
Csrss.exe


This topic is locked
74 replies to this topic

#1 Commander Gman


Posted 07 July 2007 - 08:53 AM

I was just logging in to my computer and entering my login password when suddenly my computer hung while I was entering it, so I checked for vulnerabilities and found csrss.exe in the Task Manager. According to reports, it is malware, so I needed help removing it. Here's the HJT log:




Logfile of HijackThis v1.99.1
Scan saved at 9:51:58 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DeskSlide\DeskSlide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\user\Desktop\VGR\Tools\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DeskSlide] C:\Program Files\DeskSlide\DeskSlide.exe -logon -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3




#2 DaveM59


Posted 18 July 2007 - 08:45 PM

Hi Commander Gman,

I don't see any signs of malware in this log.

While malware can be named anything, and some malware does name itself after legitimate files in order to escape detection, csrss.exe, if found in its normal location (the \system32 folder), is a normal and necessary Windows system file.

See for example this writeup:

http://www.liutilities.com/products/wintas...slibrary/csrss/

You can also do a quick check by locating the file icon in the \system32 folder, then right clicking it and selecting Properties.

Regarding your crash while logging in, I would suggest you look in your system event log. Here is a link to Microsoft's introduction to the event logs; it will link you to other pages that list and explain specific events and errors recorded in the logs.

If you need more guidance with this, I would suggest posting to the WinXP forum. You'll get quicker and probably better help there. I am trained in malware, and I am just learning some of the general Windows troubleshooting myself.

Dave
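The location check Dave describes, written out as a script (an added example; it is not from this thread and not part of HijackThis). It reads the "Running processes" section of a HijackThis log, flags any core Windows process name (csrss.exe, smss.exe, svchost.exe and the rest of the set below) whose directory is not %SystemRoot%\system32, and lists O23 service entries that HijackThis reported as "(file missing)". The embedded sample log is constructed: its first three process paths are copied from the log posted in this thread, and the two odd paths plus the O23 line were made up to show what a hit looks like. The CORE_SYSTEM_PROCESSES set and the C:\WINDOWS\system32 directory are assumptions for a default XP install.

```python
from pathlib import PureWindowsPath

# Process names that a default Windows XP install runs from %SystemRoot%\system32.
# A process with one of these names running from any other directory is a classic
# masquerade and is a finding until proven otherwise.
# Assumption for this example: SystemRoot is C:\WINDOWS, as in the thread's log.
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed sample log. The first three process paths are copied from the
# HijackThis log in this thread; the last two paths and the O23 line are made up.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\csrss.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\Program Files\Example\exsvc.exe (file missing)
"""


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' in a HijackThis log."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:  # the section ends at the first blank line
                break
            paths.append(stripped)
    return paths


def masquerading_processes(paths):
    """Core Windows process names that are running from outside system32.

    Windows paths are case-insensitive, so the comparison is done on
    lower-cased strings: 'System32' and 'system32' are the same directory.
    """
    hits = []
    for path in paths:
        p = PureWindowsPath(path)
        if p.name.lower() in CORE_SYSTEM_PROCESSES and str(p.parent).lower() != SYSTEM32.lower():
            hits.append(path)
    return hits


def missing_service_binaries(log_text):
    """O23 service entries whose binary HijackThis could not find on disk."""
    return [line.strip() for line in log_text.splitlines()
            if line.startswith("O23 - Service:") and "(file missing)" in line]


def triage(log_text):
    """Summarise the checks above for one log."""
    procs = running_processes(log_text)
    return {
        "process_count": len(procs),
        "masquerading": masquerading_processes(procs),
        "missing_service_binaries": missing_service_binaries(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A name-and-directory match is only the first filter. On XP the real csrss.exe is started by smss.exe and carries a Microsoft digital signature, so a copy that sits in system32 but looks wrong in any other way (size, version details in the Properties dialog Dave mentions, no valid signature when checked with a tool such as Sysinternals sigcheck) still needs that second look, while a copy anywhere else is a finding on its own.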

#3 DaveM59


Posted 09 August 2007 - 07:53 PM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.

#4 DaveM59


Posted 12 August 2007 - 01:15 PM

Topic re-opened as per user request.

Please post a fresh HJT log and describe how the computer is behaving now.

Dave

#5 Commander Gman


Posted 13 August 2007 - 06:36 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:11:41 PM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\User1\Desktop\VGR\Tools\Hijack This 3000.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [BigDog303] "C:\WINDOWS\VM303_STI.EXE" VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


My computer has been acting very strange lately.

smss.exe and winlogon.exe use little memory,
usually 200-300K.
Normally these would be using thousands of K (1000-2000) rather than hundreds, which made me very worried. Is it normal to have this?

My internet connection went haywire.
When I open Firefox, the homepage doesn't load;
all it says is that the server's page is reloaded, etc.
This is also the case with IE6 (with more vulnerabilities); it also loads Mozilla's home page.
Even if I do searches in the mini search engine found in the upper right corner of Firefox,
it gives me nothing but a loading page that takes too long to respond.
I also tested the internet plug that I was using (DSL) in my laptop,
with the same results too. I could probably conclude that maybe there's something going on with Mozilla's start page, if it is unavailable or under maintenance? If that is the case, please notify me.
Or is something wrong with my DSL plug? It's OK on the outside, but I'm not sure if that's the cause.
I'll try changing the home page and see if there's any effect.

But I got here by typing the URL, which was my last hope.
It was quite difficult for me to get here, trying to find possible ways...
I could only go to other sites that I know of (url).

About 4 days ago, I was warned by my trial version of Max Spyware Detector, when I was scanning, that there was a Trojan dropper that dropped an empty folder in my "Temp" folder under C:\Documents and Settings\User1\Local Settings. I then searched the internet for the file name to get some background info.
It was indeed caused by malware.
I can barely remember the file name, but I was getting the feeling that I'm being infected again, even though the folder was empty.
Also, I took note of this entry that Max Spyware Detector found:
c:\system volume information\_restore{db38c71b-f098-4d25-b22e-e02b226cfaf3}\rp34\a0018812.dll#@#C845380C64F8DB0538EB4AF4689EC2F7
Identified as "Trojan.MIRC" in Spyware Detector.
When I wanted to get detailed info about it, it said it is currently a file that was downloaded by malware programs
without authorization.
Maybe this could explain my internet problem...

I just want a thorough check of my PC and to remove any malware that can cause harm,
especially the ones that prevent me from internet access (if there are any).

Edited by Commander Gman, 13 August 2007 - 07:17 AM.



#6 Commander Gman


Posted 13 August 2007 - 06:46 AM

Updates:
Changed homepage to MSN temporarily.
It loads slowly, but at least it works; Yahoo's and Google's homepages don't work, though.

About the csrss.exe issue:
I have another file called "CSRSS.EXE-12B63473.pf" under the system32 folder.
Is this normal?

Edited by Commander Gman, 13 August 2007 - 07:18 AM.



#7 Commander Gman


Posted 13 August 2007 - 08:19 AM

Update:
Firefox sometimes can't download anything; it comes out empty-handed,
with an error message: server unable to, etc.
Should I reinstall? (Just asking, in case there are any tools to download.)

Edited by Commander Gman, 13 August 2007 - 08:20 AM.



#8 DaveM59


Posted 13 August 2007 - 01:15 PM

Hi again Commander Gman,

I still don't see any definite signs of malware in your log. Your symptoms are odd; they could be the result of an infection, but they could also be some problem with your Internet settings or connection.

First off, the memory question. Right now on my work computer (XP SP2, fully updated, 2 users but only one logged on), I show the following in Task Manager:

smss.exe -- 372K
winlogon.exe -- 568K

So I would say your memory usage is not out of line.

That detection you mentioned:

c:\system volume information\_restore{db38c71b-f098-4d25-b22e-e02b226cfaf3}\rp34\a0018812.dll#@#C845380C64F8DB0538EB4AF4689EC2F7
Identified as "Trojan.MIRC" in Spyware Detector


That's in your System Restore files; it cannot do any damage unless you do a System Restore.

Spyware Detector is somewhat questionable. At least one respected security company (A-squared) regards it as adware. You can read their writeup here.

I suggest you remove this program. It's a trial anyway, and you can get good antispyware that is permanently free, such as Spybot and SUPERAntiSpyware.

Are you sure that CSRSS.EXE-12B63473.pf file is in the Windows\System32 folder? That's a normal file, but it should be in your \Windows\Prefetch folder. Take a look in that folder and check to make sure there's a copy of the file there. If so, look at the properties (right-click, select Properties, and look at the date created and modified, and also the file size). Write that information down. Then go to the \Windows\System32 folder and look at the copy of the file there. Let me know if there are any discrepancies.

Should I reinstall?


Do you mean Firefox, or Windows? Firefox is worth a try, but if you are also having trouble with IE, that's not likely to fix this. Reinstalling Windows is a big job. If you can put up with the aggravation for a while, it might be less work to diagnose this.

Here's one suggestion to try that might help with your problem of not being able to reach sites or download:

Click Start, and then click Run.

Type or paste in regsvr32 urlmon.dll, and then click OK.

When you receive the "DllRegisterServer in urlmon.dll" succeeded message, click OK.

If this does not resolve the problem, repeat for:

regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll


You may get an error message on the Java. In fact you should, because you should be running the latest Sun Java rather than the old MSJava. I can't tell what version of Java you are running; your log does not show any signs. Let me know about this.

Looking forward to your reply.

Dave

#9 Commander Gman


Posted 14 August 2007 - 02:22 AM

CSRSS.EXE-12B63473.pf
is located in the Prefetch folder,
not in system32.
In the Prefetch folder:
Created: Wednesday, July 18, 2007, 6:43:03 PM
Modified: Sunday, August 12, 2007, 10:04:56 AM
Accessed: Today, August 14, 2007, 3:01:27 PM
Size: 35.0 KB (35,926 bytes)
Size on disk: 36.0 KB (36,864 bytes)

For Max Spyware Detector...
well, it's quite unusual to consider this program as malware.
It has served me very well during the past years, detecting rogue programs like SpyFalcon installed on my laptop, which explains the slow activity.
It also fixed my internet connection in the past, when it was disabled by malware, using its fix internet connection feature.

But for me it would be hard to believe this,
although I can't see any reason why a-squared considered it as malware.
I'll have to decide myself later on...

Internet went back to normal.
Google's and Mozilla's homepages work again.
Maybe my modem is open out for quite some time;
other people are using it, but I'd rather take out my DSL plug since I can't disable the whole thing.

Everything looks normal on the outside,
but any suggestions on scanning? At least run a few scans just to make sure?

Edited by Commander Gman, 14 August 2007 - 02:34 AM.



#10 DaveM59


Posted 14 August 2007 - 10:03 AM

Hi again Commander Gman,

I did not realize you had been using Max Spyware Detector for several years. Also, I had never heard of it before. That's why I did a Google search on it. The A-squared listing jumped out at me, because I know they are a respected company that does their own research. However, classifying a program as adware is always a judgment call. The judgment is whether the software company uses high pressure or deceptive tactics to persuade you to buy. Personally I think there are several "big names" who come very close to the line that separates ethical sales tactics from unethical ones. Claims like "100 percent guarantee" make me bristle. Having been trained in this area I know there is no such thing as a product that is 100 percent effective in detecting and removing malware.

After reading your post this morning, I did some more checking on Max Spyware Detector. To be specific, I went to this website:

Spyware Warrior

Since the owner of that website is an impartial judge, with no financial interest in promoting or attacking any product, I trust the ratings I see there. Your program is not listed as Rogue or questionable. Therefore, I withdraw my recommendation that you remove it, and I apologize for any worry that I may have caused you.

Please note, this is not an endorsement. I am not expressing an opinion on the effectiveness of the program compared with other antispywares. I am simply accepting Spyware Warrior's finding that it is not adware and does not use unethical methods of advertising.

Internet went back to normal


How did this happen? Did you do the regsvr32 commands I asked for? Or did it just happen "all by itself," as we say?

If you did not do anything to restore the connection, then I would say that you have a problem with your ISP. Next time the connection goes bad, you should call them and ask them to check it.

Maybe my modem is open out for quite some time


I do not understand what you are saying here. Do you think your DSL modem is faulty?

any suggestions on scanning?


Yes. Here are two. First, Combofix:

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Then Kaspersky. Note that you must use Internet Explorer for this online scan.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Post the Kaspersky report, the Combofix log, and a fresh HijackThis log to your next reply.

Edit: you did not tell me about your Java. Please include that information in your reply.

Dave

Edited by DaveM59, 14 August 2007 - 10:08 AM.


#11 Commander Gman


Posted 15 August 2007 - 12:18 AM

Well actually, I wasn't quite worried about a-squared's comments.
In fact, a-squared detects innocent programs like GameSpy (a popular add-on program found in most Microsoft games, which allows you to play on an online network), which is totally not malware and does not include any trojans, etc.
A-squared has to adjust its definitions.
Detecting innocent programs and mistakenly taking them as malware may be a risky situation for a-squared users.
Even rogue anti-malware products tend to give their software closely related names to confuse you.
This happened to me when I thought I had downloaded Pest Patrol, but it was rather Pest Trap that caught me.
Although Max Spyware Detector also uses "100% this and that... guarantees you ultimate protection",
it is highly suspicious looking only at the outside of the software, but inside is a rather more trustworthy piece of software despite the enticing description.

For the Internet...
Yes, it went back to normal all by itself.
But in some circumstances, my computer's internet connection is totally disabled by malware itself.
The internet usually goofs off for a day only, but if it exceeds that and continues to be in that state for more than 2-3 days, it could be possible that malware had disabled it.
I would rather disable my internet connection to avoid such a tragedy, or else set my Comodo Firewall to block all traffic when I'm posting or viewing online content.
Malware usually gets in fast. I can see symptoms of it on the other computers in my house that my family uses: undeletable tracking files, bugs, worms, etc.

I think my DSL cable is faulty.
If I hold the wire of my DSL (near the plug), it's sort of... sticky.
I may as well get a replacement for this.

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:17:30 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User1\Desktop\VGR\Tools\Hijack This 3000.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [BigDog303] "C:\WINDOWS\VM303_STI.EXE" VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

ComboFix 07-08-14.4 - "User1" 2007-08-15 12:32:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.571 [GMT 8:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Autorun.inf


((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))


2007-08-15 12:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-13 17:04 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-08-12 10:22 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\SoundSpectrum
2007-08-12 09:58 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-12 09:58 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-12 09:58 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-12 09:58 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-12 09:58 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-12 09:58 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-12 09:58 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-12 09:58 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-10 18:38 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-08-10 18:38 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-08-10 18:38 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-08-10 18:38 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-08-10 18:38 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-08-10 18:36 <DIR> d-------- C:\Program Files\Webroot
2007-08-10 18:36 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\Webroot
2007-08-10 18:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-08-09 15:33 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\U3
2007-08-09 14:23 <DIR> d-------- C:\Program Files\eMule
2007-08-09 14:07 <DIR> d-------- C:\Program Files\SoundSpectrum
2007-08-04 20:00 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\Microsoft Games
2007-08-04 19:53 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-08-04 19:10 <DIR> d-------- C:\Program Files\Buddy Spy
2007-08-04 19:05 26,000 --a------ C:\WINDOWS\system32\E3TL.DLL
2007-08-04 19:05 <DIR> d-------- C:\Program Files\Zenturi
2007-08-04 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zenturi
2007-08-01 21:55 67,024 --a------ C:\WINDOWS\system32\CloseAll.exe
2007-08-01 21:55 63 --a------ C:\WINDOWS\system\SysSD.dll
2007-08-01 21:55 270,336 --a------ C:\WINDOWS\system32\CheckDll.dll
2007-08-01 21:55 <DIR> d-------- C:\Program Files\SpywareDetector
2007-07-30 21:00 3,051,520 --------- C:\WINDOWS\UNMRW.exe
2007-07-30 20:59 8,704 --------- C:\WINDOWS\system32\drivers\InCDrec.sys
2007-07-30 20:59 32,640 --------- C:\WINDOWS\system32\drivers\InCDrm.sys
2007-07-30 20:59 3,051,520 --------- C:\WINDOWS\NuNinst.exe
2007-07-30 20:59 29,440 --------- C:\WINDOWS\system32\drivers\InCDpass.sys
2007-07-30 20:59 102,016 --------- C:\WINDOWS\system32\drivers\InCDfs.sys
2007-07-30 20:59 1,916,928 --------- C:\WINDOWS\UNNVEContent.exe
2007-07-30 20:59 <DIR> d-------- C:\WINDOWS\InCD
2007-07-30 20:58 2,977,792 --------- C:\WINDOWS\UNNMP.exe
2007-07-30 20:58 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-07-30 20:56 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-07-30 20:56 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-07-30 20:55 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2007-07-30 20:55 2,977,792 --------- C:\WINDOWS\UNNeroVision.exe
2007-07-30 20:54 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-07-30 20:54 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-07-30 20:54 38,912 --------- C:\WINDOWS\system32\picn20.dll
2007-07-30 20:54 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2007-07-30 20:54 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-07-30 20:54 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-07-30 20:54 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-07-30 20:54 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-07-30 20:54 <DIR> d-------- C:\Program Files\Ahead
2007-07-30 20:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-07-30 20:05 <DIR> d-------- C:\Program Files\AusLogics Disk Defrag
2007-07-30 18:56 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\CyberLink
2007-07-30 18:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CyberLink
2007-07-30 18:55 <DIR> d-------- C:\Program Files\CyberLink
2007-07-29 15:18 0 --a------ C:\WINDOWS\PowerReg.dat
2007-07-29 13:43 <DIR> d-------- C:\Program Files\CCleaner
2007-07-29 13:42 <DIR> d-------- C:\Program Files\Recuva
2007-07-29 09:15 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-29 08:26 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-29 08:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-29 08:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-29 08:07 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-07-28 22:54 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\uTorrent
2007-07-28 22:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-28 22:47 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\SUPERAntiSpyware.com
2007-07-28 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-28 22:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-28 09:06 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-28 09:06 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-24 18:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-07-24 18:49 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-22 21:07 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-21 19:41 <DIR> d-------- C:\Program Files\ExtractNow
2007-07-21 19:39 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-07-21 19:38 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-07-21 19:38 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-07-21 19:37 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-07-21 19:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-21 19:36 <DIR> d-------- C:\Program Files\DeskSlide
2007-07-20 18:00 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\SiteAdvisor
2007-07-20 18:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SiteAdvisor
2007-07-20 18:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-19 21:20 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 21:20 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\Apple Computer
2007-07-19 21:13 <DIR> d-------- C:\Program Files\QuickTime
2007-07-19 21:13 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-19 21:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-19 21:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-19 20:51 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-19 20:51 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\Talkback
2007-07-19 20:47 2,828 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-19 20:46 <DIR> d-------- C:\DOCUME~1\User1\APPLIC~1\Corel
2007-07-19 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-07-19 20:36 <DIR> d-------- C:\Program Files\Corel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-30 08:40 11376 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-20 19:08 2722 --a------ C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-20 19:05 8972 --a------ C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" [2005-10-25 12:56]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-07-19 20:22]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-08-03 20:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 06:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-08-07 18:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
C:\Program Files\SpywareDetector\SDNotify.dll 2007-07-23 12:38 176128 C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

R3 ZSMC303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys
S2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\21.tmp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2321cdbf-4647-11dc-8005-f776aa3eee09}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe FS6519.dll.vbs


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 12:34:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-15 12:35:20
C:\ComboFix-quarantined-files.txt ... 2007-08-15 12:35

--- E O F ---

Going to Kaspersky

Motherboard: MSI P35 Neo-F (Socket 775 LGA) Processor: Intel Core 2 Quad Q6600 @ 2.40 Ghz Kentsfield Chipset: Intel P35 Graphics Card: Nvidia Geforce GT 440 Memory: 2x 2GB DDR2 800 RAM Storage: 1x IDE 80GB, 1x SATA II 500 GB, 1x External 500GB HD Power Supply: 600W Power supply Monitor: Dual screen set-up Casing: Mini-ATX Fan(s): 1x 80mm silent fan OS: Windows XP SP3


#12 Commander Gman

Posted 15 August 2007 - 01:50 AM

The Kaspersky log is attached since I can't copy-paste it directly
or copy-paste the URL since it isn't http://www.
It is in a web page link, so open it with your web browser.
Thanks for the scanning suggestions :flowers:
Kaspersky and Webroot Spy Sweeper conflict, as it detects Spy Sweeper as a threat :thumbsup:

For Java....
I didn't do anything yet, didn't install it.
Can you give me the link to download the latest version?
Btw, I got an error message before when installing that the latest version isn't compatible with Firefox
(before), but I'm going to try again to see if it works


Edited by Commander Gman, 15 August 2007 - 01:54 AM.



#13 Commander Gman

Posted 15 August 2007 - 07:04 AM

Ohh silly me :flowers: I forgot to post a fresh new HJT log just after my Kaspersky scan :huh:

Logfile of HijackThis v1.99.1
Scan saved at 8:03:10 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User1\Desktop\VGR\Tools\Hijack This 3000.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [BigDog303] "C:\WINDOWS\VM303_STI.EXE" VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Looking forward to your reply :thumbsup:

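As an added example (not part of this thread, and not a HijackThis or BleepingComputer tool), here is a Python script that parses the O4 autostart and O23 service lines of a HijackThis 1.99 log like the one just posted and applies the sanity checks a helper otherwise does by eye: autostart images living outside the Windows and Program Files trees, services with no recognised vendor, and entries HijackThis marks as "(file missing)". The sample lines are copied from the log above, except the `[Example]` HKCU entry, which is constructed to exercise the location check; the `TRUSTED_ROOTS` list and the wording of the findings are the example's own assumptions. The "(file missing)" check is deliberately a prompt to verify rather than a verdict: HijackThis 1.99.1 commonly prints it for a quoted service path followed by arguments, which is exactly how the two avast! scanner lines look, and Dave's "It's clean" above agrees.

```python
"""Triage the O4 (autostart) and O23 (service) lines of a HijackThis 1.99 log.

Added example for this thread; not a HijackThis or BleepingComputer tool.
Sample lines come from the HJT log posted above, except the [Example] entry,
which is CONSTRUCTED to exercise the location check.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

FILE_MISSING = "(file missing)"

# O4 - HKLM\..\Run: [Name] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 - Global Startup: Name.lnk = <command line>
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
# O23 - Service: <display name> - <owner> - <image path [args]>
SERVICE_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# A double-quoted image path, or an unquoted one that ends in a known extension
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.(?:exe|dll|lnk|scr))(?:\s|$)', re.IGNORECASE)

# Assumption of this example: autostarts rooted elsewhere deserve a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Lines copied from the posted log; the [Example] line is CONSTRUCTED.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Example] C:\Documents and Settings\User1\Application Data\example.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe
"""


@dataclass
class Entry:
    kind: str          # "run", "startup" or "service"
    name: str
    source: str        # registry hive, "Global Startup", or the service owner
    image: str         # executable path as best it can be recovered
    file_missing: bool


def image_path(cmd: str) -> str:
    """Best-effort extraction of the executable from an HJT command string."""
    cmd = cmd.replace(FILE_MISSING, "").strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    # HJT 1.99.1 leaves an unbalanced quote after the path when the service
    # command line carried arguments; keep what precedes it.
    return cmd.split('"', 1)[0].strip()


def parse_hjt(text: str) -> List[Entry]:
    """Return the O4/O23 entries found in an HJT log; other lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["hive"], image_path(m["cmd"]), FILE_MISSING in line))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m["name"], "Global Startup", image_path(m["cmd"]), FILE_MISSING in line))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("service", m["name"], m["owner"], image_path(m["path"]), FILE_MISSING in line))
    return entries


def review(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Apply the by-eye checks a helper runs on an HJT log; returns (name, reason)."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.file_missing:
            findings.append((e.name, f"HJT reports '(file missing)' for {e.image}; confirm on disk, "
                                     "HJT 1.99.1 also says this for a quoted path followed by arguments"))
        if e.kind == "service" and e.source == "Unknown owner":
            findings.append((e.name, "service binary has no recognised vendor; check its publisher and signature"))
        if not e.image.lower().startswith(TRUSTED_ROOTS):
            findings.append((e.name, f"autostart image lives outside Windows/Program Files: {e.image}"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_hjt(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

Run against the sample it reports the two avast! "(file missing)" and "Unknown owner" conditions, the unknown-owner Zenturi service, and the constructed user-profile autostart; everything else in the posted log passes, matching the "clean" verdict in the thread.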


#14 DaveM59

Posted 15 August 2007 - 07:07 AM

Hi again,

Thanks for your observations about A-squared. I have very little experience with it, but it is part of the "battery" of tools used by Virustotal and Jotti for scanning suspicious files. So I think it is legitimate if a bit "touchy."

It sounds like you have a problem with either your physical wiring or your ICS, or maybe both. There's nothing in these logs to indicate that malware is involved.

Basically, you're clean.

I did notice UTorrent in your combofix log, so here's the canned speech about that:

I see that you are running one or more Peer-to-Peer file sharing programs. These things are dangerous, even if they do not install spyware themselves. The first rule of safe internet use is, Never download a file unless you know and trust the source. By their very design these programs put files on your computer from unknown sources. They are a prime means of spreading viruses and other malware.

Consider whether the use of these programs is worth the risk. Please read this article for more information.

Okay, that's Grandpa's warning for today.

One little thing you missed, I asked you to save the Kaspersky log as a text file rather than the default HTML. It's better to have all logfiles showing in the body of a post, makes it easier for others who may read this to follow what is going on and examine the logs. However, here's my summary:

Kaspersky found two items, one is in your System Restore, which we will flush as part of the final cleanup. The other is a file on your desktop, zapu2.145.exe which looks to be an installation file. Kaspersky deems that it is adware. Delete it if you agree. Please let me know what it is. I did a quick Google but didn't turn up anything.

Instructions for installing Java:

You need to update your Java. Earlier versions have serious security vulnerabilities. Click Start, Control Panel, then double click Add/Remove Programs. When the list is populated look for any and all entries with the little Java icon (a coffee cup). Many will begin with J2SE or JRE. Remove them all, one by one. Then open your browser and go to this web page to get the latest version. Scroll down to the middle of the page where you will find Java Runtime Environment (JRE) 6u2. Click Download which will take you to the secure download page. At the top, select the Accept License Agreement button. Then look to the first block for the J2SE downloads for the Windows Platform. Choose the Offline version; it's a bigger download but seems to cause less trouble.

Download the file to your desktop, close your browser and any other programs you have running. Double click the file icon to begin installation. Follow the prompts.

After installation, open your browser and go to this page to verify that it is working:

http://www.java.com/en/download/installed.jsp

Not much left except final cleanup. You should delete any specialized tools I asked you to download. Standard antispyware scanners you may keep and use for occasional scans as you see fit, but tools like Gmer, combofix, smitfraudfix et al. are updated very frequently, and if God forbid you ever need them again, you will need to re-download them anyway.

The next step is to delete all temp files,

Get ATF Cleaner here. It does not require installation, just download it to your desktop.
Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.


Now you need to Flush your System Restore files and set a clean restore point. To do this, you must first disable System Restore, then reboot your computer, and finally, turn System Restore back on...For the details, I refer you to this tutorial:

http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/


Then, please read and implement the recommendations found here.

http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

There are more tips found here:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

Any questions or concerns, just ask.

Dave

EDIT: Just spotted your HJT log after posting this. It's clean. However, I suggest you only run one real-time spyware scanning program. It looks like you are running two or more right now. (Spy Sweeper and Spyware Detector) They can interfere with each other and degrade system performance, so please decide which one you want to run and disable the others. Just use them for occasional system scans.

Edited by DaveM59, 15 August 2007 - 07:13 AM.


#15 Commander Gman

Posted 15 August 2007 - 06:58 PM

ATF Cleaner did the same thing again to me :thumbsup:
It made the background in BleepingComputer turn white :flowers:
All I can see is plain text with the buttons on it

Java is already installed
System Restore point done
ATF Cleaner done (fixing the problem)

For Zapu
It's some upload accelerator program that's rumored to work,
but I didn't install it.
Most people would consider this as Malware because of the accelerator program itself,
but I didn't; instead, I considered it loaded with Malware since it came with a toolbar that tracks down activity.
If there was a choice not to install the toolbar, then I would already have installed it excluding the toolbar.
So out of confusion, I left it there on my desktop....not knowing what I should do about it :huh:

I'll explain uTorrent and P2P later on as I'm fixing what ATF Cleaner had done to me :huh:





