Unwanted strange MSConfig entries?

I've noticed some strange entries in my MS Config list that haven't been there before and I don't know where they came from, nor how to get them to stop coming back.

Startup Item    Command            Location
LuResult        \LuResult.txt      Common Startup
MP3Lib          \MP3Lib.zor        Common Startup
ntuser          \ntuser.bak        Common Startup
ntuser          \ntuser.dat        Common Startup
ntuser.dat      \ntuser.dat.LOG    Common Startup
ntuser          \ntuser.ini        Common Startup
ntuser.tmp      \ntuser.tmp.LOG    Common Startup

Could someone enlighten me as to where these entries are coming from, how do I get them to stop regenerating, etc.?

I've updated definitions and did full scans with AVG Free, SUPERAntiSpyware Free Edition, Adaware 2007, A Squared Free, and Spybot S&D, and none of those have given me any insight as to what's causing this.  I haven't added any new software, hardware, etc., and I just noticed these entries today.

I have also made sure that all MS updates are installed.  I'd sure appreciate any and all helpful input as to how to get rid of this annoyance.

HP Pavilion a1412n
Win XP SP2
820 Intel Viiv Pentium D
512MB RAM
200GB HD
NVIDIA GeForce 6200SE
DVD+/-RW

Most are legitimate, related to your user profile. ntuser

LuResult.txt - Do you have Norton?

MP3Lib.zor - Do you download torrents?

evilfantasy, thanks for the reply.  The ntuser entries have NEVER been in my MSConfig before--why now?

No Norton products installed--and haven't been since the pc was new about 3-4 yrs. ago--removed it immediately at that time.

Don't download torrents--don't even know what those are.

Not sure on the ntuser entries. Have you created a new profile recently? Might even be something included in an update from MS (they have been known to do unexplainable things in updates).

Post a Hijackthis log real quick. We can easily rule in or out malware that way.

Click HERE

Once it is installed click Do a system scan and save a logfile

Post the log here. It may take a few different posts to get it all in but that is OK.

Logfile of HijackThis v1.99.1
Scan saved at 7:30:27 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-MAIL Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I don't think it is anything malware related. You can have HJT fix this one entry.

O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)

MSconfig is meant to be a diagnostics tool. Read this to better understand why not to use MSconfig as a Startup Manager: Dealing with Startup Processes

I suggest booting into Normal Startup mode and using a startup manager from the above link or a favorite of mine like StartUp Lite

I will look around some more on the entries and be back in a bit. The one entry that I asked about torrents is the only one to worry about (I think). Be back after I try to dig up some information.

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

That's likely where the LuResult.txt entry is coming from. Live Update Result.txt

--

Have you had Zone Alarm installed? I think the .zor is from ZA's Mail Safe

.zor file extension
ZoneAlarm Mailsafe
http://www.file-extensions.org/zor-file-extension

evilfantasy, I fixed the BHO that u suggested, then downloaded/installed StartUp Lite--no unnecessary startups found.

Forgot to answer your question about creating a user profile.  If u mean, have I created a new user account, I have not.

The Symantec Antivirus scanner entry in HiJack This is from an online scan that I did months ago.  Zone Alarm has never been on this pc.  I use Windows firewall and it is on.

While browsing thru HiJack This, I found that I have indeed installed new software and that was PalTalk yesterday.  Today is when I found all the weird entries in MSConfig that I've never had before.  Could that be a clue to something?  Yahoo Messenger was acting really stupid yesterday when I was chatting with my cousin--never could get voice chat to work so I thought I'd try a new chat program.  I installed PalTalk, but didn't go any further with it.

Hope some of this info might shed some light.  Thanks.

I'm at a loss. I also missed an entry to fix.
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)

We can do a more thorough scan and see if it turns up anything. This one will show me more startup entries. You will probably need to use two posts on this one, one for each log.

Download Deckard's System Scanner (DSS) from here or here to your Desktop.
Note: You must be logged onto an account with administrator privileges.

  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • Add the contents of main.txt in your post.
  • Also add extra.txt to your post.
  • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

What DSS will do:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
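
Added example, not part of the original thread and not HijackThis's own code: a short Python triage script for the two "(no file)" entries (O2 and R3) fixed in the posts above. It parses HijackThis log lines, flags entries whose target is "(no file)" or "(file missing)", and groups them by CLSID so an orphaned registration listed under more than one section is not overlooked. The sample lines are copied from the log posted earlier; the function names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
"""

# "R3 - ...", "O2 - ...", "O23 - ...": section code, separator, entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry-style CLSID in braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis marks a registration whose target is gone with one of these suffixes.
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")


def parse_entries(log_text):
    """Turn HijackThis entry lines into dicts; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        orphan = ORPHAN_RE.search(body)
        entries.append({
            "section": match.group("section"),
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphan": orphan.group(1) if orphan else None,
            "line": line,
        })
    return entries


def orphaned_entries(entries):
    """Entries that point at a file HijackThis could not find."""
    return [e for e in entries if e["orphan"]]


def orphaned_clsids_by_section(entries):
    """Map each orphaned CLSID to every section that still references it."""
    grouped = defaultdict(list)
    for entry in orphaned_entries(entries):
        if entry["clsid"]:
            grouped[entry["clsid"]].append(entry["section"])
    return dict(grouped)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for entry in orphaned_entries(parsed):
        print(f"[{entry['orphan']}] {entry['line']}")
    for clsid, sections in orphaned_clsids_by_section(parsed).items():
        if len(sections) > 1:
            print(f"{clsid} is orphaned in sections: {', '.join(sections)}")
```
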
    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
    Description: Agere Systems PCI Soft Modem
    Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\4&1AF1648C&0&20F0
    Manufacturer: Agere
    Name: Agere Systems PCI Soft Modem
    PNP Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\4&1AF1648C&0&20F0
    Service: Modem


    -- Scheduled Tasks -------------------------------------------------------------

    2008-03-31 15:28:45       330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2008-03-31 15:15:51       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2008-02-29 and 2008-03-31 -----------------------------

    2008-03-31 12:43:57         0 d-------- C:\Program Files\IObit
    2008-03-31 11:21:52         0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
    2008-03-30 12:34:15         0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent
    2008-03-30 11:39:28         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Paltalk
    2008-03-30 11:39:24         0 d-------- C:\WINDOWS\PaltalkScene
    2008-03-30 11:39:24         0 d-------- C:\Program Files\Paltalk Messenger
    2008-03-26 13:17:45         0 d-------- C:\WINDOWS\system32\Adobe
    2008-03-21 11:11:13         0 dr------- C:\Documents and Settings\NetworkService\Favorites
    2008-03-21 11:09:22         0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
    2008-03-01 19:18:06         0 d-------- C:\Program Files\RocketDock


    -- Find3M Report ---------------------------------------------------------------

    2008-03-31 12:23:35     26414 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
    2008-03-31 11:21:52      7179 --a------ C:\WINDOWS\mozver.dat
    2008-03-31 11:15:32         0 d-------- C:\Program Files\SpywareBlaster
    2008-03-31 10:20:01         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7
    2008-03-26 13:17:45         0 d-------- C:\Program Files\Common Files\Adobe
    2008-03-24 18:49:41         0 d-------- C:\Program Files\Freecorder
    2008-03-24 18:49:29    737280 --a------ C:\WINDOWS\iun6002.exe
    2008-03-24 18:40:14         0 d-------- C:\Program Files\Freecorder Toolbar
    2008-03-24 16:59:26         0 d-------- C:\Program Files\Java
    2008-03-24 15:44:27         0 d-------- C:\Program Files\The GodFather
    2008-03-21 13:30:41         0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-03-21 13:24:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-21 11:58:15         0 d-------- C:\Program Files\a-squared Free
    2008-03-16 10:59:59         0 d-------- C:\Program Files\Microsoft Works
    2008-03-09 12:25:07         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinMX Music
    2008-02-26 17:16:26     21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
    2008-02-26 17:16:26     17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
    2008-02-26 17:16:26     12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
    2008-02-26 15:56:35         0 d-------- C:\Program Files\VibrateGameDeviceDriver
    2008-02-26 14:53:55         0 d-------- C:\Program Files\Pure Networks
    2008-02-26 14:52:58         0 d-------- C:\Program Files\Common Files
    2008-02-26 14:52:58         0 d-------- C:\Program Files\Common Files\Pure Networks Shared
    2008-02-24 14:16:12         0 d-------- C:\Program Files\Google
    2008-02-21 17:30:55         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent
    2008-02-21 17:25:12         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\XnView
    2008-02-21 13:48:48         0 d-------- C:\Program Files\Diskeeper Corporation
    2008-02-14 21:15:45         0 d-------- C:\Program Files\mp3Trim
    2008-02-12 14:09:11         0 d-------- C:\Program Files\Yahoo!
    2008-02-12 14:09:05         0 d-------- C:\Program Files\Common Files\SureThing Shared
    2008-02-10 21:45:38      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-02-07 17:27:12         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\TeraCopy
    2008-02-07 16:53:18         0 d-------- C:\Program Files\Microsoft Money 95
    2008-02-07 16:48:29         0 d-------- C:\Program Files\SYSTEM
    2008-02-05 17:26:34         0 d-------- C:\Program Files\XnView
    2008-02-05 14:00:45         0 d-------- C:\Program Files\Web Publish
    2008-02-04 16:30:13         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Auslogics
    2008-02-04 16:30:10         0 d-------- C:\Program Files\AusLogics Disk Defrag
    2008-02-04 16:04:43      2045 --a------ C:\run.bat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 01:14 AM]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10/05/2006 10:11 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/14/2008 10:57 AM]
    "nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [01/08/2008 06:20 PM]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [09/27/2005 02:34 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    ="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
    "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LightScribeService"=3 (0x3)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480




    -- End of Deckard's System Scanner: finished at 2008-03-31 20:32:39 ------------

    -- Application Event Log -------------------------------------------------------

    Event Record #/Type8076 / Error
    Event Submitted/Written: 03/31/2008 03:26:10 PM
    Event ID/Source: 1802 / SecurityCenter
    Event Description:
    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

    Event Record #/Type8070 / Error
    Event Submitted/Written: 03/31/2008 09:54:33 AM
    Event ID/Source: 1802 / SecurityCenter
    Event Description:
    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

    Event Record #/Type8064 / Error
    Event Submitted/Written: 03/31/2008 09:43:18 AM
    Event ID/Source: 1802 / SecurityCenter
    Event Description:
    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

    Event Record #/Type8057 / Error
    Event Submitted/Written: 03/30/2008 09:27:38 AM
    Event ID/Source: 1802 / SecurityCenter
    Event Description:
    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

    Event Record #/Type8051 / Error
    Event Submitted/Written: 03/29/2008 06:20:58 PM
    Event ID/Source: 1802 / SecurityCenter
    Event Description:
    The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type27145 / Warning
    Event Submitted/Written: 03/31/2008 08:32:23 PM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

    For more information please see the following:
    %YOUR-4DACD0EA75275

       Scan ID: {845FC4C4-BA02-4C88-8015-5EE9E3F90DA4}

       User: YOUR-4DACD0EA75\HP_Administrator

       Name: %YOUR-4DACD0EA75271

       ID: %YOUR-4DACD0EA75272

       Severity: 1.1.1592.05

       Category: 1.1.1592.06

       Path Found: %YOUR-4DACD0EA75276

       Alert Type: %YOUR-4DACD0EA75278

       Detection Type: 1.1.1592.02

    Event Record #/Type27144 / Warning
    Event Submitted/Written: 03/31/2008 08:32:23 PM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

    For more information please see the following:
    %YOUR-4DACD0EA75275

       Scan ID: {7F6377B1-6235-41EE-8963-C8F60B301E9B}

       User: YOUR-4DACD0EA75\HP_Administrator

       Name: %YOUR-4DACD0EA75271

       ID: %YOUR-4DACD0EA75272

       Severity: 1.1.1592.05

       Category: 1.1.1592.06

       Path Found: %YOUR-4DACD0EA75276

       Alert Type: %YOUR-4DACD0EA75278

       Detection Type: 1.1.1592.02

    Event Record #/Type27143 / Warning
    Event Submitted/Written: 03/31/2008 08:32:23 PM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

    For more information please see the following:
    %YOUR-4DACD0EA75275

       Scan ID: {96DDF3F4-7B44-41B3-9157-84915C72661A}

       User: YOUR-4DACD0EA75\HP_Administrator

       Name: %YOUR-4DACD0EA75271

       ID: %YOUR-4DACD0EA75272

       Severity: 1.1.1592.05

       Category: 1.1.1592.06

       Path Found: %YOUR-4DACD0EA75276

       Alert Type: %YOUR-4DACD0EA75278

       Detection Type: 1.1.1592.02

    Event Record #/Type27142 / Warning
    Event Submitted/Written: 03/31/2008 08:32:23 PM
    Event ID/Source: 3004 / WinDefend
    Event Description:
    %YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.

    For more information please see the following:
    %YOUR-4DACD0EA75275

       Scan ID: {BF51EE34-5010-41C1-AE38-A04F36FE5313}

       User: YOUR-4DACD0EA75\HP_Administrator

       Name: %YOUR-4DACD0EA75271

       ID: %YOUR-4DACD0EA75272

       Severity: 1.1.1592.05

       Category: 1.1.1592.06

       Path Found: %YOUR-4DACD0EA75276

       Alert Type: %YOUR-4DACD0EA75278

       Detection Type: 1.1.1592.02

    Event Record #/Type27141 / Warning
    Event Submitted/Written: 03/31/2008 05:17:11 PM
    Event ID/Source: 4226 / Tcpip
    Event Description:
    TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



    -- End of Deckard's System Scanner: finished at 2008-03-31 20:32:39 ------------

    That's not all of the logs. There should have been another hijackthis log along with other information.

    Are you the only one who uses this PC?

    2008-02-21 17:30:55 C:\Documents and Settings\HP_Administrator\Application Data\uTorrent << I asked about torrents....

    2008-02-10 21:45:38 C:\WINDOWS\system32\zllictbl.dat << Zone Alarm data file

    I don't think you have anything to worry about.

    Do this.

    Create a Startup List

    1. Open HijackThis and select Open the Misc Tools section
    2. Click on the button which says Generate StartupList log
    3. Click Yes when prompted and a notepad document will open.
    4. Save the log to the desktop and attach it in the next post.

    Forgot that my son DID use this pc a month or so ago when he was home.

    After running dss.exe, the only logs I got were main.txt and extra.txt, and I did see it running HJT during the scan, but no log was generated for it that I can find.

    StartupList report, 3/31/2008, 9:00:47 PM
    StartupList version: 1.52.2
    Started from : C:\Hijack This\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.6000.16608)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\notepad.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hijack This\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    []
    AUTOEXEC.BAT
    boot.ini
    cmldr
    CONFIG.001
    CONFIG.SYS
    DEFRAG.bat
    devicetable.log
    hpWebHelper.log
    index.ini
    IO.SYS
    ipconfig.txt
    LOG1.log
    MSDOS.SYS
    NTDETECT.COM
    ntldr
    pagefile.sys
    run.bat
    setup_all.exe
    SSPPPoE.log
    YServer.txt

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
    Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    nmctxth = "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
     =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    AppleSoftwareUpdate.job
    MP Scheduled Scan.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [CKAVWebScan Object]
    InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
    CODEBASE = http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

    [Malicious Software Removal Tool]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll
    CODEBASE = http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab

    [Windows Live Safety Center Base Module]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
    CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937

    [Symantec RuFSI Utility Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578

    [{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    CODEBASE = http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    [McFreeScan Class]
    CODEBASE = http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    End of report, 6,839 bytes
    Report generated in 0.047 seconds

    Command line options:
       /verbose  - to add additional info on each section
       /complete - to include empty sections and unsuspicious data
       /full     - to include several rarely-important sections
       /force9x  - to include Win9x-only startups even if running on WinNT
       /forcent  - to include WinNT-only startups even if running on Win9x
       /forceall - to include all Win9x and WinNT startups, regardless of platform
       /history  - to list version history only

    Everything looks normal. You might go to C:\WINDOWS\Downloaded Program Files and look for old folders that might not have been removed when a program was uninstalled and delete any you find.

    For investigating startups go HERE and search them out.

    I'm at a loss now what to do next for sure.

    Thanks for your time and help evilfantasy.  We gave it our best shot and I learned a few things in the process.

    I'll keep checking this post to see if anyone comes up with any other ideas.

    I will ck. the Downloaded Program Files and read about investigating startups.

    Thanks again.

