xIEPo$ter? Please help!

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

Hi,

After having a (possibly?) wayward relative use our Internet service all day, I've noticed that two programs called xIEPo$ter1 and xIEPo$ter2 now run everytime we start Windows. I'm automatically hesitant, if only because of the x and $ involved, but can find no information on these when I google for them.

Could somebody please help me with this?

TonyKlein · Posted: Sat Apr 10, 2004 8:41 am Post subject:

Let's have a closer look:

Go to http://computercops.biz/downloads-cat-14.html , and download Hijack This.

Unzip to a folder other than your Desktop or the Temp folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

Thanks for any help you can give me w/this!

Logfile of HijackThis v1.97.7
Scan saved at 12:44:43 PM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AdsGone\adsgone.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\msiexec.exe
C:\Progra~1\Support.com\client\bin\forcesync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Yog-Sothoth\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-online.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-online.net/index.htm
O1 - Hosts: 69.50.187.196 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\oxa.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...9909837963
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8F6273F-B639-4FCF-939B-344C8ACADA71}: NameServer = 142.161.130.155 142.161.2.155

TonyKlein · Posted: Sat Apr 10, 2004 1:49 pm Post subject:

Go to http://computercops.biz/downloads-cat-14.html , and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This.
Run it, press 'Fix', and allow it to fix all it finds.

Next, restart you computer, run Hijack This once more, repost to this forum thread, and please show us a fresh log.

BTW, there's no sign of those xIEPo$ter1 files in your log; did you disable or delete them?

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

Here's my new HijackThis log, thanks again for all your help! I did not remove the xIEPo$ter1 and xIEPo$ter2.htm files from my computer. They don't show up in my start menu, but whenever I look at the Windows Task Manager after I've started my computer they've already started running and have to be manually cancelled. They might be nothing to worry about, but as I've never seen them before and they do have suspicious names...I'm kind of worried.

Logfile of HijackThis v1.97.7
Scan saved at 1:07:02 PM, on 4/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Progra~1\Support.com\client\bin\tgfix.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Yog-Sothoth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\oxa.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...9909837963
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab

TonyKlein · Posted: Sat Apr 10, 2004 2:37 pm Post subject:

Well, there's nothing in this log...

If you rightclick one of these files, and choose 'Properties', does that tell you anything about their origin?

Also, In Hijack This, press "Config" > "Miscellaneous Tools".
Under the "Generate Startuplist log" button, check the "List also minor sections" box.

Now press "Generate Startuplist Log"
This will generate a text file that will list all applications that are loaded from practically every known startup location.

Go to Edit > select all, copy it and post its contents here.

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

No, I can't find out any information about these. They seem to be Internet Explorer documents, but the only way I can even see them is by opening the Task Manager and manually closing them. I've noticed that ever since they started to pop up, Windows has started having to manually close the program "MHEQPK32.exe" every time I shut the computer down or restart, though. I don't know if that has anything to do w/it (being almost computer illiterate myself). The thing I find most disconcerting about these is just the total lack of information out there for them. Even if I do a search for them, my computer can't locate the files.

Anyway, sorry about all the hassle, I really do appreciate your help. Here's my StartupList report:

StartupList report, 4/10/2004, 5:55:04 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Yog-Sothoth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Progra~1\Support.com\client\bin\forcesync.exe
D:\Soulseek\slsk.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yog-Sothoth\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Yog-Sothoth\Start Menu\Programs\Startup]
AdsGone.lnk = C:\Program Files\AdsGone\adsgone.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
VAIO Action Setup (Server).lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
ZTgServerSwitch = c:\program files\support.com\client\lserver\server.vbs
P2P Networking = C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Registration reminder 1.job
Registration reminder 2.job
Registration reminder 3.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{10000000-1000-0000-1000-000000000000}]
CODEBASE = file://C:\Program Files\Internet Explorer\oxa.exe

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shoc...tor/sw.cab

[Web P2P Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/...mv9VCM.CAB

[CDKey Class]
InProcServer32 = C:\WINDOWS\System32\ITCDKey.dll
CODEBASE = http://www.cdkeybonus.com/cdkey/ITCDKey.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/C...9909837963

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\Play365.dll
CODEBASE = http://www.live365.com/players/play365.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shoc...wflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZONELABS\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
Web Event Logger: C:\WINDOWS\System32\Hfbfja32.dll

--------------------------------------------------
End of report, 11,039 bytes
Report generated in 0.250 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

As a quick addendum, the only possible reference I can find relating to xIEPo$ter is in a Trojan extension summary here (http://spamwatch.codefish.net.au/storage/trojan/280304/sm-unpacked-exe-strings.txt). I don't know if that's any help. Also, just before they showed up, Bazooka indicated that I had a Trojan Horse Virus and removed it (w/help from Ad Aware).

