
Am I chasing after false positives? ctfmon.exe keylogger, bat.killall..


16 replies to this topic

#1 Alyssa89


Posted 26 December 2008 - 09:45 PM

I am running Windows XP Pro edition on Service Pack 3 (less than a month installed).

I know we are only supposed to post one issue at a time. However, this is sort of all one issue - I am wondering if these are all just false positives from Comodo (as well as Spybot).

My computer has been acting a little weird, but every time I get something on a scan, or an alert from my firewall/antivirus I can't track down where it said it came from, and can find no other traces of it on my computer. It's starting to drive me nuts and I wonder if they are just false positives.

By acting weird, the main thing is upon restarting windows explorer has suddenly started taking 3+ minutes to load. I've been suffering slow reboot for a while now, however this is new. My wallpaper loads, but everything associated with explorer.exe doesn't - even though it's open and running. Sometimes I have to kill it and restart it manually (explorer.exe), and even then it takes very long to load.

I use Comodo firewall and Antivirus. Recently installed, I was using AVG and Outpost before - but Outpost would randomly lock up my computer and it would display a "recovered from serious error" message and every time I sent the report, it said it was caused by Outpost. I haven't had any issues like that since I switched.

On the 19th I had the Comodo antivirus real time protection pop up and tell me it found TrojWare.BAT.KillAll.C@9034. The file was located in Local Settings\Application data\Mozilla\Firefox\Profiles\8rw2in63.default\Cache\E3CB1C93d01. The file is currently still quarantined and can be deleted/restored. I debated restoring the file to send to a friend so that he could look at it, but upon reading up on bat.killall I found it was a pretty serious trojan; however, I have no idea how I could have gotten it. I've never had anything that serious before. The real time protection caught it, and when my scanner performed a scheduled scan an hour later it was clean. I had Adobe Photoshop CS2 and Firefox open at the time (I was on Youtube, DeviantART and Subeta.org) and I do recall Firefox updated itself a few hours earlier. So I am wondering if this was just a false positive due to a changed Firefox file during the update.

Yesterday, Comodo popped up telling me Acrobat Reader is trying to make a.exe in the System32 folder. I denied this. a.exe appears to also be a trojan, but I have no idea why AR would be trying to create such a file? Once again I could find no traces of anything like it on my system. Later that day my Firefox kept locking up, so I looked in task manager and AcroRd32.exe was running, and the Mem Usage was at an insane 1,269,396. I ended it with no issues and it never came back.

Also last night, I noticed ctfmon.exe was running in the task manager. To the best of my knowledge this is a legitimate process, but no matter how many times I killed it, it would come back. I thought this file was only supposed to activate with programs in Microsoft Office, which I do not even have on this computer. Also in language settings? But I don't mess with those at all, either. So I went into Comodo Defense+ and found the running process and terminated+blocked the file, and it hasn't come back. Upon looking at the event log in the same area, ctfmon.exe is being blocked nearly every 5 minutes, and being associated with MSN, explorer.exe, mmc.exe from System32, as well as my mIRC program. I've noticed no ill effects from blocking the file.

Fast forward to 30 minutes ago, I updated and ran Spybot Search & Destroy and the only issues it found were 2 entries of SCKeylogger. The infected file was C:\WINDOWS\system32\ctfmon.exe. Again, I could find no traces of SCKeylogger besides this report. It repaired the system32 file, but the registry value is in use and cannot be modified/deleted. I again question a false positive.

Edited by Alyssa89, 27 December 2008 - 07:09 PM.




#2 buddy215


Posted 27 December 2008 - 08:25 AM

Use Super Antispyware to find and remove the malware. Be sure to UPDATE SAS after installing in regular mode. Then boot into safe mode to run the scan and allow it to remove whatever it finds. If it finds anything other than cookies, post the log here.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

Run an online scan using Kaspersky Online Scanner. Instructions in link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1045589

Use Secunia Online scanner to scan your programs for missing security updates. IE browser, Adobe Reader, Adobe Flash,
Java have all been recently exploited by malware. http://secunia.com/vulnerability_scanning/online/
After updating Java, go to Add/Remove and remove ALL old Java programs.


Using the Firefox browser with the NoScript addon will protect you from "driveby" installs of malware and many others.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Alyssa89


Posted 27 December 2008 - 07:08 PM


Thanks for the reply. I have used Firefox with NoScript since the day I installed the browser a long time ago.
The scanners did find 2 things, although the Kaspersky one is odd.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2008 at 05:39 PM

Application Version : 4.23.1006

Core Rules Database Version : 3686
Trace Rules Database Version: 1663

Scan type : Complete Scan
Total Scan Time : 00:23:41

Memory items scanned : 170
Memory threats detected : 0
Registry items scanned : 4144
Registry threats detected : 0
File items scanned : 21293
File threats detected : 1

Trojan.Gen
C:\WINDOWS\UNIFISH3.EXE

Unifish3.exe appears to be part of Roller Coaster Tycoon according to google, but I've never had this game on my PC before.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 19:46:42
Records in database: 1521662
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 67309
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:53:53


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1


*edit
BOClean, part of Comodo, is now also identifying mIRC as a threat and won't let me start it. It says:

RSK-MIRC.SAC VARIANT STOPPED BY BOCL...
Location of startup: FILE
C:\PROGRAM FILES\MIRC\MIRC.EXE

This trojan horse program was found on your machine. It has been shut down, but the FILE from which it started still remains and can be started up again.

Do you want the file removed also?
Yes \ No

Looking at a FAQ, mIRC is included by default because of its frequent use in distributing things like this. But, I find it odd that 2 things have hit on it.

Edited by Alyssa89, 27 December 2008 - 07:37 PM.


#4 buddy215


Posted 27 December 2008 - 08:32 PM

Use the programs in links below.

MalwareBytes AntiMalware Do The Scan in safe mode after installing and updating in regular mode.
http://www.bleepingcomputer.com/forums/ind...st&p=944365

Bit Defender online scanner---Allow it to remove what it finds.
http://www.bitdefender.com/scan8/ie.html

Dr. Web Cureit
http://www.bleepingcomputer.com/forums/ind...st&p=961952

There was a chain of thunderstorms that hit here. Had to shut down for a while. Wanted to add that mirc.exe is part of a worm distributed on IRC channels. Here is BC's description: Added by the W32/IRCFlood-M IRC worm.

Here is a link to more info on the worm.
http://www.sophos.com/security/analyses/vi...2ircfloodm.html

I think that is the original source of your malware. It is a very dangerous worm as it can completely compromise your computer. Have you used Mirc to download files? torrents?

Edited by buddy215, 27 December 2008 - 09:38 PM.


#5 Alyssa89


Posted 27 December 2008 - 10:05 PM

I'm running the bit defender scan now, still have 15 minutes left.

I have the program mIRC. the file included to launch the program is mirc.exe, which is why I am not sure if this is the infection? I've had the program for over a year now, and this is all very sudden. I don't download with it or chat really; my boss has a paid password protected room on the Rizon channel that the staff of the website I work on use to be in constant, easy contact. Searching my computer the only instances of mirc related things are where they should be which is program files\mIRC (the full path to the file in question is C:\Program Files\mIRC\mirc.exe The file is 2.47 MB, and hasn't been modified since Nov 7th 2007, which is when it was installed). There also is no instance of poytura on my computer which that worm seems to create? That name also wasn't involved in any of the scans it hit on. Is there a place where I can test the file itself? I've never downloaded on mirc, or shared files in any way with it, nor have I gone to any chatroom or server other than what I mentioned; so this seems like an odd worm for me to just pick up?

Edited by Alyssa89, 27 December 2008 - 10:07 PM.


#6 buddy215


Posted 27 December 2008 - 10:14 PM

Submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. Post back with the results.
http://virusscan.jotti.org/
http://www.virustotal.com/metodos.html

#7 Alyssa89


Posted 28 December 2008 - 01:30 AM

MalwareBytes - found nothing.

Bit Defender - found nothing.

Dr. Web Cureit found some things. No infections, but "suspicious" and "risky" files. One of the "risky" files was mirc.exe again. The suspicious ones were AIM files (I haven't used AIM in 2 years; I didn't even know I still had it). 2 restore points were also labeled as suspicious. I didn't know it didn't save a clean log file, so I can't post everything, but here are some things I wrote down; I don't remember what each one was labeled as.

evidence.boc
ocpinst.exe (this was labeled suspicious)
A01g6289.exe
B0C426 (this was labeled risky)

I told it to cure them, I got no "successful" or "failed" message..

Here are the logs of the mirc.exe file

100%File: mirc.exe
Status:
INFECTED/MALWARE
MD5: e72425de3cb77a4ddff9289f728017b4
Packers detected:
-
Scanner results
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found Riskware.Client-irc.Mirc.631
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found Client-IRC.W32.mIRC.63
Dr.Web
Found Program.mIRC.623
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:Client-IRC.Win32.mIRC.631 (6, 2, 601)
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:Client-IRC.Win32.mIRC.631
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


File mirc.exe received on 12.28.2008 01:39:03 (CET)
Current status: finished
Result: 5/39 (12.82%)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.27 -
AhnLab-V3 2008.12.25.0 2008.12.27 -
AntiVir 7.9.0.45 2008.12.27 -
Authentium 5.1.0.4 2008.12.27 -
Avast 4.8.1281.0 2008.12.27 -
AVG 8.0.0.199 2008.12.28 -
BitDefender 7.2 2008.12.27 -
CAT-QuickHeal 10.00 2008.12.27 -
ClamAV 0.94.1 2008.12.27 -
Comodo 826 2008.12.27 -
DrWeb 4.44.0.09170 2008.12.27 -
eSafe 7.0.17.0 2008.12.24 Client-IRC.Win32.mIR
eTrust-Vet 31.6.6276 2008.12.24 -
Ewido 4.0 2008.12.27 -
F-Prot 4.4.4.56 2008.12.27 -
F-Secure 8.0.14332.0 2008.12.28 Client-IRC.Win32.mIRC.631
Fortinet 3.117.0.0 2008.12.27 -
GData 19 2008.12.27 -
Ikarus T3.1.1.45.0 2008.12.27 -
K7AntiVirus 7.10.568 2008.12.27 not-a-virus:Client-IRC.Win32.mIRC.631
Kaspersky 7.0.0.125 2008.12.28 not-a-virus:Client-IRC.Win32.mIRC.631
McAfee 5476 2008.12.27 -
McAfee+Artemis 5476 2008.12.27 -
Microsoft 1.4205 2008.12.28 -
NOD32 3719 2008.12.27 -
Norman 5.80.02 2008.12.26 -
Panda 9.0.0.4 2008.12.27 -
PCTools 4.4.2.0 2008.12.27 -
Prevx1 V2 2008.12.28 -
Rising 21.09.52.00 2008.12.27 -
SecureWeb-Gateway 6.7.6 2008.12.27 -
Sophos 4.37.0 2008.12.27 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.28 -
TheHacker 6.3.1.4.200 2008.12.26 -
TrendMicro 8.700.0.1004 2008.12.26 -
VBA32 3.12.8.10 2008.12.27 -
ViRobot 2008.12.26.1536 2008.12.26 Not_a_virus:ClientIRC.mIRC.2756096
VirusBuster 4.5.11.0 2008.12.27 -
Additional information
File size: 2756096 bytes
MD5...: e72425de3cb77a4ddff9289f728017b4
SHA1..: fdd7d321b8842162ec338e796eba5b3e28ea3cba
SHA256: ae0e65baa03ec1fee5f49c45c52616e065191a7e4e6c737c9c41551db34bfb8f
SHA512: de9eb280683cfca10011d0d68062f668d8ca1288aa3fa957968c6939df402a38
d875f9be24e36302b5e9e4f8db4fa1e0d3528228828ae37a5d7dc75d52f0581b
ssdeep: 24576:rYcbN5oxZY2sQYH2Sr0N//GxKnCTMxjjz7rzyKfOb/Y+V5Js2DOMGeYriz
By/RhR:ffODxihrV2RhN24Zai56kwZdaTEDw
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (59.5%)
Windows Screen Saver (20.6%)
Win32 Executable Generic (13.4%)
Generic Win/DOS Executable (3.1%)
DOS Executable Generic (3.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5d4b6d
timedatestamp.....: 0x472a2fa3 (Thu Nov 01 19:57:23 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1e80ea 0x1e8200 6.63 984bce31494c2a483555a1467cb70287
.rdata 0x1ea000 0x2328a 0x23400 6.22 93952b38069c99985f48fc997bf30008
.data 0x20e000 0x4f370 0x4000 5.66 8f752f0b907977cbec4ebc3fcaccdf9a
.rsrc 0x25e000 0x91318 0x91400 4.83 24805ba997fb490870a80145c4e48d1d

( 13 imports )
> COMCTL32.dll: ImageList_Draw, ImageList_Destroy, ImageList_Create, ImageList_GetIconSize, ImageList_ReplaceIcon
> MPR.dll: WNetCloseEnum, WNetOpenEnumA, WNetEnumResourceA
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
> WINMM.dll: sndPlaySoundA, mciSendStringA, mciGetDeviceIDA, timeEndPeriod, timeSetEvent, timeKillEvent, timeBeginPeriod, timeGetDevCaps, mixerClose, mixerSetControlDetails, mixerGetControlDetailsA, mixerGetLineControlsA, mixerGetLineInfoA, mixerOpen, mciGetErrorStringA
> WSOCK32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> KERNEL32.dll: GetLocaleInfoA, GetSystemDefaultLCID, GetWindowsDirectoryA, SetEndOfFile, GetModuleFileNameA, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, lstrcatW, lstrlenW, lstrcpyW, GetVersionExA, QueryPerformanceCounter, QueryPerformanceFrequency, CreateFileA, EnumResourceNamesA, EnumResourceTypesA, LoadLibraryExA, GetDiskFreeSpaceA, GetCurrentProcess, QueryDosDeviceA, GetFileType, GetFileAttributesA, WinExec, FindClose, FindNextFileA, FindFirstFileA, _lwrite, _lclose, _hwrite, GlobalSize, OpenFile, WriteFile, MulDiv, InterlockedIncrement, InterlockedDecrement, SetFilePointer, GetLastError, ReadFile, FlushFileBuffers, GetSystemDefaultLangID, GetDriveTypeA, GetLogicalDriveStringsA, SetFileAttributesA, WritePrivateProfileStringA, GetPrivateProfileStringA, RemoveDirectoryA, CreateDirectoryA, GetLocalTime, GetCurrentThreadId, UnmapViewOfFile, MapViewOfFile, OpenFileMappingA, CreateMutexA, SetErrorMode, FindCloseChangeNotification, FindNextChangeNotification, WaitForMultipleObjects, FindFirstChangeNotificationA, GetEnvironmentVariableA, GetShortPathNameA, CompareFileTime, GetFileTime, ReleaseMutex, GetTimeZoneInformation, LocalAlloc, LocalReAlloc, LocalFree, DeleteFileA, CopyFileA, MoveFileA, SetLastError, GetTempPathA, EnterCriticalSection, SetStdHandle, GetSystemTimeAsFileTime, CreateThread, TlsGetValue, TlsSetValue, ExitThread, RtlUnwind, HeapFree, HeapAlloc, TerminateProcess, GetModuleHandleA, ExitProcess, CreateEventA, WaitForSingleObject, LoadLibraryA, GetProcAddress, FreeLibrary, GetCurrentThread, SetThreadPriority, SetEvent, Sleep, WideCharToMultiByte, CloseHandle, MultiByteToWideChar, GetTickCount, FindResourceA, LoadResource, LockResource, LeaveCriticalSection, HeapReAlloc, FileTimeToSystemTime, FileTimeToLocalFileTime, SetConsoleCtrlHandler, GetACP, GetOEMCP, GetCPInfo, RaiseException, GetTimeFormatA, GetDateFormatA, GetStartupInfoA, GetCommandLineA, TlsFree, TlsAlloc, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, 
IsBadWritePtr, UnhandledExceptionFilter, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, InitializeCriticalSection, GetFullPathNameA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetStringTypeA, GetStringTypeW, HeapSize, SetUnhandledExceptionFilter, SetEnvironmentVariableA, SetEnvironmentVariableW, VirtualProtect, GetSystemInfo, VirtualQuery, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetFileInformationByHandle, GetVolumeInformationA, PeekNamedPipe
> USER32.dll: DdeDisconnect, DdeUninitialize, DdeNameService, DdeFreeDataHandle, DdeUnaccessData, DdeAccessData, DdeQueryStringA, DdeCreateDataHandle, DdeClientTransaction, DdeConnect, DdeCreateStringHandleA, DdeInitializeA, CallWindowProcA, GetMessageA, ClipCursor, SetKeyboardState, GetKeyboardState, ToAscii, ScrollDC, GetSystemMetrics, MessageBoxA, FlashWindow, RedrawWindow, ShowScrollBar, CharLowerBuffA, CharLowerA, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, VkKeyScanA, GetKeyboardLayout, CopyAcceleratorTableA, MapVirtualKeyA, CallNextHookEx, GetCapture, CharUpperBuffA, DrawIcon, LoadIconA, GetWindowDC, DefMDIChildProcA, GetScrollInfo, IsMenu, GetMenuState, RemoveMenu, SetMenuItemInfoA, GetMenuItemInfoA, GetMenuItemID, TrackPopupMenu, RegisterWindowMessageA, SetWindowsHookExA, GetWindowThreadProcessId, LoadAcceleratorsA, DispatchMessageA, TranslateMessage, TranslateMDISysAccel, TranslateAcceleratorA, IsDialogMessageA, LoadMenuA, PostQuitMessage, DefFrameProcA, RegisterClassExA, UnhookWindowsHookEx, ValidateRect, InvertRect, DefWindowProcA, DrawFrameControl, RegisterClassA, CopyImage, CreateIconIndirect, GetWindowRgn, SetWindowRgn, IsRectEmpty, OffsetRect, SetScrollInfo, DdeFreeStringHandle, GetWindow, GetWindowPlacement, GetMessagePos, GetAsyncKeyState, GetWindowLongA, IsClipboardFormatAvailable, EmptyClipboard, SetClipboardData, OpenClipboard, EnumClipboardFormats, GetClipboardFormatNameA, CreateWindowExA, GetClipboardData, DestroyWindow, CloseClipboard, LoadStringA, MessageBeep, GetTopWindow, IsZoomed, GetActiveWindow, IsWindow, IsCharAlphaA, IsCharAlphaNumericA, GetDesktopWindow, IsIconic, GetDialogBaseUnits, SetDlgItemInt, GetDlgItemInt, GetSystemMenu, CheckMenuItem, LoadCursorA, SetCursor, CreatePopupMenu, DestroyMenu, GetMenu, GetSubMenu, GetMenuItemCount, DeleteMenu, EnableMenuItem, AppendMenuA, DrawMenuBar, GetWindowTextA, FrameRect, GetParent, DrawFocusRect, GetSysColor, GetKeyState, PeekMessageA, MsgWaitForMultipleObjects, BeginPaint, 
EndPaint, DrawIconEx, DestroyIcon, LoadImageA, IsWindowVisible, FillRect, DrawEdge, IsDlgButtonChecked, EndDialog, SetFocus, CheckDlgButton, SetWindowPlacement, GetWindowTextLengthA, SetActiveWindow, GetMenuStringA, SetRect, SendMessageA, GetDlgCtrlID, GetCursorPos, ScreenToClient, SetWindowPos, UpdateWindow, PtInRect, SetWindowTextA, EnableWindow, ShowWindow, DialogBoxParamA, IsChild, IntersectRect, ModifyMenuA, GetNextDlgTabItem, ChildWindowFromPointEx, GetScrollPos, GetScrollRange, SetScrollPos, CreateMenu, SetMenu, SetScrollRange, SetCapture, EqualRect, ReleaseCapture, IsWindowUnicode, CreateDialogParamA, CopyRect, FindWindowExA, ReleaseDC, PostMessageA, MapWindowPoints, GetWindowRect, GetDlgItem, GetDC, SendDlgItemMessageA, wsprintfA, SetForegroundWindow, ClientToScreen, ChildWindowFromPoint, WindowFromPoint, BringWindowToTop, SetWindowLongA, GetClassNameA, GetFocus, GetIconInfo, WinHelpA, SystemParametersInfoA, GetForegroundWindow, DrawTextA, FindWindowA, MoveWindow, GetClientRect, SetTimer, KillTimer, IsWindowEnabled, InvalidateRect, InsertMenuA
> GDI32.dll: BitBlt, GetObjectA, CreateCompatibleDC, SetBrushOrgEx, SetStretchBltMode, StretchBlt, CreateCompatibleBitmap, GetDIBits, CreateDIBSection, CombineRgn, LineTo, MoveToEx, CreatePen, SelectClipRgn, CreateRectRgn, GetNearestColor, GetDeviceCaps, GetTextExtentPointA, CreateFontIndirectA, PtInRegion, CreatePolygonRgn, DeleteDC, CreatePatternBrush, Rectangle, RoundRect, Ellipse, GetStockObject, SetROP2, SetBkMode, IntersectClipRect, GetClipRgn, ExtTextOutW, GetBkColor, GetTextColor, GetCurrentObject, EnumFontFamiliesExA, GetTextCharset, GetTextExtentPointW, Polyline, ExcludeClipRect, GetObjectType, CreateBitmap, Polygon, FrameRgn, CreateRoundRectRgn, CreateRectRgnIndirect, RectInRegion, CreateFontA, CreateHatchBrush, GetTextMetricsA, ExtTextOutA, CreateSolidBrush, DeleteObject, SelectObject, SetTextColor, SetBkColor, GetPixel, ExtFloodFill, SetPixelV
> comdlg32.dll: ChooseColorA, CommDlgExtendedError, ChooseFontA
> ADVAPI32.dll: RegSetValueA, RegCreateKeyA, RegQueryValueA, RegOpenKeyA, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegEnumKeyA, RegCloseKey
> SHELL32.dll: SHBrowseForFolderA, SHGetDesktopFolder, SHGetMalloc, SHFileOperationA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, DragQueryFileA, FindExecutableA, SHAppBarMessage, ShellExecuteExA, ShellExecuteA, ExtractIconExA, ExtractIconA, Shell_NotifyIconA
> ole32.dll: ReleaseStgMedium, RegisterDragDrop, CoTaskMemFree, CoGetInterfaceAndReleaseStream, RevokeDragDrop, CoCreateInstance, ProgIDFromCLSID, OleSetContainedObject, CoGetClassObject, CoLockObjectExternal, OleInitialize, CLSIDFromProgID, OleUninitialize
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...ff9289f728017b4


I really didn't think my mirc.exe file had been tampered with in any way, but out of curiosity I deleted the program, reinstalled anew from their website and resubmitted the file; this time the logs were clean. Of course, the original was over a year old and the new mirc.exe file more than likely wasn't an exact copy of mine. Not sure where to go from here; my explorer.exe is still disgustingly slow starting up, if that was in any way related. I scheduled a check disk to run on restart earlier and it came up fine.

Edited by Alyssa89, 28 December 2008 - 08:00 AM.
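The multi-engine report quoted in the post above is the kind of thing a practitioner usually reads by hand; the following is an added example (not code from the thread, from VirusTotal or from Jotti) that parses rows in that "vendor version last-update result" layout, counts the detections and separates "not-a-virus"/riskware labels from genuine malware verdicts. The sample rows are copied from the report in the post; the `RISKWARE_MARKERS` list is my own assumption about which label fragments vendors use for potentially-unwanted software (Kaspersky-family "Client-IRC" naming for IRC clients, as seen in the thread), not a vendor-published list.

```python
"""Triage a VirusTotal-style results table: count detections and separate
riskware / not-a-virus labels from real malware verdicts."""
from dataclasses import dataclass
from typing import Dict, List

# Rows copied from the report quoted in the thread: vendor, version, last update, result.
# "-" means the engine reported nothing.
SAMPLE_REPORT = """\
a-squared 4.0.0.73 2008.12.27 -
eSafe 7.0.17.0 2008.12.24 Client-IRC.Win32.mIR
F-Secure 8.0.14332.0 2008.12.28 Client-IRC.Win32.mIRC.631
K7AntiVirus 7.10.568 2008.12.27 not-a-virus:Client-IRC.Win32.mIRC.631
Kaspersky 7.0.0.125 2008.12.28 not-a-virus:Client-IRC.Win32.mIRC.631
McAfee 5476 2008.12.27 -
Microsoft 1.4205 2008.12.28 -
Sophos 4.37.0 2008.12.27 -
Symantec 10 2008.12.28 -
ViRobot 2008.12.26.1536 2008.12.26 Not_a_virus:ClientIRC.mIRC.2756096
"""

# Assumed label fragments that mark a "potentially unwanted" verdict rather than malware.
# "client-irc"/"clientirc" is the Kaspersky-family name for IRC client software.
RISKWARE_MARKERS = ("not-a-virus", "not_a_virus", "riskware", "client-irc", "clientirc")


@dataclass
class Verdict:
    vendor: str
    version: str
    updated: str
    result: str
    category: str  # "clean", "riskware" or "malware"


def classify(result: str) -> str:
    """Map one engine's result string to a coarse category."""
    if result == "-":
        return "clean"
    low = result.lower()
    if any(marker in low for marker in RISKWARE_MARKERS):
        return "riskware"
    return "malware"


def parse_report(text: str) -> List[Verdict]:
    """Parse 'vendor version date result' rows; the result may contain spaces."""
    rows: List[Verdict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() == "antivirus":
            continue  # blank line, statistics line or the column header
        vendor, version, updated = parts[:3]
        result = " ".join(parts[3:])
        rows.append(Verdict(vendor, version, updated, result, classify(result)))
    return rows


def summarize(rows: List[Verdict]) -> Dict[str, object]:
    """Count engines per category and build the familiar 'x/y' detection ratio."""
    counts: Dict[str, object] = {"total": len(rows), "clean": 0, "riskware": 0, "malware": 0}
    for row in rows:
        counts[row.category] += 1
    counts["detections"] = counts["riskware"] + counts["malware"]
    counts["ratio"] = f"{counts['detections']}/{counts['total']}"
    return counts


def triage(text: str) -> Dict[str, object]:
    """Parse, summarise and attach a one-line assessment of what the ratio means."""
    summary = summarize(parse_report(text))
    if summary["malware"] > 0:
        summary["assessment"] = "malware verdicts present: treat the file as hostile until proven otherwise"
    elif summary["riskware"] > 0:
        summary["assessment"] = "riskware-only: every hit is a potentially-unwanted label, consistent with a legitimate tool"
    else:
        summary["assessment"] = "no detections"
    return summary


if __name__ == "__main__":
    for row in parse_report(SAMPLE_REPORT):
        print(f"{row.vendor:<12} {row.category:<9} {row.result}")
    print(triage(SAMPLE_REPORT))
```

Run on the ten sample rows this reports 5/10 detections, all in the riskware category, which is the same picture the full 5/39 report gives: nothing in it says "Trojan" or "Worm", only IRC-client riskware names.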


#8 buddy215


Posted 28 December 2008 - 09:34 AM

I have asked Quietman7 to take a look at this topic and give his expert opinion.

Suggest you update Java and delete all old Java programs after updating.

If you haven't defragged or run the cleanup tool in some time, I would suggest you do that. If you need instructions (which I don't think you do) for doing the above, please just ask.

Some scans identified Not a virus.

not-a-virus:Client-IRC.Win32.mIRC [Ikarus] is known to be created as:
%System%\fvist.com
%System%\java.log\radx.exe
%System%\ttt\ournik.com
%Temp%\mirc-6.31-ita_tuttoirc\mirc-6.31-ita_tuttoirc\mirc.exe

Edited by buddy215, 28 December 2008 - 09:40 AM.


#9 quietman7


Posted 28 December 2008 - 12:04 PM

Certain embedded files that are part of legitimate programs may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted program", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

In your case it appears the older mirc.exe file was flagged as "Riskware", "not a virus" due to the detection of how the file was packed.

A packed file is a specially compressed (protected) file that may have been obfuscated or encrypted in order to conceal itself. Packed files often trigger alerts by anti-virus software using heuristic detection because they are resistant to scanning (difficult to read). Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. The technique involves inspecting the code in a file to see if it contains virus-like characteristics. What makes an executable file compressor a tool of malware writers is that when a file is packed, the file itself is changed significantly. As a result, the viral signature is essentially destroyed and the anti-virus program needs to have the ability to unpack these file compressors to read the code inside of it. When the file cannot be read, it is considered to be suspicious by the anti-virus program and often detected as malware or a threat.

When you updated the file, its newer packing mechanism was not detected as suspicious.
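Two things in this thread can be checked locally before uploading anything: the hashes of a file (post #6 suggests submitting it to Jotti or VirusTotal, and the VirusTotal report above lists MD5/SHA1/SHA256) and the "difficult to read" quality quietman7 describes, which scanners approximate with per-section byte entropy (the `ntrpy` column in the report's PEInfo block). The following is an added example, not code from the thread or from any scanner vendor, that computes the hashes and Shannon entropy of sections and flags high-entropy ones the way a packer heuristic would. The section contents are constructed in the script (a repeated text block and seeded pseudo-random bytes standing in for packed code), and the 7.0 bits/byte cut-off is an assumed, commonly used heuristic threshold rather than any vendor's setting.

```python
"""Hashes plus per-section Shannon entropy: the cheap heuristic behind
'this executable looks packed' alerts."""
import hashlib
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

# Assumed threshold (bits per byte). Plain x86 code and text usually sit around 5-6.7;
# compressed or encrypted sections approach the 8.0 maximum.
PACKED_THRESHOLD = 7.0


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 hex digests, the identifiers multi-engine sites key on."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_report(sections: List[Tuple[str, bytes]]) -> List[Tuple[str, float, bool]]:
    """Entropy per named section and whether it crosses the packed threshold."""
    report = []
    for name, body in sections:
        ent = round(shannon_entropy(body), 2)
        report.append((name, ent, ent >= PACKED_THRESHOLD))
    return report


def looks_packed(sections: List[Tuple[str, bytes]]) -> bool:
    """A single high-entropy code/data section is enough to trip the heuristic."""
    return any(flagged for _, _, flagged in section_report(sections))


# Constructed sample sections (not bytes from mirc.exe):
# a text-like section and a pseudo-random section standing in for packed code.
PLAIN_SECTION = (b"Help text and configuration strings, repeated to fill a section. ") * 64
_rng = random.Random(2008)  # fixed seed so the result is reproducible
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))

UNPACKED_BINARY = [(".text", PLAIN_SECTION), (".rdata", PLAIN_SECTION[:1024])]
PACKED_BINARY = [(".text", PACKED_SECTION), (".rdata", PLAIN_SECTION[:1024])]


def triage(sections: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Everything a responder would note down before deciding whether to upload."""
    image = b"".join(body for _, body in sections)
    return {
        "hashes": file_hashes(image),
        "sections": section_report(sections),
        "looks_packed": looks_packed(sections),
    }


if __name__ == "__main__":
    for label, binary in (("unpacked", UNPACKED_BINARY), ("packed", PACKED_BINARY)):
        result = triage(binary)
        print(label, result["hashes"]["sha256"][:16], result["sections"], result["looks_packed"])
```

A file that trips `looks_packed` is not thereby malicious; as the post above says, it only means the scanner cannot read the code inside, so the hash should be checked against the vendor's published release (or the freshly downloaded copy, as the poster did) before the detection is believed.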

#10 Alyssa89


Posted 28 December 2008 - 06:07 PM

Hi quietman7, thank you. I really thought it was something like that, since it got hit on so randomly. In any case I've deleted mIRC (as well as the new one) until I figure out what else is wrong; currently just using mibbit.com to connect.

I think I uninstalled all old Java? I'm not sure. I uninstalled the other Java entry on my add/remove; there was only one.

As far as what I've done to try to fix the explorer load...
I've defragmented twice this week; once last night, neither time was it very fragmented at all.
I've deleted up to 10 gigs of things I don't need.
I've disabled all services that are safe to disable.
I've tried turning every single start up item off, and it makes no difference; I just have 2 things running now, which is my display driver and firewall.
I've brought my "processes" list in task manager from 38 down to 23 during start up.
I've run CCleaner, both to delete unneeded junk and the registry fixer.
I've run check disk twice, neither time was anything wrong.
I've turned off all themes and am using windows classic theme.

My startup time has improved, but not the explorer load. Basically, what happens is I just don't have a task bar; it's not stuck or anything. I can move my mouse down to the area where it should be and there is no hour glass or indication that it's there; no sliver of color, nothing. In task manager, explorer.exe is running, using 11k mem, my cpu usage is at 0%. If I end and restart explorer manually it does not speed up the loading. I can run other things from the "run" command and they come up fine. For example, regedit and msconfig load instantly when I open them from "run".

I'm not sure if this is significant; in Safe Mode the load is normal. No hang.

This has been going on for a little over or almost a month, I can't recall exactly. I previously did not have SP3 installed, and I installed it thinking it would help the issue, it did not (but it's not the cause, it was doing this before). I don't recall anything significant I did to make it start doing this.

I dread restarting because of how long it takes. My computer used to restart so fast. I just want to fix it.

Some scans identified Not a virus.

not-a-virus:Client-IRC.Win32.mIRC [Ikarus] is known to be created as:
%System%\fvist.com
%System%\java.log\radx.exe
%System%\ttt\ournik.com
%Temp%\mirc-6.31-ita_tuttoirc\mirc-6.31-ita_tuttoirc\mirc.exe


Upon searching my computer, I don't have any of these entries anywhere.

Edited by Alyssa89, 28 December 2008 - 06:33 PM.


#11 buddy215


Posted 28 December 2008 - 07:09 PM

There is a ton of info on the web about "missing taskbar".
I suspect you have already looked around for an answer but here is what Windows says on one site.
http://support.microsoft.com/kb/318027

I think earlier you said you had a problem with Outpost Firewall. Here is a link to manually uninstalling Outpost; you can use the info there to see if some of Outpost might still be on your computer.
http://www.agnitum.com/support/kb/article....159&lang=en

It may come down to reinstalling Windows as one of the fixes mentioned in the first link. Do you have a XP CD or a restore partition?

#12 Alyssa89


Posted 28 December 2008 - 08:20 PM

I did have some Outpost stuff left over, and I do think getting rid of it improved the load time slightly. Still, it's taking a long time.

Nothing in the help page helped. One thing I noticed was that when I went into another newly made account, there was an "Applying your personal settings" box that stayed open for as long as explorer.exe usually hangs. It was also part of explorer, as it closed when I ended explorer. Explorer opened after it finished. It did not come up again after rebooting into the account a second time, but explorer still hung.

I have an XP CD somewhere. I have been considering reinstall, but I'd really rather not do it.

Edited by Alyssa89, 28 December 2008 - 08:24 PM.


#13 DaChew


Posted 28 December 2008 - 10:39 PM

You seem like an advanced user, have you ever considered slipstreaming sp3 into your windows xp cd and running as a repair disk?
Chewy

No. Try not. Do... or do not. There is no try.

#14 Alyssa89


Posted 28 December 2008 - 11:11 PM

I'm not sure how to do that. About 2 years ago I did do an installation disk with sp2 on it, is it like that? That was for a clean install though. I'm not sure if making a repair disk is different.

#15 DaChew


Posted 28 December 2008 - 11:24 PM

I took my XP disk w/ SP1 and slipstreamed and burned an XP SP2 disk after SP2 came out.

http://www.google.com/search?hl=en&q=s...p;oq=slipstream

then

http://www.michaelstevenstech.com/XPrepairinstall.htm

It doesn't always work, but it saves a lot of time when it does.

One time I had to do it twice to the same computer: first to repair Windows enough to remove the malware, and then again to get Windows Update to work. This was before SP3 came out.

Edited by DaChew, 28 December 2008 - 11:26 PM.




