPF: {6CAE02B8-EB30-11D1-8CE5-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_List.cab
    O16 - DPF: {1E89A357-CF86-11D1-8CAE-00805F93E2D7} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz01.cab
    O16 - DPF: {5DD1BBF5-E4B2-11D1-9211-0004ACF75CFC} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz02.cab
    O16 - DPF: {74545298-2152-11D2-8D16-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz03.cab
    O16 - DPF: {F3DAE1EA-01DA-11D2-8E33-08005AAA630C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz04.cab
    O16 - DPF: {5915C16A-F555-11D1-8E31-08005AAA630C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz05.cab
    O16 - DPF: {29166FB6-2AD6-11D2-8DB7-0001FAF8D270} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz06.cab
    O16 - DPF: {C6C07D4E-3911-11D2-8708-0001FAF8D5C4} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz07.cab
    O16 - DPF: {B37DB118-5623-11D3-8769-0010E36241AE} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Wz09.cab
    O16 - DPF: {1096842F-FEE8-11D2-965E-0010E3622565} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_RYD.cab
    O16 - DPF: {8F78C964-B20B-11D2-8D4A-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb01.cab
    O16 - DPF: {C6726AD0-E1E0-11D2-929E-0004ACF75CFC} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb03.cab
    O16 - DPF: {219CF65A-B13C-11D2-8D4A-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb04.cab
    O16 - DPF: {6A863F66-CA4A-11D2-9FF9-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb05.cab
    O16 - DPF: {F0FB4064-2940-11D3-92B1-0004ACF75CFC} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb06.cab
    O16 - DPF: {4DE7E614-E69B-11D2-947C-0001FAF8503C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb07.cab
    O16 - DPF: {5B2FD039-D08C-11D2-9FFD-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb08.cab
    O16 - DPF: {498439C0-0921-11D3-9484-0001FAF8503C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb10.cab
    O16 - DPF: {C1BA9623-F27F-11D2-947D-0001FAF8503C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb11.cab
    O16 - DPF: {9E2D89BB-D888-11D2-A002-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb12.cab
    O16 - DPF: {9D24756B-CBFC-11D2-9FFB-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb13.cab
    O16 - DPF: {D71A2028-D578-11D2-9FFF-0004ACF74B57} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb14.cab
    O16 - DPF: {BBAE9E7E-3F7D-11D3-94B7-0001FAF8503C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb16.cab
    O16 - DPF: {DF3AA904-233E-11D3-9495-0001FAF8503C} - http://roylinedirect.rbs.co.uk/dbpc2/controls/2.6.11.0/IFS_Lb17.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37864.6514351852
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btopenworld.com/templates/btwebcontrol012.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ddm_control.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 213.120.62.97,213.120.62.98
     
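A small triage script for the HijackThis log format posted above, added here as an example and not from the thread or from HijackThis itself: it parses entries by section code, counts them, and flags two things a helper would look at first, an autostart entry whose executable has an all-digit name like the one the original poster found in msconfig, and a BHO registered to a file that no longer exists. The sample log is constructed from a few of the posted lines plus one made-up O4 entry.

```python
import re
from collections import Counter

# Constructed sample: entries copied from the thread's HijackThis log plus one
# made-up O4 line shaped like the msconfig startup item the original poster found
# (an all-digit file name under C:\WINDOWS\SYSTEM). Not real HijackThis output.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE",
    r"O4 - HKLM\..\Run: [63668459] C:\WINDOWS\SYSTEM\63668459.exe",  # constructed
    r"O2 - BHO: (no name) - {2BC43670-C0BD-4794-BB11-F60F3E001DC5} - (no file)",
    r"O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE",
]

# Every HijackThis entry starts with a section code (R0, R1, F1, O2, O4, O16 ...).
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Registry autostart entries look like "HKLM\..\Run: [value name] command line".
RUNKEY_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def executable_name(cmd: str) -> str:
    """Return the bare file name of the program a Run-key command line launches."""
    if cmd.startswith('"'):
        program = cmd[1:].split('"', 1)[0]  # quoted path, may contain spaces
    else:
        program = cmd.split(None, 1)[0] if cmd.strip() else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(lines):
    """Parse HijackThis lines; return (entries per section, list of findings)."""
    counts, findings = Counter(), []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        counts[sec] += 1
        if sec == "O2" and body.endswith("(no file)"):
            findings.append((sec, "BHO registered to a file that is missing", body))
        run = RUNKEY_RE.match(body) if sec == "O4" else None
        if run and NUMERIC_EXE.match(executable_name(run.group("cmd"))):
            findings.append((sec, "autostart launches an all-digit .exe name", run.group("cmd")))
    return counts, findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The script only points out entries worth a closer look; confirming whether a flagged file is malicious still needs the scan and submission steps the thread describes.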
Short URL to this thread: https://techguy.org/173374