Start-up Programs E_S82, E_S85, E_S1DE



#1 Thoughtful Skeptic

Posted 05 February 2009 - 07:24 PM

I am trying to remove unwanted start up programs from my daughter's computer. The list that I obtained from the startup tab by running MSCONFIG contains three programs that I have not been able to identify, neither in BP's Startup list nor via Google. The three programs are identical except for their names.


1. The first of the three programs is

Startup item: E_S82
Command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE/FU "C:\WINDOWS\TEMP\E_S82.tmp" /EF "HKLM"
Location: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

2. The second of the three programs is identical to the first except that E_S82 is replaced by E_S85

3. The third of the three programs is identical to the first except that E_S82 is replaced by E_S1DE

The operating system is:
Microsoft Windows XP Home Edition
Version 5.1.2600
Service Pack 3.0

Question: Are these malware? If not, what do they do? Will it speed up the computer if I disable these?

I would very much appreciate any help on this.

Thanks in advance

#2 Guest_superbird_*

Posted 06 February 2009 - 09:35 AM

Hi,

Welcome here. :thumbsup:
Yes, this is malware. Let's deal with it:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 Thoughtful Skeptic

Posted 06 February 2009 - 05:02 PM

Hi Superbird,

Thank you very much for your help. I followed the steps that you detailed and attach the logfile below. I notice that the three programs that are the subject of my query are still in the startup list when I run msconfig.

Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 5.1.2600 Service Pack 3

2/6/2009 4:39:05 PM
mbam-log-2009-02-06 (16-39-05).txt

Scan type: Quick Scan
Objects scanned: 97132
Time elapsed: 47 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68132581-10f2-416e-b188-4e648075325a} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{68132581-10f2-416e-b188-4e648075325a} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{870b70d4-f6da-47ae-9158-d146440a0a4d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{870b70d4-f6da-47ae-9158-d146440a0a4d} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaLoads (Adware.Medload) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\yekksat.dat (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\cpsa.dat (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks once again.

Regards,

Thoughtful Skeptic

#4 Guest_superbird_*

Posted 07 February 2009 - 05:04 AM

Hi,

Do a new full scan with MBAM, and post the logfile in your next reply. :thumbsup:

#5 Thoughtful Skeptic

Posted 07 February 2009 - 06:04 PM

Hi Superbird,

Thanks for getting back to me so promptly. I did a full scan as you suggested and attach the results. Nothing new was discovered.

Hope you will have some more ideas.


Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 5.1.2600 Service Pack 3

2/7/2009 3:49:06 PM
mbam-log-2009-02-07 (15-49-06).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 191854
Time elapsed: 4 hour(s), 41 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Regards,

Thoughtful Skeptic :thumbsup:

#6 PropagandaPanda

  • Malware Response Team

Posted 07 February 2009 - 06:59 PM

Hello Thoughtful Skeptic.

The startup entry you listed is legitimate. It belongs to "Epson Stylus Photo CX6000 Series of inkjet printers".

With Regards,
The Panda

#7 Guest_superbird_*

Posted 08 February 2009 - 05:01 AM

Hi Thoughtful Skeptic,

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

--------------------

@Propagandapanda: You're right... Forgot that one boots from the temp dir... :thumbsup:
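
For the startup entries discussed in this thread, an added example (not part of any poster's reply) that separates the image a Run-key command launches from the paths named in its arguments, so triage follows the binary's location rather than a Temp path passed to it. The function names and location labels are assumptions of this example; `spool\DRIVERS\W32X86\3` is the Windows directory for x86 version-3 printer driver files, and a match there is a lead to confirm against the file's publisher, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the Run-key command exactly as posted in the thread
# (msconfig shows the /FU switch glued to the .EXE name), for all three names.
CMD = (r'C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE/FU '
       r'"C:\WINDOWS\TEMP\{name}.tmp" /EF "HKLM"')
ENTRIES = {n: CMD.format(name=n) for n in ("E_S82", "E_S85", "E_S1DE")}

EXE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=$|[\s/"])', re.I)
TEMP_RE = re.compile(r'\\te?mp(\\|$)', re.I)
# Assumed location labels for this example, most specific prefix first.
LOCATIONS = [
    ('c:\\windows\\system32\\spool\\drivers\\', "printer-driver-dir"),
    ('c:\\windows\\', "windows-dir"),
    ('c:\\program files\\', "program-files"),
]

def split_command(cmd):
    """Return (image_path, argument_string) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted image path
        image, _, rest = cmd[1:].partition('"')
        return image, rest.strip()
    m = EXE_RE.match(cmd)                    # unquoted, switch may be glued on
    if m:
        return m.group(1), cmd[m.end():].strip()
    image, _, rest = cmd.partition(' ')      # no recognised extension
    return image, rest.strip()

def triage(cmd):
    """Report the image's location separately from what its arguments name."""
    image, args = split_command(cmd)
    folder = str(PureWindowsPath(image).parent).lower() + '\\'
    if TEMP_RE.search(folder):
        location = "temp-dir"                # the image itself runs from Temp
    else:
        location = next((label for prefix, label in LOCATIONS
                         if folder.startswith(prefix)), "other")
    return {"image": image, "location": location,
            "args_reference_temp": bool(TEMP_RE.search(args))}

if __name__ == "__main__":
    for name, cmd in ENTRIES.items():
        print(name, triage(cmd))
```

All three entries resolve to the same image in the printer driver directory; only the `.tmp` argument differs between them.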

#8 Thoughtful Skeptic

Posted 08 February 2009 - 12:09 PM

Hi PropagandaPanda and Superbird,

Yes, there is an Epson CX6000 connected. I am hoping to find out if I can disable the programs and if so, whether it speeds up the computer.

Thank you both for your help. :--)

Regards,

Thoughtful Skeptic

#9 Guest_superbird_*

Posted 08 February 2009 - 12:24 PM

Hi,

Can you please do the Kaspersky scan?

And as far as I can see, you have to choose whether it has to run or not. So when you deem it not necessary, you can disable it. :thumbsup:

#10 Thoughtful Skeptic

Posted 13 February 2009 - 06:39 PM

Hi PropagandaPanda and Superbird,

I think this answers my original question. It seems that I should not remove these programs.

Do you think we should add these programs to the Startup List? If so, do you know how I would go about it?

Big thanks to you both.

Regards,

Thoughtful Skeptic :thumbsup:

#11 Guest_superbird_*

Posted 14 February 2009 - 05:19 AM

Hi,

Well, you added both programs already to the startup entries in your registry. So no, you don't have to add them to the startup folder. :thumbsup:



