/insfin - what does it mean?


Dave

I noticed my Internet connection was a bit sluggish today and ran
hijackthis.exe, which revealed this entry that was also in msconfig,
loading on startup.

O4 - HKLM\..\Run: [msci]
C:\DOCUME~1\Matthew\LOCALS~1\Temp\2005112820123_mcinfo.exe /insfin

Nothing was detected by fully updated McAfee or Spybot S&D.

I have removed the entry from msconfig, checked this in regedit, and
wiped the file. However, is it suspicious? A search for "/insfin"
seems to suggest this is the case, but not conclusively.

Also, does 20051128 refer to 28 November 2005, in which case the
sluggishness today would have been a coincidence? Does anyone know
anything more about this entry? What does /insfin mean?

Finally, I enclose my current hijackthis log after I did the removals.
Can people be so kind as to tell me if there is anything suspicious on it?

And should I be concerned about anything with reference to this entry
since I have no idea how long it has been there? Should I scan with any
other software? Thanks, all.

Logfile of HijackThis v1.99.0
Scan saved at 18:18:14, on 13/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\SLEE401.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\QBU\QkOnBtn.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\MRU-Blaster\scheduler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.packardbell.co.uk/musicstation
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class -
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON
Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D}
- C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655}
- c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program
Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C46 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON
Stylus C46 Series" /O6 "USB002" /M "Stylus C46"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program
Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program
Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program
Files\MRU-Blaster\mrublaster.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\microsoft
office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ -
{6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
System Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class)
- http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4587/mcfscan.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{666C40C4-2013-44F5-B328-E78EB8BB8A78}:
NameServer = 194.168.4.100 194.168.8.100
O23 - Service: CA ISafe - Computer Associates International, Inc. -
C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: McAfee WSC Integration - McAfee, Inc - c:\program
files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield - McAfee Inc. -
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler - McAfee, Inc -
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc -
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] -
Unknown - C:\WINDOWS\system32\SLEE401.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

David H. Lipman

From: "Dave" <[email protected]>

| I noticed my Internet connection was a bit sluggish today and ran
| hijackthis.exe, which revealed this entry that was also in msconfig,
| loading on startup.
|
| O4 - HKLM\..\Run: [msci]
| C:\DOCUME~1\Matthew\LOCALS~1\Temp\2005112820123_mcinfo.exe /insfin
|
| Nothing was detected by fully updated McAfee or Spybot S&D.
|
| I have removed the entry from msconfig, checked this in regedit, and
| wiped the file. However, is it suspicious? A search for "/insfin"
| seems to suggest this is the case, but not conclusively.
|
| Also, does 20051128 refer to 28 November 2005, in which case the
| sluggishness today would have been a coincidence? Does anyone know
| anything more about this entry? What does /insfin mean?
|
| Finally, I enclose my current hijackthis log after I did the removals.
| Can people be so kind as to tell me if there is anything suspicious on it?
|
| And should I be concerned about anything with reference to this entry
| since I have no idea how long it has been there? Should I scan with any
| other software? Thanks, all.
|

< HJT Log >

Dave this is not the correct place to post HiJack This! (HJT) logs.
Please ignore anyone who tells you otherwise.

The following are the correct places to post these logs...

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

{ borrowed from the alt.privacy.spyware News Group }


Now that I have stated that...

I hope you are using SpyBot Search and Destroy v1.4 !

There should be NO EXE files being executable from the TEMP folder such as that, so remove
this:

O4 - HKLM\..\Run: [msci]
C:\DOCUME~1\Matthew\LOCALS~1\Temp\2005112820123_mcinfo.exe /insfin

"/insfin" is just a switch parameter to "2005112820123_mcinfo.exe" which is the real
worry.

I suggest submitting "2005112820123_mcinfo.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against 18 different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the exact results.

Chances are it is adware/spyware, and the Retail version of McAfee you are using may not
detect "unwanted programs".

I also suggest removing...
O2 - BHO: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O3 - Toolbar: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE


/* Please post in one of the suggested HJT Forums and verify what I have told you to remove.
*/

I strongly suggest that you install and update Ad-aware SE v1.06, and if the version of
SpyBot you have is not v1.4, I suggest removing the version you have and installing SpyBot
S&D v1.4.

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
 

pcbutts1

First you do not have the current version of HJT, download the current
version from here http://www.pcbutts1.com/downloads/HijackThis.zip Then
have hjt fix the following lines by placing a check in the box next to each
line then clicking on the fix checked button on the bottom.

O2 - BHO: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O3 - Toolbar: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 

Max Wachtel

(e-mail address removed) AKA pcbutts1 on 12/13/2005 in
First you do not have the current version of HJT, download the
current version from here
SNIPPED Then have hjt fix
the following lines by placing a check in the box next to each line
then clicking on the fix checked button on the bottom.

O2 - BHO: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O3 - Toolbar: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} -
C:\WINDOWS\system32\pbukv2.dll (file missing)
O4 - HKLM\..\Run: [QkOnBtn] C:\Program Files\QBU\QkOnBtn.EXE
******************Reply Separator*************************

NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity you trust. The developers'
websites ALWAYS have the most up to date files that haven't been
tampered with by some third party who is "hosting" (read: leeching or
stealing) those files without permission.

max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 

@nti_H_a_C-e_r

Hey i have the same thing except
C:\DOCUME~1\Andriy\LOCALS~1\Temp\se.dll
kinda seems the same??
How do i get rid of it???
 

optikl

@nti_H_a_C-e_r said:
Hey i have the same thing except
C:\DOCUME~1\Andriy\LOCALS~1\Temp\se.dll
kinda seems the same??
How do i get rid of it???

Start\Run\%temp%>enter>edit\select all>delete.

You may have to restart your system in Safe Mode to accomplish this.
 

David H. Lipman

From: "@nti_H_a_C-e_r" <[email protected]>

| Hey i have the same thing except
| C:\DOCUME~1\Andriy\LOCALS~1\Temp\se.dll
| kinda seems the same??
| How do i get rid of it???

It isn't the same.

It is very like the Trojan.StartPage --
http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html

Execute MSCONFIG.EXE and go to the Startup tab.
Look for...
"sp" = "rundll32 %Temp%\se.dll,DllInstall"
Disable it, then reboot the PC.

Go to: Start --> Run
Execute: %temp%

Delete all files.
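The two checks David H. Lipman applies by eye in this thread (no startup executable should run out of a Temp folder, and a rundll32 entry that loads a DLL from %Temp% is a classic StartPage-style autorun) can be turned into a small triage script for pasted HijackThis output. The following is an added example, not code from any poster or from HijackThis itself. It assumes the O2/O3/O4 line formats exactly as they appear in the log above, handles entries that a mail client wrapped across several lines, and uses a constructed sample log: the `[sp]` line is the msconfig entry from the later reply, rewritten in O4 form for the example.

```python
import re

# Constructed sample: a few lines in the shape HijackThis prints them, including one
# entry ("[msci]") wrapped across two lines the way it appears in the original post.
SAMPLE_LOG = r"""
O2 - BHO: PBUKV2 - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - C:\WINDOWS\system32\pbukv2.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [msci]
C:\DOCUME~1\Matthew\LOCALS~1\Temp\2005112820123_mcinfo.exe /insfin
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [sp] rundll32 %Temp%\se.dll,DllInstall
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program
Files\MRU-Blaster\scheduler.exe
"""

# Every HJT entry starts with a section tag such as "O4 - " or "R1 - ".
HEAD = re.compile(r'^(R\d|O\d+|F\d) - ')
# A path component named Temp/tmp, or the %Temp% environment reference (case-insensitive).
TEMP_DIR = re.compile(r'(?:[\\/](?:temp|tmp)[\\/])|%temp%', re.IGNORECASE)
# "O4 - HKLM\..\Run: [name] command line"
RUN_LINE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# "O2 - BHO: name - {CLSID} - path" and "O3 - Toolbar: name - {CLSID} - path"
COM_LINE = re.compile(
    r'^O[23] - (?P<kind>BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')


def unwrap(text):
    """Re-join entries that a mail client or forum wrapped onto continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEAD.match(line) or not entries:
            entries.append(line)
        else:
            # No section tag: this is the tail of the previous entry.
            entries[-1] = entries[-1] + ' ' + line
    return entries


def assess(entry):
    """Return the reasons one entry deserves a second look (empty list = nothing obvious)."""
    reasons = []
    m = RUN_LINE.match(entry)
    if m:
        cmd = m.group('cmd')
        if TEMP_DIR.search(cmd):
            if re.match(r'^"?rundll32', cmd, re.IGNORECASE):
                reasons.append('rundll32 loading a DLL from a Temp folder at startup')
            else:
                reasons.append('startup program running from a Temp folder')
        return reasons
    m = COM_LINE.match(entry)
    if m:
        if '(file missing)' in m.group('path'):
            reasons.append(m.group('kind') + ' registered for a DLL that no longer exists')
        if TEMP_DIR.search(m.group('path')):
            reasons.append(m.group('kind') + ' loaded from a Temp folder')
        return reasons
    # Fallback for entry shapes the two regexes above do not model (Startup folder .lnk etc.).
    if TEMP_DIR.search(entry):
        reasons.append('entry references a Temp folder')
    return reasons


def triage(text):
    """Parse a pasted HJT fragment; return [(entry, reasons)] for the flagged entries only."""
    flagged = []
    for entry in unwrap(text):
        reasons = assess(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == '__main__':
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print('    ->', reason)
```

Run against the sample, the script flags exactly the three entries the thread singles out (the PBUKV2 BHO with its missing DLL, the `[msci]` executable under Temp, and the `[sp]` rundll32 line) and leaves the Synaptics, McAfee, Eraser and MRU-Blaster entries alone. The "file missing" rule is only a tidiness signal, as the replies say: it is a dead reference, not evidence of infection, so it is reported with its own wording rather than lumped in with the Temp-folder hits.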
 
