
?about startup item is it a virus? spybot found



JOE.G
2007-01-02, 17:16
I have a screenshot of the start up menu from Spybot; in there it tells you what stuff is. On the scanregistry it says it is a virus and I should delete it, but when I search the net it seems to be a valid ext. I would like you guys to look at it.


This is an old one but it is on there.
It is the 7th O4 entry, the scanreg one. On Spybot, where you can get the entry of your start up menu to see if it is valid or not, it says this one is not and that it is not the real scanreg, the one that is needed. This is the only one I have found in the start up menu and all the searching on the internet says it is valid. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 7:42:21 PM, on 7/2/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPRMMON.EXE
C:\WINDOWS\SYSTEM\M2AUDMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIGHJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.catskill.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: starter.exe
O4 - HKLM\..\Run: c:\windows\taskmon.exe
O4 - HKLM\..\Run: C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: c:\windows\SYSTEM\m1mmpti.exe
O4 - HKLM\..\Run: c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: c:\windows\SYSTEM\mprmmon.exe
O4 - HKCU\..\Run: C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

pskelley
2007-01-06, 15:25
Hello Joe and welcome to the forum, I see no obvious problem in the HJT log. Are you having malware issues? Here are free scanners which you can use to check any file you have doubt about:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

While hackers can and do call their junk anything they want, from here this item looks fine:
http://www.liutilities.com/products/wintaskspro/processlibrary/scanregw/

If you feel you are having malware issues, you need to read and follow these instructions:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

Post the online anti-virus scan results required in the instructions, a new HJT log and more information about the issue.

Thanks

JOE.G
2007-01-06, 22:37
Know I went to the start up menu option in Spybot and it said that this entry was not needed and to erase it because it is a virus. I checked everywhere on the net and this one seems to be valid.

JOE.G
2007-01-11, 04:31
Anyone?

JOE.G
2007-01-15, 17:59
How do I verify if it is a virus?

pskelley
2007-01-15, 23:44
What I would like you to do is read the instructions and follow them. Especially these:

If you feel you are having malware issues, you need to read and follow these instructions:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

Post the online anti-virus scan results required in the instructions, a new HJT log and more information about the issue.

Thanks

JOE.G
2007-01-18, 14:36
The new log is the same as the one above, my AVG virus scans turn up nothing. I have a screenshot of the Spybot part I am talking about if you would like to see it. Just tell me how to post it. Thanks

pskelley
2007-01-18, 14:58
You have yet to tell me what this item is. I do not need to see a screenshot; copy/paste the results of the scan or type the name of the item with the complete pathway in this topic.

The instructions give at least four free online scans. I do not want to know what your resident antivirus did; if so I would have asked for a scan from it. I wish to view scan results from another opinion. I also want a new HJT log posted since the original log is from
Scan saved at 7:42:21 PM, on 7/2/06 and over two weeks old.

Thanks

JOE.G
2007-01-20, 19:39
c:\windows\scanregw.exe/autorun.

pskelley
2007-01-20, 19:58
You are talking about this item:
O4 - HKLM\..\Run: c:\windows\scanregw.exe /autorun

I am not sitting in front of your computer, so I am depending on search to locate information. This is what I believe that is:
http://www.liutilities.com/products/wintaskspro/processlibrary/scanregw/

Now several worms have run that look similar: w32.blackmal@mm
This one: O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan <<< look at how it is running
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

and others like this one: Nyxem.E worm
Look here: http://www.bleepingcomputer.com/startups/scanregw.exe-14331.html
running from: C:\Windows\System32\scanregw.exe /scan

and there are many more:
http://www.google.com/search?hl=en&q=scanregw.exe&btnG=Google+Search

But they are running from C:\Windows\System32\ and NOT c:\windows\scanregw.exe <<< which should be a valid item as you read in the link above. I understand this can be confusing; it confuses me at times and I have been killing malware for ten years. What I suggest you do to satisfy yourself is make sure all files and folders are showing:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then use one or more of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Browse to that file in C:\Windows\scanregw.exe and upload it to as many scanners as you wish to verify what it is.

Thanks
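
The comparison made in the post above (same file name, different folder and argument) can be run over HijackThis O4 lines. This is an added example, not part of the original thread or of HijackThis or Spybot; the EXPECTED table and the function names are assumptions, and the third sample line is constructed from the path quoted in the post.

```python
import ntpath
import re

# Expected folder and argument for the startup item, as given in the thread
# for Windows 98: c:\windows\scanregw.exe /autorun (assumed baseline).
EXPECTED = {"scanregw.exe": (r"c:\windows", "/autorun")}

# O4 line shape: "O4 - <hive>\..\<key>: [optional name] <command>"
O4_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\\w+: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")

def split_command(cmd):
    """Split an O4 command into (folder, file name, arguments), lower-cased."""
    m = re.match(r"^(?P<exe>.+?\.exe)\s*(?P<args>.*)$", cmd.strip(), re.IGNORECASE)
    if not m:
        return None
    folder, name = ntpath.split(m.group("exe").lower())
    return folder, name, m.group("args").lower()

def check_o4(line):
    """Return 'expected', 'mismatch: ...', or None for lines not in EXPECTED."""
    m = O4_RE.match(line.strip())
    parts = split_command(m.group("cmd")) if m else None
    if not parts or parts[1] not in EXPECTED:
        return None
    folder, name, args = parts
    want_folder, want_args = EXPECTED[name]
    problems = []
    if folder != want_folder:
        problems.append(f"runs from {folder or '(no path)'}, expected {want_folder}")
    if args != want_args:
        problems.append(f"argument {args or '(none)'}, expected {want_args}")
    return "mismatch: " + "; ".join(problems) if problems else "expected"

SAMPLE = [
    r"O4 - HKLM\..\Run: c:\windows\scanregw.exe /autorun",          # from the log
    r"O4 - HKLM\..\Run: [ScanRegistry] scanregw.exe /scan",         # quoted in post
    r"O4 - HKLM\..\Run: C:\Windows\System32\scanregw.exe /scan",    # constructed
    r"O4 - HKLM\..\Run: c:\windows\taskmon.exe",                    # not watched
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(check_o4(entry), "<-", entry)
```

A result of "expected" only says the entry matches the known folder and argument; the file itself still needs the scan described in the post.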

pskelley
2007-01-27, 12:54
It appears there were no issues on this computer, if you read the topic.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks...pskelley
Safer Networking Forums