Help prevent hyjack

Discussion in 'Windows Desktop Systems' started by Saldrin, Jun 23, 2006.

  1. Saldrin

    Saldrin OSNN Junior Addict

    Messages:
    31
    I made a stupid mistake, I mistyped elderscrolls and went to a "bad" page instead of going to the official site.

    Ewido picked up nothing, Kaspersky IS picked up nothing, but I have a hyjackthis log entry:

    Code:
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    I'm running XP and this was not there before...

    I did notice a Neptune homepage in my program files, which I know shouldn't be there, haven't figured out how to remove it yet. And I don't want to reboot yet because I can tell something is going to happen when I do. I have a good hunch that the two are related.

    Here is the full Hyjack log:
    Code:
    Logfile of HijackThis v1.99.0
    Scan saved at 11:02:04 AM, on 6/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    p:\Program Files\ewido anti-malware\ewidoctrl.exe
    p:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wscntfy.exe
    P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\CTHELPER.EXE
    P:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    D:\Data\installers\utilities\security\hijackthis_199\HijackThis.exe
    P:\Program Files\Opera\Opera.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [kis] "P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] P:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] p:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "p:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [QuickTime Task] "P:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Kaspersky Anti-Banner - P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - P:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148254262468
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
    O20 - AppInit_DLLs: P:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Kaspersky Internet Security 6.0 - Kaspersky Lab - P:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - p:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - p:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    
    Any tips on finding out whats going to get installed if I reboot and clean it before it gets installed?

    Edit: I figured out what Neptune is, is the active X plugin for Opera. I do need that.
     
    Last edited: Jun 23, 2006
  2. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    I think grpconv.exe is harmless. - File Information - but I suppose it could be running at startup to help something else install, I really don't know.

    Have hijackthis 'Fix' the following:

    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.1.cab



    I suggest exporting the runonce key listing grpconv.exe (backing it up) and then deleting the runonce key. Make sure it is not in HKCU either in the runonce. Setup Spybot Search and Destroy to run after updating it. If the scan reports it needs to scan at startup, go ahead and reboot and have it do it's dirty work.

    Should be OK after that.

    This one
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL

    worries me a bit... but I think it's Office.. something you need.
     
  3. Saldrin

    Saldrin OSNN Junior Addict

    Messages:
    31
    Yeah... that download manager, that came from the MS site when I was trying to grab the Vista beta. That's gone now. I didn't want to install the darn thing, but Opera kept erroring out on my transfers, and MS has a fit if you visit certain MSDN sites without using IE....

    The MSO poppped in after I installed the Office beta.

    I went ahead and got rid of the grpconv.exe and rebooted, everything seems to be OK. S&D scan was clean, but I perfer my Ewido.

    Thanks for the tips!

    EDIT: Doh! Tried to rep ya, but I'm getting this: "You must spread some Reputation around before giving it to Mastershakes again." Quit helping me so much!! lol.