
Thread: Hjt log


  1. #1
    Join Date
    Sep 2006
    Posts
    27

    Hjt log

    Hi

    My PC has recently and what feels like from day-to-day become rather slow, so I ran through the procedure in the "README before..." post.

    My log from that:
    ---------------
    (During Items 2 and 6, McAfee found a couple of infections – for the first time recently..!!??)

    Item 4:

    Removed:
    - CCleaner
    - Forté Agent
    - QBees 2 free trial

    NOT removed:
    - ConnectionServices (Change/Remove navigates to a website http://notetol.com/uninstall.php with only an "Uninstall" button on the page – nothing else. Looks nasty!! Button NOT pressed.)
    - LinkOptimizer (same as ConnectionServices)

    Item 6,7,8:
    Found nothing!!!
    ---------------

    After completion, the "nasty" programs in "Add/Remove Programs" are still there. I have still done nothing about them...

    Performance is still somewhat the same - Task Manager (Processes) says 70-95% System Idle Process CPU usage. The rest is taken primarily by services.exe, explorer.exe, Generix.exe, taskmgr.exe(!!)... looks OK, I guess...

    I attach a hjt log.

    Hope some of you guys can help me out - my daughter is screaming my head off because I have denied her access to the PC.. :-)

    Thanks in advance
    /Jornsen
    Attached Files

  2. #2
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by jornsen View Post
    NOT removed:
    - ConnectionServices (Change/Remove navigates to a website http://notetol.com/uninstall.php with only an "Uninstall" button on the page – nothing else. Looks nasty!! Button NOT pressed.)
    - LinkOptimizer (same as ConnectionServices)
    You were right not to click that "Uninstall" button - it IS nasty!

    -- I do not see much in your HJT Log. I do not know what this is:
    O2 - BHO: Class - {B9AE75D1-F00C-69A5-C748-26D2448F8738} - C:\WINDOWS\fseku1.dll (file missing)

    You can FIX that with HijackThis.


    These look like they allow remote access to your computer - But I imagine you installed them?

    O23 - Service: MReg Service (MReg) - Ementor Danmark A/S - C:\WINDOWS\system32\MReg.exe
    O23 - Service: M·RemoteUser (MRemoteUser) - Ementor Danmark A/S - C:\WINDOWS\system32\MRemoteUser.exe
    O23 - Service: M·SoftwareScan (MSoftwareScan) - Ementor Danmark A/S - C:\WINDOWS\system32\MSoftwareScan.exe

    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe (file missing)


    Did the Kaspersky Online scan find Nothing at all? It should catch that LinkOptimizer
    The same for the AVG Anti-spy....
    They both came up completely clean?




    There are a few more scans I'd like to see....

    FIRST:
    Download WinPFind2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
    -- Open the WinPFind2 folder and DoubleClick winpfind2.exe to start the program.
    -- Keep the Standard Settings.
    -- In the AddOn Options section (Far Right of GUI) Check the Boxes for the following:

    --> Policies.def
    --> SID_Run_Policies.def


    THEN:
    Click the Run All Scans button.
    When the tool has finished running, select the Simple Report button in the lower right. Notepad should open with a log.
    Please submit that Log for me.


    THEN:
    Let's get a StartupList.
    Run HijackThis and open the Misc Tools section.
    -- Check the boxes to List minor sections & List empty sections
    -- Click Generate StartupList & Yes
    -- Please submit that log for me


    And, we'll go from there.

    Best
    PP


    EDIT PP:

    It might also be a good idea to run the following:
    http://www.prevx.com/gromozon.asp

    Let me know how that shakes out.....

    PP
    Last edited by PhilliePhan; 01-30-2007 at 05:33 PM. Reason: Added Prevx


  4. #4
    Join Date
    Sep 2006
    Posts
    27
    Hi PP

    In order of execution:

    WinPFind2:
    Log attached

    http://www.prevx.com/gromozon.asp:
    Luckily, I chose “continue anyway” when it promptly said “xxx-gromozon-xxx not found” – see attached log.

    Startuplist:
    Attached

    After this, I ran a fresh hjt log. The gromozon tool actually claims to have removed the "C:\WINDOWS\fseku1.dll (file missing)" issue, but it was still there in the fresh log (not attached), so I removed it using hjt - that was my debut using that button - scary!
    Fresh Hjt log (after removal) attached.

    The "Ementor Danmark A/S": Yes, I guess they are here for a reason - remote access. I don't need them anymore and they should be deleted, but I'll do that controlled later...

    hope everything is there..

    Rgds
    /Jornsen
    Attached Files
    Last edited by jornsen; 01-30-2007 at 06:36 PM. Reason: Wrong gromozon log file attached...

  5. #5
    Join Date
    Sep 2006
    Posts
    27
    ----> Notice Update <-----
    Wrong gromozon log file attached by mistake... :-(
    Fixed now

  6. #6
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by jornsen View Post
    After this, I ran a fresh hjt log. The gromozon tool actually claims to have removed the "C:\WINDOWS\fseku1.dll (file missing)" issue, but it was still there in the fresh log (not attached), so I removed it using hjt - that was my debut using that button - scary!
    Shouldn't be scary - if you are running HJT properly (and you are), then there will be backups stored when you make changes. No worries. (You can manage them via the Misc Tools section of HJT - though it tries to delete files related to O2 entries.)

    Navigate to C:\WINDOWS\fseku1.dll and make sure it is gone. I have a feeling it is part of Gromozon, but I was not able to download the components of the baddie. (Be sure to enable the viewing of hidden files as per my Read Me post.)
    Let me know if it remains - I doubt it'll be there, but better safe than sorry!

    Give me some time to go over those logs - I'm a bit tied up at the moment.

    Also, (and I keep doing this for some reason) I asked for a startuplist. While no harm done there, I really meant to ask for an Uninstall List
    Since I am active in so many Forums, I copy and paste a lot! Just copied the wrong thing....

    Anyhoo, please open Hijackthis.
    Click the Open the Misc Tools section Button.
    Click the Open Uninstall Manager Button.
    Click the Save list... Button.
    Save it to your desktop and submit that for me.


    I will peruse the logs and check back as soon as I can-- probably Wednesday (EST)

    Judy may weigh in before then.

    Best
    PP
    Last edited by PhilliePhan; 01-30-2007 at 06:59 PM.

  7. #7
    Join Date
    Sep 2006
    Posts
    27
    Hi PP

    The fseku1.dll isn't there - and I'm 99.9 % sure it wasn't before removal either. I checked before anything else.... Thought it was strange, but heck... a lot of all this is beyond my understanding... :-)
    Both tools say "file missing" anyway...

    Startup/Uninstall:
    No harm done - uninstall list attached... :-)

    I'm a little "tied up" also, so Wednesday is fine... it's around 1:30 here in the not-so-cold-anymore Northern Europe, and I have to get my kids to school at 8 tomorrow... So, I'm off...

    "Judy" - that's jholland, right? I'm a big fan of her!!! :-)
    What does "weigh in" mean? Give her opinion?

    Goodnight!
    /Jornsen
    Attached Files

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hi jornsen, "Not so cold Northern Europe"...lucky you! Here in the absolutely unbearably cold midwestern US we are freeeeezzzzing...right now temp is 14 F or -10C....windchill is below zero no matter how you say it!
    I am at somewhat a disadvantage here as some of the programs you have running I am unfamiliar with, though research says they are ok.
    I don't see much in your HJT log except this one which I could find absolutely nothing about;
    O4 - HKLM\..\Run: [After] c:\MNet\after.vbs
    Do you know what this is?
    Do you know; stibo.com ?

    You show some items running at Start up which can easily be run manually but other than that I don't see much there except some clean ups.
    In the uninstall list I don't see much either. Few programs I had to look for but they seem on the "up and up" also.
    A few "file missing" entries in your HJT log can be cleaned with another run of the scan but wait for PP to check back after he looks at the logs too.
    Judy

  9. #9
    Join Date
    Sep 2006
    Posts
    27
    Hi Judy and PP

    Here, we miss the cold weather very much - heat and/or rain records every month since October - we are getting nervous. Even our - QUITE conservative - government are looking more and more in the direction of people like Al Gore...

    I don't know what c:\MNet\after.vbs is, but MNet is a system for centralized PC maintenance installed by my former employer's IT department, so I guess it is OK. I don't use it any more, so I can remove that also, if I can find an entry point.. :-)
    stibo.com is my former employer.
    (The PC was installed by my former employer's IT department.)

    I'll wait for PP before I do anything...

    Best regards
    /John

  10. #10
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056


    I see that you are using an IBM Thinkpad laptop, from the fingerprint scanner utility, I am guessing it is a T4x series or newer, right?
    My employer uses the same model so I am familiar with it quite a bit.

    I just wanted to comment on the following startup entries that could be disabled from the startup group:

    O4 - HKLM\..\Run: [After] c:\MNet\after.vbs
    << You already mentioned you were not using this.
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ~ And the following too if you really do not need them (see notes):
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    <<< If you are not connecting/disconnecting peripheral to the laptop all the time.

    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
    <<< Your call, not critical.

    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    <<< for MS Office Language related functionality but this also could be a disguised Trojan.

    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    <<< Your call, not critical.

    O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
    <<< Disable this if you are not using the fingerprint scanner on the laptop, which 99% of people do not.

    O4 - HKLM\..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe -servicehelper
    <<< Your call, not critical.

    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    <<< If you are not using the touchpad. For those who are using the finger-stick or an external mouse it makes sense to disable this.

    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    <<< If you are not using the touchpad. For those who are using the finger-stick or an external mouse it makes sense to disable this.

    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    <<< Your call, not critical.

    O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    <<< Your call, not critical.

    You could easily disable/enable these entries using StartupControlPanel, so reverting changes (even if deleted instead of being disabled first) would be easy.

    Anyhow, this is all I wanted to say, please wait for PP's follow-up.

    ~TL
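The triage PP and TL do by eye above (an O2 BHO with a generic name and "(file missing)", O23 services with no vendor or pointing at remote-access tools, O4 Run entries that launch scripts or rundll32) can be automated for a first pass. The following is an added example written for this page, not a tool from the thread or from HijackThis itself: it parses O2/O4/O23 lines in the HijackThis log format and applies a small set of heuristics. The sample log is constructed from the lines quoted in posts #2 and #10; the heuristic rules are the editor's own assumptions about what deserves a second look, not HijackThis's logic, and a hit means "go and check", not "malware".

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: HijackThis lines copied from the posts in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Class - {B9AE75D1-F00C-69A5-C748-26D2448F8738} - C:\WINDOWS\fseku1.dll (file missing)
O4 - HKLM\..\Run: [After] c:\MNet\after.vbs
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinVNC] C:\Program Files\ORL\VNC\WinVNC.exe -servicehelper
O23 - Service: MReg Service (MReg) - Ementor Danmark A/S - C:\WINDOWS\system32\MReg.exe
O23 - Service: M·RemoteUser (MRemoteUser) - Ementor Danmark A/S - C:\WINDOWS\system32\MRemoteUser.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe (file missing)
"""


@dataclass
class HjtEntry:
    kind: str           # "O2", "O4" or "O23"
    name: str           # BHO name, Run value name, or service short name
    target: str         # DLL path, command line, or service binary
    file_missing: bool  # HijackThis could not find the file on disk
    extra: str          # CLSID (O2), registry hive (O4), or owner (O23)
    raw: str


# One regex per HijackThis section; "(file missing)" is HJT's own suffix.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")


def parse_hjt(log_text: str) -> List[HjtEntry]:
    """Parse O2, O4 and O23 lines; other HJT sections are ignored here."""
    entries: List[HjtEntry] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            entries.append(HjtEntry("O2", m["name"], m["path"], bool(m["missing"]), m["clsid"], line))
        elif m := O4_RE.match(line):
            entries.append(HjtEntry("O4", m["name"], m["cmd"], False, m["hive"], line))
        elif m := O23_RE.match(line):
            entries.append(HjtEntry("O23", m["short"], m["path"], bool(m["missing"]), m["owner"], line))
    return entries


# Assumed heuristics (editor's own, not HijackThis rules): script files and
# DLL loaders in a Run key, and autostarting remote-access software, are
# the entries a reviewer should confirm were installed on purpose.
SCRIPT_OR_LOADER = re.compile(r"\.(vbs|js|bat|cmd|hta)\b|\brundll32(\.exe)?\b|\bregsvr32\b", re.I)
REMOTE_ACCESS = re.compile(r"vnc|remote", re.I)


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, List[str]]]:
    """Return (kind, name, reasons) for every entry that deserves a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("orphaned entry (file missing): safe to fix, nothing left to run")
        if e.kind == "O2" and e.name.strip() in ("", "Class"):
            reasons.append("BHO with a generic or blank name: look up the CLSID before trusting it")
        if e.kind == "O4" and SCRIPT_OR_LOADER.search(e.target):
            reasons.append("autorun launches a script or loader DLL rather than a plain program")
        if e.kind == "O23" and e.extra.lower() == "unknown owner":
            reasons.append("service carries no vendor information")
        if not e.file_missing and REMOTE_ACCESS.search(e.name + " " + e.target):
            reasons.append("remote-access software autostarts: confirm you installed it")
        if reasons:
            findings.append((e.kind, e.name, reasons))
    return findings


def flagged_names(log_text: str) -> List[str]:
    """Convenience wrapper: names of flagged entries, in log order."""
    return [name for _, name, _ in triage(parse_hjt(log_text))]


if __name__ == "__main__":
    for kind, name, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind} [{name}]")
        for r in reasons:
            print(f"    - {r}")
```

On the sample above this flags the fseku1.dll BHO, after.vbs, the rundll32 Bluetooth entry, both WinVNC entries and MRemoteUser, and leaves McAfee, ctfmon and MReg alone, which is the same short list the two replies arrived at by hand. The rules are deliberately loud on anything remote-access related: as PP notes, such entries are often legitimate (a former employer's management tools here), so the script's job is to surface them for a human, not to delete them.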
