HJT -- troubled


  • This topic is locked
12 replies to this topic

#1 troubled
  • Members
  • 8 posts

Posted 09 May 2005 - 10:13 PM

Hi - I have spent weeks cleaning literally hundreds of malware items, including several trojans, from my parents' Dell Inspiron 2500 laptop (WinME, 128 MB RAM -- though it actually shows 126 MB).

They have Norton AV 2001, but the virus definitions are up to date. I used several onboard scanners (AdAware with the VX2 add-on, SpyBot, a-squared, McAfee Stinger, WinPatrol, SpySweeper, Spyware Doctor (trial), TDS-3 (trial), Trojan Hunter (trial), CWShredder, Bazooka). I also used several online scanners (Kaspersky, TrendMicro, BitDefender, RAVantivirus, blackcode.com, ZoneAlarm). (I could not get the Symantec and PestPatrol online scanners to work, though I put them in IE's trusted sites.)

I am getting clean scans from all, except for ZA. ZA found 2 MS Media Player ID problems, which I think I've fixed, and 2 LinkGrabber 99 references, which I think may be false positives.

I also ran CCleaner and deleted/fixed everything found. I ran Spyware Blaster and IE-SPYAD.
I resolved a Windows Update problem, and the machine is fully patched, including the critical update KB891711, which I read can cause system problems. I installed Sygate Personal Firewall. I updated to IE6, and tightened up the IE settings, and installed Firefox.

It would be very helpful if someone could look over my HijackThis log, posted below. I am fairly confident the machine is clean (or almost clean). There are no more popups or weird desktop icons. But the system seems a bit unstable -- apps hang, the computer freezes, sometimes I get a blue screen saying Windows is busy or unstable. And the RAM reads 126, but Dell support says that 2MB are being used as shared RAM. I have no experience using this computer before it was infected, and I've never run WinME, so I don't know if this instability is new, or if it is due to residual infection, or problems I caused when trying to remove malware, or to KB891711.

I am also having some trouble understanding some of the firewall logs and warnings. (E.g., WSCRIPT.EXE, Win32 Kernel Core Component, etc., is trying to access the Internet.) But all my ports seem to be stealthed.

Also, is it ok to run SpySweeper and WinPatrol simultaneously? Could any of these anti-spyware, anti-hijack programs interact negatively with each other?

Any help would be much appreciated. While I am waiting for a reply, I will defrag, read through the tutorial on using HJT, and look for a firewall tutorial. (I am a mid-level user, so please be fairly explicit in any instructions you may give.) Thanks very much!
**************
Logfile of HijackThis v1.99.1
Scan saved at 6:56:39 PM, on 5/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O15 - Trusted Zone: www.symantec.com
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.symantec.com
O15 - Trusted Zone: www.mozilla.org
O15 - Trusted Zone: download.mozilla.org
O15 - Trusted Zone: http://download.mozilla.org
O15 - Trusted Zone: http://v4.windowsupdate.microsoft.com
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://support.microsoft.com
O15 - Trusted Zone: www.msn.com
O15 - Trusted Zone: www.dellnet.msn.com
O15 - Trusted Zone: http://membercenter.msn.com
O15 - Trusted Zone: http://explorer.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://v5.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.pandasoftware.com
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://store.ca.com
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://home.ca.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://downloads.zonelabs.com
O15 - Trusted Zone: http://download.zonelabs.com
O15 - Trusted Zone: http://*.us.mcafee
O15 - Trusted Zone: http://www.webroot.com
O15 - Trusted Zone: http://sales.webroot.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.bitdefender.us
O15 - Trusted Zone: http://www.windowsecurity.com
O15 - Trusted Zone: http://*.windowsecurity.com
O15 - Trusted Zone: http://www.rav.ro
O15 - Trusted Zone: http://www.my-etrust.com
O15 - Trusted Zone: www.blackcode.com
O15 - Trusted Zone: http://support.dell.com
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab


#2 Grinler (Lawrence Abrams)
  • Admin
  • 43,617 posts
  • Location:USA

Posted 10 May 2005 - 10:58 PM

Fix these lines and you will be clean:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.symantec.com
O15 - Trusted Zone: http://security.symantec.com
O15 - Trusted Zone: http://*.symantec.com
O15 - Trusted Zone: www.mozilla.org
O15 - Trusted Zone: download.mozilla.org
O15 - Trusted Zone: http://download.mozilla.org
O15 - Trusted Zone: http://v4.windowsupdate.microsoft.com
O15 - Trusted Zone: http://windowsupdate.microsoft.com
O15 - Trusted Zone: http://support.microsoft.com
O15 - Trusted Zone: www.msn.com
O15 - Trusted Zone: www.dellnet.msn.com
O15 - Trusted Zone: http://membercenter.msn.com
O15 - Trusted Zone: http://explorer.msn.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://v5.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.pandasoftware.com
O15 - Trusted Zone: http://www.bitdefender.com
O15 - Trusted Zone: http://store.ca.com
O15 - Trusted Zone: http://www3.ca.com
O15 - Trusted Zone: http://home.ca.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://downloads.zonelabs.com
O15 - Trusted Zone: http://download.zonelabs.com
O15 - Trusted Zone: http://*.us.mcafee
O15 - Trusted Zone: http://www.webroot.com
O15 - Trusted Zone: http://sales.webroot.com
O15 - Trusted Zone: http://www.ewido.net
O15 - Trusted Zone: http://housecall.trendmicro.com
O15 - Trusted Zone: http://www.bitdefender.us
O15 - Trusted Zone: http://www.windowsecurity.com
O15 - Trusted Zone: http://*.windowsecurity.com
O15 - Trusted Zone: http://www.rav.ro
O15 - Trusted Zone: http://www.my-etrust.com
O15 - Trusted Zone: www.blackcode.com
O15 - Trusted Zone: http://support.dell.com


It's OK to run WinPatrol and SpySweeper, though you may get some conflicts/double popups when certain registry changes happen.

#3 troubled (Topic Starter)

Posted 12 May 2005 - 10:35 AM

Hi, Grinler -- thank you for the reply. I have fixed the 2 R1 items. I just have a few questions about the others. (I just like to understand what I'm doing.)

The 2 O9 items -- these seem to be related to the BitDefender Online scan, and one seems to be related to an uninstall function. If I delete them, I assume I will still be able to uninstall whatever ActiveX or whatever thingie was installed?

O12 -- not sure what this is, I will uninstall, as per your instructions. (Possibly related to Spyware Doctor, which I have a trial version of, but which is set not to run on startup?)

The trusted zone sites -- I entered these myself. I intend to encourage my parents (whose laptop this is) to use IE only for Windows Update and online ActiveX security scans, and use Firefox for all other browsing. So I tightened up IE security settings, so that no downloads, ActiveX, JavaScript, etc., are enabled for the Internet zone, and I put these sites in the Trusted zone in order to be able to run Windows Update, Norton's LiveUpdate, online scans, and to download necessary software from MSN (my parents' ISP). I agree that the list has mushroomed a bit out of control. But don't I at least need to leave the Windows Update and maybe the Norton sites in the trusted zone?

And what is the difference (if any) between fixing this in HJT and just removing the sites in the IE Security settings?

Thank you very much for your help!

#4 Grinler (Lawrence Abrams)

Posted 12 May 2005 - 03:18 PM

The O9 is reporting the files are missing. Can you confirm if they are or not?

O12, get rid of. It's suspicious and you don't need it.

I am a big believer in having nothing in your trusted sites. The only advantage to having a domain in your trusted sites is that it won't prompt you when installing software. This also means that if a new exploit comes out where a site can spoof their domain to one that matches one in your trusted sites, then you will never know when they install software on your machine.

As these sites will still be able to install the software on your machine, even if you don't have the O15 entries, by just hitting yes to the prompt, I suggest leaving those empty.

Fixing them in HijackThis is the same exact thing as removing them from IE. It clears the entries in the registry.

#5 troubled (Topic Starter)

Posted 17 May 2005 - 07:58 PM

Hi -- I googled the O12 item, and it seems to be associated with Adobe Acrobat, so I think it is probably safe to leave it. (Among other items, my search pulled up HJT logs you analyzed, and in those cases you did not recommend deleting it.)

I can see your point about keeping the trusted sites zone empty. From a security standpoint, is there any difference if you list the site by its numerical IP address, rather than by its www or http address? (Would that preclude spoofing?)

I will empty the Trusted Sites Zone, but I would like to re-run the online scans again first, unless you think that's unnecessary.

The bdoscandel.exe file is found in c:\windows, so I don't know if I should delete the O9 items -- I don't know why they are being reported as missing -- a problem with the path, perhaps?

Thanks!

#6 Grinler (Lawrence Abrams)

Posted 18 May 2005 - 09:28 PM

Leave the O9 and O12..they are causing no harm there.

troubled said: "I can see your point about keeping the trusted sites zone empty. From a security standpoint, is there any difference if you list the site by its numerical IP address, rather than by its www or http address? (Would that preclude spoofing?)"

It may help, but I am just a big believer in keeping that section clean as ultimately you do not need the entries there.

Go ahead and do a new scan before we close the topic down. Looks clean to me.
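The two points just made, that fixing an O15 line in HijackThis and deleting the site from IE's Trusted Sites dialog both remove the same registry entries (post #4), and that a site can also be assigned to a zone by IP address (posts #5 and #6), can be checked offline against a registry export. The script below is an added example for this thread; it is not code from the original post and not HijackThis itself. It parses the ZoneMap keys as `regedit /e` exports them and prints the Trusted Zone members in HijackThis O15 format. The .reg text is constructed for the demo, and the function names (`parse_zonemap`, `trusted_sites`, `hjt_lines`) are this example's own; the key layout it reads (Domains\<domain>[\<host>] with one DWORD value per scheme, Ranges\RangeN with a ":Range" address, zone 2 = Trusted, 4 = Restricted) is the real one Internet Explorer uses.

```python
r"""Audit Internet Explorer security-zone assignments from a .reg export.

Added example for this thread (not HijackThis code, not from the poster).
Parses ZoneMap\Domains and ZoneMap\Ranges as regedit exports them and lists
the Trusted Zone members the way HijackThis prints O15 lines.  SAMPLE_REG is
constructed for the demo; the key layout is the real one IE reads.
"""
import re
from typing import List, Tuple

ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

# Constructed sample: what `regedit /e` produces for a few ZoneMap keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\symantec.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\symantec.com\security]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mozilla.org\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\ads]
"http"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="64.233.167.99"
"http"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
RANGE_RE = re.compile(r'^":Range"="([^"]+)"$')


def parse_zonemap(reg_text: str) -> List[Tuple[str, int, str]]:
    """Return (hive, zone, site) for every ZoneMap assignment in the export."""
    keys = {}        # (hive, kind, parts) -> {"range": addr|None, "schemes": {scheme: zone}}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive = "HKCU" if m.group(1) == "HKEY_CURRENT_USER" else "HKLM"
            path = m.group(2)
            idx = path.find("ZoneMap\\")
            current = None
            if idx >= 0:
                parts = path[idx + len("ZoneMap\\"):].split("\\")
                current = (hive, parts[0], tuple(parts[1:]))
                keys.setdefault(current, {"range": None, "schemes": {}})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:                      # one DWORD per scheme: "http", "https" or "*"
            keys[current]["schemes"][m.group(1)] = int(m.group(2), 16)
            continue
        m = RANGE_RE.match(line)
        if m:                      # Ranges\RangeN carries the IP in ":Range"
            keys[current]["range"] = m.group(1)

    entries = []
    for (hive, kind, parts), info in keys.items():
        for scheme, zone in info["schemes"].items():
            if kind == "Ranges":
                host = info["range"] or "?"
            elif kind == "Domains" and parts:
                # A value on Domains\<domain> itself covers every host in that
                # domain; IE and HijackThis show it as *.domain.
                host = ".".join(reversed(parts)) if len(parts) > 1 else "*." + parts[0]
            else:
                continue
            site = host if scheme == "*" else f"{scheme}://{host}"
            entries.append((hive, zone, site))
    return entries


def trusted_sites(reg_text: str) -> List[str]:
    """Every site assigned to zone 2 (Trusted), hives merged, sorted."""
    return sorted({site for _, zone, site in parse_zonemap(reg_text) if zone == 2})


def hjt_lines(reg_text: str) -> List[str]:
    """Render the Trusted Zone audit in HijackThis O15 format."""
    return [f"O15 - Trusted Zone: {site}" for site in trusted_sites(reg_text)]


def zone_report(reg_text: str) -> List[str]:
    """One readable line per assignment, Restricted-zone entries included."""
    return [f"{hive}  {ZONE_NAMES.get(zone, str(zone)):<14} {site}"
            for hive, zone, site in parse_zonemap(reg_text)]


if __name__ == "__main__":
    print("\n".join(zone_report(SAMPLE_REG)))
    print("\n".join(hjt_lines(SAMPLE_REG)))
```

Deleting one of these values (whether through the HijackThis "Fix checked" button or the Trusted Sites dialog) is what takes the site out of the zone; the audit shows that an IP-based entry under Ranges is just another assignment of the same kind, so it still grants the relaxed zone settings to whatever answers at that address.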

#7 troubled (Topic Starter)

Posted 23 May 2005 - 09:46 PM

Sorry, things have been very hectic at home. I will run the scan and post back ASAP -- hopefully by the end of the week, or just after the weekend. Thanks!

#8 troubled (Topic Starter)

Posted 08 June 2005 - 12:32 PM

I am re-running some of the scans. Sorry for the delay, things are still hectic. I see there is a new tutorial on IE security, but I haven't had a chance to read it yet.

Thanks for your patience.

#9 troubled (Topic Starter)

Posted 03 July 2005 - 03:15 PM

Hi -- thanks for your patience. I updated Spyware Doctor (trial version) -- found 1 icon file associated with ILookup.BegintoSearch (not found on previous scans). Updated and ran Webroot's SpySweeper -- found several registry entries associated with Locator Toolbar and ABetterInternet (again, not detected on prior scans). After cleaning these up, new scans with these programs and with AdAware and SpyBot all were clean. Tried to run the online dual spyware/virus scan from TrendMicro Housecall. Took a long time to download and get through 70% of the scan. Then it bombed, and I didn't have time to re-run it.

NAV 2001 scan (with updated definitions) is also clean. The Pest Patrol online virus scan finds an Outlook Express mail message infected with the Haptime virus, but it's in an Outlook Express Hotmail Deleted Items folder, so I doubt it can do harm. (I don't have access to the account because I don't know my cousin's password.)

I removed some sites from the IE Trusted Zone, but opted to leave some, such as the Windows Update sites, because I want it to be easy for my parents to run WU, but didn't want to lower the IE security settings. (Of course, I am encouraging them to use Firefox as their default browser.)

I returned the laptop to my parents before having a chance to re-run HJT. But I can go to their house and run it, if you think it's important.

There is one more thing I am concerned/curious about. When connected to the Internet, I keep getting a message from the Sygate Personal Firewall that Win32 Kernel Core Component is trying to access the Internet. I have been blocking it. Is this appropriate, or should I let it get through? I haven't had much success in Googling this, so if you can shed some light, I'd appreciate it.

Thank you very much for the help.

#10 Grinler (Lawrence Abrams)

Posted 03 July 2005 - 07:09 PM

What port is the kernel core component connecting with or to? Generally, if you block it and it causes no problems, then you can leave it blocked.

#11 troubled (Topic Starter)

Posted 12 July 2005 - 05:39 PM

The message from Sygate varies.

Once I got: "Win32 Kernel Core component is trying to broadcast to 239.255.255.250."

Once I got: "Win32 Kernel Core Component (kernel32.dll) is being contacted from a remote machine www.google.com 64.233.167.99 using local port 1060 (POLESTAR-POLESTAR)."

But I think once I told Sygate to block it, I usually just get a message that it was trying to access the Internet and that it had been blocked, but no specifics.

I think Kernel32.dll is listening on ports 137, 138, 139 (but I forget which program told me that info).

I am not sure that blocking it is causing any problem, so I guess I can leave it blocked.

#12 Grinler (Lawrence Abrams)

Posted 13 July 2005 - 01:30 PM

You can block that unless you want to do file sharing.
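The alerts quoted in posts #9 to #12 can be triaged mechanically rather than by guesswork. The script below is an added example for this thread, not Sygate's code and not something the posters ran. It parses alert text in the shape Sygate Personal Firewall showed the poster, pulls out direction, remote host and port, and labels the traffic from well-known assignments: 239.255.255.250 is the SSDP (UPnP device discovery) multicast group, used with UDP port 1900, and ports 137, 138 and 139 are NetBIOS, the Windows file and printer sharing services the last reply refers to. The alert strings and the listening-port list are constructed to match the thread's wording; the advice column is this example's own policy (block unless LAN file sharing is wanted), and the "reply side of a connection this machine opened" label for a high local port is a heuristic, not something the alert proves.

```python
"""Triage personal-firewall alerts like the ones quoted in this thread.

Added example (not from the original thread, not Sygate's code).  Alert
strings and the listening-port list are constructed for the demo; the
port-to-service labels are standard assignments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SSDP_MULTICAST = "239.255.255.250"          # UPnP discovery group, UDP 1900
NETBIOS = {137: "NetBIOS name service",
           138: "NetBIOS datagram service",
           139: "NetBIOS session service (file and printer sharing)"}

# Constructed alert texts, matching the wording the poster reported.
SAMPLE_ALERTS = [
    "Win32 Kernel Core Component is trying to broadcast to 239.255.255.250.",
    "Win32 Kernel Core Component (kernel32.dll) is being contacted from a remote "
    "machine www.google.com 64.233.167.99 using local port 1060 (POLESTAR-POLESTAR).",
    "Win32 Kernel Core Component is trying to access the Internet.",
]
# Constructed: ports a port-listing tool reported as listening on the host.
SAMPLE_LISTENING = [137, 138, 139]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
BROADCAST_RE = re.compile(r"broadcast to " + IPV4)
INBOUND_RE = re.compile(r"being contacted from a remote machine (\S+) " + IPV4
                        + r" using local ?port (\d+)")


@dataclass
class Verdict:
    direction: str            # "outbound", "inbound" or "unknown"
    remote: str               # remote address as the alert names it
    local_port: Optional[int]
    service: str              # what the traffic most likely is
    advice: str               # this example's own policy


def triage(alert: str) -> Verdict:
    """Classify one alert string into direction, service and advice."""
    m = BROADCAST_RE.search(alert)
    if m:
        ip = m.group(1)
        if ip == SSDP_MULTICAST:
            return Verdict("outbound", ip, None,
                           "SSDP/UPnP discovery multicast (UDP 1900)",
                           "block: LAN device discovery, never needed across the Internet")
        return Verdict("outbound", ip, None, "unrecognised broadcast/multicast",
                       "block and investigate")
    m = INBOUND_RE.search(alert)
    if m:
        host, ip, port = m.group(1), m.group(2), int(m.group(3))
        remote = f"{host} ({ip})"
        if port in NETBIOS:
            return Verdict("inbound", remote, port, NETBIOS[port],
                           "block unless this machine shares files on the LAN")
        if port >= 1024:
            # Heuristic: a web server talking to a high local port is usually
            # the return leg of a connection the browser opened.
            return Verdict("inbound", remote, port,
                           "high local port: most likely the reply side of a "
                           "connection this machine opened (heuristic)",
                           "allow if you were browsing that host; otherwise block")
        return Verdict("inbound", remote, port, "unexpected service port",
                       "block and investigate")
    if "access the Internet" in alert:
        return Verdict("outbound", "unspecified", None, "no detail in alert",
                       "keep blocked; turn on traffic logging to capture destination and port")
    return Verdict("unknown", "unspecified", None, "unrecognised alert format",
                   "block and investigate")


def listening_report(ports: List[int]) -> Dict[int, str]:
    """Label each listening port; anything outside the NetBIOS set is flagged."""
    return {p: NETBIOS.get(p, "not a NetBIOS port: identify the owning process")
            for p in ports}


def triage_all(alerts: List[str]) -> List[Verdict]:
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_ALERTS):
        print(f"{v.direction:8} {v.remote:32} {v.local_port or '-':>5}  {v.service}  -> {v.advice}")
    for port, label in listening_report(SAMPLE_LISTENING).items():
        print(f"listening {port}: {label}")
```

The useful part of the alert is the remote address and the port, which is why the bare "trying to access the Internet" notification gets the advice to turn on logging: without destination and port there is nothing to classify, and a block rule that causes no visible problem is the safe default the thread settles on.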

#13 troubled (Topic Starter)

Posted 27 July 2005 - 08:06 PM

Thank you very much. You can close this thread. I have returned the computer to my folks, and hope it will stay clean!