Could it just be that the virus wasn't entirely removed (I'm grasping at straws, so you'll have to forgive me)?

TonyKlein · Posted: Sat Apr 10, 2004 7:26 pm Post subject:

First, would you please send a copy of the C:\WINDOWS\System32\Hfbfja32.dll file to submit-stuff @ xs4all.nl for analysis? (remove the spaces in that email address!)

We're pretty sure it doesn't belong on your computer, but we would still like to have a closer look at it. We'd also want to forward copies to developers in the security field if it turns out to be a brand new baddie.

Much appreciated Smile

The file could possibly have the "Hidden" attribute. Here's how to show hidden and operating system files

Now copy the contents of the Quote box to Notepad, and save as Remove.reg (save as type: 'all files' )
Doubleclick Remove.reg, and answer yes when asked to have its contents added to the Registry.

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

The offending .htm files no longer seem to run whenever Windows is started! Thanks so much. I don't know what they were, but I do feel a lot better w/them gone. I sent a copy of the .dll file to the address you supplied as well.

The program "MHEQPK32.exe" still has to be manually terminated whenever I shut the computer down, but that's probably an entirely unrelated issue.

Also, I don't know if this helps at all, but I just noticed a new .txt file that appeared on my desktop on Thursday. It's called "hs_err_pid488" and these are the first few lines of it:

#
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d7064a3, pid=488, tid=1080
#
# Java VM: Java HotSpot(TM) Client VM (1.5.0-beta-b32c mixed mode)
# Problematic frame:
# V [jvm.dll+0xe64a3]
#

Is this related at all? It's probably something unimportant, but I am pretty anal.

This site has been (and continues to be) incredibly helpful! It's good to know that there's somewhere you can actually get reliable help, especially when you're a complete beginner like myself.

TonyKlein · Posted: Sat Apr 10, 2004 7:50 pm Post subject:

Good to hear that seems to have helped. Smile

I'm somewhat curious about that MHEQPK32.exe file though... Lets's try this:

Go to http://www.billsway.com/vbspage/ and download the Registry Search Tool

Unzip and doubleclick the vbs file; enter MHEQPK32.exe and it will search the Registry of all instances of that string.

It will take a while, so give it time to finish. When done, please post the results.

TonyKlein · Posted: Sat Apr 10, 2004 7:53 pm Post subject:

Also, would you mind terribly sending us copies of xIEPo$ter1 and xIEPo$ter2 as well? The dll didn't yield much information, apart from the fact that it probably hails from the USSR.

The htm files may provide further clues.

TonyKlein · Posted: Sat Apr 10, 2004 8:12 pm Post subject:

Whoops, and a copy of MHEQPK32.exe would of course also be appreciated, if this isn't asking too much...

We want to know what this application is, and how it is activated.

veil · Cadet Joined: Mar 13, 2004 Posts: 9 Location: Canada

I believe I've sent you everything you need. As mentioned in the e-mail, the Registry Search couldn't seem to find any occurences of the MHEQPK32.exe program.

If there's anything else, just let me know.

TonyKlein · Posted: Sun Apr 11, 2004 8:56 am Post subject:

Thanks John,

The xIEPo$ter files are internet shortcuts, pointing to additional htm files in that Temp folder: pdmabkei.htm and pnmejneh.htm. Could you find and submit some of those, please?

As for your other file:

"MTS Email Virus Scan has detected a virus attached to this message.

Mheqpk32.exe was infected with the malicious virus Backdoor.Trojan and has been deleted because the attachment cannot be repaired."

So it's up to no good for sure; could you try zipping it up and sending it that way? that might work. Or use an other email account, if you have one.

Cheers,


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1200 pages served in previous 5 minutes. Page Generation: 0.672 seconds.