Runonce.exe/Schoolbus 2.0?

Discussion in 'adware, spyware & hijack cleaning' started by QProteus, Jan 27, 2004.

Thread Status:
Not open for further replies.
  1. QProteus

    QProteus Registered Member

    Joined:
    Oct 20, 2003
    Posts:
    13
    Location:
    Stockholm, Sweden
    Tonight, I ran a full scan of my PC with Trojan Hunter and it claimed to find a trojan named Schoolbus 2.00. Its file extension was C:\WINDOWS\SYSTEM\RUNONCE.EXE.

    Like a headfast fool, I selected to "clean" it when prompted by TH before checking to see if it was a false positive. :mad:

    Well, I just ran HijackThis and pasted the logfile below. Could I trouble any one of you to please take a look to see if anything seems out of whack?

    Thanks in advance. :cool:
    /QPro

    Logfile of HijackThis v1.97.7
    Scan saved at 21:03:17, on 2004-01-27
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SA3DSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM\DRWEB\SPIDER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=searchbar
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=sve
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&i=sve
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c98&s=consumer&i=sve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telia Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c98&s=search&query=%s&i=enu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy1.telia.com:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Program\FreshDevices\FreshDownload\fdcatch.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM\FLASHGET\FGIEBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] "c:\windows\scanregw.exe " /autorun
    O4 - HKLM\..\Run: [SystemTray] "SysTray.Exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] "Rundll32.exe " powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EACLEAN] "C:\Program\Compaq\Easy Access Button Support\eaclean.exe " /NORESTART
    O4 - HKLM\..\Run: [AtiCwd32] "Aticwd32.exe"
    O4 - HKLM\..\Run: [AtiKey] "Atitask.exe"
    O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] "A3dInit.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Vanliga filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
    O4 - HKLM\..\Run: [TaskMonitor] "c:\windows\taskmon.exe"
    O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [SpIDer] "C:\PROGRAM\DRWEB\SPIDER.EXE"
    O4 - HKLM\..\Run: [StillImageMonitor] "C:\WINDOWS\SYSTEM\STIMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] "Rundll32.exe " powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] "sa3dsrv.exe"
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM\MRU-BLASTER\indexcleaner.exe -COOKIES
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download with &FD - file://C:\PROGRAM\FRESHDEVICES\FRESHDOWNLOAD\fdiectx.htm
    O8 - Extra context menu item: Download &All by FD - file://C:\PROGRAM\FRESHDEVICES\FRESHDOWNLOAD\fdiectx2.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM\FLASHGET\jc_all.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O12 - Plugin for .pdf: C:\PROGRAM\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRAM\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151b94ba9bf508fffc16/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.5646759259
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi there,

    Schoolbus is a known backdoor, so I think you did the right thing having it cleaned up.

    Nothing too worrying in HijackThis, just fix:

    R3 - Default URLSearchHook is missing

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151b94ba9bf508fffc16/netzip/RdxIE601.cab

    And, unless you have set some blocks / restrictions in IE for the people who use your PC:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Hope this helps

    Cheers,
     
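The reply above picks three kinds of entry out of the log: a default URLSearchHook reported missing (R3), an Internet Explorer policy key present on a home PC (O6), and an ActiveX control (O16 DPF) downloaded from a bare IP address rather than a hostname. The script below is an added example, not part of the thread or of HijackThis itself: it parses lines in the HijackThis log format and applies those three heuristics. The sample lines are constructed here, copied in shape from the log posted above; the section regexes and the "bare IP host" rule are my assumptions about what a triage pass should flag, not rules taken from the tool.

```python
"""
Triage of HijackThis-style log lines (added example, not from the thread).

Heuristics encode what the reply singled out:
  * R3  - default URLSearchHook missing
  * O6  - IE policy key present (unusual on a single-user home PC)
  * O16 - DPF ActiveX control fetched from a literal IP address
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied in shape from the posted log.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151b94ba9bf508fffc16/netzip/RdxIE601.cab
"""

# "R3 - ..." / "O16 - ...": section tag, " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional name) - URL"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def parse(log_text):
    """Yield (section, body) for every well-formed entry line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address, not a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return [(section, reason, body)] for entries worth a human look."""
    findings = []
    for section, body in parse(log_text):
        if section == "R3" and "URLSearchHook is missing" in body:
            findings.append((section, "default URLSearchHook missing", body))
        elif section == "O6":
            findings.append((section, "IE policy key present", body))
        elif section == "O16":
            m = DPF_RE.match(body)
            if m and host_is_bare_ip(m.group("url")):
                findings.append(
                    (section, "ActiveX control fetched from a bare IP address", body)
                )
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {body}")
```

Run against the sample it reports the same three entries the reply lists and ignores the Spybot BHO and the Macromedia control, which are fetched from a vendor hostname. The IP-address rule is a prompt for a closer look, not a verdict: a control served from a bare IP is not malicious by definition, but it is the kind of entry that should be identified before it is trusted.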
  3. QProteus

    QProteus Registered Member

    Joined:
    Oct 20, 2003
    Posts:
    13
    Location:
    Stockholm, Sweden
    Thanks a bunch, Unzy!

    Does locking my start page in IE (via Spybot-S&D) count?
     