Suspicious files in Windows

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Flintstone

Thread Starter
Joined
Sep 25, 2003
Messages
28
Hi,

I discovered some strange files in my Windows XP Pro.
74500674.exe - 87865847.exe - 65491884.exe, all in C:\windows\system32.
Another one I don't trust: DKRYFM.EXE.
Who can tell me more about it?

Thank you! :)
 
Joined
Oct 9, 2001
Messages
9,396
The first 2 files will change (morph) their file name to avoid detection, but if you post your H/T log we will nuke 'em.
Go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

;)
 

Flintstone

Thread Starter
Joined
Sep 25, 2003
Messages
28
This is my H/T logfile.
Thanks for trying to help me!

Logfile of HijackThis v1.97.2
Scan saved at 11:22:59, on 25-Sep-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hplampc.exe
C:\WINDOWS\System32\87865847.exe
F:\Program Files\MailShieldDesktop\mailshield.exe
F:\Program Files\Kleptomania\k-mania.exe
F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
F:\Program Files\ItsTime\ITSTIME.EXE
f:\Program Files\NetCaptor\NetCaptor.exe
F:\Program Files\Personal Firewall Pro\spfw.EXE
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] F:\Program Files\Personal Firewall Pro\WebWatch.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [DKRYFM] C:\WINDOWS\DKRYFM.exe
O4 - HKLM\..\Run: [65491884.exe] C:\WINDOWS\System32\65491884.exe
O4 - HKCU\..\Run: [MailShieldDesktop] F:\Program Files\MailShieldDesktop\mailshield.exe
O4 - HKCU\..\Run: [Kleptomania] F:\Program Files\Kleptomania\k-mania.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: ItsTime!.lnk = F:\Program Files\ItsTime\ITSTIME.EXE
O4 - Startup: Personal Firewall Pro.lnk = ?
O4 - Global Startup: CurWave Client.lnk = F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{748D3458-2719-401C-AEEF-F9B61D1CBEEA}: NameServer = 65.163.241.6 65.163.241.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D03E8-24D4-4439-88BE-BF6FCAE7FA19}: NameServer = 10.169.14.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{748D3458-2719-401C-AEEF-F9B61D1CBEEA}: NameServer = 65.163.241.6 65.163.241.5
 
Joined
Oct 9, 2001
Messages
9,396
You can fix these entries:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [DKRYFM] C:\WINDOWS\DKRYFM.exe


Now then... I was right with this one:
O4 - HKLM\..\Run: [65491884.exe] C:\WINDOWS\System32\65491884.exe

Note how the file name has changed!
What you will have to do is check its location in H/T, and when you run H/T again it will have changed again.
"Fix" it and then re-boot into Safe Mode (by tapping the F8 key as Windows boots) and delete:
C:\WINDOWS\System32\87865847.exe (or whatever it's morphed to.)
It should be easy to locate.
Also, while you're there, delete this:
C:\WINDOWS\DKRYFM.exe

let us know how you do.

;)
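The advice above rests on two observations: the autorun entry points at an 8-digit numeric .exe in System32 whose name changes between scans, and the real test of a fix is that the entry and the process are gone from the next log. The following is an added example (not the forum's or HijackThis's own code) that parses HijackThis-style "Running processes" and O4 Run lines, flags that numeric-name pattern, and diffs two logs to show which autoruns disappeared; the log excerpts are constructed, modelled on the two logs posted in this thread.

```python
import re

# Constructed excerpts modelled on the "before" and "after" logs in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\hplampc.exe
C:\WINDOWS\System32\87865847.exe

O4 - HKLM\..\Run: [DKRYFM] C:\WINDOWS\DKRYFM.exe
O4 - HKLM\..\Run: [65491884.exe] C:\WINDOWS\System32\65491884.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\hplampc.exe

O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
"""

# O4 Run/RunOnce lines: "O4 - HKLM\..\Run: [name] path"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# The "morphing" pattern discussed in the thread: a bare 8-digit file name.
NUMERIC_EXE = re.compile(r"^\d{8}\.exe$", re.IGNORECASE)

def parse_log(text):
    """Return (running_processes, o4_run_entries) from a HijackThis-style log."""
    procs, o4, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if in_procs:
            procs.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            o4.append(m.groupdict())
    return procs, o4

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def suspicious_numeric_exes(text):
    """File names matching the 8-digit pattern, from both autoruns and running processes."""
    procs, o4 = parse_log(text)
    names = [basename(e["path"]) for e in o4] + [basename(p) for p in procs]
    return sorted({n for n in names if NUMERIC_EXE.match(n)})

def removed_autoruns(before, after):
    """Autorun names present in the first log but gone from the second."""
    before_names = {e["name"] for e in parse_log(before)[1]}
    after_names = {e["name"] for e in parse_log(after)[1]}
    return sorted(before_names - after_names)
```

Running the two functions over a fresh log after every "fix" gives the same check Steve asks for by hand: the numeric name list should be empty and the removed list should name exactly the entries you fixed.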
 

Flintstone

Thread Starter
Joined
Sep 25, 2003
Messages
28
Hello Steve,

Everything OK now! I feel a lot better.
After fixing and running H/T again, I didn't see the suspicious files any more. So I didn't need to restart in Safe Mode.
But how about the other suspicious files, 74500674.exe and 87865847.exe? I continued to search for them in the registry and yes, they appeared in HKEY_LOCAL_MACHINE\SOFTWARE\pup
I also found the 65491884.exe file in the same "pup" folder. Remember, that's the file we fixed with H/T.
Can I just delete these 3 values? Or should I simply delete this "pup" folder altogether?
Please advise.

Logfile of HijackThis v1.97.2
Scan saved at 15:06:14, on 25-Sep-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Personal Firewall Pro\WebWatch.EXE
C:\WINDOWS\system32\hplampc.exe
F:\Program Files\MailShieldDesktop\mailshield.exe
F:\Program Files\Kleptomania\k-mania.exe
F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
F:\Program Files\ItsTime\ITSTIME.EXE
F:\Program Files\Personal Firewall Pro\spfw.EXE
F:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] F:\Program Files\Personal Firewall Pro\WebWatch.EXE
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKCU\..\Run: [MailShieldDesktop] F:\Program Files\MailShieldDesktop\mailshield.exe
O4 - HKCU\..\Run: [Kleptomania] F:\Program Files\Kleptomania\k-mania.exe
O4 - Startup: ItsTime!.lnk = F:\Program Files\ItsTime\ITSTIME.EXE
O4 - Startup: Personal Firewall Pro.lnk = ?
O4 - Global Startup: CurWave Client.lnk = F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
O4 - Global Startup: ORiNOCO Client Manager.lnk = F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D03E8-24D4-4439-88BE-BF6FCAE7FA19}
 
Joined
Oct 9, 2001
Messages
9,396
Yes... I would delete the pup folder... the 8-digit numbered .exe file is no longer running, so all should be clear.

;)
 