TechSpot

Problems Deleting 0.exe in msconfig Startup

By dhamblet
Jun 1, 2009
  1. I cannot get 0.exe to quit executing on startup under Windows XP. Everything I read says it is malware. When I uncheck it using msconfig it just comes back on reboot. I have run Spybot, Registry First Aid, and I ran Regedit and changed HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Prnl Driver HPZ12/Start from 02 to 04 (althoug I have no idea why cause I don't think printer drivers are at fault. The command for it is c:\WINDOWS\system32\0.exe. ANy suggestions appreciated. Gonna try one more time.
     
  2. mscrx

    mscrx TS Rookie Posts: 310

  3. dhamblet

    dhamblet TS Rookie Topic Starter

    Not a lot of help at bleepingcomputer.com but thanks for the suggestion. Seems most of these sites just want to sell me another registry repair program for $29.95. I don't think so.

    Another complication is System Restore keeps getting turned off, I keep turning it back on. And my status as "Administrator" keeps getting turned off in 'User Accounts'. But I finally think I have the 0.exe problem fixed. I went to the windows system directory and renamed the file to zz0.exe, it no longer seems to reauthorize itself in Startup. ALso ran Registry First Aid and Spybot repeatedly.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The malware description is Description: Added by the W32/Mytob-HE mass-mailing worm and IRC backdoor. You were referred there for information.

    Please follow the steps in the Virus and Malware Removal HEREAll of the program are free.

    When you have finished, attach the three logs and we will review them. Do a system scan with your antivirus program and include that log also.

    Please move over to that forum. Copy and paste your description and include the logs.
     
  5. dhamblet

    dhamblet TS Rookie Topic Starter

    Thanks a bunch. This took care of the problem.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Logs?
     
  7. dhamblet

    dhamblet TS Rookie Topic Starter

    Logs

    Great instructions, thanks a bunch. Finally completed the process and it looks pretty clean. Here are my Logs. Let me know if I still have issues (with my computer that is) Obviously I have other issues or I wouldn't have been sitting here for the last 6 hours.:haha:
     
  8. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    dhamblet

    1) Before looking at any of your Windows issues, you need FIRST have your logs reviewed by one of the malware experts (like Bobbye) and declared malware free
    2) THEN you can get help for any remaining Windows issues
    3) Normally you should be posting your logs in Virus/Malware forum for help (but maybe Bobbye will notice your thread here. otherwise post there)
    4) And just fyi.. for info about Windows services (and another user with Windows services that keep stopping including System Restore! that i just sent for a virus check!) see here
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    dhamblet, if you have to attach logs in the future, it is best to attach each separately> not on a separate reply, but a separate attachment- it makes it easier to work with.

    In the HJ log, when I request either of the URLs below for your homepage, I get http://hp-desktop.aol.com/
    Checking hpwis.com brings up another site: http://www.insiderinfo.com/

    This redirect usually displays like this: The redirects usually shows like this:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
    But it is still a redirect and should be checked for removal:

    Please open HijackThis, and select Do a system scan only.

    Place a checkmark next to the following entries in BOLD(if present): Do not click on FixChecked until you have checked all the entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R3 - URLSearchHook: (no name) - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - (no file)
    O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - (no file)
    O4 - HKCU\..\Policies\Explorer\Run: [SunJavaUpdater] C:\WINDOWS\system32\0.exe

    (0.exe is a process which is registered as a Trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.)
    O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe">> scans the Windows registry for orphan file/folder references
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    >> monitors Registry changes in Real Time
    (you are running 2 Registry programs in Real Time. This can cause a conflict. Suggest disabling one of them and uninstalling-or-since AdWatch goes with the paid version of AdAware, suggest just disable AdWatch)

    O21 - SSODL: TFEXpjP - {5C283C24-F682-968E-6A91-9D8877AA20E4} - (no file)
    (ShellServiceObjectDelayLoad is an undocumented autorun method, normally used by a few Windows system components. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious.

