hijackthis #2 cleanup

This is the other machine at the house I'm babysitting the dogs. After getting the router going from the dogs playing inthe chords I figured I'd give this machine a looksee. I disabled the Nortons 2000 and have run most of the applicable av software. Machin is running ok but a little sluggish on startup and shudown, especially in netscape. There are two epson printers and a scanner hoooked up for photo reprinting.

This box has seen many a porn site and has been to the local repair shop more than once and I was the one (with all the great knowledge here), to get it back working. (boy I could use a pat on the back). I just got em back online and ran the hijack and here's the log. (copy paste didn't work right either).

I'm going to Bold what I think should go and was hoping some of the gurus could go over it and check me out.

Thanks much.

Logfile of HijackThis v1.97.7
Scan saved at 2:46:32 PM, on 5/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE ?
C:\WINDOWS\SYSTEM\MPREXE.EXE ?
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE ?
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\APPLICATION DATA\EESD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TEKL.EXE
C:\WINDOWS\SYSTEM\AWIEW8E.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.535\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://list2004.com/search/d
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Probably a leftover
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ebay.com/"); (C:\Program Files\Netscape\Users\bond_jamesbond_\prefs.js)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe ?
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE ?nortons?
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\SYSTEM\sysme.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O5 "LPT1:" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [4DC2SXN3HXJ4MS] C:\WINDOWS\SYSTEM\Uqxt.exe
O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\SYSTEM\GREENMK.exe
O4 - HKLM\..\Run: [GMWKAHNU] C:\WINDOWS\GMWKAHNU.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe ?ati? what is it?
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Oaao] C:\WINDOWS\Application Data\eesd.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O13 - DefaultPrefix: http://list2004.com/p/
O13 - WWW Prefix: http://list2004.com/p/



There's just so much to remeber, how do you do it?

 

chaslang, I believe you're right about that greenmk.exe being a USB thing for mobos with ALi chipsets, that other alphabet soup stuff is pretty much always bad.

This one:
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE ?nortons?
is not Norton it's a backdoor trojan...
http://vil.nai.com/vil/content/v_99793.htm

This should also be fixed and the file deleted:
O4 - HKLM\..\Run: [sysme] C:\WINDOWS\SYSTEM\sysme.exe

 

Hello

You have a Peper infection (among other things). It cannot be removed with HijackThis. To get rid of It, please download and run this Peper Trojan uninstaller from http://tools.zerosrealm.com/uninst.exe. Once it's finished downloading, and while remaining online, double click it and let it install and run until it's finished. Then, run it a second time to make sure the uninstaller does its job. You must be online to have this work and do not block any attempts for the program to connect to the internet by any firewall you may have.

Reboot your computer.

Note: This is the line that indicates Peper:

O4 - HKLM\..\Run: [4DC2SXN3HXJ4MS] C:\WINDOWS\SYSTEM\Uqxt.exe

 

Thanks everyone! Here's the latest scan, I just went to town and probably removed more than needed, but what the heck. It's just so hard to stop when your having fun .

NoSuch, thanks, that link worked well. I tried getting it gone with the hijackthis and it would come back on the next scan.

Logfile of HijackThis v1.97.7
Scan saved at 9:19:45 AM, on 5/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\APPLICATION DATA\EESD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX01.451\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ebay.com/"); (C:\Program Files\Netscape\Users\bond_jamesbond_\prefs.js)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo 2200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus Photo 2200" /O5 "LPT1:" /M "Stylus Photo 2200"
O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\SYSTEM\GREENMK.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Oaao] C:\WINDOWS\Application Data\eesd.exe

This last one is interesting enough, anybody know what it is?

Well the Loving couple made it back last night (early morning), and I'm no longer needed, so Im going home. Ran out of computers to monkey around on anyway I'll show the owner of this box how to remove Oaao if it turns out to be bad stuff.

Thanks again
mag00

 

This item is most likely related to a Trojan. Try using Sygate's online Trojan scan at http://scan.sygatetech.com/pretrojanscan.html

O4 - HKCU\..\Run: [Oaao] C:\WINDOWS\Application Data\eesd.exe

 

NS, she checked OK, so I guess I'll just leave it for now.


I did find out however that the list 2004 entries are related to an epson download site. Deleted them anyway and everything still works OK. Shows to go ya, even the reputable sites are tagging boxes.
Thanks again.