
System Configuration Utility/startup Programs


22 replies to this topic

#1 Kleigh

Posted 12 February 2007 - 12:22 PM

Hello,

I was going through the programs which are set to start up in the System Configuration Utility, actually going through a list that I found of unnecessary programs which take up CPU and could be turned off safely, as my computer has been very slow for some reason.

There is a program called "1" listed, and it shows its location in Windows (HKCU\Software\Microsoft\Windows\Current Version). The glossary I was using shows a program called "1.exe" listed as a Trojan. However, as I stated, it's listed only as "1" as running in my startup programs (1 without the quotations).

Is this a legitimate program and if so what is it? My antivirus, etc... does not detect it as a virus or trojan.

Any help with this would be greatly appreciated.

Thank You,
Kleigh


#2 Kleigh (Topic Starter)

Posted 12 February 2007 - 01:19 PM

In addition to the above, the changes that I made yesterday (I disabled several unnecessary programs) are now enabled again. The changes that I made didn't remain for some reason and I don't know why. My computer has been acting terribly slow and none of the utilities I use have found anything. I get a lot of alerts on Zonealarm, and don't know how many of these are actual intrusion attempts, but I am and have been very concerned about security. I know this is a lot, but any help with these things would be appreciated. I am using Windows XP Home edition.

Kleigh

#3 usasma (BSOD Kernel Dump Expert)

Posted 12 February 2007 - 07:02 PM

This sounds a bit like an infection. I'd try these free, online scans to see if you can isolate it:

http://safety.live.com/
http://housecall.trendmicro.com/

Let us know the results and we can move on from there.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#4 Kleigh (Topic Starter)

Posted 12 February 2007 - 07:24 PM

Thank you, John for your reply. It seems to be something that isn't easily detected, yet it is there. I've searched to try to identify what it is online, and have not seen any evidence anywhere that it's a legit program - yet there it is set on my startup programs.

I've scanned my system with the following utilities to try to identify and isolate it with no success:

Trendmicro Housecall (online scan)
Spy Sweeper
Super AntiSpyware Free Edition
Advanced Spyware Remover
Trojan Hunter
BitDefender 8

Any suggestions you might have would be appreciated. Thank you once again.

Kleigh

#5 usasma (BSOD Kernel Dump Expert)

Posted 12 February 2007 - 07:46 PM

Well, as a last ditch (you've scanned with more than we scan with at work) I'd try looking for a rootkit. Here's a thread with some discussion about them (and a link to a couple of free tools): http://www.bleepingcomputer.com/forums/t/81247/deleting-alternate-data-streams/

Once that's done (and I presume that it'll come up clean), then we can move on to what's resetting your settings. If everything is clean, then it's likely that one of the protection programs is saving you from yourself. :thumbsup:

#6 Kleigh (Topic Starter)

Posted 12 February 2007 - 08:24 PM

Hi John and thanks again. I just did a scan with Rootkit Revealer (just downloaded it after I read your message) and it turned up these 3 discrepancies:

HKLM\SECURITY\POLICY\SECRETS\SAC* Key name contains embedded nulls
HKLM\SECURITY\POLICY\SECRETS\SAI* Key name contains embedded nulls
HKLM\SOFTWARE\CLASSES\Clsid Hidden from Windows API

I've never done a scan like this before and I have no earthly idea what those are, or what to do with them. Help??? :thumbsup:

Thank you

Kleigh

#7 usasma (BSOD Kernel Dump Expert)

Posted 12 February 2007 - 08:45 PM

I think that they're bad. Try the gmer program in the other post to be sure.

My HKLM\SECURITY key doesn't contain any sub-keys
My HKLM\Software\Classes\CLSID doesn't contain any values, but does contain some sub-keys (but all of the sub-keys are visible to the Windows API).

My XP installation is on a virtual machine and has limited access to the web. It's also only used for experimentation/reference - so it's relatively "pure" and uncluttered by a lot of programs.

#8 Kleigh (Topic Starter)

Posted 12 February 2007 - 09:26 PM

O.K. I just loaded GMER 1.0.12.12027 from the link you posted, and did the scan.

Are all of the results of this scan rootkits and am I supposed to delete some/all of them? There are probably 50 or more listed. I don't see any keys to do this. It just shows the results and that's it. I'm searching online now to see what I can find out.

Thanks

Kleigh

#9 Kleigh (Topic Starter)

Posted 12 February 2007 - 09:36 PM

I posted prematurely, I think. Just read more about the scanner. None of the results were highlighted in red so I assume (and hope) the scan results were clean.

#10 joygreen

Posted 12 February 2007 - 10:04 PM

Hello Kleigh,

My guess is that this program is NOT valid. Plus, you got information that this is a TROJAN, which is malware (shortcut for virus/spyware/hacker junk). Trojans are indeed bad programs. I have had lots of problems with my XP SP2 machine. It seems that once a malware gets on here, it disables my anti-virus/spyware/firewall programs as well as changing settings. You need to find a program to remove that Trojan from your machine. You are lucky to know the name of the malware that is on your machine. Try getting rid of it; reboot; check your windows security settings and see what happens. Hopefully that will be the only problem. My latest adventure was the destruction of my Windows Installer file. That means I wasn't getting updates, but no messages about the problem. John, do you agree? Good luck, Kleigh.

Joy
"Restore an environmentally sustainable and economically just America"

#11 Kleigh (Topic Starter)

Posted 12 February 2007 - 11:12 PM

Hi Joy,

And thank you for the reply. I am now thinking that it could be realplayer, although I'm not completely sure. I just did a search (and you can imagine all of the files that came up I had to go through searching for a file named "1"!!) No files came up that were listed as programs, but there were 2 files with that title that belonged to realplayer. I'm going to have to go back later though to confirm whether or not that's the case. It didn't show up on the glossary that I was referring to and wasn't listed that way when I searched online trying to figure it out.

I've had the same problems as you with XP ever since setting up this computer. My settings do get changed, and my antivirus/spyware programs malfunction, or stop working. Shortly after setting this up, my entire Netscape email account mysteriously got wiped out. There's no doubt there's a problem somewhere.

Thank you again,
Kleigh

#12 Orange Blossom (Moderator)

Posted 13 February 2007 - 12:00 AM

Hello Kleigh:

I suggest you follow the directions in this guide. I realize that you have done some of this already, but it won't hurt to repeat. I would also try some of the other online scanners listed in the guide. Then create an HJT log, you will find the directions in the guide.

Create a new topic in this forum, not here and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work and paste in your HJT log. You may wish to paste in a link to this topic.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Once you have been declared clean and you are still having problems, please post back in this thread and we'll work to resolve the issue.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


#13 joygreen

Posted 13 February 2007 - 12:02 AM

Kleigh, did you get an e-machine with OEM software that wipes the drive whenever you have to reinstall windows? I am one month away from the one year warranty, I have been "fighting" with gateway all year. I've lost a bunch of stuff; just found a link to a file restore program on another topic here at bleep, "http://www.pcinspector.de/file_recovery/uk/manual.htm"

It's late and forgive me if I asked you this before, but have you used and had any luck with One Care? It was awful last year (beta test). I reloaded it this time and it did clean up the machine a bit. But I'm still torked off about losing my mail (the first time I didn't know how to do it); now I can't get it restored, but someone gave me a how-to here and I'll do a search to find it since I lost my note.

I have always heard that weird filenames are no-no's. Wasn't it you that got a trojan message on that file? Aren't you going to get rid of it? I would think RealPlayer would use real file names for their songs? I think I have seen one-character or one-digit file names. They're gone now. Do you know the start-run-cleanmgr command to get rid of junk files on your hard drive? OH! Where is that file named "1"? Is it in a temp file and cannot be deleted? If so it is definitely a no-no. nightnight.

Best wishes,
Joy

#14 Kleigh (Topic Starter)

Posted 21 February 2007 - 11:50 AM

I am reposting this question here again, after following the steps suggested by Orange Blossom.

My HJT log is clean now from what I understand. My computer seems to be running okay. It was discovered that I had a Red Sheriff infection so I don't know if that has anything to do with this.

There is a program that I cannot identify called "1" in my start up programs in the System Configuration Utility. It doesn't match anything I have running, and searches on the internet have not turned up anything in terms of identifying what it is, as in being a part of Windows XP's operating system. The location for it shows to be Software\Microsoft\Windows\Current Version\Run.

Kleigh

#15 fozzie

Posted 21 February 2007 - 11:55 AM

Doing a Google on 1.exe gave a lot of references, both malicious and harmless. Can you do the following:
Look in the freeware section for Process Explorer and download it. Install it and open it. If the 1.exe appears you can click on it and it will tell you which program is affiliated with it.
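The manual procedure in posts #1 and #14 (an entry named "1" under the Run key, shown by msconfig) and post #15 (matching it to a running program with Process Explorer), carried out in PowerShell, as an added example that is not code from any poster in this thread or from Sysinternals. It assumes a current Windows with Windows PowerShell 5.1 or later (Get-AuthenticodeSignature, Get-FileHash and Get-CimInstance do not exist on Windows XP, where Autoruns and Process Explorer are the equivalent), and the key list is the common Run/RunOnce locations rather than a full autostart inventory; the function and column names are the example's own.

```powershell
# Added example, not code from this thread or from Sysinternals.
# Lists every value under the usual Run/RunOnce autostart keys, resolves the
# command line to the file it launches, and reports signature status, hash and
# whether a process is currently running from that file.
# msconfig's "Startup Item" column is the registry value NAME (here "1");
# the command that actually runs is the value DATA.
# Assumes Windows PowerShell 5.1 or later on a supported Windows release.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-AutorunImage {
    # Pull the executable out of a Run-value command line ("quoted path" args,
    # or bare path args), expand %VARS%, and look bare names up on PATH the way
    # the shell would when it launches the entry.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -ne '' -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

# Snapshot running processes once so each autorun can be matched by image path.
$procs = Get-CimInstance Win32_Process |
         Select-Object ProcessId, ParentProcessId, ExecutablePath

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd    = [string]$item.GetValue($name)
        $image  = Resolve-AutorunImage $cmd
        $onDisk = ($image -ne '') -and (Test-Path -LiteralPath $image -PathType Leaf)
        $sig  = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $image).Status } else { 'missing' }
        $hash = if ($onDisk) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { '' }
        $live = $procs | Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $image) }
        [pscustomobject]@{
            Location    = $key
            StartupItem = $name      # what msconfig displays, e.g. "1"
            Command     = $cmd       # what actually runs at logon
            Image       = $image
            OnDisk      = $onDisk
            Signature   = $sig       # Valid / NotSigned / HashMismatch / UnknownError ...
            SHA256      = $hash
            RunningPid  = ($live.ProcessId -join ',')
            ParentPid   = ($live.ParentProcessId -join ',')
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv. A value name such as "1" on its own says nothing about what starts; the Command and Image columns do, and a Valid signature from the expected publisher on a file in its expected install directory is the quickest way to settle a "is this RealPlayer or not" question one way or the other. An entry whose image is missing from disk, unsigned, or running from a temp or profile directory is the one to look at next, and the SHA256 is what you would submit to a scanner or compare against a known-good copy.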
