Unkown Application

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Mike101

Thread Starter
Joined
Apr 13, 2004
Messages
4
I am running a Windows Xp and recently realized I have an application that I don't know about. The application is called uLBu.exe. I Google Searched it and nothing came up...I ran a search on my computer and all I found was a prefetch of the file. If any of you could explain to me what this is, I would really appreciate it! :confused:
 
Joined
Mar 22, 2004
Messages
248
Please do this. Click here: http://www.sherrylynn.us/HijackThis.exe to download Hijack This. Save it to it’s own folder (not temporary files or the desktop).
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise
 
Joined
Mar 8, 2004
Messages
2,326
Can you do a "Search" for uLBu.exe to see if it is anywhere else on your harddrive? It is probably in a hidden file or folder,so you will have to unhide...in folder options
 

Mike101

Thread Starter
Joined
Apr 13, 2004
Messages
4
Man! That's big!


Logfile of HijackThis v1.97.7
Scan saved at 8:35:36 PM, on 4/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
F:\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\docume~1\michae~1.flo\locals~1\temp\uLBu.exe
C:\Program Files\RSNet\RSEDNClient.exe
F:\HP Share-to-Web\hpgs2wnf.exe
F:\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Michael S. Flores\My Documents\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZillaBar - {CAAE9D7F-FFCC-46CF-8DEE-00DCC6CDF5A1} - C:\Program Files\STOPzilla!\ZILLAbar\ZillaBar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] F:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\AozDF.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [fhtssdax] C:\WINDOWS\System32\yufzhbyc.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [tanmxcx] C:\WINDOWS\tanmxcx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uLBu] C:\docume~1\michae~1.flo\locals~1\temp\uLBu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:2
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] F:\Program Files\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12c1e1f4f07aeaee0c21/netzip/RdxIE601.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37821.4867013889
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
O16 - DPF: {BD9B72E4-DC9C-4922-80E9-2D3315E3AADC} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
 
Joined
Mar 22, 2004
Messages
248
the file shows in your temp files

C:\docume~1\michae~1.flo\locals~1\temp\uLBu.exe

but you have a lot more in there than that
im going to leave this up to thew expert diagnosers
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,578
Not an expert but I do see that you have the peper.a trojan so you can start by running the uninstaller.

Peper.a trojan uninstaller

http://www.zerosrealm.com/downloads/uninst.exe

You must be connected to the Internet to run this program.

Click on the uninst.exe and let it run. When it’s finished it will close itself.

After that, I suggest that you download and run the following programs.
AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

Restart your computer

Download and run: SPYBOT SEARCH & DESTROY, here:

http://download.com.com/3000-2144-1...tml?tag=lst-0-1

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems'', Put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click ''Fix Selected Problems'' , Then restart your computer.

Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

http://www.javacoolsoftware.com/spywareblaster.html

Once you've done all that and after rebooting, please post another log here for an expert to take a look at as I’m not qualified to analyze the log.

Cookie
 

Mike101

Thread Starter
Joined
Apr 13, 2004
Messages
4
I ran that uninstall program and a box appeared for about a second and then closed itself...while I was connected to the internet. I checked ALL of my running processes and all of them check out fine. Why isn't this Trojan running in my processes?
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,578
That's all it does, it runs and then closes itself.

This is the entry showing it's an autoloading program in your registry:

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\AozDF.exe

I don't know all the ins and outs but I suspect that uLBu entry could be related. There are other suspecious entries in your startups as well.

Have you run the programs I suggested? If not, please do so and post a fresh log.

Cookie
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top