Program exe files and commands reassigned?

Discussion in 'other software & services' started by credralin, May 5, 2004.

Thread Status:
Not open for further replies.
  1. credralin

    credralin Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Can this be a possible worm?

    When I click on a program to start it in XP, a Windows Installer window pops up. I close it, then in Control Panel (install programs) I reinstall that program; then another program starts its installer. This also happens randomly when using commands such as paste: after cutting from one directory and then pasting anywhere, the installer also starts. This is intermittent. I also noticed that Microsoft Virtual Machine couldn't be found, and I did have it, so I installed Sun Java Web Start, although this might be another problem. I also use multiple video editing packages.

    I'm using a Sony VAIO RZ34G, P4 2.8 GHz, 1.5 GB memory, 120 and 160 HDs.

    Is this a possible virus? What can I do?

    I also have Norton Internet Security, ZoneAlarm and PestPatrol.

    I used Spybot and then HijackThis, with the following results:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:59:48 PM, on 5/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Program Files\Norton Internet Security\NISUM.EXE
    D:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Sony\Giga Pocket\shwserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
    C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
    C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
    C:\Program Files\Sony\Giga Pocket\RM_SV.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\hphmon04.exe
    D:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\program files\quicktime\qttask.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Sony\USBSircs\usbsircs.exe
    D:\Program Files\Sony Handheld\HOTSYNC.EXE
    D:\My Documents\Downloads\antivirus\hijackthis1977\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_5_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_5_0.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\Program Files\Common Files\Mobipocket Shared\webcomp.exe -m
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [SpyKiller] D:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: HotSync Manager.lnk = D:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Remocon Driver.lnk = ?
    O8 - Extra context menu item: Convert for CLIE - D:\Program Files\Sony\Image Converter\menu.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1878c4dcf31ce3234201/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.0083449074
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {C5D8D76A-D99F-4B68-A10E-B9BEFAD7E24C} (Screenblastuploadctrl1 Control) - http://www.screenblast.com/main/my_projects/screenblastuploadctrl1.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4356/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I don't think there is anything really bad in there, although not all viruses show up in a HijackThis log.

    From what I gathered, the Windows Installer starts for a different program every time?

    Anyway. I will move this thread to another forum where it may fit in a bit better.

    Regards,

    Pieter
     
  3. credralin

    credralin Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Thank you for your response.

    Yes, it also happens with commands. I cut one file from directory X and paste it to directory Y, and as soon as I pasted it, the install program for VideoWave started. I closed that window, then reinstalled VideoWave, and the cut and paste problem went away. But then the RecordNow program started another program's install program. Sometimes some files turn up missing. For example, in SmartSound the sound files stayed intact, but the file that tells it where these files are had changed to only show three out of over 20 sound files. And this keeps on cycling through. So I think it's some kind of worm, but I can't see where the file or command is getting changed from.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Would using System Restore be an option?
    Going back to a previous state, before this started happening.

    Regards,

    Pieter
     
  5. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Hi credralin,

    You should check the following registry keys:

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

    Both values should be equal to "%1" %* (and nothing else)

    You should also check the value of the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe

    There should not be any value. If you find a value like "Application" in it (could be associated with, for example, the "setup.exe" string) you should remove it. There might only be the "OpenWithList" subkey.
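
    As an added example (not code from the thread or from any of the posters), the Python script below applies Tweakie's checks, plus the DropHandler default credralin later posted, to a regedit .reg export rather than to the live registry, so it can be run anywhere; the two export texts and the hijacked path C:\Example\hijack.exe are constructed for the demo. regedit writes exports as UTF-16 LE, so decode the file to text before passing it in.

```python
"""Check a regedit .reg export for the exefile association problems discussed above.
Added example, not from the thread: the exports below are constructed and the hijacked
path C:\\Example\\hijack.exe is hypothetical. Real exports are UTF-16 LE; decode first.
"""
import re

# Tweakie's post: the open command must be exactly this, and nothing else.
EXPECTED_OPEN_COMMAND = '"%1" %*'
# DropHandler CLSID credralin posted from a machine whose exefile key was fine.
EXPECTED_DROP_HANDLER = "{86C86720-42A0-1069-A2E8-08002B30309D}"
OPEN_COMMAND_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)
FILEEXTS_EXE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe"
DROP_HANDLER_KEY = r"HKEY_CLASSES_ROOT\exefile\shellex\DropHandler"
# A .reg value line: @=... for the default value, "Name"=... otherwise.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings escape a backslash or a quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key (lower-cased): {value name: data}}; the default value is named "".
    Only REG_SZ ("...") data is decoded; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_exe_association(reg_text):
    """Apply the thread's checks to an export; return findings (empty means clean)."""
    keys = parse_reg(reg_text)
    findings = []
    for key in OPEN_COMMAND_KEYS:
        values = keys.get(key.lower())
        if values is None:
            findings.append(f"{key}: not in export, cannot verify")
            continue
        cmd = values.get("", "")
        if cmd != EXPECTED_OPEN_COMMAND:
            findings.append(f"{key}: default is {cmd!r}, expected {EXPECTED_OPEN_COMMAND!r}")
    # FileExts\.exe itself should carry no values; only the OpenWithList subkey.
    for name, data in keys.get(FILEEXTS_EXE_KEY.lower(), {}).items():
        findings.append(f"{FILEEXTS_EXE_KEY}: unexpected value {name!r} = {data!r}")
    drop = keys.get(DROP_HANDLER_KEY.lower())
    if drop is not None and drop.get("", "") != EXPECTED_DROP_HANDLER:
        findings.append(f"{DROP_HANDLER_KEY}: default is {drop.get('', '')!r}")
    return findings


# Constructed exports: one clean, one showing both symptoms Tweakie described.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithList]
"a"="notepad.exe"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Example\\hijack.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
"Application"="setup.exe"
'''
```

    To use it on a real machine, export HKEY_CLASSES_ROOT\exefile and the FileExts\.exe key from regedit (File > Export), decode the file as UTF-16, and pass the text to check_exe_association; an empty list means the two open commands are exactly "%1" %*, FileExts\.exe carries no values, and the DropHandler CLSID matches the one posted in this thread.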
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Credralin,

    You do appear to have drivers for both ATI and Nvidia graphics cards installed. Unless you actually have both installed (unlikely), you should remove the one that isn't being used (try Control Panel's Add/Remove Programs first; if no entries are listed for the graphics card, then try Driver Cleaner). Although I cannot see this as being the direct cause, having multiple graphics drivers can cause other problems.

    Pieter,

    The log does show a www.xxxtoolbar.com entry - a possible issue?
     
  7. credralin

    credralin Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    "You should check the following registry keys:

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

    Both values should be equal to "%1" %* (and nothing else)"

    This is true. However, there is also:
    HKEY_CLASSES_ROOT\exefile\shellex\drophandler
    with the default value of {86C86720-42A0-1069-A2E8-08002B30309D}
    and HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers, also with

    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps
    {86F19A00-42A0-1069-A2E9-08002B30309D}
    HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page
    {513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}

    "You should also check the value of the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe

    There should not be any value. If you find a value like "Application" in it (could be associated with, for example, the "setup.exe" string) you should remove it. There might only be the "OpenWithList" subkey."

    I have no .exe key.

    I have an Nvidia board, and the Sony capture card uses the ATI drivers (I tried removing it already, but then Sony Giga Pocket stopped).

    And how do I get rid of the xxx toolbar? I didn't install it and it doesn't appear to have an uninstaller. There is also one with a blank name.
     
  8. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Good.

    Well, I think this is normal.

    Well, this is probably normal. I suppose I have some because I'm used to opening .exe files with hex editors, debuggers, things like that. Since you don't do it, it is normal that you do not have this key.

    I do not think your problem is there.

    You can do this with HijackThis.
     
  9. credralin

    credralin Registered Member

    Joined:
    May 5, 2004
    Posts:
    6
    Thank You.

    For now, my computer is fine. But we shall see.
     