    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

    (MarketBrowser is Personal Finance Software If you have downloaded this and are using it without problem. If not, please check for removal.Currently MKBrowser only provides viewing, but a future version will also provide editing and searching)

    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    Please download ComboFix HERE.:

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComoboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Please run a full system scan with your antivirus program. If anything is found, please attach the log. include new log from a HijackThis rescan and the Combofix report in your next reply.
     
  10. dhamblet

    dhamblet TS Rookie Topic Starter

    I wasn't totally clear on what you meant by:

    "O21 - SSODL: TFEXpjP - {5C283C24-F682-968E-6A91-9D8877AA20E4} - (no file)
    (ShellServiceObjectDelayLoad is an undocumented autorun method, normally used by a few Windows system components. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceOb jectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious."

    Is this a line I should delete or leave alone?

    I did as instructed and re-ran Avira, ran Combo_Fix, and re-ran HJT, Logs are attached.

    Thank you very much for all the advice. I'd love to be able to get to the point where I could pick out all the problems from the logs.

    Also is it your suggestion that I discontinue using Registry First AId and just run with the paid version of Adaware? Do they both check the Registry and fix problems? I was under the impresson that AAW only checked for malware similar to Spybot. Maybe that's the same thing. There's a lot I don't know about all this.

    Again thanks
    Dennis
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I had the line in BOLD- that was the entry as it appeared in the HijackThis log. The information in the ( ) was not in BOLD as it was a description of the entry. I try to do this when I can so that people have some idea of what it/was on their computer. Sorry I didn't make that clear.

    The paid AdAware had an application called AdWatch. It monitors in Real Time and alerts you to attemps to change on the system. You will find an excellent description of it and the eplanation of how it can be customized here: http://www.lavasoftsupport.com/index.php?showtopic=53

    Unfortunately, the AV scan indicates that your system is filled with pirated software: a few examples:
    C:\Downloads\Adobe Acrobat Reader keygen.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    C:\Downloads\Adobe Photoshop CS4 crack.exe
    C:\Downloads\Google Earth Pro 4.2. with Maps and crack.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan

    The term keygen.exe and crack.exe means that you use a file sharing site to get the key for the license instead of buying the program.

    The difference in legitimate entries:
    C:\Downloads\Avast 4.8 Professional.exe
    C:\Downloads\Download Accelerator Plus v8.7.5.exe
    C:\Downloads\DVD Tools Nero 9 2 6 0.exe

    But there is a possibility that the Win32.Worm.McMaggot.A caused the entries to display this way due to their spreading mechanism:
    Worm will spread by copying itself into shared folders of Peer-2-Peer Applications (Kazza, DC++, eMule, Morpheus, Tesla, etc) using the following "hot" file names such as:

    "Windows XP PRO Corp SP3 valid-key generator.exe"

    We do not support piracy. So I ask you to be upfront with me. I am willing to give you the benefit of the doubt because these keygens and cracks should also show up in the Combfix report and they do not. The HJ log is fine except for one entry for the HP redirect:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

    That is not a big concern. The file sharing and P2P is. Please let me know.
     
  12. dhamblet

    dhamblet TS Rookie Topic Starter

    I don't knowingly use ANY p2p file sharing programs nor does my wife (only users of the computer). And as far as I know ALL software on my computer is legit. I bought it new and no one else uses the computer. I bought Photoshop Elements years ago, Adobe Acrobat is free as is Google Earth, I don't have Google Earth Pro. We do not support piracy either but I don't know how I can prove that to you other than to offer my location and if you wish to send the BSA to check me out -- fine. I have nothing to hide. Thanks for your advice and consideration.
    Dennis

     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the confirmation. You don't have to prove anything to me. I wouldn't have asked unless I thought there was a good chance the Worm turned! When I saw those programs didn't show up in the Combofix log, I did think you were a victim of the Worm. I'm including AV scans with the logs because they give us a bit more information.

