Unwanted strange MSConfig entries?

<html><body><p>I've noticed some strange entries in my MSConfig list that haven't been there before, and I don't know where they came from, nor how to get them to stop coming back.</p><table><tr><th>Startup Item</th><th>Command</th><th>Location</th></tr><tr><td>LuResult</td><td>\LuResult.txt</td><td>Common Startup</td></tr><tr><td>MP3Lib</td><td>\MP3Lib.zor</td><td>Common Startup</td></tr><tr><td>ntuser</td><td>\ntuser.bak</td><td>Common Startup</td></tr><tr><td>ntuser</td><td>\ntuser.dat</td><td>Common Startup</td></tr><tr><td>ntuser.dat</td><td>\ntuser.dat.LOG</td><td>Common Startup</td></tr><tr><td>ntuser</td><td>\ntuser.ini</td><td>Common Startup</td></tr><tr><td>ntuser.tmp</td><td>\ntuser.tmp.LOG</td><td>Common Startup</td></tr></table><p>Could someone enlighten me as to where these entries are coming from, how to get them to stop regenerating, etc.?<br/><br/>I've updated definitions and done full scans with AVG Free, SUPERAntiSpyware Free Edition, Ad-Aware 2007, a-squared Free, and Spybot S&amp;D, and none of those have given me any insight as to what's causing this. I haven't added any new software, hardware, etc., and I just noticed these entries today.<br/><br/>I have also made sure that all MS updates are installed.
I'd sure appreciate any and all helpful input as to how to get rid of this annoyance.<br/><br/>HP Pavilion a1412n<br/>Win XP SP2<br/>820 Intel Viiv Pentium D<br/>512MB RAM<br/>200GB HD<br/>NVIDIA GeForce 6200SE<br/>DVD+/-RW<br/><br/>Most are legitimate, related to your user profile (ntuser).<br/><br/>LuResult.txt - Do you have Norton?<br/><br/>MP3Lib.zor - Do you download torrents?<br/><br/>evilfantasy, thanks for the reply. The ntuser entries have NEVER been in my MSConfig before--why now?<br/><br/>No Norton products installed--and haven't been since the PC was new about 3-4 yrs. ago--removed it immediately at that time.<br/><br/>Don't download torrents--don't even know what those are.<br/><br/>Not sure on the ntuser entries. Have you created a new profile recently? Might even be something included in an update from MS (they have been known to do unexplainable things in updates).<br/><br/>Post a HijackThis log real quick. We can easily rule in or out malware that way.<br/><br/>Click <a href="http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe">HERE</a><br/><br/>Once it is installed click <strong>Do a system scan and save a logfile</strong><br/><br/>Post the log here. 
It may take a few different posts to get it all in but that is OK.<br/><br/>Logfile of HijackThis v1.99.1<br/>Scan saved at 7:30:27 PM, on 3/31/2008<br/>Platform: Windows XP SP2 (WinNT 5.01.2600)<br/>MSIE: Internet Explorer v7.00 (7.00.6000.16608)<br/><br/>Running processes:<br/>C:\WINDOWS\System32\smss.exe<br/>C:\WINDOWS\system32\winlogon.exe<br/>C:\WINDOWS\system32\services.exe<br/>C:\WINDOWS\system32\lsass.exe<br/>C:\WINDOWS\system32\svchost.exe<br/>C:\Program Files\Windows Defender\MsMpEng.exe<br/>C:\WINDOWS\System32\svchost.exe<br/>C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe<br/>C:\WINDOWS\Explorer.EXE<br/>C:\WINDOWS\system32\spoolsv.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgemc.exe<br/>C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe<br/>C:\Program Files\Windows Defender\MSASCui.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgcc.exe<br/>C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe<br/>C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe<br/>C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE<br/>C:\WINDOWS\system32\nvsvc32.exe<br/>C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe<br/>C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe<br/>C:\Program Files\Mozilla Firefox\firefox.exe<br/>C:\WINDOWS\system32\ntvdm.exe<br/>C:\WINDOWS\system32\NOTEPAD.EXE<br/>C:\Hijack This\HijackThis.exe<br/><br/>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = <br/>R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)<br/>O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll<br/>O2 - BHO: (no name) - 
{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)<br/>O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll<br/>O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll<br/>O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE<br/>O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide<br/>O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP<br/>O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"<br/>O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto<br/>O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll<br/>O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll<br/>O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe<br/>O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - <a href="http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab">http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab</a><br/>O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - <a href="https://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab">http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab</a><br/>O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - <a href="http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab">http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab</a><br/>O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - <a 
href="http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937">http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937</a><br/>O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - <a href="https://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab">http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab</a><br/>O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - <a href="http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578">http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578</a><br/>O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - <a href="http://acs.pandasoftware.com/activescan/as5free/asinst.cab">http://acs.pandasoftware.com/activescan/as5free/asinst.cab</a><br/>O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - <a href="https://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab">http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab</a><br/>O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp3.dll<br/>O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll<br/>O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll<br/>O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll<br/>O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe<br/>O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe<br/>O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe<br/>O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe<br/>O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe<br/>O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe<br/>O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe<br/>O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe<br/>O23 - Service: InstallDriver Table Manager (IDriverT) - Intel Corporation - (no file)<br/>O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)<br/>O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe<br/>O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe<br/><br/>I don't think it is anything malware related. You can have HJT fix this one entry.<br/><br/>O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)<br/><br/>MSConfig is meant to be a diagnostics tool. 
Read this to better understand why <strong>not</strong> to use MSConfig as a startup manager: <a href="http://forums.majorgeeks.com/showthread.php?t=149804">Dealing with Startup Processes</a><br/><br/>I suggest booting into Normal Startup mode and using a startup manager from the above link or a favorite of mine like <a href="https://www.malwarebytes.org/startuplite.php">StartUp Lite</a><br/><br/>I will look around some more on the entries and be back in a bit. The one entry that I asked about torrents is the only one to worry about (I think). Be back after I try to dig up some information.<br/><br/>O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (<strong>Symantec AntiVirus scanner</strong>) - <a href="https://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab">http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab</a><br/><br/>That's likely where the LuResult.txt entry is coming from. Live Update Result.txt<br/><br/>--<br/><br/>Have you had Zone Alarm installed? I think the .zor is from ZA's Mail Safe<br/><br/>.zor file extension<br/>ZoneAlarm Mailsafe<br/><a href="http://www.file-extensions.org/zor-file-extension">http://www.file-extensions.org/zor-file-extension</a><br/><br/>evilfantasy, I fixed the BHO that you suggested, then downloaded/installed StartUp Lite--no unnecessary startups found.<br/><br/>Forgot to answer your question about creating a user profile. If you mean, have I created a new user account, I have not.<br/><br/>The Symantec AntiVirus scanner entry in HijackThis is from an online scan that I did months ago. Zone Alarm has never been on this PC. I use Windows Firewall and it is on.<br/><br/>While browsing through HijackThis, I found that I have indeed installed new software and that was PalTalk yesterday. Today is when I found all the weird entries in MSConfig that I've never had before. Could that be a clue to something? 
Yahoo Messenger was acting really stupid yesterday when I was chatting with my cousin--never could get voice chat to work so I thought I'd try a new chat program. I installed PalTalk, but didn't go any further with it.<br/><br/>Hope some of this info might shed some light. Thanks.<br/><br/>I'm at a loss. I also missed an entry to fix.<br/>R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)<br/><br/>We can do a more thorough scan and see if it turns up anything. This one will show me more startup entries. You will probably need to use two posts on this one, one for each log.<br/><br/>Download <strong>Deckard's System Scanner (DSS)</strong> from <strong><a href="http://www.techsupportforum.com/sectools/Deckard/dss.exe">here</a></strong> or <strong><a href="http://deckard.geekstogo.com/dss.exe">here</a></strong> to your Desktop.<br/><strong>Note:</strong> You must be logged onto an account with administrator privileges.</p><ul><li><strong>Close</strong> all applications and windows.</li><li><strong>Double-click</strong> on <strong>dss.exe</strong> to run it, and follow the prompts.</li><li>When the scan is complete, two text files will open:<ul><li><strong>main.txt</strong> &lt;- this one will be maximized</li><li><strong>extra.txt</strong> &lt;- this one will be minimized</li></ul></li><li>Add the contents of <strong>main.txt</strong> in your post.</li><li>Also <strong>add extra.txt</strong> to your post.</li></ul><ul><li>The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. 
Please ensure all text is posted.</li></ul><strong>What DSS will do:</strong><ul><li>Create a new System Restore point in Windows XP and Vista.</li><li>Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.</li><li>Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.</li></ul><br/>-- Device Manager: Disabled ----------------------------------------------------<br/><br/>Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}<br/>Description: Agere Systems PCI Soft Modem<br/>Device ID: PCI\VEN_11C1&amp;DEV_048C&amp;SUBSYS_044C11C1&amp;REV_03\4&amp;1AF1648C&amp;0&amp;20F0<br/>Manufacturer: Agere<br/>Name: Agere Systems PCI Soft Modem<br/>PNP Device ID: PCI\VEN_11C1&amp;DEV_048C&amp;SUBSYS_044C11C1&amp;REV_03\4&amp;1AF1648C&amp;0&amp;20F0<br/>Service: Modem<br/><br/><br/>-- Scheduled Tasks -------------------------------------------------------------<br/><br/>2008-03-31 15:28:45       330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<br/>2008-03-31 15:15:51       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<br/><br/><br/>-- Files created between 2008-02-29 and 2008-03-31 -----------------------------<br/><br/>2008-03-31 12:43:57         0 d-------- C:\Program Files\IObit<br/>2008-03-31 11:21:52         0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com<br/>2008-03-30 12:34:15         0 dr-h----- C:\Documents and Settings\HP_Administrator\Recent<br/>2008-03-30 11:39:28         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Paltalk<br/>2008-03-30 11:39:24         0 d-------- C:\WINDOWS\PaltalkScene<br/>2008-03-30 11:39:24         0 d-------- C:\Program Files\Paltalk Messenger<br/>2008-03-26 13:17:45         0 d-------- C:\WINDOWS\system32\Adobe<br/>2008-03-21 11:11:13  
       0 dr------- C:\Documents and Settings\NetworkService\Favorites<br/>2008-03-21 11:09:22         0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla<br/>2008-03-01 19:18:06         0 d-------- C:\Program Files\RocketDock<br/><br/><br/>-- Find3M Report ---------------------------------------------------------------<br/><br/>2008-03-31 12:23:35     26414 --a------ C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat<br/>2008-03-31 11:21:52      7179 --a------ C:\WINDOWS\mozver.dat<br/>2008-03-31 11:15:32         0 d-------- C:\Program Files\SpywareBlaster<br/>2008-03-31 10:20:01         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\AVG7<br/>2008-03-26 13:17:45         0 d-------- C:\Program Files\Common Files\Adobe<br/>2008-03-24 18:49:41         0 d-------- C:\Program Files\Freecorder<br/>2008-03-24 18:49:29    737280 --a------ C:\WINDOWS\iun6002.exe <br/>2008-03-24 18:40:14         0 d-------- C:\Program Files\Freecorder Toolbar<br/>2008-03-24 16:59:26         0 d-------- C:\Program Files\Java<br/>2008-03-24 15:44:27         0 d-------- C:\Program Files\The GodFather<br/>2008-03-21 13:30:41         0 d-------- C:\Program Files\SUPERAntiSpyware<br/>2008-03-21 13:24:46         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<br/>2008-03-21 11:58:15         0 d-------- C:\Program Files\a-squared Free<br/>2008-03-16 10:59:59         0 d-------- C:\Program Files\Microsoft Works<br/>2008-03-09 12:25:07         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\WinMX Music<br/>2008-02-26 17:16:26     21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll<br/>2008-02-26 17:16:26     17212 --a-----t C:\WINDOWS\system32\SIntf32.dll<br/>2008-02-26 17:16:26     12067 --a-----t C:\WINDOWS\system32\SIntf16.dll<br/>2008-02-26 15:56:35         0 d-------- C:\Program Files\VibrateGameDeviceDriver<br/>2008-02-26 14:53:55         0 d-------- C:\Program Files\Pure 
Networks<br/>2008-02-26 14:52:58         0 d-------- C:\Program Files\Common Files<br/>2008-02-26 14:52:58         0 d-------- C:\Program Files\Common Files\Pure Networks Shared<br/>2008-02-24 14:16:12         0 d-------- C:\Program Files\Google<br/>2008-02-21 17:30:55         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\uTorrent<br/>2008-02-21 17:25:12         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\XnView<br/>2008-02-21 13:48:48         0 d-------- C:\Program Files\Diskeeper Corporation<br/>2008-02-14 21:15:45         0 d-------- C:\Program Files\mp3Trim<br/>2008-02-12 14:09:11         0 d-------- C:\Program Files\Yahoo!<br/>2008-02-12 14:09:05         0 d-------- C:\Program Files\Common Files\SureThing Shared<br/>2008-02-10 21:45:38      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat<br/>2008-02-07 17:27:12         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\TeraCopy<br/>2008-02-07 16:53:18         0 d-------- C:\Program Files\Microsoft Money 95<br/>2008-02-07 16:48:29         0 d-------- C:\Program Files\SYSTEM<br/>2008-02-05 17:26:34         0 d-------- C:\Program Files\XnView<br/>2008-02-05 14:00:45         0 d-------- C:\Program Files\Web Publish<br/>2008-02-04 16:30:13         0 d-------- C:\Documents and Settings\HP_Administrator\Application Data\Auslogics<br/>2008-02-04 16:30:10         0 d-------- C:\Program Files\AusLogics Disk Defrag<br/>2008-02-04 16:04:43      2045 --a------ C:\run.bat<br/><br/><br/>-- Registry Dump ---------------------------------------------------------------<br/><br/>*Note* empty entries &amp; legit default entries are not shown<br/><br/><br/>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br/>"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [07/23/2005 01:14 AM]<br/>"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10/05/2006 10:11 PM]<br/>"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/14/2008 10:57 
AM]<br/>"nmctxth"="C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [01/08/2008 06:20 PM]<br/>"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [09/27/2005 02:34 AM]<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]<br/>"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles<br/>"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme<br/><br/>[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]<br/>"DisableRegistryTools"=0 (0x0)<br/><br/>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]<br/>"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 02:55 PM 77824]<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] <br/>C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 02:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll<br/><br/>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]<br/>="Service"<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]<br/>backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]<br/>C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]<br/>"C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash<br/><br/>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]<br/>"LightScribeService"=3 
(0x3)<br/><br/><br/>[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]<br/>AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480<br/><br/><br/><br/><br/>-- End of Deckard's System Scanner: finished at 2008-03-31 20:32:39 ------------<br/><br/>-- Application Event Log -------------------------------------------------------<br/><br/>Event Record #/Type8076 / Error<br/>Event Submitted/Written: 03/31/2008 03:26:10 PM<br/>Event ID/Source: 1802 / SecurityCenter<br/>Event Description:<br/>The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.<br/><br/>Event Record #/Type8070 / Error<br/>Event Submitted/Written: 03/31/2008 09:54:33 AM<br/>Event ID/Source: 1802 / SecurityCenter<br/>Event Description:<br/>The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.<br/><br/>Event Record #/Type8064 / Error<br/>Event Submitted/Written: 03/31/2008 09:43:18 AM<br/>Event ID/Source: 1802 / SecurityCenter<br/>Event Description:<br/>The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.<br/><br/>Event Record #/Type8057 / Error<br/>Event Submitted/Written: 03/30/2008 09:27:38 AM<br/>Event ID/Source: 1802 / SecurityCenter<br/>Event Description:<br/>The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.<br/><br/>Event Record #/Type8051 / Error<br/>Event Submitted/Written: 03/29/2008 06:20:58 PM<br/>Event ID/Source: 1802 / SecurityCenter<br/>Event Description:<br/>The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.<br/><br/><br/><br/>-- Security Event Log ----------------------------------------------------------<br/><br/>No 
Errors/Warnings found.<br/><br/><br/>-- System Event Log ------------------------------------------------------------<br/><br/>Event Record #/Type27145 / Warning<br/>Event Submitted/Written: 03/31/2008 08:32:23 PM<br/>Event ID/Source: 3004 / WinDefend<br/>Event Description:<br/>%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.<br/><br/>For more information please see the following:<br/>%YOUR-4DACD0EA75275<br/><br/>   Scan ID: {845FC4C4-BA02-4C88-8015-5EE9E3F90DA4}<br/><br/>   User: YOUR-4DACD0EA75\HP_Administrator<br/><br/>   Name: %YOUR-4DACD0EA75271<br/><br/>   ID: %YOUR-4DACD0EA75272<br/><br/>   Severity: 1.1.1592.05<br/><br/>   Category: 1.1.1592.06<br/><br/>   Path Found: %YOUR-4DACD0EA75276<br/><br/>   Alert Type: %YOUR-4DACD0EA75278<br/><br/>   Detection Type: 1.1.1592.02<br/><br/>Event Record #/Type27144 / Warning<br/>Event Submitted/Written: 03/31/2008 08:32:23 PM<br/>Event ID/Source: 3004 / WinDefend<br/>Event Description:<br/>%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. 
%YOUR-4DACD0EA7527 can't undo changes that you allow.<br/><br/>For more information please see the following:<br/>%YOUR-4DACD0EA75275<br/><br/>   Scan ID: {7F6377B1-6235-41EE-8963-C8F60B301E9B}<br/><br/>   User: YOUR-4DACD0EA75\HP_Administrator<br/><br/>   Name: %YOUR-4DACD0EA75271<br/><br/>   ID: %YOUR-4DACD0EA75272<br/><br/>   Severity: 1.1.1592.05<br/><br/>   Category: 1.1.1592.06<br/><br/>   Path Found: %YOUR-4DACD0EA75276<br/><br/>   Alert Type: %YOUR-4DACD0EA75278<br/><br/>   Detection Type: 1.1.1592.02<br/><br/>Event Record #/Type27143 / Warning<br/>Event Submitted/Written: 03/31/2008 08:32:23 PM<br/>Event ID/Source: 3004 / WinDefend<br/>Event Description:<br/>%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.<br/><br/>For more information please see the following:<br/>%YOUR-4DACD0EA75275<br/><br/>   Scan ID: {96DDF3F4-7B44-41B3-9157-84915C72661A}<br/><br/>   User: YOUR-4DACD0EA75\HP_Administrator<br/><br/>   Name: %YOUR-4DACD0EA75271<br/><br/>   ID: %YOUR-4DACD0EA75272<br/><br/>   Severity: 1.1.1592.05<br/><br/>   Category: 1.1.1592.06<br/><br/>   Path Found: %YOUR-4DACD0EA75276<br/><br/>   Alert Type: %YOUR-4DACD0EA75278<br/><br/>   Detection Type: 1.1.1592.02<br/><br/>Event Record #/Type27142 / Warning<br/>Event Submitted/Written: 03/31/2008 08:32:23 PM<br/>Event ID/Source: 3004 / WinDefend<br/>Event Description:<br/>%YOUR-4DACD0EA7527 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. 
You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %YOUR-4DACD0EA7527 can't undo changes that you allow.<br/><br/>For more information please see the following:<br/>%YOUR-4DACD0EA75275<br/><br/>   Scan ID: {BF51EE34-5010-41C1-AE38-A04F36FE5313}<br/><br/>   User: YOUR-4DACD0EA75\HP_Administrator<br/><br/>   Name: %YOUR-4DACD0EA75271<br/><br/>   ID: %YOUR-4DACD0EA75272<br/><br/>   Severity: 1.1.1592.05<br/><br/>   Category: 1.1.1592.06<br/><br/>   Path Found: %YOUR-4DACD0EA75276<br/><br/>   Alert Type: %YOUR-4DACD0EA75278<br/><br/>   Detection Type: 1.1.1592.02<br/><br/>Event Record #/Type27141 / Warning<br/>Event Submitted/Written: 03/31/2008 05:17:11 PM<br/>Event ID/Source: 4226 / Tcpip<br/>Event Description:<br/>TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.<br/><br/><br/><br/>-- End of Deckard's System Scanner: finished at 2008-03-31 20:32:39 ------------<br/><br/>That's not all of the logs. There should have been another HijackThis log along with other information.<br/><br/>Are you the only one who uses this PC?<br/><br/>2008-02-21 17:30:55 C:\Documents and Settings\HP_Administrator\Application Data\uTorrent &lt;&lt; I asked about torrents....<br/><br/>2008-02-10 21:45:38 C:\WINDOWS\system32\zllictbl.dat &lt;&lt; Zone Alarm data file<br/><br/>I don't think you have anything to worry about.<br/><br/>Do this.<br/><br/><strong>Create a Startup List</strong><br/><br/>1. Open HijackThis and select <strong>Open the Misc Tools section</strong><br/>2. Click on the button which says <strong>Generate StartupList log</strong><br/>3. Click <strong>Yes</strong> when prompted and a notepad document will open.<br/>4. 
Save the log to the desktop and attach it in the next post.<br/><br/>Forgot that my son DID use this PC a month or so ago when he was home.<br/><br/>After running dss.exe, the only logs I got were main.txt and extra.txt, and I did see it running HJT during the scan, but no log was generated for it that I can find.<br/><br/>StartupList report, 3/31/2008, 9:00:47 PM<br/>StartupList version: 1.52.2<br/>Started from : C:\Hijack This\HijackThis.EXE<br/>Detected: Windows XP SP2 (WinNT 5.01.2600)<br/>Detected: Internet Explorer v7.00 (7.00.6000.16608)<br/>* Using default options<br/>==================================================<br/><br/>Running processes:<br/><br/>C:\WINDOWS\System32\smss.exe<br/>C:\WINDOWS\system32\winlogon.exe<br/>C:\WINDOWS\system32\services.exe<br/>C:\WINDOWS\system32\lsass.exe<br/>C:\WINDOWS\system32\svchost.exe<br/>C:\Program Files\Windows Defender\MsMpEng.exe<br/>C:\WINDOWS\System32\svchost.exe<br/>C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe<br/>C:\WINDOWS\Explorer.EXE<br/>C:\WINDOWS\system32\spoolsv.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgemc.exe<br/>C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe<br/>C:\Program Files\Windows Defender\MSASCui.exe<br/>C:\PROGRA~1\Grisoft\AVG7\avgcc.exe<br/>C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe<br/>C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe<br/>C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE<br/>C:\WINDOWS\system32\nvsvc32.exe<br/>C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe<br/>C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe<br/>C:\WINDOWS\system32\ntvdm.exe<br/>C:\WINDOWS\notepad.exe<br/>C:\WINDOWS\notepad.exe<br/>C:\Program Files\Mozilla Firefox\firefox.exe<br/>C:\Hijack This\HijackThis.exe<br/><br/>--------------------------------------------------<br/><br/>Listing of startup 
folders:<br/><br/>Shell folders Common Startup:<br/>[]<br/>AUTOEXEC.BAT<br/>boot.ini<br/>cmldr<br/>CONFIG.001<br/>CONFIG.SYS<br/>DEFRAG.bat<br/>devicetable.log<br/>hpWebHelper.log<br/>index.ini<br/>IO.SYS<br/>ipconfig.txt<br/>LOG1.log<br/>MSDOS.SYS<br/>NTDETECT.COM<br/>ntldr<br/>pagefile.sys<br/>run.bat<br/>setup_all.exe<br/>SSPPPoE.log<br/>YServer.txt<br/><br/>--------------------------------------------------<br/><br/>Checking Windows NT UserInit:<br/><br/>[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]<br/>UserInit = C:\WINDOWS\system32\userinit.exe,<br/><br/>--------------------------------------------------<br/><br/>Autorun entries from Registry:<br/>HKLM\Software\Microsoft\Windows\CurrentVersion\Run<br/><br/>Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE<br/>Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide<br/>AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP<br/>nmctxth = "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"<br/>MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto<br/><br/>--------------------------------------------------<br/><br/>Autorun entries in Registry subkeys of:<br/>HKLM\Software\Microsoft\Windows\CurrentVersion\Run<br/><br/>[OptionalComponents]<br/> = <br/><br/>--------------------------------------------------<br/><br/>Shell &amp; screensaver key from C:\WINDOWS\SYSTEM.INI:<br/><br/>Shell=*INI section not found*<br/>SCRNSAVE.EXE=*INI section not found*<br/>drivers=*INI section not found*<br/><br/>Shell &amp; screensaver key from Registry:<br/><br/>Shell=explorer.exe<br/>SCRNSAVE.EXE=*Registry value not found*<br/>drivers=*Registry value not found*<br/><br/>Policies Shell key:<br/><br/>HKCU\..\Policies: Shell=*Registry value not found*<br/>HKLM\..\Policies: Shell=*Registry value not found*<br/><br/>--------------------------------------------------<br/><br/><br/>Enumerating Browser Helper Objects:<br/><br/>(no name) - C:\Program Files\Common 
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}<br/>(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}<br/>(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}<br/><br/>--------------------------------------------------<br/><br/>Enumerating Task Scheduler jobs:<br/><br/>AppleSoftwareUpdate.job<br/>MP Scheduled Scan.job<br/><br/>--------------------------------------------------<br/><br/>Enumerating Download Program Files:<br/><br/>[CKAVWebScan Object]<br/>InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll<br/>CODEBASE = <a href="http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab">http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab</a><br/><br/>[Windows Genuine Advantage Validation Tool]<br/>InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll<br/>CODEBASE = <a href="https://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab">http://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab</a><br/><br/>[Symantec AntiVirus scanner]<br/>InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll<br/>CODEBASE = <a href="https://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab">http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab</a><br/><br/>[Malicious Software Removal Tool]<br/>InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebCleaner.dll<br/>CODEBASE = <a href="https://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab">http://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab</a><br/><br/>[Windows Live Safety Center Base Module]<br/>InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll<br/>CODEBASE = <a 
href="http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab">http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab</a><br/><br/>[WUWebControl Class]<br/>InProcServer32 = C:\WINDOWS\system32\wuweb.dll<br/>CODEBASE = <a href="http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937">http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155065900937</a><br/><br/>[Symantec RuFSI Utility Class]<br/>InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll<br/>CODEBASE = <a href="https://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab">http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab</a><br/><br/>[MUWebControl Class]<br/>InProcServer32 = C:\WINDOWS\system32\muweb.dll<br/>CODEBASE = <a href="http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578">http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180620944578</a><br/><br/>[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]<br/>CODEBASE = <a href="https://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab">http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab</a><br/><br/>[ActiveScan Installer Class]<br/>InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll<br/>CODEBASE = <a href="http://acs.pandasoftware.com/activescan/as5free/asinst.cab">http://acs.pandasoftware.com/activescan/as5free/asinst.cab</a><br/><br/>[McFreeScan Class]<br/>CODEBASE = <a href="https://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab">http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5150/mcfscan.cab</a><br/><br/>--------------------------------------------------<br/><br/>Enumerating ShellServiceObjectDelayLoad items:<br/><br/>PostBootReminder: C:\WINDOWS\system32\SHELL32.dll<br/>CDBurn: C:\WINDOWS\system32\SHELL32.dll<br/>WebCheck: 
C:\WINDOWS\system32\webcheck.dll<br/>SysTray: C:\WINDOWS\system32\stobject.dll<br/>WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll<br/><br/>--------------------------------------------------<br/>End of report, 6,839 bytes<br/>Report generated in 0.047 seconds<br/><br/>Command line options:<br/>   /verbose  - to add additional info on each section<br/>   /complete - to include empty sections and unsuspicious data<br/>   /full     - to include several rarely-important sections<br/>   /force9x  - to include Win9x-only startups even if running on WinNT<br/>   /forcent  - to include WinNT-only startups even if running on Win9x<br/>   /forceall - to include all Win9x and WinNT startups, regardless of platform<br/>   /history  - to list version history only<br/><br/>Everything looks normal. You might go to C:\WINDOWS\Downloaded Program Files and look for old folders that might not have been removed when a program was uninstalled and delete any you find.<br/><br/>For investigating startups go <a href="https://www.bleepingcomputer.com/startups/"> HERE</a> and search them out.<br/><br/>I'm at a loss now what to do next for sure.<br/><br/>Thanks for your time and help evilfantasy. We gave it our best shot and I learned a few things in the process.<br/><br/>I'll keep checking this post to see if anyone comes up with any other ideas.<br/><br/>I will check the Downloaded Program Files and read about investigating startups.<br/><br/>Thanks again.</body></html>
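Added example, not part of the thread above and not written by anyone in it. One line of the StartupList report deserves more attention than it got: "Shell folders Common Startup: []" is followed by a listing of files that live in the root of C:\ (AUTOEXEC.BAT, boot.ini, ntldr, pagefile.sys), not by the contents of a Startup folder. My reading of that, which the thread itself never states, is that the registry value Explorer uses to locate the all-users Startup folder is resolving to an empty string, so startup enumerators such as MSConfig and StartupList end up listing whatever directory they happen to resolve against and present those files as "Common Startup" items. That is a configuration check, not a malware finding, and it is the one thing the scans in the thread would not have looked at. The script below reads the Startup and Common Startup values from both the User Shell Folders and Shell Folders keys under HKCU and HKLM, compares them with the Windows XP defaults (those expected paths are an assumption for XP; Vista and later use %AppData% and %ProgramData% instead), and lists what the folders actually contain. It only reads; run it in PowerShell on the affected machine.

```powershell
# Added example for this thread; not code posted by anyone in it.
# Checks where Explorer thinks the per-user and all-users Startup folders are.
# An empty or redirected value makes startup enumerators (MSConfig, StartupList)
# report the contents of an unrelated directory as "Common Startup" items,
# which is consistent with the "Shell folders Common Startup: []" line in the
# StartupList report above (my inference, not something the thread states).
# ASSUMPTION: the expected paths are the Windows XP defaults; Vista and later
# use %AppData% and %ProgramData% instead.

$checks = @(
    @{ Hive = 'HKLM'; Name = 'Common Startup'; Expected = '%ALLUSERSPROFILE%\Start Menu\Programs\Startup' },
    @{ Hive = 'HKCU'; Name = 'Startup';        Expected = '%USERPROFILE%\Start Menu\Programs\Startup' }
)

foreach ($c in $checks) {
    $expectedPath = [Environment]::ExpandEnvironmentVariables($c.Expected)

    # 'User Shell Folders' is the value Explorer uses (REG_EXPAND_SZ);
    # 'Shell Folders' is a cached copy. Get-ItemProperty returns REG_EXPAND_SZ
    # values already expanded, so both keys are compared on the expanded form.
    foreach ($sub in 'User Shell Folders', 'Shell Folders') {
        $key   = "$($c.Hive):\Software\Microsoft\Windows\CurrentVersion\Explorer\$sub"
        $value = $null
        $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $prop = $item.PSObject.Properties[$c.Name]
            if ($prop -ne $null) { $value = [string]$prop.Value }
        }

        if ([string]::IsNullOrEmpty($value)) {
            # This is the condition that would explain a "[]" Common Startup
            # path and commands that start with a bare backslash.
            Write-Output "SUSPECT  $key\$($c.Name) is missing or empty"
            continue
        }

        $actualPath = [Environment]::ExpandEnvironmentVariables($value)
        if ($actualPath -ne $expectedPath) {   # -ne is case-insensitive in PowerShell
            Write-Output "SUSPECT  $key\$($c.Name) = '$value' (expected '$($c.Expected)')"
        } else {
            Write-Output "OK       $key\$($c.Name) = '$value'"
        }

        # Show what is really in the folder, hidden files included, so a
        # desktop.ini or a stray shortcut is not missed.
        if (Test-Path -LiteralPath $actualPath) {
            Get-ChildItem -LiteralPath $actualPath -Force |
                ForEach-Object { Write-Output "         contains: $($_.Name)" }
        } else {
            Write-Output "         folder does not exist: $actualPath"
        }
    }
}
```

If either Common Startup value comes back SUSPECT, compare the two keys with each other and with the defaults before changing anything, and note that a blanked or redirected shell-folder path is a deliberate configuration change by something, so it is worth finding out what wrote it (the thread mentions another user of the machine a month earlier) rather than only putting the value back.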