rage4
2006-03-14, 21:42
Hi, I am trying to fix my parents' computer. It's running Windows 98. IE couldn't open some websites (including Yahoo and Hotmail mailboxes); a dialog box said it couldn't open and the operation was aborted, had an OK button, and the web page could not be displayed.
So I ran Spybot and removed a couple of tracking cookies, a DOS exploit and another file. I started looking at some of the programs running and found a couple of weird ones, so I started Googling them. I ran msconfig and noticed several repeating programs listed in the Startup tab. One was listed three times: process services.exe, NAME xp_system, LOCATION C:\WINDOWS\INET20000\SERVICES.EXE (the same program was also listed as run= with the same location). I researched it and found out it was either the Krepper-G Trojan, a CoolWebSearch parasite variant or the W32.Conycspa.G worm (Symantec says it's a mass mailer). My computer hasn't mass-emailed, and when I was looking at a forum to remove the Trojan for Search-paga it was in a different folder, C:\WINDOWS\INETDATA\SERVICES.EXE. But then I came across another forum here that had a similar problem. It was from February, called "Please help with this system - shdocapi problem". I was going to follow those instructions to remove it but wasn't sure if I should, because I am running 98, not XP, and also the folder the process is located in was a little different (C:\WINDOWS\INET20001\SERVICES.EXE). Please help. I'm not sure what to do; my web page hasn't been hijacked to either of those web pages mentioned in the two Trojan forums, so I don't know if it's a Trojan or not. I'm not sure about two other processes that DIDN'T show up in my Google search: listed twice is Msranalx.exe, NAME Security Media, LOCATION C:\WINDOWS\SYSTEM\msranalx.exe, and listed four times is Xlehxlqq, NAME XLEHXLQQ, LOCATION C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE. These three programs are the only programs listed multiple times in my System Configuration Utility. This leads me to believe that they are some type of malware, and I am going to disable these startup items (let me know if I need to have them running in order for the next scans to find them) after I finish posting my HijackThis log below:
For some reason I can't submit to this forum; it says this long message isn't long enough. It needs to be at least 10 characters long(?). I still couldn't get into my email, but I managed to get everything to my computer.
Logfile of HijackThis v1.99.1
Scan saved at 2:50:47 PM, on 3/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INET20000\SERVICES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\MSRANALX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\FREXT.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\WINDOWS\SYSTEM\HPOID407.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET G SERIES\BIN\HPOSTS07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOCUMENTS AND SETTINGS\PYEE\DESKTOP\NEWW\QWEST IB IE6\IE6\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/?http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
F1 - win.ini: run=C:\WINDOWS\INET20000\SERVICES.EXE
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20000\3.02.00.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [Security Media] C:\WINDOWS\SYSTEM\msranalx.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20000\SERVICES.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [XLEHXLQQ] C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Security Media] C:\WINDOWS\SYSTEM\msranalx.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20000\SERVICES.EXE
O4 - HKCU\..\Run: [XLEHXLQQ] C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\DOCUME~1\PYEE\DESKTOP\NEWW\QWESTI~1\IE6\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O21 - SSODL: Internet Player - {239F2140-B275-11DA-B01B-0010B506B4A4} - C:\WINDOWS\SYSTEM\ripud407.dll
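An added example, not from the poster and not part of HijackThis: a small Python script that does the cross-check the post describes by hand (which startup entries point at the same executable from more than one autostart location, and whether that executable is currently running). It parses the O4 Run/RunServices lines, the F1 win.ini run= line and the running-process list in HijackThis 1.99.1 format, over a constructed sample made from a subset of this log's lines. The function names and the "odd Windows sub-folder" heuristic are my own; as the McAfee entries registered in both Run and RunServices show, multiple registration alone is a triage hint, not proof of malware.

```python
"""Triage helper for a HijackThis 1.99.1 log (hypothetical script written for this
thread): group autostart targets by executable path, count how many autostart points
register each one, and check whether it appears in the running-process list."""
import re
from collections import defaultdict

# Constructed sample in HijackThis format, a subset of the lines in the log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\INET20000\SERVICES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSRANALX.EXE
C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
F1 - win.ini: run=C:\WINDOWS\INET20000\SERVICES.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [Security Media] C:\WINDOWS\SYSTEM\msranalx.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20000\SERVICES.EXE
O4 - HKLM\..\Run: [XLEHXLQQ] C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Security Media] C:\WINDOWS\SYSTEM\msranalx.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20000\SERVICES.EXE
O4 - HKCU\..\Run: [XLEHXLQQ] C:\WINDOWS\SYSTEM\XLEHXLQQ.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

# Registry-based O4 entries ("O4 - HKLM\..\Run: [name] command"); Startup-folder O4
# entries and other item types are ignored here.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: run=(?P<cmd>.+)$")
ITEM_RE = re.compile(r"^[A-Z]\d+ - ")  # any HijackThis item line (R1, F1, O2, O16 ...)
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|dll|ocx))(?:\s.*)?$", re.IGNORECASE)
WINDIR = r"C:\WINDOWS"


def exe_path(cmd: str) -> str:
    """Upper-cased executable path with any command-line arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return (m["path"] if m else cmd.strip()).upper()


def parse_log(text: str):
    """Return (running process paths, {executable path: [autostart locations]})."""
    running = set()
    autostarts = defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not ITEM_RE.match(line):
            running.add(line.upper())
            continue
        in_procs = False  # the first item line ends the process list
        m = O4_RE.match(line)
        if m:
            autostarts[exe_path(m["cmd"])].append(f"{m['hive']}\\..\\{m['key']}")
            continue
        m = F1_RE.match(line)
        if m:
            autostarts[exe_path(m["cmd"])].append("win.ini run=")
    return running, dict(autostarts)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def in_odd_windows_subdir(path: str) -> bool:
    """Heuristic: executable under the Windows directory but in a sub-folder other than
    the Windows root or SYSTEM (the INET20000 folder in the log above is such a case)."""
    parent = path.rsplit("\\", 1)[0]
    return path.startswith(WINDIR + "\\") and parent not in (WINDIR, WINDIR + r"\SYSTEM")


def suspicious_entries(running, autostarts, min_locations=2):
    """Targets registered at >= min_locations autostart points, with triage flags.
    Multiple registration is a persistence pattern, but legitimate software does it
    too (an AV in Run and RunServices), so this is a list to review, not a verdict."""
    running_names = {basename(p) for p in running}
    report = {}
    for path, locs in autostarts.items():
        if len(locs) < min_locations:
            continue
        report[path] = {
            "locations": sorted(locs),
            "running": path in running or basename(path) in running_names,
            "odd_windows_subdir": in_odd_windows_subdir(path),
        }
    return report


if __name__ == "__main__":
    procs, starts = parse_log(SAMPLE_LOG)
    for path, info in sorted(suspicious_entries(procs, starts).items()):
        print(f"{path}\n  autostart: {', '.join(info['locations'])}\n"
              f"  running: {info['running']}  odd sub-folder: {info['odd_windows_subdir']}")
```

Running the script over the full log pasted above (instead of the embedded sample) gives the same three entries the poster picked out by hand, plus the McAfee driver; the `odd_windows_subdir` flag is what separates the SERVICES.EXE entry from the legitimate ones, while the two SYSTEM-folder executables are only distinguished by their multiple registrations and would still need a file lookup or scan.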