Unrecognized entries - bad?

Discussion in 'adware, spyware & hijack cleaning' started by mdinnick, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. mdinnick

    mdinnick Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    7
    Location:
    Toronto
    I now have the new v1.98 and have 2 entries which are "new" and which I don't recognize - the O9 and the O20 entries.

    Your help is, as usual, much appreciated for giving us peace of mind.

    Here is my log:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:52:06, on 29/06/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\WINDOWS\STARTUPMONITOR.EXE
    C:\REGPROT\REGPROT.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\BHODEMON 2.0\BHODEMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\EUDORA\EUDORA.EXE
    C:\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [RegProt] c:\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
    O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe C:\WINDOWS\SYSTEM\v128iitw.dll,STB_InitTweak
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - Startup: Acpana Online Backup.lnk = C:\Program Files\Acpana Business Solutions\Acpana Online Backup\startup.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2.0\BHODemon.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O20 - AppInit_DLLs: APITRAP.DLL

    thanks
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Yes... those look suspicious at first. APITRAP.DLL however should be part of "Cleansweep" by the looks. You can email the file for checking if you like, to the email address in my profile :)

    Remove the other entry since the file is gone and it's just a dead entry.
     
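As an added example (not code from this thread or from HijackThis itself): a small Python triage script that parses log lines in the HijackThis format shown above, using a constructed sample built from the entries discussed, and flags the two entry types Gavin explains, an O9 button whose file is missing and an O20 AppInit_DLLs entry whose DLL must be identified before it is trusted.

```python
import re

# Constructed sample in the HijackThis v1.98 log format (entries taken from the post above).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [RegProt] c:\\regprot\\regprot.exe /start
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O20 - AppInit_DLLs: APITRAP.DLL
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Split a log into (section, body) pairs, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Attach a verdict to each entry; only O9/O16/O20 get an automatic one here."""
    verdicts = []
    for sec, body in entries:
        if sec == "O9" and body.endswith("(no file)"):
            # Button/menu item pointing at a file that no longer exists: a dead entry.
            note = "dead entry: referenced file is missing; safe to remove"
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs names DLLs the loader injects system-wide; identify the owner.
            dll = body.split(":", 1)[1].strip()
            note = f"verify {dll}: AppInit_DLLs entry, identify the vendor before trusting it"
        elif sec == "O16":
            note = "review: ActiveX download source, confirm the host is one you expect"
        else:
            note = "no automatic verdict"
        verdicts.append((sec, body, note))
    return verdicts


def flagged(text):
    """Return only the entries that received an automatic verdict."""
    return [v for v in triage(parse_entries(text)) if v[2] != "no automatic verdict"]
```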
  3. mdinnick

    Gavin:

    Many thanks - I have sent you an e-mail with the file attached.

    I will now remove the O9 entry, and await your verdict on the O20 entry.

    regards,

    Michael
     
  4. mdinnick

    Gavin:

    Thanks for your help.

    The O9 and O20 entries are toast.

    best

    Michael
     