Is Cloaker.exe Spyware?

  • This topic is locked
3 replies to this topic

#1 proanimaluver


  • Members
  • 5 posts
  • Local time:07:45 AM

Posted 10 August 2008 - 08:13 AM

Hello! I was wondering if someone would be kind enough to have a look at my HijackThis log for me. I noticed lately when I'm surfing, IE7 will close really fast like I was exiting it on purpose, but afterwards, an error reporting message wouldn't display. When I installed HijackThis, I came across HijackReader. It's supposed to give me an idea of what the log means. From what I understand it said certain startup entries might be a problem. Here is the part of the log that the HijackThisReader found. And underneath is my HijackThis log.

UNDETERMINED: O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')(*** GOOD: N/A - Related to the Dell OEM version of the Sound Blaster Audigy 2 sound card. If this item is listed and checked in startup, the System32 Folder will appear on every startup. A patch is available - filename R75304.EXE - that fixes the issue. You can find that file at support.dell.com by typing that name in the 'Search' box available there. It addresses the root of the problem in Creative's software and corrects it. Unfortunately there is no direct link to the file, but it's easily available using the search function. *** GOOD: 3dldemon.exe. *** GOOD: AcctMgr.exe. *** GOOD: monitor.exe. *** GOOD: AnyDVD.exe. *** GOOD: AQ3HEL~1.EXE. *** GOOD: DealioAu.exe. *** GOOD: BI1HEL~1.EXE. *** GOOD: EWALLET.EXE. *** GOOD: BO1HEL~1.EXE. *** GOOD: Bo1helper.exe. *** GOOD: cbpopw.exe. *** GOOD: CAPing.exe. *** GOOD: sokscmpn.exe. *** GOOD: mcappins.exe. *** POSSIBLE THREAT: ipxwping.exe - Added by the PPDOOR-N TROJAN!. *** GOOD: ConKeepM.exe. *** GOOD: CookiePatrol.exe. *** GOOD: DesktopSearch.exe. *** GOOD: N/A. *** POSSIBLE THREAT: dnsping.exe. *** GOOD: duwi.exe. *** GOOD: Dvpinit.exe. *** POSSIBLE THREAT: e121307.exe. *** POSSIBLE THREAT: e121307.Stub.exe. *** GOOD: eSupCmd.exe. *** GOOD: EzEjMnAp.exe. *** GOOD: FBDirect.exe. *** GOOD: raidman.exe. *** GOOD: IBMBAY2N.EXE. *** GOOD: IBMBAYSN.EXE. *** GOOD: NAG.EXE. *** GOOD: 8x8_init.exe. *** GOOD: installstub.exe. *** GOOD: InstantDrive.exe. *** GOOD: PCLETray.exe. *** GOOD: pds.exe. *** GOOD: ZCfgSvc.exe. *** POSSIBLE THREAT: ipclient.exe. *** GOOD: ipmon32.exe. *** GOOD: N/A. *** GOOD: iwctrl.exe. *** GOOD: iwctrl.exe. *** GOOD: lcfep.exe. *** POSSIBLE THREAT: license_manager.exe. *** POSSIBLE THREAT: igps.exe. *** GOOD: RESWIN.EXE. *** POSSIBLE THREAT: pinmart.exe. *** GOOD: mcappins.exe. *** POSSIBLE THREAT: mpp2pl.exe. *** POSSIBLE THREAT: svchost.exe. *** POSSIBLE THREAT: winxpini.exe. *** GOOD: MiniMavis.exe. 
*** GOOD: misitray.exe. *** POSSIBLE THREAT: ml00!.exe. *** GOOD: ML1Helper.exe. *** GOOD: MNS.exe. *** POSSIBLE THREAT: msping.exe. *** POSSIBLE THREAT: msping.exe. *** POSSIBLE THREAT: mssync20.exe. *** POSSIBLE THREAT: svchost.exe. *** GOOD: Mw1helper.exe. *** GOOD: MW1HEL~1.EXE. *** GOOD: ncd.exe. *** GOOD: nwant33.exe. *** GOOD: nvraidservice.exe. *** GOOD: OAKSTART.EXE. *** GOOD: OPISTAT.EXE. *** GOOD: ppe.exe. *** GOOD: remoterm.exe. *** GOOD: pinger.exe. *** POSSIBLE THREAT: pingchek.exe. *** POSSIBLE THREAT: internal.exe. *** GOOD: PSDrvCheck.exe. *** GOOD: PLXSTART.EXE. *** GOOD: PQINIT.EXE. *** GOOD: FBDirect.exe. *** GOOD: PPInupdt.exe. *** GOOD: flatbed.exe. *** POSSIBLE THREAT: pingppac.exe. *** GOOD: neo.exe. *** POSSIBLE THREAT: prizesurfer.exe. *** GOOD: PSDrvCheck.exe. *** POSSIBLE THREAT: [filename]. *** POSSIBLE THREAT: Winrar.exe. *** GOOD: raid_tool.exe. *** POSSIBLE THREAT: RCSync.exe. *** GOOD: RegTool.exe. *** POSSIBLE THREAT: regmaping.exe. *** POSSIBLE THREAT: csrss.exe. *** GOOD: /l:eng. *** POSSIBLE THREAT: services.exe. *** GOOD: sfWinStartupInfo.exe. *** GOOD: Shadow.exe. *** GOOD: DShmap.exe. *** GOOD: sta.exe. *** GOOD: SnippingTool.exe. *** GOOD: spinner.exe. *** POSSIBLE THREAT: Wscript.exe OXNEY.B.VBS. *** POSSIBLE THREAT: svchosets.exe. *** POSSIBLE THREAT: taskmrg.exe. *** POSSIBLE THREAT: SVCHOSTES.EXE. *** POSSIBLE THREAT: taksmgr.exe. *** POSSIBLE THREAT: mcrt32.exe. *** POSSIBLE THREAT: windupds.exe. *** POSSIBLE THREAT: windupdts.exe. *** POSSIBLE THREAT: xdcc.exe. *** POSSIBLE THREAT: spoolnt.exe. *** POSSIBLE THREAT: svcchosts.exe. *** POSSIBLE THREAT: mssupdate.exe. *** GOOD: StayCon.exe. *** GOOD: sa.exe. *** GOOD: surveysa.exe. *** POSSIBLE THREAT: var.txt.exe. *** POSSIBLE THREAT: csrss.exe. *** POSSIBLE THREAT: svchost.exe. *** POSSIBLE THREAT: serwin.exe. *** POSSIBLE THREAT: svchîst.exe. *** GOOD: pprsen.exe. *** POSSIBLE THREAT: [path to trojan]. *** POSSIBLE THREAT: csrss.exe. *** GOOD: TDKSTART.EXE. 
*** GOOD: tinyspell.exe. *** GOOD: LCFEP.EXE. *** GOOD: pinger.exe. *** GOOD: wincool.exe. *** GOOD: tray_helper.exe. *** GOOD: KBOOST.exe. *** GOOD: PCLECoInst.dll. *** GOOD: usbmmkbd.exe. *** GOOD: USBTip.exe. *** GOOD: UTILIT~1.EXE. *** GOOD: InstantDrive.exe. *** GOOD: VOBRegCheck.exe. *** GOOD: Weatherscope.exe. *** POSSIBLE THREAT: WebSavingsfromEbatesrun.exe. *** POSSIBLE THREAT: WebSavingsFromEbates0.exe. *** POSSIBLE THREAT: wjview ...websearch.exe. *** GOOD: WebSecureAlert.exe. *** GOOD: VBI_SE~1.EXE. *** POSSIBLE THREAT: ssvsol.exe. *** POSSIBLE THREAT: winxpinit.exe. *** POSSIBLE THREAT: [4 random letters].exe. *** POSSIBLE THREAT: winrar.exe. *** GOOD: winroute.exe. *** POSSIBLE THREAT: WinStart.exe. *** POSSIBLE THREAT: WinStart001.exe. *** POSSIBLE THREAT: WinStart001.exe. *** GOOD: WonderFrog.exe. *** POSSIBLE THREAT: wsttrs.exe. *** GOOD: x3watch.exe. *** GOOD: YankClip.exe. *** GOOD: ZCfgSvc.exe. *** GOOD: zm32.exe. *** POSSIBLE THREAT: ping.exe. Autoloading programs from Registry or Startup group)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:41 AM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/servlet/P...;build=Symantec
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Anonymous Browsing - {866D0E2C-8CCE-4AAE-B9F4-59F245945691} - C:\Program Files\Anonymous Browsing\AAABBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218250718875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218250766015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 10359 bytes

Merge posts. ~ OB

Edited by Orange Blossom, 10 August 2008 - 03:19 PM.
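The question in this thread is whether an O4 startup entry deserves a closer look. The following Python is an added example (not the forum's, HijackThis's or HijackReader's own code) that parses O4 lines in the HijackThis v2.0.2 format shown in the log above, pulls the real target out of quoted paths and rundll32 hosts, and flags entries that resolve through PATH, live outside the usual program directories, or sit in the Default User profile's Startup folder (which every newly created account inherits). The sample lines are constructed to match the log; the flagging thresholds are this example's own assumptions, not a malware verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2.0.2 format, shaped like the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

RUN_KEY = re.compile(r"^O4 - (?P<loc>\S+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP = re.compile(r"^O4 - (?P<loc>.+? Startup): (?P<name>.+?) = (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
DRIVE_PATH = re.compile(r"(?i)[a-z]:\\.+?\.(?:exe|dll|com|scr|bat|cmd|vbs)\b")
# Assumed set of directories where a vendor-installed autostart is normally expected.
STANDARD_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows", "c:\\documents and settings")

@dataclass
class AutostartEntry:
    location: str
    name: str
    target: str
    flags: list = field(default_factory=list)

def extract_target(cmd: str) -> str:
    """Return the executable or DLL actually loaded by a Run-value command line."""
    tokens = cmd.split()
    if tokens and tokens[0].lower() in ("rundll32.exe", "rundll32"):
        # rundll32 is only the host; the code that runs is the DLL before the comma.
        return tokens[1].split(",")[0].strip('"') if len(tokens) > 1 else ""
    m = re.match(r'"([^"]+)"', cmd)          # quoted path, may contain spaces
    if m:
        return m.group(1)
    m = DRIVE_PATH.search(cmd)               # unquoted absolute path, spaces allowed
    return m.group(0) if m else tokens[0]    # otherwise a bare name resolved via PATH

def parse_o4(log: str) -> list:
    """Parse every O4 line into an AutostartEntry, attaching review flags."""
    entries = []
    for line in log.splitlines():
        m = RUN_KEY.match(line) or STARTUP.match(line)
        if not m:
            continue
        e = AutostartEntry(m["loc"], m["name"], extract_target(m["cmd"]))
        low = e.target.lower()
        if not re.match(r"[a-z]:\\", low):
            e.flags.append("relative path: resolved through PATH, not a fixed file")
        elif not low.startswith(STANDARD_DIRS):
            e.flags.append("outside standard program directories")
        if e.location.upper().startswith(".DEFAULT"):
            e.flags.append("Default User profile: inherited by every new account")
        entries.append(e)
    return entries

def needs_review(log: str) -> list:
    """Only the entries carrying at least one flag, i.e. the ones to check by hand."""
    return [e for e in parse_o4(log) if e.flags]

if __name__ == "__main__":
    for e in needs_review(SAMPLE_LOG):
        print(f"{e.name:<12} {e.target:<28} {'; '.join(e.flags)}")
```

On the sample this leaves two entries to look at: nwiz.exe (no fixed path) and Pin.lnk, the CLOAKER.EXE shortcut the thread is about, which is both outside Program Files and planted in the Default User profile; the vendor-looking entries under Program Files and PROGRA~1 pass.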



#2 don77


    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:45 AM

Posted 23 August 2008 - 09:48 PM

  • Hello and welcome to BC

    We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

    Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

    Thanks and again sorry for the delay.

    Seeing it's been a number of days since your original scanning with HJT, could you please run HJT now and post a fresh HJT log back to this topic please.


  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into this topic please.

    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

    In recap please post back the requested info from above
  • Fresh HJT log
  • Uninstall List
  • Log from the Kaspersky scan

#3 proanimaluver

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:45 AM

Posted 24 August 2008 - 07:04 PM

Hello and thank you for the reply, but I ended up having to use a different hard drive because the one I was using wouldn't boot anymore due to missing files. I guess this post needs to be closed? Thanks again

#4 don77


    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass
  • Local time:08:45 AM

Posted 25 August 2008 - 06:22 AM

Thanks for letting us know and again sorry for not being able to get to you sooner.

Per the OP's request this topic is now closed.
Should you have any issues in the future please start a new topic.
