
Suspicious files in Windows

Discussion in 'Virus & Other Malware Removal' started by Flintstone, Sep 25, 2003.

Thread Status:
Not open for further replies.
  1. Flintstone

    Flintstone Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    28
    Hi,

    I discovered some strange files in my Windows XP Pro.
    74500674.exe, 87865847.exe, 65491884.exe, all in C:\windows\system32.
    Another one I don't trust: DKRYFM.EXE.
    Who can tell me more about it?

    Thank you! :)
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    The first 2 files will change (morph) their file name to avoid detection, but if you post your H/T log we will nuke 'em.
    Go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    ;)
     
  3. Flintstone

    Flintstone Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    28
    This is my H/T logfile.
    Thanks for trying to help me!

    Logfile of HijackThis v1.97.2
    Scan saved at 11:22:59, on 25-Sep-03
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hplampc.exe
    C:\WINDOWS\System32\87865847.exe
    F:\Program Files\MailShieldDesktop\mailshield.exe
    F:\Program Files\Kleptomania\k-mania.exe
    F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
    F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    F:\Program Files\ItsTime\ITSTIME.EXE
    f:\Program Files\NetCaptor\NetCaptor.exe
    F:\Program Files\Personal Firewall Pro\spfw.EXE
    F:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PopUpKiller] F:\Program Files\Personal Firewall Pro\WebWatch.EXE
    O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
    O4 - HKLM\..\Run: [DKRYFM] C:\WINDOWS\DKRYFM.exe
    O4 - HKLM\..\Run: [65491884.exe] C:\WINDOWS\System32\65491884.exe
    O4 - HKCU\..\Run: [MailShieldDesktop] F:\Program Files\MailShieldDesktop\mailshield.exe
    O4 - HKCU\..\Run: [Kleptomania] F:\Program Files\Kleptomania\k-mania.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: ItsTime!.lnk = F:\Program Files\ItsTime\ITSTIME.EXE
    O4 - Startup: Personal Firewall Pro.lnk = ?
    O4 - Global Startup: CurWave Client.lnk = F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
    O4 - Global Startup: ORiNOCO Client Manager.lnk = F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{748D3458-2719-401C-AEEF-F9B61D1CBEEA}: NameServer = 65.163.241.6 65.163.241.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D03E8-24D4-4439-88BE-BF6FCAE7FA19}: NameServer = 10.169.14.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{748D3458-2719-401C-AEEF-F9B61D1CBEEA}: NameServer = 65.163.241.6 65.163.241.5
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    You can fix these entries:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [DKRYFM] C:\WINDOWS\DKRYFM.exe


    Now then... I was right with this one:
    O4 - HKLM\..\Run: [65491884.exe] C:\WINDOWS\System32\65491884.exe

    Note how the file name has changed!
    What you will have to do is check its location in H/T, and when you run H/T again it will have changed again.
    "Fix" it and then re-boot into Safe Mode (by tapping the F8 key as Windows boots) and delete:
    C:\WINDOWS\System32\87865847.exe (or whatever it's morphed to).
    It should be easy to locate.
    Also, while you're there, delete this:
    C:\WINDOWS\DKRYFM.exe

    Let us know how you do.

    ;)
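    An added helper (not from this thread, and not part of HijackThis) that applies the two checks made in the post above to O4/R3 lines and the "Running processes" section of a HijackThis log: it flags a URLSearchHook whose file is missing, Run entries whose executable name is just a long run of digits, and a running numeric-named process whose digits no longer match the registered Run entry, which is the renaming the post points out. The sample log is constructed from lines copied out of the logs posted in this thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\hplampc.exe
C:\\WINDOWS\\System32\\87865847.exe
F:\\Hijackthis\\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\\..\\Run: [hplampc] C:\\WINDOWS\\system32\\hplampc.exe
O4 - HKLM\\..\\Run: [DKRYFM] C:\\WINDOWS\\DKRYFM.exe
O4 - HKLM\\..\\Run: [65491884.exe] C:\\WINDOWS\\System32\\65491884.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")  # hive, key, name, path
NUMERIC_EXE = re.compile(r"^\d{6,}\.exe$", re.IGNORECASE)  # e.g. 65491884.exe

def parse_log(text):
    """Split a HijackThis log into running-process paths and 'Xn - ...' entries."""
    _, _, tail = text.partition("Running processes:\n")
    procs_block, _, rest = tail.partition("\n\n")  # process list ends at the blank line
    procs = [p.strip() for p in procs_block.splitlines() if p.strip()]
    entries = [e.strip() for e in rest.splitlines() if " - " in e]
    return procs, entries

def find_suspicious(text):
    """Return (reason, line) pairs for the three patterns discussed in the thread."""
    procs, entries = parse_log(text)
    findings = []
    # 1) An R3 hook whose target file is gone: harmless but dead, safe to fix.
    for e in entries:
        if e.startswith("R3 - URLSearchHook") and e.endswith("(no file)"):
            findings.append(("orphaned URLSearchHook", e))
    # 2) Run entries pointing at an executable named only by digits.
    run_numeric = set()
    for e in entries:
        m = O4_RE.match(e)
        if m and NUMERIC_EXE.match(PureWindowsPath(m.group(4)).name):
            run_numeric.add(PureWindowsPath(m.group(4)).name.lower())
            findings.append(("numeric-named Run entry", e))
    # 3) A numeric-named process running under a different digit string than
    #    the Run entry registers: the file has renamed itself since the last scan.
    for p in procs:
        name = PureWindowsPath(p).name
        if NUMERIC_EXE.match(name) and name.lower() not in run_numeric:
            findings.append(("numeric-named process not matching Run entry", p))
    return findings
```

    Note that hplampc.exe and DKRYFM.exe pass these checks unflagged; they were judged by the helper from experience, not by a name pattern, so a tool like this narrows the list but does not replace reading the log.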
     
  5. Flintstone

    Flintstone Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    28
    Hello Steve,

    Everything OK now! I feel a lot better.
    After fixing and running H/T again, I didn't see the suspicious files any more. So I didn't need to restart in Safe Mode.
    But how about the other suspicious files: 74500674.exe; 87865847.exe? I continued to search for them in the registry and yes, they appeared in HKEY_LOCAL_MACHINE\SOFTWARE\pup
    I also found the 65491884.exe file in the same "pup" folder. Remember that's the file we have fixed with H/T.
    Can I just delete these 3 values? Or should I simply delete this "pup" folder altogether?
    Please advise.

    Logfile of HijackThis v1.97.2
    Scan saved at 15:06:14, on 25-Sep-03
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    F:\Program Files\Personal Firewall Pro\WebWatch.EXE
    C:\WINDOWS\system32\hplampc.exe
    F:\Program Files\MailShieldDesktop\mailshield.exe
    F:\Program Files\Kleptomania\k-mania.exe
    F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
    F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    F:\Program Files\ItsTime\ITSTIME.EXE
    F:\Program Files\Personal Firewall Pro\spfw.EXE
    F:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PopUpKiller] F:\Program Files\Personal Firewall Pro\WebWatch.EXE
    O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
    O4 - HKCU\..\Run: [MailShieldDesktop] F:\Program Files\MailShieldDesktop\mailshield.exe
    O4 - HKCU\..\Run: [Kleptomania] F:\Program Files\Kleptomania\k-mania.exe
    O4 - Startup: ItsTime!.lnk = F:\Program Files\ItsTime\ITSTIME.EXE
    O4 - Startup: Personal Firewall Pro.lnk = ?
    O4 - Global Startup: CurWave Client.lnk = F:\Program Files\CurWave\CurWave Client\CyberoamClient.exe
    O4 - Global Startup: ORiNOCO Client Manager.lnk = F:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9C6D03E8-24D4-4439-88BE-BF6FCAE7FA19}
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Yes... I would delete the pup folder... the 8-numbered .exe file is no longer running, so all should be clear.

    ;)
     
  7. Flintstone

    Flintstone Thread Starter

    Joined:
    Sep 25, 2003
    Messages:
    28
    OK Steve, you have been a great help. Thanks again, Louis
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    No problem Louis... you're very welcome :)
     