Wademan

Help, Please secure32 trojan!


Hi guys, here is my post from the spyware forums 3 weeks ago. Same problem: I got the hosts file and it disappeared. Well, it's back...my speed is a snail's pace now... PLEASE help>>>Hello guys....I just got my PC running well after getting the MVPS hosts file, and fixed the big problem I had 3 weeks ago. Well, I was googling for business, map search, clicked on a website, then this odd pop-up came up, all in German, with red devils on it. Well, I clicked the "x" to close it, and BOOM....my virus scanner went nuts, picked up 5 exploits, said 4 disinfected, 1 infected...even though it appeared to be the exact same thing...1 showed infected, very odd. Well, so I scanned like crazy in safe mode and with online scanners, plus used Ewido, a2, Ad-Aware, Spybot, Webroot Spy Sweeper, Microsoft AntiSpyware; all came up super clean. Well, Panda's online scan picked this up>>> http://www.pandasoftware.com/virus_info/en...deteccion=98066 and since it's spyware, the Panda online scan will NOT remove this. After some research,...this could be nothing or could be a real baddie; what do you guys think/advise? Other odd thing: HouseCall won't run now, a pop-up says "files can't be transferred over the internet, do you want to try again"..wth? I just used HouseCall 3 days before, and it ran fine. PC seems to run OK,...this just happened 12 hours ago though. Other thing: when this happened 3 boxes popped up (after I clicked x to close the window) that said "download browser hijack" and some other evil thing. Hell, I unplugged the PC immediately, then I did all the scans above. This is so strange; any help is so appreciated....TY

PS: here is the path from the Panda scanner: C:\WINDOWS\SYSTEM32\Drivers\etc\hosts

OK, my HJT log>>>>>

Logfile of HijackThis v1.99.1

Scan saved at 1:38:57 PM, on 12/19/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Dantz\Retrospect\retrorun.exe

C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\2Wire\Gateway\2PortalMon.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\Logitech\ImageStudio\LogiTray.exe

C:\WINDOWS\System32\WDBtnMgr.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Memzip\memzipr.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Guard-IE - {D2F719F3-106A-402B-9996-3A5B12ACA564} - C:\Program Files\Failsafe\GuardIE\PnIE.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\Failsafe\GuardIE\PnIE.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe

O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [MemoryZipperPlus] C:\Program Files\Memzip\memzipr.exe

O8 - Extra context menu item: &Trace with Visual Trace - C:\PROGRA~1\VISUAL~1\NTXcontext.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll

O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: McAfee Visual Trace - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\VISUAL~1\NTXtoolbar.htm (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com

O16 - DPF: PCPitstop-Tracks-Checker - http://pcpitstop.com/privacy/PCPTracks.cab

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust.com/Support/PestScanner/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124327907000

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...539/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29itg.zcce.compaq.com/falco/help...rt/SysQuery.cab

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Edited by Wademan


Nothing showing in the log. The Panda link you posted is not valid; can you give details, please?

Also, are you saying your hosts file is just gone? Can you not replace it? Do you have "view hidden files" enabled? If something changed a property on hosts to System and/or Archive you may not see it otherwise.

 

Please temporarily disable MSAS by doing the following, as it may interfere with the fix:

  • Open Microsoft AntiSpyware.

  • Click on Options -> Settings.

  • In the left pane, click on Real-time Protection.

  • Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).

  • Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).

  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.

  • Restart your computer.

  • Right-click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Make sure the settings are changed back when we are done.

 

Please click and download Silent Runners. Save it to the desktop.

* Double-click the "Silent Runners" icon on your desktop to run it.

* Now you will see a text file appear on the desktop; it is NOT done yet, so let it run (it won't appear to be doing anything!)

* After you receive the "All Done!" prompt, double-click on the new text file on the desktop and copy/paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

 

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Run the program, accept the statement > Next > click Scan > Next.

If any items are detected, have Blacklight rename them except for "wbemtest.exe".

Do not rename "wbemtest.exe"; it's a Windows file. If there are any other files you THINK may be valid, don't rename them. Help is available HERE

 

The tool will ask if you want to reboot (restart); choose yes.

 

The log will be named fsbl-<date/time>.log, e.g. fsbl-20051213134642.log

 

 

Also, you show as having Ewido installed. Would you update and do a FULL scan in SAFE MODE and then post that, along with the Blacklight and Silent Runners logs? Shouldn't need a new HijackThis yet.

Edited by jwbirdsong

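One way to check the hosts-file point jwbirdsong raises above (the file hidden by Hidden/System attributes, and the MVPS hosts file's blocking entries as opposed to a hijacker's redirects), written as an added example that is not from the thread or from any tool it names; the sample file content, the hostnames chosen for it and the 192.0.2.10 address are constructed:

```python
"""Check a Windows hosts file for hijack-style redirects and hiding attributes.

Added example for this thread, not code from the original posts or any tool
named in them. The helper notes that Hidden/System attributes can make hosts
"disappear", and the poster's MVPS hosts file maps ad/tracking names to a
blocking address; this script tells such blocking entries apart from entries
that send a real hostname elsewhere, the mark of a hosts-file hijack.
"""
import ipaddress
import os
import stat
from typing import Dict, List, Tuple

# Addresses a blocking hosts file (such as the MVPS file) legitimately uses.
BLOCKING_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that must only ever map to a loopback/blocking address.
EXPECTED_LOOPBACK = {"localhost"}
# Default location on Windows XP (the path quoted in the thread).
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\SYSTEM32\Drivers\etc\hosts"

# Constructed sample: stock localhost line, two MVPS-style blocking lines, two
# redirect lines of the kind a hijacked file contains (192.0.2.0/24 is a
# documentation range, so the address is a placeholder) and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example.net
0.0.0.0 tracking.example            # MVPS-style block entry
192.0.2.10 www.pandasoftware.com    # constructed: vendor site redirected
192.0.2.10 housecall60.trendmicro.com
not-an-address somehost
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return one (line_number, ip, hostname) tuple per mapping.

    Text after '#' is a comment, one address may carry several hostnames, and
    a line whose first field is not an IP address is skipped, not fatal.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: first field is not an address
        for host in fields[1:]:
            mappings.append((lineno, ip, host.lower()))
    return mappings


def classify_hosts(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Sort mappings into 'blocking', 'redirect' and 'loopback_tampered'.

    'redirect' entries deserve a look: a real site pointed at a non-loopback
    address silently sends its traffic (a vendor's scan or update requests
    included) to a host the user never chose.
    """
    result: Dict[str, List[Tuple[int, str]]] = {
        "blocking": [], "redirect": [], "loopback_tampered": []}
    for lineno, ip, host in parse_hosts(text):
        if host in EXPECTED_LOOPBACK:
            if ip not in BLOCKING_ADDRESSES:
                result["loopback_tampered"].append((lineno, f"{host} -> {ip}"))
        elif ip in BLOCKING_ADDRESSES:
            result["blocking"].append((lineno, host))
        else:
            result["redirect"].append((lineno, f"{host} -> {ip}"))
    return result


def hiding_attributes(path: str) -> List[str]:
    """Hidden/System attributes on the file (Windows only); empty list when
    the file is missing or the platform's stat result lacks the field."""
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
    except OSError:
        return []
    found = []
    if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
        found.append("Hidden")
    if attrs & stat.FILE_ATTRIBUTE_SYSTEM:
        found.append("System")
    return found


if __name__ == "__main__":
    # Scan the real file when present, otherwise the constructed sample.
    content = SAMPLE_HOSTS
    if os.path.exists(WINDOWS_HOSTS_PATH):
        print("attributes:", hiding_attributes(WINDOWS_HOSTS_PATH) or "none")
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    for kind, entries in classify_hosts(content).items():
        print(f"{kind}: {entries}")
```

On the sample the two 192.0.2.10 lines land in the "redirect" bucket while the 0.0.0.0 lines stay in "blocking"; on an XP box the same script reads the real file and reports the attributes that would hide it in Explorer.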


Hi, and thanks for responding so fast!...OK...first, what happened a month ago: my DSL was at a speed of approx 1300k, went down to dial-up speed (26k), so I called my provider, they did extensive line and modem testing, and tech support level 3 said "you have something on your PC that is using your bandwidth, check your hosts file, run scans etc."..

Well, my hosts file was gone!....so under advice here in the spyware/virus section, they said get "Hoster", run it, then get the MVPS hosts file. I did all that, and boom, speed was fast again like it should be, 1300-1500k...3 weeks went by, then I was googling for "maps" for a business project, and clicked on a site that "looked" like one I used before..well, this very odd window popped up with red devils all over it,..I clicked the "X" to close that window and boom...3 windows opened with "downloading hijacker", "downloading file kidnapper", "downloading password seizure"...my virus scanner went nuts, picked up 6 trojan exploits, I immediately unplugged the PC and modem, rebooted...seemed like the virus scanner got 'em, and saved me...BUT...Panda online continues to show the secure32 trojan exploit...and now my speed is a mess...OK..

I just updated the MVPS hosts file, so IT'S OK....

and done all you asked....here is what I found..

Ewido in Safe Mode found 0

Ad-Aware: 0

Spybot: 0

Here is Silent Runners>>>>

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MoneyAgent" = ""c:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS]

"MemoryZipperPlus" = "C:\Program Files\Memzip\memzipr.exe" ["Systweak"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]

"Cpqset" = "C:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"CamMonitor" = "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]

"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]

"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]

"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]

"HPHUPD05" = "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" ["Hewlett-Packard"]

"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]

"2wSysTray" = "C:\Program Files\2Wire\Gateway\2PortalMon.exe" ["2Wire, Inc."]

"ADUserMon" = "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" ["Iomega Corporation"]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe" [null data]

"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" ["Logitech Inc."]

"LogitechGalleryRepair" = "C:\Program Files\Logitech\ImageStudio\ISStart.exe" ["Logitech Inc."]

"LogitechImageStudioTray" = "C:\Program Files\Logitech\ImageStudio\LogiTray.exe" ["Logitech Inc."]

"WD Button Manager" = "WDBtnMgr.exe" ["Western Digital Technologies, Inc."]

"CaAvTray" = ""C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]

"CAVRID" = ""C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]

"Deskup" = "C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART" ["Iomega"]

"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{D2F719F3-106A-402B-9996-3A5B12ACA564}\(Default) = "Guard-IE"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Failsafe\GuardIE\PnIE.dll" ["."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]

"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]

"{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}" = "CyberScrub Context Menu Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]

"{B446400D-0030-457b-8F64-422A19605186}" = "Logitech Gallery"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\ImageStudio\NameSpc.dll" ["Logitech Inc."]

"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]

"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

 

HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e SsiEfr.e" [file not found], [MS], [file not found], [file not found], [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

CyberScrub\(Default) = "{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2CONT~1.DLL" [null data]

CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]

CyberScrub\(Default) = "{880E1C60-DBEB-11D3-A4C4-A58C7193AA36}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\CYBERS~1\cybshell.dll" ["CyberScrub LLC"]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Wayne\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ELECTR~1.SCR" (ElectriCalm3D.scr) [null data]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 25

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{37C8204D-97C3-4127-BB28-1BFF3FA2F7DA}" = "GuardIE"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Failsafe\GuardIE\PnIE.dll" ["."]

 

Explorer Bars

 

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

 

{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

 

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKCU\Software\Microsoft\Internet Explorer\Extensions\

{9885224C-1217-4C5F-83C2-00002E6CEF2B}\

"ButtonText" = "McAfee Visual Trace"

"Script" = "C:\PROGRA~1\VISUAL~1\NTXtoolbar.htm" [null data]

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

 

{2499216C-4BA5-11D5-BD9C-000103C116D5}\

"ButtonText" = "Yahoo! Login"

"MenuText" = "Yahoo! Login"

"CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]

 

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\

"ButtonText" = "Messenger"

"MenuText" = "Yahoo! Messenger"

"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

 

{BDD75188-2FC0-4099-909F-AA8D432BE037}\

"MenuText" = "@C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100"

"CLSIDExtension" = "{BDD75188-2FC0-4099-909F-AA8D432BE037}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Failsafe\GuardIE\PnIE.dll" ["."]

 

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://us8l.hpwis.com

 

Missing lines (compared with English-language version):

[strings]: 1 line

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

CAISafe, CAISafe, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

Retrospect Launcher, RetroLauncher, "C:\Program Files\Dantz\Retrospect\retrorun.exe" ["Dantz Development Corporation"]

Retrospect WD Service, RetroWDSvc, "C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe" ["Dantz Development Corporation"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

VET Message Service, VETMSGNT, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]

WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 26 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 15 seconds.

---------- (total run time: 147 seconds)

Also BlackLight rootkit revealer found nothing.... I will rerun Panda online and post the link again for you, since the link is valid for only 24 hours.. THANKS a lot..... I appreciate it!... sorry for the long story.... :) Ok, re-ran Panda, here is the NEW link, won't be available for long so hope you can see it, it's the secure32 trojan>>>> http://www.pandasoftware.com/virus_info/en...deteccion=98066 and one other>>> http://www.pandasoftware.com/virus_info/en...=114216.. THANKS again...

Edited by Wademan


Had some issues and was unable to get on here yesterday..Will reply after work today.

 

Ok birdsong, TY ;) I will check back throughout the day


Do you have the copy of the Panda log?? Do you know WHERE Panda is seeing it?? There is ABSOLUTELY NO sign of secure32 in any of the logs...... Also do a search for secure32; make sure you are set to view hidden files and search in system folders/hidden files.


 

Well, I did already put in my post where Panda is seeing it, but I'll copy and paste it here again>>> PS here is path on panda scanner C:\WINDOWS\SYSTEM32\Drivers\etc\hosts, and the only "log" I have already posted here is, well... I use the Panda online scanner, NOT the $70 version :blink: guess Panda is reporting things that do not exist, glad I know.. it's crap, cuz I almost bought the dumb thing... just to remove this stupid secure32...... so?
Edited by Wademan


If you re-read your original post you will notice that secure32 is mentioned once in an obscure title (at best) and then not again. NOWHERE do you say that C:\WINDOWS\SYSTEM32\Drivers\etc\hosts is the path to secure32. It is just listed as the "Panda scan path".. the path to what? Your hosts file that is no longer there? One of the 5 exploits you mention? Something else??

 

We do NOT read minds.. Sorry to have to inconvenience you to post a little more info to go on... Hopefully you can find and delete the secure32; if not, post a reply and I'll get someone else to take over your thread.


 

Hmm, well YES I did post the PATH; copy and paste again>>>, any help is so appreciated.... TY

PS here is path on panda scanner C:\WINDOWS\SYSTEM32\Drivers\etc\hosts

Ok my HJT log>>>>> Logfile of HijackThis v1.99.1

Scan saved at 1:38:57 PM, on 12/19/2005

See the word PATH^^?? It's in my post... :blink: and the Kaspersky scanner found the virus I also posted.. TY :blink: ..so???.. and NO file for secure32.... according to... File Search in Windows XP... which doesn't mean it's not on here... TY

Edited by Wademan


Wademan, none of your scans show that you actually have a keylogger. The online virus scans may be picking up definitions from one of your antispyware or antivirus protection programs.

 

Look at this link and do a search on your files and in the registry...do you see anything listed?

http://www.pestpatrol.com/pest_info/Stomp/s/spyagent.asp


 

Hiya Jaycee, ty for picking this up :) , well I don't see it in regedit, there is some weird stuff there, but I am not messing with things in the registry that I don't know what they are. Umm, the Kaspersky scan was added to my post... but the main/original issue, with Panda's secure32 and my super slow speeds, etc... is still unresolved.. did ya read my LONG post?? ..sorry it's like a novel :blink: ..took me hours to type it too since I type with 2-3 fingers, lol.. appreciate it if ya would look at my Silent Runners log and HJT log posted in my thread, Jaycee... :xmas-smiley-017:
Edited by Wademan


Yes, I read it. Did you also see this from Panda?

How to remove Secure32?

 

Keep in mind that Secure32 is not really a virus but adware.


Did you ever flush your old restore points and make a new one?

You might want to take a look at this if your ISP can't help:

http://www.duxcw.com/faq/network/slowbb.htm

 

Yes, I read that from Panda, but also on 3 other forum sites LOTS of people have this dumb secure32 crap, and they used HJT to remove it. I wish I had saved those posts; maybe I can find one and show you a site, much like ours here, with trusted HJT helpers, etc, that helped these people remove that. My speed is now back up again. ISP says "it's NOT our lines, we have triple tested everything, there is a program on YOUR pc that is broadcasting/using your bandwidth, we can even see the output from your modem. You have spyware/hacker/virus on your pc that is doing this, run scans etc". It's odd this happens every 21 days now :blink: I just think, Jaycee, that that secure32 or that spyguy/keylogger thing Kaspersky found is the reason behind this whole mess. I could be wrong but that is what I think.. it makes no sense otherwise.. oh, and yes I turned off System Restore for like 2 days... and ran scans (14 of 'em) in safe mode, then finally turned restore back on... I guess "maybe" Kaspersky is a false positive or, as you said, maybe picking it up through all the anti-spyware I have..? :blink: So you see nothing in Silent Runners?? What about the few that say "INFECTION WARNING!!" etc? Like this in my post>>> INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

...and HJT, this is all clean huh?.. I wanna pull my hair out over this... TY.... I'll keep checking back here to see your response to the above questions.. thanks Jaycee

Edited by Wademan


http://www.outpostfirewall.com/forum/showthread.php?t=9624

New PLUS Startup Locations Monitored

WinPatrol has also expanded to auto-startup locations internal to Windows and more likely to be modified by experienced WinPatrol users. WinPatrol PLUS is required for this extended support.

WinPatrol monitors and can remove programs added to these locations if you're really sure they are dangerous.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Examples of OK programs include CDBurn, PostBootReminder, SysTray, WebCheck

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Examples of OK programs include Browser preloader:UI Library, Component Categories cache daemon

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Examples of OK programs include Browser preloader:Shell, Microsoft AntiSpyware Service Hook

Here's a whole Google page with the same results from SilentRunners:

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

 

http://www.google.com/search?hl=en&q=shell...G=Google+Search
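As an added example (not code from this thread, from SilentRunners or from WinPatrol), the PowerShell below walks the three shell autostart keys WinPatrol names above, resolves each CLSID to its InProcServer32 DLL the same way the SilentRunners "-> {CLSID}\InProcServer32\(Default)" lines do, and reports whether that DLL carries a valid Authenticode signature, which is the quickest way to tell a known product's hook (Microsoft AntiSpyware, ewido) from an unknown one. The key paths come from the post; the output field names are my own choice, and the script assumes it runs elevated on the machine being checked.

```powershell
# Added example: triage ShellServiceObjectDelayLoad, SharedTaskScheduler and
# ShellExecuteHooks entries by resolving CLSID -> InProcServer32 DLL -> signature.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data = $item.GetValue($name)
        # SharedTaskScheduler and ShellExecuteHooks store the CLSID as the value NAME;
        # ShellServiceObjectDelayLoad stores a friendly name with the CLSID as the DATA.
        $clsid = if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { $name } else { "$data" }

        # Same lookup SilentRunners prints as "-> {CLSID}\InProcServer32\(Default)".
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue
        $dll = $null
        if ($server -and $server.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
        }

        # A missing DLL or an unsigned/invalid signature is what deserves a closer look;
        # a Valid signature from the vendor you expect is the usual "false positive" case.
        $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'dll missing' }

        [pscustomobject]@{
            Key       = Split-Path $key -Leaf
            Name      = $name
            CLSID     = $clsid
            DLL       = $dll
            Signature = $sig
        }
    }
}
```

Entries whose DLL is unsigned, missing, or lives outside a product's own Program Files folder are the ones worth comparing against a second machine or the vendor's documentation before removing anything.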


 

Wow... well I read 'some' of that huge Google forums page... and the other link.... so, you're saying that the Silent Runners thing "INFECTION WARNING!" is normal, or OK?.. :xmas-smiley-017:
Edited by Wademan


Yes, I'm saying you are fine. I believe you are getting what is known as "false/positive" readings, and your ISP tech didn't help matters when he said you were infected....he didn't have a clue :angry:

 

My computer has never been infected... I bought it new in April of this year. I decided to run a scan with a new virus program that others had said was pretty good..... well, I couldn't believe what it found on my machine. It said I had 31 CWS infections :laughing: It picked up my other program's definitions and tried to scare me into buying it with its report.


 

Wow Jaycee... ok, I guess even that dumb Panda finding secure32 is no big deal?.... I know what ya mean by some of these darn antispyware/antivirus companies trying to get us to buy things a lot... TrojanHunter did that to me... TY Jaycee.... guess the ISP guy was nuts.. lol..? ..he showed me in Control Panel/Network Connections/Local Area Connection/then the Status window, ISP guy said "see packets sent/received?"... "well the SENT should always be lower than the received, and received should be about 25% higher"; in other words if sent is 12,000 packets, received should say about 14,500... well, when all this crap happened a few days ago, the received was LOWER than the sent... so he said that "proves" something is using your bandwidth.. :blink: ... you've never been infected? :huh: ..well that's cuz ya super duper smart, hell the CIA prolly couldn't get in your pc, lol :rofl2: anyways, TY, and again, the secure32 crap, I should ignore it?..... man.. whew... people here prolly think I am nuts after all this crap :xmas-smiley-014: TY TY Jaycee
Edited by Wademan


Just keep running your antivirus program, Ad-Aware and Spybot S&D <-- always look for updates.

 

I don't remember if I gave you the link to this free disk cleaner, but here it is (very small and good!)

DiskCleaner

http://www.robertenfemke.nl/~diskclean/

 

Get to MS and update to SP2, I think you'll be a lot happier if you do that for yourself :mrgreen:


 

TY Jaycee... I tried SP2 once, messed up my pc bad... long story, many conflicts.. but maybe I'll try again... but I doubt that has anything to do with this issue... ty.. sure is odd that when my virus scanner went nuts and got 6 viruses, after reboot I can't even find a log, or a quarantine of 'em, guess my scanner is lame.. since Norton would save that info... anyways.. ty
