potentially questionable startup processes

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by intellecton, Aug 24, 2005.

  1. intellecton

    intellecton Private E-2

    Alright. So. I was trying to use msconfig to edit my startup programs. And I found some things I didn't like. First was one that is titled with Chinese or Japanese characters (I'm not sure which). Its location was hkcu\software\microsoft\windows nt\currentversion\windows:load. I also had one called WebSavingsfromEbates*, which I know is not a good thing. It also had two things I didn't recognize, one called weathercast and one called bpc, but both were disabled.

    I first did some searches for the first questionable startup and couldn't find anything except people posting their HJT logs trying to get figured out, and no one was replying to them, so I found no answers.

    I decided to check for spyware, etc. (I need to get rid of Ebates anyhow), so I went through the process described in one of the forum posts for basic spyware/virus removal. Ebates wasn't found anywhere, though some things were (namely Firefox tracking cookies and something called Atwola). I restarted and both startup processes were still around, so I disabled the Ebates one, but I left the Chinese/Japanese one alone because I don't know what it is.

    I figured I would post my HJT log and hopefully it will give some information about this problem that someone can help me decipher. Thank you in advance:


    Edit by chaslang: Unrequested inline log removed. Please read the announcement and sticky threads.
     
    Last edited by a moderator: Aug 24, 2005
  2. intellecton

    intellecton Private E-2

    Sorry about the way I posted my HJT log, I read the forum post about it, but I got sidetracked when typing everything out and put it in anyway.

    Alright. So, I think most of my processes were enabled to begin with, but I went with normal in msconfig and restarted and went through the basic removal post again. I should mention that upon restart I got an error message that NEW DOT could not be found. Anyway, AdAware again came up with some tracking cookies (I think they were something like live365 and 2oL), but it didn't come up with anything else. Spybot found IGetNet and the same tracking cookies that AdAware had supposedly removed (I hadn't opened the internet since I'd restarted, so I don't think they were properly removed). The other scans found nothing, but as a special sidenote, every scan was unreasonably fast. I looked at my msconfig processes after all was said and done, and Ebates was gone, but the other curious processes remained. There are also a few new ones that I don't recognize.

    Also, there is a problem with my attaching my log as an attachment. Nothing happens when I click Manage Attachments. Nothing at all. I guess I'll wait for a reply to figure out what to do next about this. Thanks for the reply.
     
  3. intellecton

    intellecton Private E-2

    No, I don't have a popup blocker at all. I have an antivirus program that claims to block popups, but I've used the Manage Attachments button before with it running. But it might be a bigger problem because I just tried to check my email and I get 3 popup windows and two error messages that contained a lot of numbers. Then another error message that said I couldn't check my email. Odd.

    I could try turning off Avast! and try the button again, but I'm nervous about turning off my antivirus and firewall with all of these popups and error messages...
     
  4. intellecton

    intellecton Private E-2

    Yes, I use Windows XP.

    I couldn't get the log to attach after a normal reboot (I tried with both Firefox and IE). So I restarted in SafeMode with Networking. It still didn't work in either of the above browsers, so I tried using Netscape in SafeMode, and it worked. 'Bout time. So here is the log, properly attached.
     

    Attached Files:

  5. intellecton

    intellecton Private E-2

    I disabled TeaTimer, and all of the lock options in IE Tweaks were already unchecked.

    NewdotNet wasn't in Add/Remove Programs, but all of the HJT options for me to fix were still there, and I fixed them. There also wasn't a NewDotNet or RVP folder in my Program Files, but CCleaner and deleting the prefetch files went smoothly.

    Upon restart the error messages were gone, and here is a new log.

    By the way, after all of this is finished, should I disable those strange processes that I initially was worried about or just leave them running?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    O23 services reported as missing in HJT should not be fixed unless they are malware services. It is a bug in HijackThis that they sometimes report the files to be missing. You cannot fix services like this anyway.

    What does need to be done is to uninstall one of the antivirus applications. Only one should be used.
     
  7. intellecton

    intellecton Private E-2

    Hmm. I didn't know who to reply to. But I don't understand what either of you are talking about with those. I don't have Trend Micro installed anywhere on my computer. I checked Program Files and Add/Remove Programs just to check, but I didn't find anything. I do have Avast! though.

    So, I'm not sure where to go from here. And I still don't know what to do about the strange japanese startup process.
     
  8. intellecton

    intellecton Private E-2

    Yes, I only have one AV installed, but two show up in the HJT, both with files missing.

    I don't understand the question about a process running within characters. The process is listed in msconfig, but instead of saying something like qttask as the name and the location of qttask as the command, it has varied japanese characters for the name and command and the location is in my registry.

    I got an error when starting Process Manager that said something about needing Windows Debugger for a better version...and then it started anyway. But the menus at the top were all grayed out and couldn't be clicked on. I tried closing it and opening it again, but it doesn't help the problem. I did notice, however, when looking through the list of the processes in the program, that there isn't anything there titled with japanese characters.

    Maybe I could take a screenshot of it in msconfig?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you do or at least you did have Trend Micro installed because it is still there. It probably was not uninstalled properly.
     
  10. intellecton

    intellecton Private E-2

    I can assure you with complete and irreversible confidence that I do not and have never had anything by Trend Micro installed, with the exception of any cookies that might come with an online scan from their site. Before using Avast! I used ZoneAlarm, but that was uninstalled and isn't showing up.

    This is my own personal computer, and I'm the only one who uses it. So I'm not sure how Trend Micro could have been installed. And I again have searched for any files, just in case, and can find none to remove. I don't even know where Trend Micro would have installed if it somehow had, but it isn't anywhere it should be.
     
  11. intellecton

    intellecton Private E-2

    My ZA version had both AntiVirus and Firewall in the title, but it's already gone anyway. :)

    Alright, none of the processes were running, but I disabled them all in services.msc (they were set to automatic). They didn't show up in the HJT Process Manager nor were they in the scan that I did before or after reboot.

    In any case, here is the new log. :)
     

    Attached Files:

    • log.txt (5.5 KB)
  12. intellecton

    intellecton Private E-2

    There weren't any Trend Micro folders.

    I guess the computer is fine, though I didn't realize there was much of a problem in the first place. I just didn't/don't understand that strange japanese process, but I'll probably just disable it and hope for the best.

    Thanks for all the help.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this MSConfig Cleanup and you may be able to take care of the strange stuff you see in msconfig.
     
  14. intellecton

    intellecton Private E-2

    It didn't get rid of the strange japanese process, but it did help eliminate the rest of the processes I was questioning. Thank you!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter regedit and click OK. This will open the registry editor.

    Navigate to and select the below key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    If selected, it will show at the bottom of the registry editor window.

    Then click File and select Export. When the next window comes up, change the Save as type to Text Files (*.txt), then enter a file name like startups.txt and save it somewhere that you can find it. Then upload that file here as an attachment.
     
  16. intellecton

    intellecton Private E-2

    Alright. I'm not sure it showed up, I don't see japanese text anywhere. There are some boxes though. Maybe that's it?
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I think that could be the problem.

    Before doing the below. You must stop using msconfig to control startups. Run msconfig and select Normal Startup. Then reboot and continue with the below.

    Do the same regedit thing again as the previous message but this time do not change the Save as type to Text Files. Just leave it at the default which is Registration Files. This will create a file that has a .reg extension. You will need to either rename it to a .txt file afterwards or compress it into a ZIP file. Then upload it here. From this we may be able to devise a patch to remove the problem.
     
  18. intellecton

    intellecton Private E-2

    Alright, I went through the process again as asked (with normal startup applied), but this time the boxed value didn't show up. There were only 8 of them. I figured maybe it was gone, but I looked and it is still showing up in msconfig. I rebooted again to try to get it to come back, but it still wasn't there. I didn't attach the new file because I don't think we can do anything without the value with the boxes. It's strange because other people claim to have this problem on other forums but no one can give them any answers (or they choose not to). Maybe it is some sort of new problem or something.

    Anyway. I'm not sure what to do from here. I don't know that I can be helped if we can't get it to show up in the registry save again.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Save the regedit Export file anyway and post it here. Make sure you are not using msconfig to restrict startups. Also do the below:

    Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  20. intellecton

    intellecton Private E-2

    Alright. I'll send them anyway. Thanks so much, by the way, for attempting to help me figure this out.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The registry export shows that you are still using msconfig to control startups.

    "MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
     
  22. intellecton

    intellecton Private E-2

    I have it set to normal. Is there something else I have to do to change that?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not set to normal startup. It is set for selective startup.

    Also, were you running Solitaire and browsers when getting me those logs???

    C:\WINDOWS\system32\sol.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    Why??
     
  24. intellecton

    intellecton Private E-2

    I wasn't running Solitaire, but I was running Internet Explorer for one of them because I can't post attachments with Firefox. Also, I just opened msconfig, and it says it is set to normal. It really really is, I could rescan if you'd like but it was set to that already unless it changed itself after the logs...
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run msconfig and click the Startup tab and make sure all items are checked. You can even click the Enable All button if it lets you. Something is causing msconfig to not be in normal startup mode.

    After doing the above and double checking on the General Tab that it shows the below is selected, reboot your PC.

    Normal Startup - load all device drivers and services

    If you were not running Solitaire, then that could be a virus (but that file and path is for Windows Solitaire).
    Post a current HijackThis log and a new export of the registry key.
     
  26. intellecton

    intellecton Private E-2

    Alright. Msconfig is still set to normal and all services and startups are enabled. And I wasn't running Solitaire, so yes, it could be a virus. I hope it isn't. :) I'll restart, though, and see if that helps anything and then I'll post those logs...
     
  27. intellecton

    intellecton Private E-2

    Okay, there has to be a bigger problem here somewhere.

    I rebooted and when it loaded up I got that popup that tells you msconfig is set to selective or diagnostic mode and to change it to normal to stop the service from running. So I thought maybe I made a mistake and I opened up msconfig and it was set to normal. So I clicked normal (even though it was already selected) just to humor myself and rebooted again and the same thing happened. But this time when I tried to open msconfig to check and see if normal was selected (it was, by the way) a box popped up and said it was trying to install Microsoft Office.

    I didn't know what it was doing so I let it go and once the progress bar stopped, another box popped up and said I needed to put in a disk. I didn't know what to do so I hit cancel and the progress bar went in reverse and then the whole process started over again. I had to hit cancel maybe 6 times to get the whole thing to go away. And I still can't seem to get msconfig to cooperate...

    This is so frustrating.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well now at least you see why I was insisting that msconfig was not in Normal Startup mode. It is not, even though it is telling you that it is.

    Post a current HijackThis log (with NO browsers running when you do the scan).
     
  29. intellecton

    intellecton Private E-2

    Yeah, I apologize for being so frustrating, I'm just used to being able to solve these types of problems myself and I keep working myself into an impatient frenzy. But here is that log, though I don't think it has changed from the last one I posted...
     

    Attached Files:

    • log.txt (4.4 KB)
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using the ability of HijackThis to filter any lines from your log? It has an option in Misc Tools called Ignore List. Check to make sure nothing is being filtered (ignored).
     
  31. intellecton

    intellecton Private E-2

    Well, there isn't anything in the ignore list. I'm not intentionally filtering anything out, but this computer seems to have a mind of its own recently.

    Should I try running through the basic spyware/virus removal post again?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No let's try this!

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixSU.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixSU.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say Yes.
    Now reboot. Then let me know if you still see the message about msconfig controlling startups.
     
  33. intellecton

    intellecton Private E-2

    Yes, that fixed the msconfig problem. That Windows Installer/Microsoft Office thing did happen again though. I'm not even sure if that is a problem.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, now that we have that fixed, get me the registry export again.

    Do you have MS Office installed? Do you have the CDs?
     
  35. intellecton

    intellecton Private E-2

    I didn't know if you wanted the txt or reg version, so I'm attaching both.

    And I have MS Office installed and I have the CDs.
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Msconfig is now definitely fixed and I see no strange characters. Are you seeing any of the characters you mentioned earlier as "strange japanese process"?
     
  37. intellecton

    intellecton Private E-2

    Yeah, they are still showing up in msconfig, but they are only showing up in msconfig. Should I just ignore it and move on?
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be registry corruption but I'm not sure.

    Which tab do you see them on? Is it the Startup tab?
     
  39. intellecton

    intellecton Private E-2

    Yeah, it is in the startup tab. There are actually 10 items there, and I think only 8 show up in those logs that we've done.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay they may be under another registry key?

    Like RunOnce, RunOnceEx.

    Or under a different key like: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Or: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Take a look with Regedit!
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also you can try doing the below to see if we can uncover any other hidden stuff:


    Download RunKeys and unzip it to your desktop. Then doubleclick to run it. It will generate a text file. Attach the text file to your next message.

    Now download SilentRunners and save it to your desktop. Doubleclick it to run it. You may have to disable script blocking if your antivirus interferes. It will create a text file on your desktop. Also attach this text file into your next message.
     
  42. intellecton

    intellecton Private E-2

    Yeah, they are. Their locations are listed. One is under the current user area of the same path we looked through before, but it is just ctfmon. The strange character one has this as a location:


    hkcu\software\microsoft\windows nt\currentversion\windows:load

    I'm not exactly sure how to locate it with the colon in there between windows and load. Should I be going with windows as the folder I look in? There is also a folder in currentversion that has a hyphen (windows-), but nothing else.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Export the registry key (like before) and post it.

    Also see what I posted in message # 49.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case I was not clear. Export the below key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
     
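    The export-and-post procedure above (msgs 15, 17 and 44), the MSConfig /auto marker from msg 21, the extra Run/RunOnce locations from msg 40 and the "windows:load" notation from msg 42 can all be checked offline from the .reg file itself. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses a regedit export, lists the autostart entries it contains in msconfig's "key:valuename" style, reports the code points of any name or command character outside printable ASCII (what Notepad or regedit draws as boxes when the font has no glyph), and flags the MSConfig /auto entry that msconfig adds while it is controlling startups. The sample export, its paths and the katakana value are constructed for illustration.

```python
"""Added example: inspect a regedit .reg export offline. Not from the thread;
the sample data below is constructed and the paths in it are made up."""
import re
from typing import Dict, List, Tuple

# Autostart locations named in the thread. msconfig prints the last one as
# "...\Windows:load": the key is "...\Windows" and "load" is a value name.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
}
_AUTOSTART_LOWER = {k.lower() for k in AUTOSTART_KEYS}
WINDOWS_NT_KEY = r"\windows nt\currentversion\windows"
# Only these two values under the Windows NT\...\Windows key start programs
# (they mirror the old win.ini [windows] load= and run= lines).
WINDOWS_NT_AUTOSTART_VALUES = {"load", "run"}

# "name"=data or @=data; data may be "string", dword:..., or hex...:
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # regedit writes \ as \\ and " as \" inside quoted strings
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name: data}. Quoted strings are unescaped;
    dword/hex data is kept raw. Hex continuation lines (indented, after a
    trailing backslash) do not match VALUE_RE and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def load_reg_file(path: str) -> Dict[str, Dict[str, str]]:
    # Version 5.00 exports are UTF-16LE with a BOM; "utf-16" handles the BOM.
    with open(path, encoding="utf-16") as fh:
        return parse_reg_export(fh.read())


def autostart_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(location, command) pairs in msconfig's "key:valuename" style."""
    entries = []
    for key, values in keys.items():
        if key.lower() not in _AUTOSTART_LOWER:
            continue
        for name, data in values.items():
            if key.lower().endswith(WINDOWS_NT_KEY) and name.lower() not in WINDOWS_NT_AUTOSTART_VALUES:
                continue  # e.g. DeviceNotSelectedTimeout is not an autostart
            if not data:
                continue  # an empty load= or run= starts nothing
            entries.append((f"{key}:{name}", data))
    return entries


def odd_characters(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """location -> code points outside printable ASCII in the value name or
    command; these are what a font without the glyph renders as boxes."""
    flagged = {}
    for location, command in entries:
        name = location.rsplit(":", 1)[1]
        odd = [f"U+{ord(c):04X}" for c in name + command if not 0x20 <= ord(c) <= 0x7E]
        if odd:
            flagged[location] = odd
    return flagged


def msconfig_selective(entries: List[Tuple[str, str]]) -> bool:
    """True if the MSConfig /auto Run entry is present; msconfig adds it while
    it is restricting startups, i.e. the machine is not in Normal Startup."""
    return any(loc.rsplit(":", 1)[1].lower() == "msconfig" and "/auto" in cmd.lower()
               for loc, cmd in entries)


# Constructed sample in regedit's export format (names and paths made up).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"load"="C:\\WINDOWS\\system32\\テスト.exe"
"run"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00,\
  3c,28,00,00
"""

if __name__ == "__main__":
    found = autostart_entries(parse_reg_export(SAMPLE))
    for loc, cmd in found:
        print(f"{loc}\n    {cmd}")
    for loc, cps in odd_characters(found).items():
        print(f"non-ASCII in {loc}: {' '.join(cps)}")
    print("msconfig Selective Startup marker present:", msconfig_selective(found))
```

    Run it against a real export with `load_reg_file("startups.reg")` in place of SAMPLE. A .txt export (the first thing asked for in msg 15) is a different, regedit-specific layout and is not handled here; export as Registration Files as msg 17 says, and read it as UTF-16.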
  45. intellecton

    intellecton Private E-2

    Alright. Here is everything you asked for. I'll have to post again to get the third attachment as there is a max of 2 allowed.
     

    Attached Files:

  46. intellecton

    intellecton Private E-2

    And here is the last:
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post RegistryEditorLog.txt as a registry file. Nothing is showing in the text form under load.
     
  48. intellecton

    intellecton Private E-2

    Oh, sorry.
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing under the load key. It is not loading anything. So I'm not sure what you thought you were seeing in msg # 50.

    I'm really doubting that whatever you are seeing in msconfig is a problem. You could try doing the below if desired. It may take care of possible registry problems. Make sure you do the backup.


    Download RegSupreme Pro 1.1

    Install this program. After you install, you will be prompted to "defrag" your registry for best performance. Go ahead and click YES; it should take but a minute or so.

    After this completes, at the top, click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once it's complete, select ALL entries and select FIX. The program will then fix the ones that are fixable; the ones that are not will be removed. Type in a backup filename and save to an easy location just in case we run into any problems.
     
  50. intellecton

    intellecton Private E-2

    Yeah. I use something that cleans up invalid entries already, but I'll run it anyhow. I'm not even sure if the process I'm questioning is a problem. I just don't understand why its title and command are in another language. But what I was talking about in msg 50 is this:

    In msconfig there are three categories listed (name, command, and location) and for the strange process I'm seeing, the name and command are in japanese and the location is the one I mentioned, the one ending in windows:load. I didn't know if I should look for "load" in the windows folder or a different one because of the colon. And there was also a folder called windows- (with a hyphen) in the currentversion folder. I don't know if that made anything more sensible.

    That registry cleaning didn't clear it up, by the way. I'll just leave it there and disable it, I guess, because I know that it is a fairly new process and I can't think of anything I'd have done to put it there....
     
