The two files have been deleted and they can't be found in the registry. However the problem still persists. I'm just about to download the new AnalyzerXP and run it. I'll post the log shortly.
Here is the log.
[===============] AnalyzerXP by TL - forum.networktechs.com (www.IamNotaGeek.com) [===============]
16/01/2007
19:06
Some of the files listed could be safe and valid, so before you do anything, research further.
You could also submit this log on forum.networktechs.com - Spyware Central for help.
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 16/01/2007 at 19:04:10
RSOP results for DILAN\Dilan Shah on DILAN : Logging Mode
----------------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Standalone Workstation
OS Version: 5.1.2600
Domain Name: DILAN
Domain Type: N/A<Local Computer>
Site Name: N/A
Roaming Profile:
Local Profile: C:\Documents and Settings\Dilan Shah
Connected over a slow link?: Yes
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 16/01/2007 at 18:40:50
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
USER SETTINGS
--------------
Last time Group Policy was applied: 16/01/2007 at 18:40:50
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Applied Group Policy Objects
-----------------------------
N/A
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The user is a part of the following security groups:
----------------------------------------------------
None
Everyone
Debugger Users
BUILTIN\Administrators
BUILTIN\Users
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Volume in drive C has no label.
Volume Serial Number is 20E8-C18D
Directory of C:\WINDOWS\Tasks
04/12/2006 23:34 284 AppleSoftwareUpdate.job
1 File(s) 284 bytes
0 Dir(s) 3,745,669,120 bytes free
TaskName Next Run Time Status
==================================== ======================== ===============
AppleSoftwareUpdate 16:26:00, 19/01/2007
MP Scheduled Scan 02:15:00, 17/01/2007
INFO: No event triggers found.
=====] Looking for suspicious file types in WINDOWS folder:
W32i - - - - 53,248 09-15-2003 c:\windows\apprun.exe
W32i - - - - 129,536 07-23-1999 c:\windows\auhccup1.dll
W32i - - - - 224,256 03-31-1999 c:\windows\comctl32.oca
W32i - - - - 71,749 10-28-2005 c:\windows\hcextoutput.dll
W32i - - - - 43,520 03-31-1999 c:\windows\msmapi32.oca
Volume in drive C has no label.
Volume Serial Number is 20E8-C18D
Directory of C:\WINDOWS
05/12/2002 17:23 19,274 001299_.tmp
02/04/2006 12:37 19,528 003920_.tmp
10/12/2002 16:15 69,632 DUMP478c.tmp
10/12/2002 16:15 69,632 DUMP4b39.tmp
10/12/2002 16:15 69,632 DUMP4c0b.tmp
10/12/2002 16:15 69,632 DUMP4fc3.tmp
10/12/2002 16:15 69,632 DUMP546b.tmp
10/12/2002 16:15 69,632 DUMP57d2.tmp
10/12/2002 16:15 69,632 DUMP59c7.tmp
10/12/2002 16:15 69,632 DUMP60c7.tmp
10/12/2002 16:15 69,632 DUMP6121.tmp
10/12/2002 16:15 69,632 DUMP6199.tmp
10/12/2002 16:15 69,632 DUMP6515.tmp
10/12/2002 16:15 69,632 DUMP66d7.tmp
10/12/2002 16:15 69,632 DUMP6c29.tmp
10/12/2002 16:15 69,632 DUMP6d6a.tmp
10/12/2002 16:15 69,632 DUMP6eb4.tmp
19 File(s) 2,182,803 bytes
0 Dir(s) 3,745,651,712 bytes free
W32i - - - - 262,416 10-17-1999 c:\windows\system32\asfv2.dll
W32i - - - - 2,067,140 11-29-2005 c:\windows\system32\avcodec.dll
W32i - - - - 24,576 08-15-2003 c:\windows\system32\coinst.dll
W32i - - - - 23,040 09-18-2000 c:\windows\system32\cssms_in.dll
DOS - - - - 9,833 09-03-2001 c:\windows\system32\ddmi.vxd
DOS - - - - 9,321 11-11-2001 c:\windows\system32\dlpt.vxd
W32i - - - - 20,480 07-01-2002 c:\windows\system32\mpfapi.dll
DOS - - - - 25,225 11-27-2002 c:\windows\system32\mpfirewl.vxd
W32i - - - - 45,056 09-24-2001 c:\windows\system32\navlogon.dll
DOS - - - - 5,672 08-17-1998 c:\windows\system32\quartz.vxd
DOS - - - - 120,379 09-24-2001 c:\windows\system32\symevnt.386
W16 - - - - 10,240 08-17-1998 c:\windows\system32\vidx16.dll
W16 - - - - 11,776 03-25-2003 c:\windows\system32\zport4as.dll
W32i - - - - 55,936 12-06-2002 c:\windows\system32\drivers\mpfirewall.sys
W32i - - - - 27,440 08-23-2001 c:\windows\system32\drivers\secdrv.sys
SafeDisk Driver (used by games to authenticate CD and prevent burning a copy of protected applications) has been detected on this system! If everything is working fine, ignore this entry.
02/03/2006 11:17 0 02.tmp
10/12/2006 19:50 1,744 d3d9caps.dat
05/09/2006 23:01 2,451,824 ieapfltr.dat
W32i DLL ENU 58.6.0.0 shp 141,424 08-24-2006 c:\windows\downloaded program files\asinst.dll
W32i DLL ENU 6.5.2.7 shp 357,376 02-02-2006 c:\windows\downloaded program files\housecall_activex.dll
W32i DLL ENU 1.0.0.2 shp 113,152 03-17-2005 c:\windows\downloaded program files\msnmessengersetupdownloader.ocx
W32i DLL ENU 2004.3.0.20 shp 124,072 12-22-2004 c:\windows\downloaded program files\naveng32.dll
W32i DLL ENU 2004.3.0.20 shp 685,224 12-22-2004 c:\windows\downloaded program files\navex32a.dll
W32i DLL ENU 5.70.0.1088 shp 435,712 10-03-2005 c:\windows\downloaded program files\xscan53.ocx
=====] List of files located at the root of the C Drive:
Volume in drive C has no label.
Volume Serial Number is 20E8-C18D
Directory of C:\
21/09/2006 08:49 9,820 2EF.tmp
01/12/2002 11:21 245,792 CLASSES.1ST
01/12/2002 11:38 0 CONFIG.BAK
12/01/2007 15:12 0 conmgr.log
02/12/2002 00:09 16 CTJINI.INI
02/01/2007 20:22 192,652 hpfr5550.log
26/12/2004 15:43 348 install.log
01/12/2002 11:10 3,833 RECOVERY.LOG
01/12/2002 15:04 470 SCANDISK.LOG
26/12/2004 15:59 3,723 _NavCClt.Log
24 File(s) 463,324 bytes
0 Dir(s) 3,745,650,176 bytes free
=====] Directory Analysis - PROGRAM FILES:
04/12/2006 23:37 <DIR> iPod
04/12/2006 23:37 <DIR> iTunes
21/08/2006 14:46 <DIR> Windows Defender
17/08/2006 15:46 <DIR> Driving Test Success 2006-2007
24/04/2006 09:23 <DIR> ArcSoft
03/04/2006 12:30 <DIR> Ahead
01/04/2006 15:59 <DIR> SAMSUNG
01/04/2006 09:38 <DIR> Elaborate Bytes
30/03/2006 18:03 <DIR> FileZilla
16/03/2006 22:41 <DIR> WinRAR
(Ignore the ones you know of)
=====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):
04/04/2006 22:21 <DIR> L&H
03/04/2006 12:32 <DIR> Nero
=====] Directory Analysis - WINDOWS folder:
Volume Serial Number is 20E8-C18D
Directory of C:\WINDOWS
10/01/2007 14:42 <DIR> ie7updates
09/12/2006 12:00 <DIR> WBEM
09/12/2006 11:58 <DIR> ie7
03/04/2006 12:33 <DIR> InCD
24/08/2005 19:24 <DIR> report
24/08/2005 19:24 <DIR> AU_Backup
24/08/2005 19:20 <DIR> AU_Log
09/05/2005 17:05 <DIR> Downloaded Installations
15/12/2004 11:25 <DIR> Motive
10/10/2004 18:21 <DIR> occache
31/03/2004 20:55 <DIR> henry screensaver dir
04/12/2002 23:48 <DIR> Minidump
04/12/2002 09:59 <DIR> Modio
0 File(s) 0 bytes
189 Dir(s) 3,745,650,176 bytes free
=====] Process Analysis - User-based processes with their Services:
Image Name PID Services
========================= ====== =============================================
WebClient
sqlservr.exe 196 MSSQL$SQLEXPRESS
AOLDial.exe 500 N/A
AOLSP Scheduler.exe 516 N/A
dslstat.exe 568 N/A
dslagent.exe 652 N/A
fts.exe 748 N/A
MpfTray.exe 1012 N/A
ctfmon.exe 1476 N/A
MpfAgent.exe 1804 N/A
alg.exe 2484 ALG
=====] Process Analysis - Currently running Service based Processes:
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
InCDsrv.exe 1068 Console 0 2,344 K
AOLacsd.exe 1780 Console 0 2,456 K
defwatch.exe 1848 Console 0 1,380 K
ewidoctrl.exe 1896 Console 0 2,056 K
inetinfo.exe 1916 Console 0 9,688 K
mdm.exe 1960 Console 0 3,336 K
MpfService.exe 2000 Console 0 2,984 K
sqlservr.exe 196 Console 0 1,104 K
AOLDial.exe 500 Console 0 1,084 K
AOLSP Scheduler.exe 516 Console 0 1,040 K
dslstat.exe 568 Console 0 784 K
dslagent.exe 652 Console 0 320 K
fts.exe 748 Console 0 1,456 K
MpfTray.exe 1012 Console 0 4,624 K
ctfmon.exe 1476 Console 0 1,824 K
MpfAgent.exe 1804 Console 0 1,060 K
alg.exe 2484 Console 0 3,464 K
[====================] End of Log [====================]
Lakers, some files are either malware (or highly suspicious and better off deleted) while some others could be but are generally unknown and hard to tell, which could be renamed first to take them out of the loop. Also, if renamed files re-appear, that means they were not only malware related but the mothership is still hidden somewhere in the system re-spawning its little helpers.
In short, would you rather have the instructions to remove some files and rename others and also manually search certain ones in the registry, or would you prefer me creating a small script to remove (in Safe mode) the identified malware files and rename the unknowns for safe keeping, which would automate things and make things easier for you.
Your call, let me know.
I think the script you create would be easier. However I have a new keyboard and the F8 button doesn't work. How do I boot into safe mode without using the keyboard?
This is a new keyboard and the most critical Function button is kaputt???
I would advise you to exchange the keyboard to begin with...
To bypass the startup processes, right at the user login window you could press and hold the SHIFT key, but since I need you to bypass the services as well as the .ini files, go ahead and open up the MSConfig panel:
START > RUN > type > msconfig > OK
Examine the WIN.INI and SYSTEM.INI tabs to make sure there are no funky entries. If you are not sure or do see some odd lines, let me know and we could have you run a different tool to capture the info in these 2 files, but assuming they are clean:
~ Select the SELECTIVE STARTUP and uncheck only the boxes next to Load System Services and Load Startup Items.
~ Click OK and at the next prompt click REBOOT/RESTART button.
I will start working on the script and attach it when it is ready.
~TL
The other keyboard I have doesn't work very well, I think there's too much dust under the keys. This new one is one of those "ergonomic keyboards." I just put the wires into the computer without installing it or anything (I'm not sure if you have to install drivers or anything with keyboards). Thanks for the script.
The 104 standard keys should work regardless of whether that keyboard's software is installed or not. F (function) keys being part of the 104 standard key set, it is not normal for any of them to not be working. If the key is not stuck or something similarly simple, then replacing the keyboard would be the next step.
Anyhow, I am a bit swamped at work and probably will not get to finish it till I get home but I will try...
Something in the Task List caught my attention though: the mdm.exe (Machine Debug Manager) service was running, do you use it? If you do not know what it is for, then it is very safe to say stop it and also change its Startup Type to Disabled in the Services Control Panel: Start > Run > services.msc > OK
Also please tell me names of the programs you have currently installed on your system in the following software groups:
~ Anti-Virus Scanner (not the online scans but the ones you actually installed)
~ Firewall (and is Windows Firewall disabled?)
~TL
Last edited by TurcoLoco; 01-17-2007 at 03:57 PM.
I just realised why the F-Keys weren't working. It's because I had the "F-Lock" on.
Also, I don't use the debugger so would it be safe to stop it? Do I do it by typing "services.msc" in the run box?
I have Ewido Anti-virus scanner, Windows Defender (although for the past few days it hasn't been working). I have a McAfee firewall and Norton AV initially came with the computer although it's never been used and I can't find it! The Windows firewall is also enabled!
Thanks for the effort TL, please take your time, there's no rush! To be honest I'm also swamped with revision for exams!
Are you certain you have Ewido Anti-Virus and not anti-spy? Just checking.
Ok, here we go... I am attaching the script. Even though I tested it on my own system and it is safe, effective, etc., I cannot guarantee that it will indeed resolve your issue, but it will not make anything worse either.
I am also putting in additional notes for your review and also some open-ended suggestions for everyone, but I am not saying you must do those as they are only suggestions.
I will also let Jholland take it from here unless you have a question specifically for me.
Overview of my analysis and what the attached script will do:
Delete all Internet cache, cookies, history, etc. as well as the common Temp folders, the system Prefetch folder and all downloaded installers.
And:
======== RENAME ========
Note: For unknown files, the program will rename them instead of permanently deleting them.
This way, should we discover that a particular file is legit or needed by a legit program or the system, it will be possible to locate and recover the file.
I always place an underscore (_) in front of the files when renaming; that way they appear at the very beginning of the list when sorted by name.
c:\windows\apprun.exe --> _apprun.eee
c:\windows\system32\asfv2.dll --> _asfv2lld
c:\windows\auhccup1.dll --> _auhccup1.lld
c:\windows\hcextoutput.dll --> _hcextoutput.lld
c:\windows\system32\zport4as.dll --> _zport4as.lld
c:\windows\system32\d3d9caps.dat --> _d3d9caps.tad
======== DELETE ========
c:\windows\downloaded program files\asinst.dll
c:\windows\downloaded program files\housecall_activex.dll
c:\windows\downloaded program files\naveng32.dll
c:\windows\downloaded program files\navex32a.dll
c:\windows\downloaded program files\xscan53.ocx
C:\CTJINI.INI
All files with .TMP extension --> Various types of temporary files, should always be safe to delete as long as no programs are running.
If any of the temp files are in use, it will not be deleted but skipped instead.
All files starting with ~ (tilde) --> If no documents are open, files starting with a ~ sign should not exist, so these ghost files should be deleted.
=====] Process Analysis - Currently running Service based Processes:
To disable any of these services that you do NOT need: START > RUN > services.msc > OK
Then locate the service in question, double-click on it to open its properties window and change the Startup to 'disabled'.
WebClient --> Another service that is normally not used or needed; furthermore, it is a security risk if not needed.
inetinfo.exe --> IIS Admin Server Helper, is it used or needed?
mdm.exe --> Machine Debug Manager needed?
sqlservr.exe --> SQL Server running, is it needed?
alg.exe --> Used for connection sharing and/or Windows Firewall, if another Firewall program is used, this should be disabled!
MpfAgent.exe & MpfTray.exe --> It appears that you have McAfee Internet Security Suite, which also bundles the Firewall utility. You will have to pick which one to use.
To get rid of McAfee: START > RUN > appwiz.cpl > OK and uninstall McAfee Internet Security Suite.
If you decide to use McAfee or another 3rd party firewall / Internet Security utility, then you will need to disable Windows Firewall.
*** For a typical home user, the following services are not needed therefore could be disabled:
- Alerter (Performance gain)
- Error Reporting Service (Performance gain)
- Indexing Service (Performance gain)
- Messenger (Security)
- Netmeeting Remote Desktop Sharing (Security)
- Portable Media Serial Number Service (Performance gain)
- Remote Registry (Security)
- Routing and Remote Access (Security)
- Smart Card
- Smart Card Helper
- Telnet
- Universal Plug and Play Device Host
- Upload Manager
- WebClient
*** Additionally:
IF a 3rd Party Firewall, Internet Security program is installed, disable:
- Application Layer Gateway Service (Performance gain)
- Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) (Performance gain)
IF a connection (to or from this PC) for Remote Desktop Support not needed, disable:
- Remote Desktop Help Session Manager (Performance gain)
- Routing and Remote Access (Performance gain)
IF this PC is NOT part of a domain (Home Networks is not a domain), disable:
- Net Logon (Performance gain)
IF this is a single PC not part of a domain or even Home Network, disable:
- Computer Browser (Performance gain)
- Server (Performance gain)
IF there is no UPS (Uninterruptible Power Supply) unit connected through a Serial cable to provide monitoring, disable:
- Uninterruptible Power Supply (Performance gain)
IF There is NO Printer, disable:
- Print Spooler (Performance gain)
IF There is NO Scanner or a digital camera (connected directly to the PC), disable:
- Windows Image Acquisition (WIA) (Performance gain)
IF There is no Wireless Router, or the Wireless service is not used, disable:
- Wireless Zero Configuration (Performance gain)
Important: If this is NOT your own PC or you are not sure whether any of the 'IF' conditions mentioned above is applicable to you, disregard and skip it.
I hope this info helps you and others who might be interested. If you have any questions, let us know.
~TL
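For readers who want to see what the RENAME / DELETE behaviour TL describes looks like in code, here is an added example (written for this page, not TL's attached script): a reversible "rename to quarantine" pass that prefixes an underscore, reverses the extension (mapping .exe to .eee since it reverses to itself), records a manifest so every rename can be undone, and skips files that are in use. It assumes Python 3 and runs only on a constructed scratch directory, never on the real C:\WINDOWS.

```python
# Added example, not TL's attached script: a reversible "rename to quarantine" pass
# of the kind the post describes; assumes Python 3 and a scratch directory, not C:\WINDOWS.
import json
import os
import tempfile

# Unknowns get a leading underscore and a reversed extension (.dll -> .lld,
# .dat -> .tad); ".exe" reverses to itself, so it maps to ".eee" as in the post.
PALINDROME_MAP = {"exe": "eee"}

def quarantine_name(filename):
    """apprun.exe -> _apprun.eee, asfv2.dll -> _asfv2.lld, README -> _README."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return "_" + filename
    return "_" + stem + "." + PALINDROME_MAP.get(ext.lower(), ext[::-1])

def quarantine(root, unknown, delete_exts=(".tmp",), delete_prefixes=("~",)):
    """Rename unknown files, delete temp/ghost files, skip anything in use; returns
    (manifest, deleted, skipped) and writes manifest {quarantined: original} to disk."""
    manifest, deleted, skipped = {}, [], []
    for name in unknown:
        qname = quarantine_name(name)
        try:
            os.rename(os.path.join(root, name), os.path.join(root, qname))
            manifest[qname] = name  # recorded so the rename can be undone later
        except OSError:  # on Windows a file that is in use cannot be renamed
            skipped.append(name)
    for name in os.listdir(root):
        if name.lower().endswith(delete_exts) or name.startswith(delete_prefixes):
            try:
                os.remove(os.path.join(root, name))
                deleted.append(name)
            except OSError:  # in use: skip it rather than abort the whole run
                skipped.append(name)
    with open(os.path.join(root, "_quarantine.json"), "w") as fh:
        json.dump(manifest, fh)
    return manifest, deleted, skipped

def restore(root):
    """Undo a quarantine pass using the manifest quarantine() wrote."""
    with open(os.path.join(root, "_quarantine.json")) as fh:
        manifest = json.load(fh)
    for qname, original in manifest.items():
        os.rename(os.path.join(root, qname), os.path.join(root, original))
    return sorted(manifest.values())

def demo():
    """Exercise the pass on constructed empty files named after ones in the log."""
    root = tempfile.mkdtemp()
    for name in ("apprun.exe", "asfv2.dll", "d3d9caps.dat", "001299_.tmp", "~WRL1.tmp", "keep.txt"):
        open(os.path.join(root, name), "w").close()
    return root, quarantine(root, ["apprun.exe", "asfv2.dll", "d3d9caps.dat"])
```

Keeping the manifest beside the renamed files is what makes the "rename instead of delete" approach recoverable once a file turns out to be legitimate.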