HELP! New items on desktop at startup

Discussion in 'adware, spyware & hijack cleaning' started by unholyone, Mar 31, 2004.

Thread Status:
Not open for further replies.
  1. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Hello,

    I started up my computer this morning and there were several icons I had never seen, and .exe files. I deleted them from the desktop. But on every start-up it is looking for a file named "morze1.exe"; I never had this before.

    In the system start up menu there are many new numerical entries I have never seen like:
    6FA4APRL.lnk
    EI7IQ8ED.lnk
    GR9R2ETL.lnk

    The Hijack-this log is below.

    Any help would be greatly appreciated as I am a newbie to this.

    Thanks
    Woody



    Logfile of HijackThis v1.97.7
    Scan saved at 1:10:49 PM, on 3/31/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\EVIDENCE ELIMINATOR\EE.EXE
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\ECEC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\CRYPTAINER\CRYPTAINER.EXE
    C:\WINDOWS\GR9R2ETL.EXE
    C:\- D\SOFTWARE\SECURITY\HIJACK THIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\MSCONFIG.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://worldnetdaily.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [GR9R2ETL.EXE] C:\WINDOWS\GR9R2ETL.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [GR9R2ETL.EXE] C:\WINDOWS\GR9R2ETL.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 6FA4APRL.lnk = C:\WINDOWS\ei7iq8ed.exe
    O4 - Startup: EI7IQ8ED.lnk = C:\WINDOWS\ei7iq8ed.exe
    O4 - Startup: GR9R2ETL.lnk = C:\WINDOWS\gr9r2etl.exe
    O4 - Global Startup: ECEC.EXE
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: 6FA4APRL.lnk = C:\WINDOWS\ei7iq8ed.exe
    O4 - Global Startup: EI7IQ8ED.lnk = C:\WINDOWS\ei7iq8ed.exe
    O4 - Global Startup: GR9R2ETL.lnk = C:\WINDOWS\gr9r2etl.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.5788310185
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.234.0.71
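Added example, not from this thread and not part of HijackThis: a small Python triage script that runs over the O4 (autostart) lines copied from the log above and flags the patterns a helper looks for in it, namely 8-character mixed letter/digit names such as GR9R2ETL, shortcuts whose name does not match the file they point at (6FA4APRL.lnk pointing at ei7iq8ed.exe), the same program registered in several autostart locations at once, and an executable dropped straight into a Startup folder instead of a shortcut. The allowlist of standard Windows 98 entries, the 8-character name heuristic and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# O4 lines copied from the first HijackThis log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [GR9R2ETL.EXE] C:\WINDOWS\GR9R2ETL.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [GR9R2ETL.EXE] C:\WINDOWS\GR9R2ETL.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 6FA4APRL.lnk = C:\WINDOWS\ei7iq8ed.exe
O4 - Startup: EI7IQ8ED.lnk = C:\WINDOWS\ei7iq8ed.exe
O4 - Startup: GR9R2ETL.lnk = C:\WINDOWS\gr9r2etl.exe
O4 - Global Startup: ECEC.EXE
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 6FA4APRL.lnk = C:\WINDOWS\ei7iq8ed.exe
O4 - Global Startup: EI7IQ8ED.lnk = C:\WINDOWS\ei7iq8ed.exe
O4 - Global Startup: GR9R2ETL.lnk = C:\WINDOWS\gr9r2etl.exe
"""

# Standard Windows 98 autostart entries, treated as known-good here.
# This allowlist is an assumption for the example, not a HijackThis feature.
KNOWN_WIN9X_ENTRIES = {
    "ScanRegistry", "TaskMonitor", "SystemTray", "LoadPowerProfile",
    "StillImageMonitor", "SchedulingAgent",
}

REG_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FOLDER_RE = re.compile(
    r"^O4 - (?P<folder>Global Startup|Startup): (?P<item>.+?)(?: = (?P<target>.+))?$")
# Heuristic (assumption): exactly 8 characters mixing letters and digits.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8}$")


@dataclass
class Entry:
    line: str                     # the original O4 line
    location: str                 # "HKLM Run", "Startup", "Global Startup", ...
    name: str                     # registry value name or file name in the folder
    exe: str                      # lower-cased base name of the program that runs
    shortcut: Optional[str] = None  # .lnk name when the entry is a shortcut


def executable_of(command: str) -> str:
    """Best effort: the program path is everything up to the first '.exe'
    (so paths with spaces survive); otherwise the first whitespace token."""
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    path = command[: m.end()] if m else command.split()[0]
    return path.strip('"')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def stem(filename: str) -> str:
    return filename.rsplit(".", 1)[0].lower()


def looks_random(filename: str) -> bool:
    return bool(RANDOM_NAME_RE.match(stem(filename).upper()))


def parse_o4(line: str) -> Optional[Entry]:
    """Parse one O4 line into an Entry, or None for anything else."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        location = f"{m.group('hive')} {m.group('key')}"
        return Entry(line, location, m.group("name"),
                     basename(executable_of(m.group("cmd"))))
    m = FOLDER_RE.match(line)
    if m:
        item, target = m.group("item"), m.group("target")
        if target is None:  # a file sitting directly in the Startup folder
            return Entry(line, m.group("folder"), item, basename(item))
        return Entry(line, m.group("folder"), item,
                     basename(executable_of(target)), shortcut=item)
    return None


def triage_o4(log_text: str) -> dict:
    """Map each suspicious O4 line to the reasons it was flagged.
    Keys keep log order, so they double as a 'Fix checked' list."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    locations_by_exe = defaultdict(set)
    for e in entries:
        locations_by_exe[e.exe].add(e.location)
    findings = {}
    for e in entries:
        if e.name in KNOWN_WIN9X_ENTRIES:
            continue
        reasons = []
        if looks_random(e.exe):
            reasons.append("random-looking 8-character executable name")
        if e.shortcut and stem(e.shortcut) != stem(e.exe):
            reasons.append(f"shortcut {e.shortcut} points at a differently named file ({e.exe})")
        n = len(locations_by_exe[e.exe])
        if n >= 2:
            reasons.append(f"same program registered in {n} autostart locations")
        if e.location.endswith("Startup") and e.shortcut is None:
            reasons.append("executable stored directly in the Startup folder, not a shortcut")
        if reasons:
            findings[e.line] = reasons
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage_o4(SAMPLE_O4_LINES).items():
        print(flagged_line)
        for reason in why:
            print("    -", reason)
```

On this log the script leaves the six standard Windows 98 entries alone and flags the remaining eleven lines; the registry and shortcut entries for GR9R2ETL and ei7iq8ed trip several rules at once, morze1.exe is flagged only for being registered in both Startup folders, and ECEC.EXE only for being a bare executable in Global Startup, which is the one the helpers in this thread could not identify from the log alone and had to examine as a file.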
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is very difficult to fix, but this is the best cure we have at the moment
    http://www.wilderssecurity.com/showthread.php?t=25926

    Edit: A semi automatic cure has now been discovered and is at the above link
     
  3. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    OK, did that.

    But when Windows starts and gets to the desktop it is still looking for the "morze1.exe" file.

    Should I delete the file and all reg entries showing that file with Hijack-this?

    I have no idea what this file is.

    Thanks
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi unholyone,

    Post a new HJT log here so we can be sure it is gone and any other recommendations....

    Regards,
    Kent
     
  5. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Here is the new hijack log:

    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 6:14:40 PM, on 3/31/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\EVIDENCE ELIMINATOR\EE.EXE
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP\ECEC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\- D\SOFTWARE\SECURITY\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://worldnetdaily.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: ECEC.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37923.5788310185
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 24.234.0.71
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi unholyone,

    Welcome to Wilders.

    Yes, you can go ahead and delete that one.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

    O4 - Global Startup: ECEC.EXE <-- And do you know what this one is? If not go ahead and fix it too.

    If you fix the ECEC.EXE, then reboot into safe mode, zip the following file and e-mail it to Pieter at the address in his profile. Please include a link to this thread.

    ECEC.EXE <-- You may have to do a search for it, making sure that the advanced option of showing hidden files and system folders is checked.

    Do not delete it yet though; wait to hear the status of it from Pieter.

    Regards,
    Kent
     
  7. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    OK, did that too, thanks. I also sent the ECEC.EXE file to Pieter. I didn't delete it yet. I will wait for confirmation from him. I hope he got it.

    Thanks so much,
    Woody
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi unholyone,

    It will probably be 3 or 4 hours before Pieter is on here and then he will need some time to research it, just check back and I am sure he will find an answer for you.

    Regards,
    Kent
     
  9. unholyone

    unholyone Registered Member

    Joined:
    Jan 30, 2004
    Posts:
    28
    Also, there are the following files with ECEC in their name in C:\WINDOWS\APPLOG:

    Ecec.lgc
    Ecec.~~c

    So I assume they are linked or associated with the ECEC.EXE file.

    Just in case this helps.

    Thanks again,
    Woody
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    It may be a legit file, I just could not find out anything about it....

    Kent
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi unholyone,

    The file you sent me was detected by my mail scanners as: Win32/Bugbear.B worm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html

    Regards,

    Pieter
     