Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Extensive use of Facebook and viewing other sites slows computer to st


  • Please log in to reply

#31
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Non-Plug and Play Drivers - catchme

I didn't do anything with the Unknown device which still has a big yellow question mark.

Edited by goodseed, 19 January 2013 - 07:40 PM.

  • 0

Advertisements


#32
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Emsisoft Online Armor Free Firewall
wants to know if McciTrayApp.exe autorun and SISAGPX.sys autorun is allowed


Farbar Service Scanner Version: 16-01-2013
Ran by Owner (administrator) on 19-01-2013 at 20:10:18
Running from "C:\Documents and Settings\Owner\My Documents\Downloads"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(5) OAmon(9) PSched(7) Tcpip(3)
0x0700000004000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****
  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
catchme is left over from Combofix. You can right click on it and Uninstall.

Both of the files Online Armor is complaining about are legitimate files so I suppose it's OK for them to go to the Internet.

Is the Unknown still the ROOT\LEGACY_SASKUTL\0000 ??

See if Revo can uninstall SupearAntiSpyware. Or you can download SuperAntiSpyware again and see if that fixes it.
  • 0

#34
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
catchme uninstalled

Both of the files Online Armor allowed

"Is the Unknown still the ROOT\LEGACY_SASKUTL\0000 ??" yes

downloaded SuperAntiSpyware
  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Did that fix the unknown?
  • 0

#36
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Yes it did fix the unknown!! Now it has !
  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
What is the !
  • 0

#38
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I must have erased it. !SASKUTIL
  • 0

#39
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Uninstall SuperAntiSpyware or better yet let the free Revo uninstaller do it. See if that gets rid of it.
  • 0

#40
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Yes is is gone now but the unknown device is back with the same number.
  • 0

Advertisements


#41
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Copy the next two lines:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SASKUTL > \junk.txt
notepad \junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Notepad should open. If it has any text, copy and paste it into a reply.
  • 0

#42
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
I don't have command prompt in accessories
  • 0

#43
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
Start, Run, regedit, OK

or search for regedit and then run it.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SASKUTL

Click on the + in front of HKEY_LOCAL_MACHINE which will open up and show you

SYSTEM. Click on its +. Keep going until you get to
CurrentControlSet
Enum
Root
LEGACY_SASKUTL <= if you find this one, right click on it and Delete.


Now look at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SASKUTL

If you find it then right click on SASKUTL and Delete.
  • 0

#44
goodseed

goodseed

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
That fixed it. All is gone.
  • 0

#45
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,799 posts
  • MVP
If there are no other problems then I think we can clean up.


We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Special note on Java. Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 9 or better. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE. Get the latest version from Java.com. They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download. Just uncheck the garbage before the download (or install) starts. If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it. IF that is the case then you should install No-Script (Firefox) or Script-No add-ons (Chrome) and only use Firefox or Chrome to visit the site. You will need to tell No-Script/Script-No that the site is allowed to run Java.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not upgdate it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: Adhttp://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.



Make sure you have Windows update working and preferably on Automatic download and install. There was a September 21 update to Internet Explorer which is very important as it fixes a big security hole. KB2744842. See: http://www.microsoft...201209_oob.aspx
Ron
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP