1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Unknown system process - malware?

Discussion in 'Virus & Other Malware Removal' started by chort, Jan 24, 2005.

Thread Status:
Not open for further replies.
  1. chort

    chort Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    2
    Hi there...
    in past few days i have noticed a strange behavior of my computer (slowing down etc..) so i checked the process list and there it was. An obviously random named file "zfrafp.exe" which reappeared and reappeared no matter how i tried to kill the process... i tried to scan the system with AVG Free (updated every day) and it was already listed as a system file inside AVG.. of course it was diagnosed as ok. Then i tried spybot and it found nothing. I ran HJT and i'll post the log at the end of the message. Another strange behaviour is that "calc.exe" has been listed in process list sometimes, but i'm sure as hell that i didn't start it. Info about the file: c:\windows\system32\zfrafp.exe 172,032 bytes.
    another thing, i recently (about two weeks ago) allowed traffic from network on which there are two more computers to my computer to everyone. i think this was a bad idea.. probably this was how the thing got to me because i didn't start any suspicious files received by email or sth. dunno :)

    and now, hjt log. it has been run from normal mode.

    Logfile of HijackThis v1.99.0
    Scan saved at 13:20:18, on 24.1.2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Root\Apache2\bin\Apache.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\mysql\bin\mysqld.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\No-IP\DUC20.exe
    C:\Root\Apache2\bin\Apache.exe
    C:\WINDOWS\System32\r_server.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\windows\system32\zfrafp.exe
    C:\windows\system32\packager.exe
    C:\Program Files\Grisoft\AVG Free\avgcc.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\totalcmd\TOTALCMD.EXE
    C:\Program Files\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arnes.si
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [zfrafp] c:\windows\system32\zfrafp.exe
    O4 - Startup: YahooPOPs.lnk.disabled
    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Monitor Apache Servers.lnk.disabled
    O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093462823495
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O18 - Filter: text/html - {4DF5EE04-E3BB-46B8-B55A-331626E4CD44} - C:\Documents and Settings\CHoRT\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
    O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apache2 - Apache Software Foundation - C:\Root\Apache2\bin\Apache.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MATLAB Server - Unknown - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    O23 - Service: MySql - Unknown - C:\mysql\bin\mysqld (file missing)
    O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
    O23 - Service: Remote Administrator Service - Unknown - C:\WINDOWS\System32\r_server.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    anyone has an idea?
     
  2. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Close ALL browser and explorer windows.

    Run HijackThis scan again.

    Place a checkmark next to the following items only, and click "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll (Transponder/DeepDive malware)

    O4 - HKLM\..\Run: [zfrafp] c:\windows\system32\zfrafp.exe

    O18 - Filter: text/html - {4DF5EE04-E3BB-46B8-B55A-331626E4CD44} - C:\Documents and Settings\CHoRT\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat

    O23 - Service: MySql - Unknown - C:\mysql\bin\mysqld (file missing)

    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)



    Optional:

    O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
    O4 - Global Startup: Monitor Apache Servers.lnk.disabled
    O4 - Global Startup: Post-it® Software Notes Lite.lnk.disabled

    These .disabled files are usually created when you use msconfig to disable items in the StartUp folder. However, they could be using system resources just by still being in the startup folder.

    You could use HJT to fix them and/or you could just cut+paste the files to a backup folder somewhere, incase you ever wish to use the shortcuts again.



    Make sure you can view hidden/system files and folders
    (c/o Control Panel > Folder Options > View tab)
    Also uncheck "hide extensions for known filetypes"

    End Process for zfrafp.exe in Task Manager

    Locate and delete the following files:

    C:\WINDOWS\localNRD.dll
    C:\Documents and Settings\CHoRT\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
    c:\windows\system32\zfrafp.exe

    If you have problems deleting localNRD.dll, see here


    Also empty your internet cache (IE Control Panel > Temp Internet Files > Delete)
    and clear out the Temp folder (start > run > %temp% > select all > delete)


    If you haven't done so already, go to windowsupdate and make sure you've got all Critical Updates installed.
     
  3. chort

    chort Thread Starter

    Joined:
    Jan 24, 2005
    Messages:
    2
    Thanks A LOT! I owe you a beer or something :)
    It's gone and i'm glad it is :)
    only the
    C:\Documents and Settings\CHoRT\Local Settings\Application Data\microsoft\internet explorer\V0.26.dat
    file wasn't there. i double checked and triple checked but it has disappeared.

    once again, thanx a lot :)
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/322864

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice