c:\program.exe


10 replies to this topic

#1 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 02:24 AM

Hi all,

For the last two days I've been having trouble with my home computer.
A short history of things here.

Last weekend I got myself infected with the PuCe virus (which is actually win32.hllp.rile.a). It took me some time, but thanks to Kaspersky I got rid of it. Anyway. Just when you think the trouble is over, no way :grrr:

After removal of the virus, I decided to do an extra check-up for the old spyware thingies. I'm currently using Spybot S&D, Adaware and Spy blaster (better safe than sorry). After this removal, I created a HijackThis log and removed all things that looked suspicious to me.
Still, my IE6 ran slowly after some time, followed by a complete system halt eventually. :wtf:

Then came the big surprise. My F-Secure firewall informed me about a new connection attempt while downloading a definition update. The application that tried to connect was c:\program.exe. I decided to give it permission (God knows why I decided that :eek: ). Result: system halt. This piece of s**t seemed to use an awful lot of memory, as I saw the counter run back to 5 (I have 512 available).

All in all, I decided to run an upgrade install of XP, because my IE got corrupted. After the upgrade install, I downloaded SP1a and ran it. Just when I decided to download the rest of the programs, the same message popped up again. Of course this time I decided to deny access to the internet, and up till now no more system halts, although the performance is a bit sluggish every now and then. :unsure:

The reason for me posting this here is that I'm desperate.
- I checked my machine with NAV, McAfee, Online Symantec, Housecall and Kaspersky, but no virus found.
- Checked it for spyware with Spybot, Spy blaster and Adaware, and have SpywareGuard resident. No success.
- Of course, I can't find the c:\program.exe, but worse, I can't find anything on the internet about it.

Is there anybody who can tell me anything more or can give me advice on what to do next? Right now, I'm thinking about completely reinstalling my computer when I'm back from holiday.

FYI: using a 1.4 GHz computer, 512 RAM, ADSL connection to the internet, F-Secure firewall.

If I don't react quickly to replies, I'll be leaving for holiday this Friday.

Thanks in advance all!!

#2 TonyKlein (Expert, 1,841 posts)

Posted 14 July 2004 - 02:40 AM

Would you please run HijackThis again, and post a fresh log so that we might have a look as well?

It's hard to advise without the slightest idea of what we're dealing with...

Edited by TonyKlein, 14 July 2004 - 02:42 AM.


#3 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 08:29 AM

Here's my HijackThis file.

FYI, I just started using Mozilla as my browser. Seemed wise. Next to that, really great browser.

Cheers

Logfile of HijackThis v1.97.7
Scan saved at 15:26:26, on 14-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\RAM Def XT\ramdef.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\F-Secure\DFW\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Arnold en Grietha\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.104.94.112:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.rabobank.nl; *.freeler.nl;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def XT\ramdef.exe -tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...l.CAB?38181.435
O16 - DPF: {A27AD582-5BE5-4C2D-82F0-48B24FE02040} -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} -

#4 TonyKlein (Expert, 1,841 posts)

Posted 14 July 2004 - 08:33 AM

It's a clean log, although you do want to have these fixed:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE



No sign of your "C:\Program.exe" file either; it could possibly be F-Secure having trouble fetching the correct file name and therefore replacing it with "Program.exe".

We could have a closer look, though:

In HijackThis, press "Config" > "Miscellaneous Tools".
Under the "Generate StartupList log" button, check the "List also minor sections" box.

Now press "Generate StartupList Log".
This will generate a text file listing all applications that are loaded from practically every known startup location.

Go to Edit > Select All, copy it, and post its contents here.
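
An added example, not part of this thread and not HijackThis's own code: a small Python triage script that reads a HijackThis log and pulls out the entries a reviewer looks at first. It flags the O2 BHO entries marked "(no file)" (the ones asked to be fixed above), O16 Downloaded Program Files entries with neither a name nor a CODEBASE, and O4 Run values whose executable path contains spaces but is not quoted. The third check is worth knowing about in connection with the file name in question: when Windows starts an unquoted command line such as `C:\Program Files\RAM Def XT\ramdef.exe -tray` (which appears unquoted in the log posted above), CreateProcess tries `C:\Program.exe` before the full path, so an attempt to open a file of that name is a normal side effect and is one benign way the name can turn up in a monitoring tool's output. The sample log lines are constructed from the posted log; all function names are my own.

```python
"""Triage helpers for a HijackThis v1.9x log (added example, not HijackThis code)."""
import re
from typing import Dict, List

# Constructed sample, modelled on the log posted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - (no file)
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [RAMDef] C:\Program Files\RAM Def XT\ramdef.exe -tray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
"""

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 - DPF: {CLSID} (<name>) - <CODEBASE url>; name and url may both be absent
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
# Command line that starts with a drive letter; the executable is the shortest
# prefix ending in a program extension, the rest is its arguments.
EXE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|com|bat|scr))(?P<args>.*)$", re.IGNORECASE)


def orphaned_bhos(log: str) -> List[str]:
    """CLSIDs of O2 entries whose DLL no longer exists ('(no file)')."""
    found = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("file").strip().lower() == "(no file)":
            found.append(m.group("clsid"))
    return found


def unnamed_dpf(log: str) -> List[str]:
    """CLSIDs of O16 entries with neither a description nor a CODEBASE URL."""
    found = []
    for line in log.splitlines():
        m = DPF_RE.match(line.strip())
        if m and not m.group("name") and not m.group("url"):
            found.append(m.group("clsid"))
    return found


def unquoted_run_paths(log: str) -> List[Dict[str, str]]:
    """O4 Run values whose unquoted executable path contains spaces.

    Windows probes each space-delimited prefix of such a command line as an
    executable before the full path, so the first candidate it tries is the
    text up to the first space plus ".exe"; that is reported as first_probe.
    """
    found = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m or m.group("cmd").startswith('"'):
            continue  # not a Run entry, or already properly quoted
        e = EXE_RE.match(m.group("cmd"))
        if not e or " " not in e.group("path"):
            continue  # not a bare drive-letter path, or no spaces to worry about
        first_probe = e.group("path").split(" ", 1)[0] + ".exe"
        found.append({"name": m.group("name"), "path": e.group("path"), "first_probe": first_probe})
    return found


def review(log: str) -> Dict[str, list]:
    """Run all three checks; keys are the check names."""
    return {
        "orphaned_bhos": orphaned_bhos(log),
        "unnamed_dpf": unnamed_dpf(log),
        "unquoted_run_paths": unquoted_run_paths(log),
    }


if __name__ == "__main__":
    for check, items in review(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; the orphaned-BHO and unnamed-DPF checks reproduce what the reviewer singled out by eye, and the unquoted-path check shows where a `C:\Program.exe` probe would come from on this particular machine.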

#5 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 10:01 AM

Here it is.

Thanks so far



StartupList report, 14-7-2004, 16:58:12
StartupList version: 1.52
Started from : C:\Documents and Settings\Arnold en Grietha\Bureaublad\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\RAM Def XT\ramdef.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\F-Secure\DFW\Program\fsdfwd.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\Wisdom-soft ScreenHunter\ScreenHunter.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Documents and Settings\Arnold en Grietha\Bureaublad\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Arnold en Grietha\Menu Start\Programma's\Opstarten]
MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
F-Secure Manager = "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
F-Secure TNB = "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
Logitech Utility = Logi_MwX.Exe
RAMDef = C:\Program Files\RAM Def XT\ramdef.exe -tray
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
KAVPersonal50 = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - (no file) - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {EFD84954-6B46-42f4-81F3-94CE9A77052D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[{093F9CF8-0DE1-491C-95D5-5EC257BD4CA3}]

[{1663ed61-23eb-11d2-b92f-008048fdd814}]

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SYSPRO~1.DLL
CODEBASE = http://support.euro....er/PROFILER.CAB

[InstallShield International Setup Player]
InProcServer32 = c:\windows\DOWNLO~1\isetup.dll
CODEBASE = http://www.installen...gine/isetup.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...l.CAB?38181.435

[{A27AD582-5BE5-4C2D-82F0-48B24FE02040}]

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = https://download.mac...ash/swflash.cab

[{EF86873F-04C2-4A95-A373-5703C08EFC7B}]

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Omgeving voor AFD-netwerkondersteuning: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTsvcCDA.exe (autostart)
Services voor cryptografie: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Service voor het rapporteren van fouten: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
F-Secure File System Filter: \??\C:\Program Files\F-Secure\Common\FSfilter.sys (autostart)
F-Secure Gatekeeper: \??\C:\Program Files\F-Secure\Common\FSgk.sys (autostart)
F-Secure File System Recognizer: \??\C:\Program Files\F-Secure\Common\FSrec.sys (autostart)
F-Secure Authentication Agent: "C:\Program Files\F-Secure\Common\FSAA.EXE" (autostart)
F-Secure Management Agent: "C:\Program Files\F-Secure\Common\FSMA32.EXE" (autostart)
F-Secure Policy Manager: \??\C:\Program Files\F-Secure\Common\FSPM.SYS (autostart)
Help en ondersteuning: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
kavsvc: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC-services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Thema's: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Uploadbeheer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
VMware DHCP Service: %SystemRoot%\System32\vmnetdhcp.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatische updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration-service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 14.072 bytes
Report generated in 0,656 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

:wave:

#6 TonyKlein (Expert, 1,841 posts)

Posted 14 July 2004 - 10:26 AM

It's a squeaky clean log; no sign of any malware.

You do have F-Secure, Kaspersky AND Symantec services running; are those all necessary?

If F-Secure is your resident antivirus, shut down the services belonging to the other two applications, if not required.

No idea what this C:\Program.exe could be about; are you sure hidden files are set to show?

You could also launch a command prompt and do a "dir C:\". Some files only become visible that way.

#7 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 11:03 AM

As Balki would have said in Perfect Strangers: 'Get out of the city!'

I assume, by the way, that it all has to do with my e-mail, as it is on port 110 (SSL).
I just noticed.

Somehow I'm a bit anxious to allow the connection, but I'm going to try.

Thanks anyway for your help, mate.

By the way:
F-Secure is my firewall.
Kaspersky for viruses.
Symantec used to be. Could get rid of those.

#8 TonyKlein (Expert, 1,841 posts)

Posted 14 July 2004 - 11:30 AM

OK, do keep us posted!

Greetings,

#9 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 01:04 PM

Right,

It seems I've been wasting someone's time here :dumb:

It all has to do with proper housekeeping.
I downloaded a tool, Cleanup, from this site http://ourworld.comp...us/cleanup.html
and guess what: it took 15 minutes to clean up all the temp files.

Very odd, considering I was using System Works to get it done.
Program.exe indeed is socket 10057 on port 101 for my email.

Anyway, Tony, thanks for your help, mate. I won't be this d*ckheaded again in the future.

See you around.

#10 TonyKlein (Expert, 1,841 posts)

Posted 14 July 2004 - 01:07 PM

Don't worry about it, Arnold; it's never a bad idea to double-check... :)

Talk to you later!

#11 arnoldijzermans (Full Member, 6 posts)

Posted 14 July 2004 - 02:49 PM

Thx.

Funny though. The system gets slow after being idle for an hour or so...
Strange.

Nothing to do with spyware, though.



