Disabling right, left and centre [CLOSED]


  • This topic is locked This topic is locked

#1
Nostradamus (New Member, 6 posts)
Hi everybody, :tazz:

I have been experiencing some problems with the following persistent "deep scan" errors picked up by my Ad-Aware Personal SE:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Cache\Paths\path1 [and also paths 2,3 and 4]

Documents and Settings\Djamal\LocalSettings\TemporaryInternetFiles\Content.IE5\Cache1 [and also 2,3 and 4 - Djamal is the name I gave my computer]


and these two "security risks":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify!...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\FirewallDisableNotify!=d...

(and possibly: Generic Host Process for Win32Services 5.1 - file name svchost.exe)

As a result I panicked and disabled the following entries:

C:\WINDOWS\SYSTEM32\REGSVC.DLL
C:\WINDOWS\SYSTEM32\MPRDIM.DLL
C:\WINDOWS\SYSTEM32\HIDSERV.DLL
C:\WINDOWS\SYSTEM32\CLIPSRV.EXE


My first two questions are:
-How can I cure the above errors and security risks?
-Was I justified in disabling the above four entries, or should I quickly enable them again (in manual or automatic mode)?

My other query is: are all the following SYSTEM32 entries safe:
RASAUTODLL
SECLOGON.DLL
W3SSL.DLL
TLNTSVR.EXE
WLTRYSVC.EXE
ALG.EXE
BROWSER.DLL
DLLHOST.EXE

and also:
C:\PROGRA~1\MCAFEE.COM\VSO\MCVSRJE.EXE
C:\Documents and SEttings\Djamal\LocalSettings\TemporaryInternetFiles\Content.IE5\7D20CNC1\wpsetup95a[1].exe

Please help. I have spent numerous sleepless nights and I am not functioning properly any more. I am a bit lost... I would be immensely grateful.

[One last question: I have reset my internet privacy and security settings, but I keep getting a prompt about allowing ActiveX script and plug-ins, do I always say no?]

Thanks,

Nostradamus ;)
  • 0

#2
Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Please visit this page and scroll down to Step 5. Follow the instructions there to download a tool called Hijackthis and post a log here as a reply to this post.

http://www.geekstogo..._Log-t2852.html


In answer to your questions, none of those files appear to be related to malware. Once I get a look at your hijackthis log I'll have a better feel for what is running on your computer and then we can determine the best course of action for you.
  • 0

#3
Nostradamus (Topic Starter, New Member, 6 posts)
Hi Sam,

Thank you for offering to help me. You will find below the log as saved from HijackThis. Please help me clean up my PC. It is very slow logging on and also logging out. Furthermore, my McAfee Virus Scan, Firewall and Privacy Service no longer come on automatically, I have to enable them manually every time.


Thanks a lot in advance.

Nostradamus :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 23:51:55, on 03/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\DOCUME~1\Djamal\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15014/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#4
Buckeye_Sam (Malware Expert, 10,019 posts)
You are currently using hijackthis from a temp directory. This can cause problems. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.



There's no malware showing up in your log so we're going to take a closer look using some other tools.

Please run this online virus scan.
Make sure it is set to clean automatically

Panda Virus Scan

There may be files that this scan will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scan.
  • 0

#5
Nostradamus (Topic Starter, New Member, 6 posts)
Hi Sam,

Sorry for getting back to you so late. I was having problems with my PC...

I have run the Panda Virus Scan and the only adware it found (but could not remove) was something called SaveNow with aliases like WhenU, WhenUSsave, Adware-SaveNow. The threat level was ONE red dot, the damage TWO red dots and the distribution ONE red dot.

Here follows the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:15:47, on 06/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15014/CTPID.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks a lot
Nostradamus :tazz:
PS: I downloaded Panda Titanium Anti-Virus 2005 but cannot uninstall it - made several attempts through the ADD/Remove facility. Any idea why?
  • 0

#6
Buckeye_Sam (Malware Expert, 10,019 posts)
Hi Nostradamus,

There are a few things that concern me.

1. I don't see the O16 line in your hijackthis log that would have indicated that you ran the Panda online virus scan. Did you actually run it?

2. I don't see any signs of Panda Titanium Anti-Virus 2005 running on your computer. It doesn't appear to be installed. What problems exactly are you having with this?

3. I don't see any signs of malware in your log at all. That is why I asked for the Panda scan log, because it is a very thorough scan that will point out malware on your computer.


Let me know what problems you are currently having.
  • 0
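An added example, not code from this thread or from HijackThis: a small Python parser for log lines in the format posted above. It splits the findings by section code, lists the ActiveX controls recorded on O16 lines (the check Sam applies to see whether the Panda scan was run) and flags the entries a helper would look at first. The sample input is constructed from lines in the logs above.

```python
import re
from collections import Counter

# Constructed sample input: lines in the HijackThis v1.99 format taken from the
# logs posted in this thread, with header and process-list lines included so the
# parser has to skip them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every finding starts with a section code (R0, R1, F2, O4, O16, O23, ...) followed
# by " - " and the entry body; the header and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# O16 bodies record Downloaded Program Files (ActiveX controls): CLSID, name, source URL.
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)")


def parse_log(text):
    """Return the findings as (section, body) tuples, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def section_counts(entries):
    """How many entries each section produced, for a quick overview of a log."""
    return Counter(section for section, _ in entries)


def dpf_controls(entries):
    """Names of the ActiveX controls on O16 lines. An online scanner that installs
    a control (as Sam expects of the Panda scan) would show up here."""
    names = []
    for section, body in entries:
        if section == "O16":
            m = DPF_RE.match(body)
            if m:
                names.append(m.group("name"))
    return names


def review_items(entries):
    """Entries to look at first: references to files that no longer exist, and
    services whose publisher HijackThis could not identify. Neither proves malware;
    the thread's own log lists McAfee's McShield as 'Unknown owner'."""
    flagged = []
    for section, body in entries:
        if "(file missing)" in body:
            flagged.append(("orphaned reference", section, body))
        elif section == "O23" and " - Unknown owner - " in body:
            flagged.append(("unknown service owner", section, body))
    return flagged
```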

#7
Nostradamus (Topic Starter, New Member, 6 posts)
Hi Sam, ;)

Thank you for your reply. I can assure you that I ran the Panda OnLine Virus scan and it found one adware/spyware [SaveNow] which it did not remove. I also downloaded the Panda Titanium Anti-Virus 2005 and spent hours trying to uninstall it - I succeeded in the end but at the expense of my sleep.
I might have run HijackThis afterwards, and this would explain why the Panda software is not appearing in the log - I am not sure, but I am still experiencing these persistent problems:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\Cache\Paths\path1 [and also paths 2,3 and 4]

Documents and Settings\Djamal\LocalSettings\TemporaryInternetFiles\Content.IE5\Cache1 [and also 2,3 and 4 - Djamal is the name I gave my computer]


and these two "security risks":

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify!...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\FirewallDisableNotify!=d.


The two above might explain why my McAfee virus scan, firewall, spam killer and privacy service no longer come on automatically when I start my PC, but I have to enable them manually each time.

Please note also that I have deleted all the above entries from the registry SEVERAL TIMES but they keep coming back. I wonder if this has anything to do with someone using my Internet settings or Explorer to change the values or something.

Please have a closer look at my HijackThis log and see if there is anything which might suggest a "backdoor" intrusion.

Last but not least, it takes about 4 minutes from the moment I press RESTART to the moment I get a full screen again. A bit slow, don't you agree?


Regards,
Nostradamus :tazz:
  • 0

#8
Buckeye_Sam (Malware Expert, 10,019 posts)
There's nothing malicious about these registry entries. They are perfectly normal. What indication do you get that they signify a security risk?


Is your McAfee updated and the current version?


McAfee is what's slowing down your reboot. Each time you start your computer McAfee has to start up 12 processes. Depending on the power of your computer that can easily take several minutes.



Do you run regular maintenance on your computer? Scandisk, defrag, and registry clean? Take a look at Ace Utilities. There's a free trial that you may want to consider running.

http://www.acelogix.com/index.html
  • 0

#9
Nostradamus (Topic Starter, New Member, 6 posts)
Hi Sam,

Thanks again. Yes, I bought my McAfee Internet Security only three months ago and it is updated regularly.
Yes, I also regularly run Scandisk and the defragmentation and keep my registry clean... plus regular removal of Internet temporary files, cookies and history.

I run several anti-spyware tools [Spy & Bot, Ad-Aware Personal 2.0, SpySweeper, SpyDoctor, WinOptimizer and CCleaner plus McAfee].

You have not told me anything about the queries I had regarding the recurrent paths and the two AntiVirusDisableNotify and FirewallDisableNotify entries.
And also why I have to enable my McAfee anti-virus, spamkiller, firewall manually every time.

Thanks a lot. :tazz:

Nostradamus
  • 0

#10
Buckeye_Sam (Malware Expert, 10,019 posts)

You have not told me anything about the queries I had regarding the recurrent paths and the two AntiVirusDisableNotify and FirewallDisableNotify entries.

Yes, as I stated in my last post, those registry entries are a perfectly legitimate part of Windows. What indication do you get that they are security risks?


And also why I have to enable my McAfee anti-virus, spamkiller, firewall manually every time.

That's a McAfee issue. If you could not enable them manually then I would be more inclined to believe it was related to malware. I run McAfee on one of my computers and I notice the same thing from time to time.
  • 0

#11
Buckeye_Sam (Malware Expert, 10,019 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0