help! strange entries in startup file ?

Discussion in 'adware, spyware & hijack cleaning' started by midtown, Jan 20, 2004.

Thread Status:
Not open for further replies.
  1. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Hi,
    We've been having some terrible problems with starting up (Windows 98 second edition), so I used Spybot's Search and Destroy startup tool to examine, hoping to discover the problem.
    In doing so, I spotted one item (in there twice), which I have disabled. According to Spybot's info, this appears to be some sort of spyware?...... if so, the question seems to be how to remove it.

    I am also posting log file just generated by HiJack This, since that's instructed for this forum.
    Thanks so much for any help!

    The item from Spybot's startup tool (this is actually in that list twice):
    Current value: LoadPowerProfile
    Current filename: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: LoadPowerProfile
    Filename: Rundll32.exe

    Description
    Added as a result of the MIROOT (http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html) VIRUS! Note - do not confuse with the valid LoadPowerProfile entry which has "powrprof.dll" appended to the command/data line

    Source: Paul Collins Startup list
    ---------------

    Here is my HijackThis log:

    Logfile of HijackThis v1.96.4
    Scan saved at 11:32:27 AM, on 1/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SOL.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://start.earthlink.net/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\93sj79yd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\93sj79yd.slt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: (no name) - {4220C701-945E-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {5F766D81-9E2E-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {19DF3CC1-D394-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {64C32941-D731-11D7-821F-00D009278F7E} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37864.394849537
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27a1b6d444490d3f9c06/netzip/RdxIE601.cab
    O16 - DPF: {79403BA0-6FC2-45C6-82FC-CD6DD268C5EA} (InstAXCtrl Class) - http://sojoin.buyersport.com/Install.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    -----------------------

    Thank you for any help in interpreting this and removing whatever might be in here that shouldn't be.
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hey midtown,
    welcome to wilders mate :)
    about the first part maybe you can get some help from here

    SYMPTOMS
    When you view the programs that are loaded when you start your computer, you may notice that LoadPowerProfile is listed twice.

    CAUSE
    This behavior can occur because LoadPowerProfile is started twice to provide a power management profile before and after you log on to Windows. LoadPowerProfile starts as a machine service so that the default power management settings are available when Windows 98 starts. It is loaded again after you log on to Windows to process preferences for individual users of the computer.

    STATUS
    This behavior is by design.

    MORE INFORMATION
    To view the programs that are loaded when you start your computer, use any of the following system tools:

    Dr. Watson
    System Configuration Utility
    Microsoft System Information

    or you can go here

    maybe this would give you some idea..
    about the log file... i would say you wait for some expert over here to help you in the best possible way

    thx
     
  3. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Well, the problem is -- according to Spybot Search & Destroy's information from Paul Collins startup list, that particular entry is NOT legit.....
    note the quote from Spybot:

    Database status: Not required - virus, spyware, malware or other resource hog
    Value: LoadPowerProfile
    Filename: Rundll32.exe
    Description
    Added as a result of the MIROOT (http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html) VIRUS! Note - do not confuse with the valid LoadPowerProfile entry which has "powrprof.dll" appended to the command/data line
    Source: Paul Collins Startup list

    So, if I am reading this report correctly, that startup list entry is not legit, but rather is "spyware, malware or other resource hog"

    -- of course, perhaps I have somehow misread or misunderstood this description?
    o_O
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hey midtown,
    mate do wait for some expert to give you the best advice and help you out...( i assume you already know these instructions )
    thx
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi midtown,


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4220C701-945E-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {5F766D81-9E2E-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {19DF3CC1-D394-11D7-821F-00D009278F7E} - (no file)
    O2 - BHO: (no name) - {64C32941-D731-11D7-821F-00D009278F7E} - (no file)

    O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27a1b6d444490d3f9c06/netzip/RdxIE601.cab

    Then can you please check if this file exists in that location on your computer:
    C:\cmd.exe

    If you still have questions or issues, could you download the latest version of HijackThis and post a log using that. The later versions show some extra information that might come in handy.

    Regards,

    Pieter
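As an added example (not Pieter's or the thread's own code), a small Python triage script that applies the same heuristics to HijackThis log lines: O2/O3 entries whose target is "(no file)", O16 ActiveX downloads from a bare IP address, and a LoadPowerProfile startup entry that lacks powrprof.dll, the distinction Paul Collins' description draws. The sample lines are copied from the log above, except the Rundll32-only LoadPowerProfile line, which is constructed to show the check.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format. All lines come from the thread's
# log except the second LoadPowerProfile entry, built to exercise the check.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {4220C701-945E-11D7-821F-00D009278F7E} - (no file)
O3 - Toolbar: (no name) - {23DDAE8C-6A79-4d62-80AA-E95D89CB9811} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/27a1b6d444490d3f9c06/netzip/RdxIE601.cab
"""

BARE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
O4_ENTRY = re.compile(r"\[([^\]]+)\]\s*(.*)$")


def triage_line(line):
    """Return a reason string if the line matches a triage heuristic, else None."""
    line = line.strip()
    if not line:
        return None
    kind = line.split(" - ", 1)[0]
    # O2 (BHO) / O3 (toolbar) registrations whose DLL is gone are orphaned
    # leftovers; HijackThis "Fix checked" simply deletes the registration.
    if kind in ("O2", "O3") and line.endswith("(no file)"):
        return "orphaned %s entry (no file on disk)" % ("BHO" if kind == "O2" else "toolbar")
    # O4 startup entry: the valid LoadPowerProfile command names powrprof.dll;
    # the Miroot-added one (per Paul Collins' list) is a bare Rundll32.exe.
    if kind == "O4":
        m = O4_ENTRY.search(line)
        if m and m.group(1).lower() == "loadpowerprofile":
            if "powrprof.dll" not in m.group(2).lower():
                return "LoadPowerProfile without powrprof.dll (matches Miroot description)"
        return None
    # O16 (downloaded program file / ActiveX): a bare IP host is worth a look.
    if kind == "O16":
        host = urlparse(line.rsplit(" - ", 1)[-1]).hostname or ""
        if BARE_IP.match(host):
            return "ActiveX download from bare IP address %s" % host
    return None


def triage_log(text):
    """Return a list of (line, reason) pairs for every flagged line."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print("FLAG:", reason)
        print("      ", line)
```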
     
  6. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Thanks Pieter.
    I have used HiJackThis "fix" for the items noted.

    As for the latest version of HijackThis, well, I thought I was using it. I downloaded and ran the program just before posting - downloaded from the link in this forum, i.e.:
    Download HijackThis from here: http://www.tomcoyote.org/hjt/
    - Use the HijackThis button on left which has the green flashing light next to it.

    And so that's what I did. Not quite sure why my version would not be the latest...... any ideas? o_O

    Also am still unsure about the items I "unchecked" from Spybot's startup tool - should I have unchecked these? Or is this something I should allow in startup?
    Spybot's description said:
    Database status: Not required - virus, spyware, malware or other resource hog
    Value: LoadPowerProfile
    Filename: Rundll32.exe
    Description
    Added as a result of the MIROOT (http://securityresponse.symantec.com/avcenter/venc/data/w32.miroot.worm.html) VIRUS! Note - do not confuse with the valid LoadPowerProfile entry which has "powrprof.dll" appended to the command/data line
    Source: Paul Collins Startup list

    Thank you again for your help. (I normally use a Mac, so am pretty "lost" with all of this!)
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi midtown,

    Your log shows v1.96.4. The latest is version 1.97.7.
    This link should give you the latest:
    http://www.merijn.org/files/HijackThis.exe

    I asked you to look for cmd.exe in the C directory, because that would show if you really have the Miroot worm
    I don't think so, but I would feel better knowing that file is not there.

    Regards,

    Pieter
     
  8. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Pieter,
    Thanks. I'm sorry I forgot to check for the cmd, but have now - or at least I think I have.
    I went to Start>>Find and ran a search for cmd.exe in files and folders in "my computer" and it came back showing nothing found.
    Please let me know if that is the correct way to search for it. If so, I don't seem to have it, in which case I'm wondering if I should turn back ON those two items in the startup folder? o_O

    Meanwhile, I'll go take care of getting the latest "Hijack This." Thanks again so much!
     
  9. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Pieter,
    Okay, so this is the log from the newer version of Hijack This:
    And thank you again for all of this help!

    Logfile of HijackThis v1.97.7
    Scan saved at 4:50:41 PM, on 1/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://start.earthlink.net/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\93sj79yd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\93sj79yd.slt\prefs.js)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37864.394849537
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {79403BA0-6FC2-45C6-82FC-CD6DD268C5EA} (InstAXCtrl Class) - http://sojoin.buyersport.com/Install.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi midtown,

    The Load Powerprofile entries are only needed if you are using power saving schemes.
    If your computer is working fine without them, leave them disabled.

    Your log is clean.

    Regards,

    Pieter
     
  11. midtown

    midtown Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    8
    Wonderful! Thank you very much, Pieter, for all of your time and help. :-*
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    My pleasure,

    Pieter
     