This is for a friend's laptop. She's getting fax program install messages at XP startup that started within the last week. She has to acknowledge this message several times before it quits. No other references to it come up until she boots again.
Initial message:
Fax Wait while windows configures fax.
Second message:
The feature you are trying to use is on a CDROM or other removable disk that is not available. Insert the Fax disk and click OK.
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:07:51 PM, on 3/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
C:\DOCUME~1\[user]\LOCALS~1\Temp\bwgo000749ba.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\[user]\Desktop\Yaheek.exe
C:\Documents and Settings\[user]\Desktop\HijackThis.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Air2Data] C:\Program Files\Air2Data\a2dservice.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFAB6F27-A468-4767-B582-B995B4C9E57D}: NameServer = 134.50.254.5,134.50.250.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
HJT log analysis
Started by mfenech, Mar 10 2006 03:45 AM
2 replies to this topic
#1 Posted 10 March 2006 - 03:45 AM
#2 Posted 12 March 2006 - 01:56 AM
Hi mfenech
Does your friend have any software installed to enable her to send or receive faxes? There is a fax service feature in XP but this would have to be manually enabled and I'm not aware of it displaying a message on startup, so it's difficult to know how the message would appear unless she has installed different software to send or receive faxes. The XP Fax service can be found by going to
Start Menu > All Programs > Accessories > Communications > Fax
If Fax is not in the Communications options list then it's not enabled so it wouldn't be connected to XP's Fax Service. If you can ask her about any software she may have installed to enable faxes to be sent or received it may help find the solution.
There are a few entries that can be fixed in the log and there is a reference to Idaho University so she may be best asking their tech staff for advice if the problems continue. I am not familiar with Yaheek but have never used Yahoo and this may be some sort of add-on for one of Yahoo's products; Pest Patrol does have it listed Here as an Exploit file which allows a system to be hacked.
If you believe that's a false detection and the product is safe could you give me some information about what the file is used for and also consider uploading it Here to have it scanned for malware by various anti-virus vendors. I've provided a link for VirusTotal as Jotti's malware scan site is constantly having server problems recently (probably due to the amount of traffic the site is receiving). When you open the VirusTotal site press Browse then locate the Yaheek.exe file, double click it to load the path into VirusTotal and press Send. Once you get the results you can left click and cover the results text and then press Control + C together to copy to clipboard, then right click into a reply here and choose Paste to post it back.
Here are the items that can be fixed in the log
Run Hijack This and choose 'Do a system scan' then place checks next to these entries if you wish to remove any of them:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
Note, all the above are from Yahoo but you can see from the addresses that the system is being redirected through red.clientapps before going to the Yahoo site. red.clientapps is Red Sheriff and a form of spyware and although it's nothing nasty it is recommended they are fixed. Here's some info on Red Sheriff.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Both of these are missing the paths to the file; the default path is %systemroot%\system32\blank.htm. Fix both of the above to return them to Microsoft's default settings.
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
This is a file from Microsoft but it shouldn't remain running on the system. It's a leftover from a DirectX 6.0 upgrade. It was supposed to run once and go away but on some systems it sticks around; it can be fixed using Hijack This to stop the file running.
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dumprep.exe is from Microsoft and is their fault logging software. Once serious errors happen on the system this program will write the details to a text file and request the information be sent to Microsoft. Having this indicates there are some issues on the PC but the entry can be fixed if it remains in the log.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
QuickTime tray icon and doesn't need to start with Windows. QuickTime movies will still automatically play when they are run. To stop it coming back right click the blue QuickTime icon in the system tray then click QuickTime Preferences. Go to the Advanced tab and uncheck the 'Install QuickTime Icon In System Tray' box then press Apply and OK and fix the above entry in Hijack This if it remains.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Application Scheduler installed along with Real Player. Once installed, it runs independently but doesn't need to start up automatically with Windows. To disable this after fixing so it doesn't return, start Real Player, click Tools -> Preferences, select Automatic services in the Categories pane, then uncheck all options and press OK.
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
This is installed with the software for Logitech and automatically checks for software upgrades AND new products, services and special offerings. Updates can still be done manually whenever they become available and updates really do not happen that often so this BackWeb entry doesn't need to be running all the time on the system (see Here for more information on BackWeb).
If you decide to fix any of the above entries place checks next to them, close all open browser and other windows then press the Fix Checked button.
If the problems continue see if you can find out if she has enabled XP's Fax Service or installed any other software to enable that feature and let me know a bit more about Yaheek.exe and I will try to help.
All The Best
Andy
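The checks Andy walks through above (browser settings routed through red.clientapps, R0 Local Page entries with no value, O4 autostart entries that do not need to run at boot) can be applied mechanically to any HijackThis v1.99 log. The script below is an added example, not HijackThis code or anything posted in this thread; the sample log lines are constructed from the format shown above, and the extra heuristic that flags processes running from a Temp or Desktop folder is my addition, not something Andy raised.

```python
"""Triage a HijackThis v1.99 log with the checks discussed in the thread.

Added example, not HijackThis code. The rules encode the reasoning from
Andy's reply: R0/R1 browser settings routed through red.clientapps,
R0 Local Page entries with an empty value (the default is
%systemroot%\\system32\\blank.htm), and O4 autostart entries that do not
need to run at boot. The Temp/Desktop process check is an extra triage
heuristic added here, not part of the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the log format seen in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\bwgo000749ba.exe
C:\\Documents and Settings\\[user]\\Desktop\\Yaheek.exe
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\\Program Files\\Executive Software\\DiskeeperLite\\DKService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O4_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
TRANSIENT_DIR_RE = re.compile(r"\\(Temp|Desktop)\\", re.IGNORECASE)

# O4 autostart names the reply says do not need to run at boot.
UNNEEDED_AUTOSTARTS = {
    "DXM6Patch_981116": "leftover DirectX 6.0 patch runner",
    "KernelFaultCheck": "dumprep error reporter; points at earlier serious faults",
    "QuickTime Task": "QuickTime tray icon",
    "TkBellExe": "RealPlayer update scheduler",
    "LDM": "Logitech Desktop Messenger (BackWeb)",
}
DEFAULT_LOCAL_PAGE = r"%systemroot%\system32\blank.htm"


@dataclass(frozen=True)
class Finding:
    section: str   # "process", "R0", "R1", "O4", ...
    entry: str     # the log line that triggered the finding
    reason: str


def parse(log_text):
    """Split a HijackThis log into (processes, entries).

    processes: executable paths listed under "Running processes:".
    entries:   (section, body) for every "Rn - ..." / "On - ..." line.
    """
    processes, entries = [], []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("section"), m.group("body")))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(log_text):
    """Return the list of Findings for a log, in log order."""
    processes, entries = parse(log_text)
    findings = []
    for path in processes:
        if TRANSIENT_DIR_RE.search(path):
            findings.append(Finding("process", path,
                "running from a Temp or Desktop folder; identify what it is"))
    for section, body in entries:
        if section in ("R0", "R1"):
            key, _, value = body.partition(" =")
            value = value.strip()
            if "red.clientapps" in value:
                findings.append(Finding(section, body,
                    "browser setting routed through red.clientapps (Red Sheriff); fix"))
            elif key.endswith("Local Page") and value == "":
                findings.append(Finding(section, body,
                    f"Local Page is empty; default is {DEFAULT_LOCAL_PAGE}; fix"))
        elif section == "O4":
            m = O4_NAME_RE.search(body)
            name = m.group("name") if m else ""
            if name in UNNEEDED_AUTOSTARTS:
                findings.append(Finding(section, body,
                    f"{UNNEEDED_AUTOSTARTS[name]}; does not need to start with Windows"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

Run against the constructed sample it reports five findings: the two processes running from Temp and Desktop, the R1 redirect through red.clientapps, the empty R0 Local Page, and the KernelFaultCheck autostart; the Synaptics O4 entry and the Diskeeper service pass untouched. Feeding it a full log from HijackThis works the same way, since the parser only relies on the "Running processes:" header and the "Rn - " / "On - " line prefixes.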
#3 Posted 12 March 2006 - 03:11 AM
Thanks Andy. She isn't using any fax service.
Yaheek is a mic lock freeware for use in Yahoo Messenger chatrooms, usually for when playing music in the rooms. It originally comes with a .dll that is often flagged as a keylogger, but the .dll is not necessary for using the program. As this is common knowledge with most yaheek users, it's never included when the program is passed around, or it's deleted if downloaded.
I'll go over the above next chance I get to speak to her. Thanks again for the help.