Yet another HijackThis log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Lisa24, May 31, 2004.

  1. Lisa24

    Lisa24 Private E-2

    Hi,

    my Windows98 machine is getting lots of bluescreens lately. I am running Ad-aware, Spybot, SpywareBlaster, a² free and CWShredder regularly. I do also have PC-cillin running.
    This is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:27:46, on 31.05.04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\RUNSERVICE.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\P480ZI98.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\WEBTRAP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    D:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\PC-cillin 9\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programme\Trend Micro\PC-cillin 9\Pop3trap.exe"
    O4 - HKLM\..\Run: [IrMon] IrMon.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [PL2210Z] C:\WINDOWS\P221ZI98.exe
    O4 - HKLM\..\Run: [P480ZI98.exe] C:\WINDOWS\P480ZI98.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] C:\Programme\Trend Micro\PC-cillin 9\PCCPFW.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38009.4956134259
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1


    IMO the C:\WINDOWS\P221ZI98.exe and C:\WINDOWS\P480ZI98.exe look suspicious.
    What do you guys think? Anything at work or just the usual Windows crashes?
    I would appreciate any help a lot. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Lisa24

    Lisa24 Private E-2

    Yes I have, fortunately it revealed nothing. I did those other scans as well and they came out clean.
    Further research showed that P480ZI98.EXE is a program related to my digital camera - I disabled it in startup and will start it when I need it. The same goes for IrMon.exe which is for my infrared device.
    I still do not know what P221ZI98.exe is but the file does not seem to be there anyway so I deleted the entry.
    I also found ways to disable that wretched EnsoniqMixer and even tried removing WMIEXE.EXE as very few applications seem to need that.
    Furthermore I unchecked LoadPowerProfile, TaskMonitor and LicCtrl (eLicense) in startup as it seems you can safely do that.
    So my new log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:18:26, on 31.05.04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
    C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\WEBTRAP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    D:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\PC-cillin 9\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programme\Trend Micro\PC-cillin 9\Pop3trap.exe"
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Programme\Trend Micro\PC-cillin 9\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] C:\Programme\Trend Micro\PC-cillin 9\PCCPFW.exe
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8009.4956134259
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1


    Any comments?
    Have I been too bold especially concerning WMIEXE.EXE?
    Of course I did not delete but only rename it so I hope there would be no real harm done in the case I WOULD need it after all...
    Is there anything left that is not really needed?
    Thanx in advance,
    Lisa24
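As an added example (not from the thread, and not HijackThis's own code), a small Python script that reads the log format shown above: it collects the "Running processes" list and the O4 autorun lines, reports which autoruns disappeared between two logs, and flags autoruns whose executable never appeared in the process list (the P221ZI98.exe case). The two log excerpts inside it are constructed, shortened from the two logs posted above.

```python
import re

# Constructed excerpts in HijackThis v1.97.7 format, shortened from the thread's logs.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PL2210Z] C:\WINDOWS\P221ZI98.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\TASKMON.EXE
C:\PROGRAMME\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programme\Trend Micro\PC-cillin 9\pccguide.exe"
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""

SECTION_RE = re.compile(r"^[A-Z]\d+ - ")  # R0, O4, O17 ... lines end the process list
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_log(text):
    """Return (set of running-process basenames, {autorun name: command})."""
    processes, autoruns, in_procs = set(), {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif SECTION_RE.match(line):
            in_procs = False
            m = O4_RE.match(line)
            if m:
                autoruns[m["name"]] = m["cmd"]
        elif in_procs and line:
            processes.add(line.rsplit("\\", 1)[-1].lower())
    return processes, autoruns

def exe_basename(cmd):
    """Lower-cased file name of the command's executable (quoted paths may contain spaces)."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

def autoruns_not_running(text):
    """Autorun names whose executable was never seen in the running-process list."""
    procs, runs = parse_log(text)
    return sorted(n for n, c in runs.items() if exe_basename(c) not in procs)

def removed_autoruns(before, after):
    """Autorun names present in the first log but gone from the second."""
    return sorted(set(parse_log(before)[1]) - set(parse_log(after)[1]))
```

An autorun that is not running is not automatically malicious (it may have failed to start, or the file may be gone as with P221ZI98.exe), but it is the first entry worth checking on disk.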
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do not disable Taskmon or WMIEXE.EXE:

    wmiexe - wmiexe.exe - Process Information
    Process File: wmiexe or wmiexe.exe
    Process Name: Microsoft’s Windows Management Instrumentation (WMI).

    Description: Application that gives a standard method of accessing system information, performance information, event monitors, and application monitors. The application works as a transparent task.
    Company: Microsoft Corp.
    System Process: Yes


    taskmon - taskmon.exe - Process Information
    Process File: taskmon or taskmon.exe
    Process Name: Windows Task Optimizer

    Description: Application that is used to collect information from hard disks by monitoring the most frequently used programs. This information is used by the Disk Defragmenter program, so that the programs and files that the user accesses the most will load faster.
    Company: Microsoft Corp.
    System Process: Yes

    LicCtrl - is used by some gaming software. So you will have to check if it causes you any problems when you disable it.


    If you disable "O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" you will lose power management capabilities.


     
  5. Lisa24

    Lisa24 Private E-2

    The information I read suggested that the advantages of taskmon are minimal on modern machines. Do you think that is not true?
    I do not think I have any eLicensed programs but I will have to check again.
    What exactly are those power management capabilities, do you know?
    Anyway I can enable these 3 in an instant.
    As I said I am not at all sure about wmiexe but right now my system does not seem to really miss it...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Modern machines are not running Win98 and you will see Taskmon (taskmgr.exe on XP) is used quite often to see what applications are running and to shut them down sometimes. Most often when having problems with spyware or a virus.

    You may want to give SFC a run to see if any other system files are damaged or missing. Click Start, click Run, type sfc.exe in the Open box, and then click OK.

    Power management features relate to powering down a monitor, hard disk, etc. You know for things like sleep and hibernation modes for energy conservation.
     