# grpconv.exe Bad or Good?



## furiousstylz (Dec 31, 2003)

My log file is showing in the 04 section something about:
grpconv.exe -o

Good or Bad? I'm finding conflicting data on my google search to learn more about it.

FWIW, I'm running XP, and I use AdAware and HiJackThis about once a week to keep up on this stuff. Today is the first time I've ever seen this one, but even the MS Utilities site is calling it okay, so I don't know now...

Thanks everyone.


----------



## dvk01 (Dec 14, 2002)

post a log so we can check

it will depend on the location the grpconv.exe is running from, but I haven't heard or seen any bad ones but with the new breed of nasties around anything is possible

Edit: 

There is a bad one around, part of the magistr viruses


----------



## furiousstylz (Dec 31, 2003)

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab


----------



## furiousstylz (Dec 31, 2003)

I know the two 01 entries I'm going to dump.
And I know the opnste thing I'm going to dump. 

The only one i'm not sure about is the grpconv...obviously...  

pretty clean other than those, and short though I think... no?

thanks.


----------



## dvk01 (Dec 14, 2002)

if the grpconv is still there after a reboot, then fix it in HJT.

DO NOT delete the file just fix the HJT entry

and fix these 
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

reboot & delete the C:\Program Files\Open Site\ folder


----------



## furiousstylz (Dec 31, 2003)

For what its worth, it would seem that the grpconv.exe -o is removed at reboot, perhaps because it had the "Run Once" tag with it. I'm just speculating.

But yeah, I let it be, removed the rest, rebooted, and it was gone.

Wish I knew what site I hit to get that. Haven't looked at anything even remotely shady today!


----------



## dvk01 (Dec 14, 2002)

to help prevent further attacks

go here* http://forums.net-integration.net/index.php?showtopic=3051 *for info on how to tighten your security settings and how to help prevent future attacks. 
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently.

The Immunize feature in Spybot used in conjunction with SpywareBlaster , SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.
It also contains links for IE-SPYAD that puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

And links to a browser & security test site to test for exploits that might let these baddies in to your computer

Important!: ALWAYS check for updated detections and referencefiles before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.


----------