    I'd like you to run one of the online virus scans. Hopefully Avira found and moved everything. Go ahead and delete the files it quarantined>?> Empty the Recycle Bin after doing that.

    I see you are running Teatimer.
    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    How to disable TeaTimer during HijackThis Cleanup
    Then, download ResetTeaTimer.bat.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    After all of the fixes are complete it is very important that you enable TeaTimer again.
    Print out the following. You can find the entire sequence animated here:
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    Open Kaspersky Online Scanner in Internet Explorer HERE.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Reopen HijackThis to 'do system scan only' and check the following entry if present:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    Now close all Windows except HijackThis and click on Fix Checked. Attach new log and the Kaspersky log.

    We will remove all these cleaning tools when finished.
     
  14. dhamblet

    dhamblet TS Rookie Topic Starter

    Thanks. I'l get on this tonight when my wife gets off the computer (Tax season). A couple of questions:

    I Paid for Spybot and Registry First Aid and I run the free version of Adaware. I had Norton on this computer but didn't like it cause it is such a memory hog so I took it off -- same with McAfee. There are so many AV, Registry, Spyware, Malware programs out there and so many of them are just about as much of a problem as what they purport to fix. So I'm reluctant to spend money on them unless I know they are effective. Can you recommend a package (and I don't mind paying) that would monitor spyware/adware/malware, clean the Registry, and deal with Virus' ?

    Next question: you have spent a lot of time with me for free and I appreciate it. I suspect I am not the only person you are helping. How did you learn all this and how do you find the time necessary?
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't recommend packages for security. My personal preference is free standing programs. Then if there is a problem, I know which to look into.

    You can get very good security programs free> no, there's no free "one program does it all" although some programs say they do. you've already experienced Norton and McAfee. Suites ARE big resource users, but you can get only what you want and need separately.

    The basic security is one antivirus program, one firewall if it's software, but a router has hardware firewalls and two or more spyware/adware programs. Most of us don't recommend registry programs. Here are some suggestions: All free:

    Free Security: Suggestions:
    Recommended Free Anti Virus:
    Avast Free:http://www.avast.com/eng/download-avast-home.html
    Avira Free:http://www.free-av.com/en/products/1/avira_antivir_personal__free_antivirus.html

    Recommended Free Firewall:
    Comodo:http://www.personalfirewall.comodo.com/
    Zonealarm:http://www.zonealarm.com/store/content/catalog/products/zonealarm_free_firewall.jsp

    Spyware/Adware Programs:
    Spybot Search & Destroy: http://www.techspot.com/downloads/149-spybot-search-and-destroy-detection-update.html

    SpywareBlaster: http://www.techspot.com/downloads/568-spywareblaster.html

    AdAware: http://www.lavasoft.com/products/ad_aware_free.php

    Why pay for a package that will have more than you need when you can get good coverage free! Use the security setting in your browser- most have pop-up blockers and there are safe Active X settings.

    Helping other users resolve problems is a great learning tool. The time- that's a matter of checks and balances! It's usually lopsided one way or the other!
     
  16. dhamblet

    dhamblet TS Rookie Topic Starter

  17. dhamblet

    dhamblet TS Rookie Topic Starter

    You might take note the instructions given for Kaspersky with respect to Scan Settings do not match the program. I suspect Kaspersky has issued a newer version and the instructions have not been updated.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  19. dhamblet

    dhamblet TS Rookie Topic Starter

    Kaspersky's running right now, when it finishes I will take another look to make sure I don't have my head up my ****.

    The animated version goes by so quickly it is hard to follow unless I can slow it down.
     
  20. dhamblet

    dhamblet TS Rookie Topic Starter

    Kaspersky Log

    K Log was empty. Kaspersky found nothing.

    FWIW, when you click on Kaspersky "SCAN", "TOOLS" you only have 3 options. Check for Virus is not one of them.

    Here is HJT Log.

    Computer is running pretty well right now. A bit slow to boot up with the virus and spyware programs active but not a big deal
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...