Win32 Bl Application

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
I recently came across a Win32 Bl Application in my add/remove programs. I did a little researching about it and saw it was spyware associated with free trial versions of software I'd never heard of before, and the files, reg entries, and class IDs that it says are supposed to be there aren't.

I don't see anything in my hjt log, but I'm not the expert.
Any help would be appreciated.

Logfile of HijackThis v1.97.2
Scan saved at 12:08:07 PM, on 9/17/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\KMAESTRO\KMAESTRO.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\MY DOCUMENTS\SECURITY\ZONEALARM\ZONEALARM.EXE
C:\EFDTOP\DTLOADER.EXE
C:\MY DOCUMENTS\DESKTOP\DICONS\DICONS.EXE
C:\EFDTOP\WINXSERVER.EXE
C:\MY DOCUMENTS\SECURITY\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\SECURITY\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\SECURITY\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\MY DOCUMENTS\SECURITY\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ProDsl] C:\WINDOWS\ProDsl.exe /P
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [KeyMaestro] C:\KMAESTRO\KMaestro.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe -I
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: EDLoader.lnk = C:\EfDtop\DTLoader.exe
O4 - Startup: Shortcut to Dicons.exe.lnk = C:\My Documents\Desktop\Dicons\Dicons.exe
O4 - Startup: SpywareGuard.lnk = C:\My Documents\Security\Spywareguard\sgmain.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\My Documents\Security\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7609837963
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
*edit*
A few things regarding my zipcd, mcafee, easy access button support, backweb, taskmon, and a quicktime task (whatever the hell that is) were unchecked in startup.
 
Joined
Aug 10, 2003
Messages
401
By 'Win32 Bl' do you mean Win32 Blaster? If so then you have the Blaster worm. Follow these instructions to remove the Blaster worm.

Here's info on QuickTime Task/qttask for you:
Qttask.exe, System Tray access to Apple's "Quick Time" viewer from version 5 onwards.
 

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
I have no idea to be honest; in add/remove it just has win32 Bl application. I don't know if it's a lowercase L or an uppercase i.
 

sinsation

Thread Starter
Joined
Sep 15, 2003
Messages
323
Well, I don't think it's blaster, the tool didn't find any trace of it.
I was able to find it in my registry though.

Location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Dbi
The variables in there are:
(Default) (value not set)
DisplayName "Win32 BI Application"
UninstallString "RunDLL32 advpack.dll,LaunchINFSection c:\windows\inf\bi2.inf, Uninstall"
Judging by the contents of bi2.inf it is the Win32 BI Application, which I guess is a transponder variant? I didn't catch it earlier because the values it put on my computer are different from the values I've found on sites about this.
I'm downloading a spyware program now called Bazooka that's said to detect this little demon.


I did find something else too that struck me as odd.
HKEY_LOCAL_MACHINE\Software\Microsoft\G<2<::99;
Contents:
(Default) (no value set)
¸¬º¹ 25 cd a5 a5

Any ideas?
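An added check, not posted in the thread: the Dbi entry above is only visible because its UninstallString hands off to advpack.dll's LaunchINFSection with an INF in c:\windows\inf, so enumerating Add/Remove Programs entries for that pattern surfaces similar entries regardless of what DisplayName they use. The registry roots are the standard Uninstall keys; the key names, INF paths and display names come from whatever machine it is run on, and some legitimate Windows components use the same uninstall mechanism, so each hit still needs to be read.

```powershell
# Added example (not from the thread): list Add/Remove Programs entries whose
# UninstallString calls advpack.dll,LaunchINFSection, the mechanism used by the
# HKLM\...\Uninstall\Dbi entry quoted above. Legitimate OS components also use
# this, so review every hit rather than deleting on sight.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Test-InfUninstallString {
    param([string]$UninstallString)
    # Case-insensitive match on "advpack.dll,LaunchINFSection" with optional spaces around the comma.
    return ($UninstallString -match '(?i)advpack\.dll\s*,\s*LaunchINFSection')
}

function Get-InfFromUninstallString {
    param([string]$UninstallString)
    # Extract the .inf path (the text between LaunchINFSection and the section-name comma)
    # so the analyst can open it and read the section it runs.
    if ($UninstallString -match '(?i)LaunchINFSection\s+([^,]+\.inf)') { return $Matches[1].Trim() }
    return $null
}

$hits = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $us = [string]$props.UninstallString
        if (Test-InfUninstallString $us) {
            $inf = Get-InfFromUninstallString $us
            [pscustomobject]@{
                Key         = $key.PSChildName
                DisplayName = $props.DisplayName
                InfPath     = $inf
                InfExists   = if ($inf) { Test-Path -LiteralPath $inf } else { $false }
                Uninstall   = $us
            }
        }
    }
}

# An entry whose INF no longer exists (InfExists = False) cannot be removed through
# Add/Remove Programs and is worth a closer look.
$hits | Format-Table -AutoSize
```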
 
