Avast WEBforum
Other => Viruses and worms => Topic started by: bug_master on April 08, 2007, 02:46:07 PM
-
Hi I am using Avast home 4.7 and some days ago I had a problem with a virus.
After fixing the problem I ran a check with Kaspersky Online Scanner and it found this - C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
I ignored it because it says it is not a virus but today when I ran a new check I got this - C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 .
Why is it multiplying, what should I do ???
-
If a virus is replicant (coming and coming again), you should disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again.
It won't hurt if you run an avast boot time scanning too.
Welcome to avast forums 8)
-
You don't say what detected it in the C:\System Volume Information folder, but I assume not avast as it didn't detect anything in the C:\Program Files\mIRC\mirc.exe, assuming that this is one and the same file.
There is a possibility that it was a false positive detection by Kaspersky.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive. I don't believe you will be able to test the one in the restore point as that will be protected (or should) by windows.
Once you have done that post the results here.
I assume you have this mIRC program ?
I don't think it is multiplying, if something is deleted (and I know you say you ignored it) from the system folders and system restore is enabled it will create a restore point to allow for restoration. This is done by the system restore function and not malware creating a fake restore point in a windows protected area.
-
I detected it with Kaspersky online scanner.
Sunday, April 08, 2007 4:15:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/04/2007
Kaspersky Anti-Virus database records: 292519
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Statistics
Total number of scanned objects 56026
Number of viruses found 1
Number of infected objects 2 / 0
Number of suspicious objects 0
Duration of the scan process 00:24:55
C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP385\A0502340.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\_restore{0C465918-B52E-4BCA-8911-EBDFCE22B207}\RP390\A0502749.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
Is it a virus or not ???
Btw I uninstalled Mirc two hours ago.
-
Is it a virus or not ???
The only way to tell is by confirmation (using a multi-engined scan) and that is going to be almost impossible since you have uninstalled it before you even posted here.
Unless you reinstalled it or uploaded the installation file to virustotal, etc. to be scanned I doubt we will ever know.
However, the not-a-virus: prefix in the malware name (not-a-virus:Client-IRC.Win32.mIRC.62) could indicate that it is a tool which could be used for alternative purposes and Kaspersky is saying it is riskware, if you installed it then the purpose is less of a risk.
A google search for not-a-virus:Client-IRC.Win32.mIRC.62 returns many hits
-
The results of virus total on the installation file:
AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.06.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.07.2007 no virus found
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 Not analyzed yet
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
Kaspersky 4.0.2.24 04.08.2007 not-a-virus:Client-IRC.Win32.mIRC.62
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 no virus found
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found
Btw yesterday Kaspersky Online Scanner found this - C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\45UVSPEZ\mc2[1].js Infected: Trojan.JS.Agent.b .
Today it does not find it anymore ;D
I'm beginning to doubt the reliability of Kaspersky :)
-
Today it does not find it anymore ;D
I'm beginning to doubt the reliability of Kaspersky :)
On the contrary, they could have corrected a false positive.
They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.
-
On the contrary, they could have corrected a false positive.
They worked correctly and fast. It tells in favor of Kaspersky, not in contrary.
Yeah, I couldn't rest all night thinking I have a virus that is not detected by Avast and suddenly the next day it "magically" disappears ;D
I used Kaspersky once but when I uninstalled it I found 3 trojans with Avast :o
So Avast rules as always 8)
Btw after disabling system restore I get no more detections from Kaspersky about Client-IRC.Win32.mIRC.62 :D
Thanx a lot guys :)
-
However, the not-a-virus: prefix in the malware name (not-a-virus:Client-IRC.Win32.mIRC.62) could indicate that it is a tool which could be used for alternative purposes and Kaspersky is saying it is riskware, if you installed it then the purpose is less of a risk.
That's exactly it.
mIRC can be installed and used by trojans to open a backdoor so if you hadn't installed it yourself it would need further investigation.
-
I used Kaspersky once but when I uninstalled it I found 3 trojans with Avast :o
So Avast rules as always 8)
I doubt that detection rates of Kaspersky are lower than avast... maybe I can't get biased on this point: avast does not have the best detection rates in the antivirus market.
-
I installed mIRC myself.
But I was planning to uninstall it anyway until I got these weird results from Kaspersky :-\
Btw could the files of Avast get infected themselves?
-
Btw could the files of Avast get infected themselves?
Themselves... well, avast files could be infected as any other, but, of course, avast does not infect its own files by itself...
-
Themselves... well, avast files could be infected as any other, but, of course, avast does not infect its own files by itself...
I don't mean to infect itself, I suffered heavily some days ago by a trojan infestation so I found that the file ashavast was infected and a bak folder appeared in the avast directory ???
I just wondered if the antivirus can become a virus itself?
-
No problem glad we could help, welcome to the forums.
Disabling system restore and rebooting clears ALL restore points infected or otherwise, so nothing to detect. Re-enabling system restore will create a current restore point.
Re avast getting infected, yes that is possible, avast has an integrity check which should, I would hope, detect the changes and hopefully the infection, and it may well be possible using the repair function to recover from that. avast 5 is I believe going to include a self protection capability.
-
I don't mean to infect itself, I suffered heavily some days ago by a trojan infestation so I found that the file ashavast was infected and a bak folder appeared in the avast directory ???
That could be an indication of an AWF infection.
Download FindAWF, save it and run it.
Then post the log it creates. (http://noahdfear.geekstogo.com/FindAWF.exe)
-
I have had a computer for 9 months now so I'm a bit uneducated about PC stuff ;)
So thanks for all the help :D
Btw avast sometimes after scan tells me that some files are damaged and cannot be scanned.
Can they be infected?
That could be an indication of an AWF infection.
Download FindAWF, save it and run it.
Then post the log it creates.
I reinstalled avast since then, so do I still have to check it?
-
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\DAEMON~1\BAK
09.11.2005 г. 01:00 128 920 daemon.exe
1 File(s) 128 920 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
04.08.2004 г. 03:56 15 360 ctfmon.exe
1 File(s) 15 360 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
16.02.2005 г. 17:15 81 920 issch.exe
16.06.2004 г. 07:03 221 184 isuspm.exe
2 File(s) 303 104 bytes
Directory of D:\CLONECD\BAK
28.09.2006 г. 22:21 57 344 CloneCDTray.exe
1 File(s) 57 344 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
128920 Nov 9 2005 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
157592 Sep 14 2006 "D:\DAEMON Tools\daemon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
81920 Feb 16 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
57344 Sep 28 2006 "D:\CloneCD\bak\CloneCDTray.exe"
end of report
-
Btw avast sometimes after scan tells me that some files are damaged and cannot be scanned.
Can they be infected?
Generally not. These files that can't be scanned could have some packing trouble (or are packed in a different way), or are being used, or are password protected by their program themselves, etc.
I reinstalled avast since then, so do I still have to check it?
What do you mean with 'check it'?
-
I suggest you send all bak folders and files to avast Chest during avast scanning...
-
I suggest you send all bak folders and files to avast Chest during avast scanning...
Why ???
I think they are clean.
-
I don't think I see any indication of a current infection in your FindAWF log but just to play it safe upload these two files to Virus Total for analysis and post the results
D:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
-
I suggest you send all bak folders and files to avast Chest during avast scanning...
Tech - If there was AWF the bak folders would have the uninfected copies :)
-
I don't think I see any indication of a current infection in your FindAWF log but just to play it safe upload these two files to Virus Total for analysis and post the results
D:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
What about the other files ???
-
Why ??? I think they are clean.
To know if a file is a false positive, please submit it to JOTTI (http://virusscan.jotti.org/) or VirusTotal (http://www.virustotal.com/xhtml/index_en.html) (like mauserme said) and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.
This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
I said to send the files to Chest because they all seem suspect to me (for the path and name):
C:\PROGRA~1\DAEMON~1\BAK folder
C:\WINDOWS\SYSTEM32\BAK folder
Even a file called ctfmon.exe in this folder is suspect...
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK folder
This file *could* be clean and legit: "C:\WINDOWS\system32\ctfmon.exe"
-
Well, there are only 7 files. Go ahead and scan them all and post results for any that show infection.
-
All clean :D
When I was infected I restored some of the files that had bak folders, because I read in this forum that the files in the bak are the clean ones.
So I restored some of the files in the baks.
-
One more scan if you don't mind:
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
-
ashavast was infected and a bak folder appeared in the avast directory
Just out of curiosity, do you know for sure ashavast was infected or did you presume it was? What made the detection?
-
I detected it with Kaspersky Online Scanner, and also found a copy of it in the bak folder.
Btw I got these results after scanning ComboFix :-\
AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 no virus found
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 no virus found
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan-Dropper.Win32.Delf.FZ
Kaspersky 4.0.2.24 04.08.2007 no virus found
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 Win32.ModifiedUPX.gen!84 (suspicious)
-
ComboFix is safe to run as long as you downloaded it from one of the links I posted. It will just scan and produce a log which you can post here.
-
Yeah, if you say so but still why do some antivirus programs say it is infected ???
-
Well, you have 27 scanners saying it's not infected.
2 scanners say they detect suspicious capability - it's the same idea as the "risk ware" discussed earlier. This tool will report a lot of information about your computer.
And 1 scanner, Kaspersky, calls it delf. I won't call Kaspersky bad but you've already expressed your opinion of it. I'll just say all scanners are capable of false positives.
But if you're not comfortable with it and you don't see suspicious activity any longer then don't worry about it. I'm not trying to force you into anything.
EDIT: Not Kaspersky but Ikarus. Still, a false positive none the less.
-
Well I'm still a bit freaked out from the last infestation so I'll probably skip the check with ComboFix for now, I don't see any suspicious activity for now (except that my folders in my documents keep changing from tiles to icons, but that's probably Bill Gates' fault ;))
Btw I got this from FindAWF which I already used :o :
AhnLab-V3 2007.4.7.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.08.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.08.2007 no virus found
AVG 7.5.0.447 04.08.2007 no virus found
BitDefender 7.2 04.08.2007 no virus found
CAT-QuickHeal 9.00 04.06.2007 TrojanDropper.QuickBatch.e
ClamAV devel-20070312 04.08.2007 no virus found
DrWeb 4.33 04.08.2007 no virus found
eSafe 7.0.15.0 04.08.2007 no virus found
eTrust-Vet 30.7.3549 04.06.2007 no virus found
Ewido 4.0 04.08.2007 no virus found
FileAdvisor 1 04.08.2007 no virus found
Fortinet 2.85.0.0 04.08.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.08.2007 no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan.BAT.Small.f
Kaspersky 4.0.2.24 04.08.2007 no virus found
McAfee 5003 04.06.2007 no virus found
Microsoft 1.2405 04.08.2007 no virus found
NOD32v2 2173 04.07.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.08.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.07.2007 no virus found
VirusBuster 4.3.7:9 04.07.2007 no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found
I'm not being paranoid, as I said I'm not very into computer knowledge so I just can't open a file that is said to have virus, I'll have nightmares ;)
-
I understand bug_master. It's good to be cautious.
But please, no nightmares - I promise you FindAWF did nothing to infect your computer :)
-
But please, no nightmares - I promise you FindAWF did nothing to infect your computer :)
No worries 8)
What should the suspicious activities be if I'm infected?
-
It could be any number of symptoms but generally unusual system slow downs, your firewall alerting to programs you don't recognize trying to establish an internet connection, additional malware suddenly appearing ...
-
And how do the log files help ???
-
There are several different tools you might be asked to use if you're fighting an infection. The most common is probably HijackThis. It produces a log enumerating the running processes and also atypical registry entries that can show where the malware loads, how a browser hijack was effected, etc. A tool called Deckard's System Scanner does this same thing (installing and running HijackThis for you) but also shows files recently created and some other useful system information.
FindAWF, as you can see in your log, shows files that have matching backups and their locations. This can be used to find infections that create backups as part of the infection process (it actually does sound like you had an agent.awf infection, or similar, that you cleaned by yourself).
ComboFix looks for other types of malware that have rootkit ability and some of the more difficult adware. If you look at this thread
http://forum.avast.com/index.php?topic=27121.msg222054#msg222054
you'll see a HijackThis log and a Combofix log that Matty attached in relation to an agent.awf infection (you need to be logged in to see the attachments). There is also a FindAWF log somewhere in that thread too. Keep in mind that the fixes in that thread are specific to Matty's computer and should not be taken as a general fix.
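The kind of check described above (listing bak folders and the live files that match them), as an added example that is not part of the original post and is not FindAWF's own code: it walks a directory tree, finds folders named bak, and compares each backup with the same-named file one level up by size and SHA-256. The folder layout and file contents in `build_demo_tree` are constructed, and `tool.exe` is a hypothetical name.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BakFinding:
    backup: str   # file inside a "bak" folder
    live: str     # same-named file one level up ("" if there is none)
    status: str   # "identical", "differs" or "no-live-file"


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large executables are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_bak_folders(root):
    """Return one BakFinding per file found in any folder named 'bak'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Windows file names are case-insensitive, so match on lower case.
        live_by_name = {name.lower(): name for name in filenames}
        for sub in dirnames:
            if sub.lower() != "bak":
                continue
            bak_dir = os.path.join(dirpath, sub)
            for name in os.listdir(bak_dir):
                backup = os.path.join(bak_dir, name)
                if not os.path.isfile(backup):
                    continue
                live_name = live_by_name.get(name.lower())
                if live_name is None:
                    findings.append(BakFinding(backup, "", "no-live-file"))
                    continue
                live = os.path.join(dirpath, live_name)
                same = (os.path.getsize(backup) == os.path.getsize(live)
                        and sha256_of(backup) == sha256_of(live))
                findings.append(
                    BakFinding(backup, live, "identical" if same else "differs"))
    return sorted(findings, key=lambda f: f.backup.lower())


def files_to_review(findings):
    """Live files that no longer match their backup: scan these first."""
    return [f.live for f in findings if f.status == "differs"]


def build_demo_tree(root):
    """Constructed sample tree; contents are placeholders, not real binaries."""
    layout = {
        "system32/ctfmon.exe": b"original-bytes",
        "system32/bak/ctfmon.exe": b"original-bytes",   # matches the live copy
        "DAEMON Tools/bak/daemon.exe": b"old-version",   # no live copy beside it
        "app/tool.exe": b"original-bytes+appended",      # hypothetical name
        "app/bak/tool.exe": b"original-bytes",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Scan the constructed tree and return (relative backup path, status)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return [(os.path.relpath(f.backup, root).replace(os.sep, "/"), f.status)
                for f in scan_bak_folders(root)]


if __name__ == "__main__":
    for backup, status in demo():
        print(f"{status:13} {backup}")
```

A `differs` result only says the live file changed after the backup was made; a legitimate program update gives the same result, so those files still go to a multi-engine scanner as discussed in the thread.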
-
Ok thanx very much for the info :D
Tomorrow I'll run a check with HijackThis and post it :)
-
No problem.
-
From where to download it?
-
Download link and instructions:
Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
-
Is Hijack This enough or do I need ComboFix too :-\
-
Both logs would give us a very good look at your system.
-
Logfile of HijackThis v1.99.1
Scan saved at 16:58:50, on 09.4.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AGEIA PhysX System Tray Icon.lnk = C:\Program Files\AGEIA Technologies\TrayIcon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D39A1FC5-87CB-48A2-AA99-6CD9E88C23F8}: NameServer =
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Abiosrvhm - - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
So am I ok ;D
-
Your Java Runtime is out of date and is exploitable. Update this to Version 5 Update 11 or higher
http://www.java.com/en/download/manual.jsp
Then make sure you go into Add/Remove Programs and uninstall any older versions (the update process does not do this).
Other than that I don't see anything terrible in the quick look I gave your log. I'm at work right now so I'll look a little deeper later on. Did you have any advertising pop-up problems in the past?
EDIT: A third party firewall would help you avoid infection. You should consider installing one.
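Part of reading a log like the one posted above can be mechanised. The following added example (not HijackThis code and not from the original posts) parses a few lines copied from that log, groups entries by section code, lists the O4 autoruns, and flags a Java runtime older than the 1.5.0_11 advised in the reply as well as entries the log itself marks `(no file)` or `(file missing)`.

```python
import re
from collections import defaultdict

# A few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
D:\DAEMON Tools\daemon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O23 - Service: Abiosrvhm - - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O23 - ..."
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
JRE_RE = re.compile(r"jre1\.5\.0_(\d+)", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
MIN_JRE_UPDATE = 11  # the reply's advice: Version 5 Update 11 or higher


def parse_hjt(text):
    """Split a log into the running-process list and entries keyed by code."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # first coded entry ends the list
            entries[match.group(1)].append(match.group(2))
        elif in_processes:
            processes.append(line)
    return processes, dict(entries)


def autoruns(entries):
    """Registry Run-key autostarts from the O4 section: (key, name, command)."""
    found = []
    for item in entries.get("O4", []):
        match = RUN_RE.match(item)
        if match:
            found.append((match["where"], match["name"], match["cmd"]))
    return found


def triage(entries):
    """Return (code, reason, entry) for lines worth a closer manual look."""
    notes = []
    for code in sorted(entries, key=lambda c: (c[0], int(c[1:]))):
        for item in entries[code]:
            if MISSING_RE.search(item):
                notes.append((code, "file-not-found", item))
            jre = JRE_RE.search(item)
            if jre and int(jre.group(1)) < MIN_JRE_UPDATE:
                notes.append((code, "outdated-jre", item))
    return notes


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(len(procs), "running processes")
    for where, name, cmd in autoruns(entries):
        print("autorun", where, name, cmd)
    for code, reason, item in triage(entries):
        print(code, reason, item)
```

A flagged line is a prompt to check by hand, not a verdict; as the instructions earlier in the thread say, most of what HijackThis lists is harmless or even required.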
-
Did you have any advertising pop-up problems in the past?
I have problems with a cookie Tagasaur (or something like that) but I fix it with Spybot.
Can you tell me a good free firewall to use?
-
Can you tell me a good free firewall to use?
Comodo 8)
Personal Firewall Tests & Results. Firewall rating:
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings
Freeware firewalls:
http://www.firewallleaktester.com/tests_overview.php
http://www.thefreecountry.com/security/firewalls.shtml
http://forum.avast.com/index.php?topic=22742.0;topicseen
-
Can you tell me a good free firewall to use?
Comodo 8)
I second that 8)
-
Thanx a lot ;D
I was thinking of getting ZoneAlarm but I know a lot of people who suffered from it :(
So then I decided to let my Windows Firewall do the job but I think he's not doing it right ;)
Do I have to switch off Windows Firewall when I install Comodo?
Is Comodo easy to handle?
-
Hi bug_master,
ZA was the thing to have around 2004, the older versions are still great, but I also experienced some hiccups with the latest version on my XP SP2, just too restricted to surf. So what the others advise you is from their experience with this program, and you can trust these boys here on the forum. Those that hang in longer here have grown to be experienced users and powerusers, some even grown into geeks. Before installing any FW read the manuals first, so you know what it is all about.
polonus
-
All I see in your log (other than mentioned above) is possible remnants of something like CoolWebSearch or LOP Adware. But it seems to have already been cleaned so unless you're having problems I would leave it alone.
When you install Comodo it will probably turn off the Windows Firewall for you but it can't hurt to double check since you don't want both active at the same time. To tell you the truth, I hate complicated firewalls. I want it to be secure but I don't want to devote my life to fine tuning it. Comodo strikes a nice balance for me.
Ok, now that you've had a chance to ask lots of questions and maybe come to trust us a little more, can I ask you if there's a particular problem we need to address? Maybe you just want to confirm that your system is free of the virus you mentioned in your first post, and that's OK. But if there's something special we need to look at this would be a good time to post the details :)
-
Well as I said I had a serious infestation some days ago, and then I realised I am not aware what to do in such situations :-\
So I needed some help to understand if I'm 100% Ok and secured.
Most of my friends just preinstall Windows when they have a virus but I personally think that is a wrong approach.
So thank you a lot for all the help and I hope I don't have another infection soon :D
-
Most of my friends just preinstall Windows when they have a virus but I personally think that is a wrong approach.
I agree.
So we still have ComboFix we can look at - if you want ...
-
Well as I said I had a serious infestation some days ago, and then I realised I am not aware what to do in such situations :-\
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.
1. back-up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.
2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.
I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.
So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.
Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feedback, etc. Good luck.
-
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.
Following David's advice, I recommend:
1. Partition cloning (backup) with Acronis, Paragon, etc.
2. Use on-line backup as Mozy. Click on my signature for details.
-
Sorry for the delay but here it is:
"user" - 07-04-14 11:39:27 Service Pack 2
ComboFix 07-04-05 - Running from: "D:\software"
((((((((((((((((((((((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))))))))))))))))))))))))
2007-04-10 11:53 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Comodo
2007-04-10 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-04-10 11:50 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-04-10 11:50 <DIR> d-------- C:\Program Files\Comodo
2007-04-07 13:58 94,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-07 13:58 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-07 13:58 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-07 13:58 689,280 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-07 13:58 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-07 13:58 31,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-07 13:58 23,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-07 13:33 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-04-07 12:39 <DIR> d-------- C:\kav
2007-04-06 20:47 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Command & Conquer 3 Tiberium Wars
2007-04-06 14:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-05 21:54 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-04-02 21:32 <DIR> d-------- C:\Program Files\Autodesk
2007-04-02 12:05 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\e frontier
2007-03-31 17:22 2,208 --a------ C:\WINDOWS\system32\drivers\nxsIO32.sys
2007-03-30 16:57 93,824 -ra------ C:\WINDOWS\system32\drivers\aeaudio.sys
2007-03-30 16:57 765,952 -ra------ C:\WINDOWS\system\crlds3d.dll
2007-03-30 16:57 53,248 --------- C:\WINDOWS\system32\wdmioctl.dll
2007-03-30 16:57 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2007-03-30 16:57 45,056 --------- C:\WINDOWS\system32\CleanUp.exe
2007-03-30 16:57 392,960 -ra------ C:\WINDOWS\system32\drivers\senfilt.sys
2007-03-30 16:57 229,888 -ra------ C:\WINDOWS\system32\drivers\ADIHdAud.sys
2007-03-30 16:57 1,285,632 --------- C:\WINDOWS\system32\SMMedia.dll
2007-03-30 15:23 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-30 14:53 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-03-26 19:48 <DIR> d-------- C:\Program Files\TrayIconsOK
2007-03-25 15:21 <DIR> d-------- C:\WINDOWS\system32\bak
2007-03-20 21:16 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-03-20 21:16 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-03-20 21:16 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-03-20 21:16 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-03-20 21:16 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-03-20 21:16 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-03-16 06:55 40,960 --a------ C:\WINDOWS\system32\frapsvid.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-14 11:15 -------- d-------- C:\Program Files\dc++
2007-04-12 22:10 -------- d-------- C:\DOCUME~1\user\APPLIC~1\skype
2007-04-07 21:36 -------- d--h----- C:\Program Files\installshield installation information
2007-04-07 12:40 -------- d-------- C:\Program Files\kaspersky lab
2007-04-06 20:31 -------- d-------- C:\Program Files\electronic arts
2007-04-06 14:44 -------- d-------- C:\Program Files\lavasoft
2007-04-06 14:44 -------- d-------- C:\DOCUME~1\user\APPLIC~1\lavasoft
2007-03-31 17:25 49 --a------ C:\DOCUME~1\user\APPLIC~1\com.codenautics.zombies.txt
2007-03-30 16:57 -------- d-------- C:\Program Files\analog devices
2007-03-26 20:00 -------- d-------- C:\Program Files\daemon tools
2007-03-11 19:38 -------- d-------- C:\Program Files\alwil software
2007-03-06 16:15 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-03-06 14:52 3750400 --a------ C:\DOCUME~1\user\APPLIC~1\engine.bin
2007-02-24 19:28 -------- d-------- C:\DOCUME~1\user\APPLIC~1\my battle for middle-earth(tm) ii files
2007-02-17 13:25 -------- d-------- C:\Program Files\skype
2007-02-17 13:25 -------- d-------- C:\Program Files\Common Files\skype
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"DAEMON Tools"="\"D:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-14 11:40:48
C:\ComboFix-quarantined-files.txt ... 07-04-14 11:40
Btw, I have a folder named QooBox on disk C after using ComboFix; should I delete it?
-
Your log looks fine.
And yes, the qoobox folder can be deleted. That's where ComboFix would have quarantined files if it was needed.
-
I also have a file boot.ini.comodofirewall; should it be there?
Btw, after using ComboFix I tried to use my desktop shortcut to wikipedia.org but I got this: Windows cannot find 'http://wikipedia.org/'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search.
Should I be worried :-\
-
I also have a file boot.ini.comodofirewall; should it be there?
It's a clean file from Comodo. If you delete it, you won't harm your system, but if you keep it, no trouble either. It has a backup of your boot configurations.
-
It's a clean file from Comodo. If you delete it, you won't harm your system, but if you keep it, no trouble either. It has a backup of your boot configurations.
Thanx :)
What should I do with my other problem ???
-
Btw after using ComboFix I tried to use my desktop shortcut to wikipedia.org but I got this: Windows cannot find 'http://wikipedia.org/'.
Try a shortcut to http://en.wikipedia.org/wiki/Main_Page
-
Doesn't help :-\
-
If you click the link you posted does it go to the web page?
http://wikipedia.org/
-
If you click the link you posted does it go to the web page?
http://wikipedia.org/
Yes, I have the problem only with shortcuts ???
I also saw something strange lately.
When I click on My Documents it always opens as icons; even when I make them tiles, after a time they switch back again ???
-
When I click on My Documents it always opens as icons; even when I make them tiles, after a time they switch back again ???
Close your Windows Explorer with the left mouse button AND the key 'CTRL' being pressed...
-
Yes, I have the problem only with shortcuts ???
Seems like it's more likely related to the firewall than to ComboFix. I mean, even if ComboFix was capable of changing this type of link it didn't actually change anything on your computer (other than making an empty qoobox folder).
What is your default browser (this may differ from the one you most commonly use)? Is it allowed an internet connection in Comodo?
-
I used Opera for a couple of days but I returned to Internet Explorer; after that, when I clicked on any internet shortcut it asked me with which program to open the web page.
After I used ComboFix it stopped asking me and only showed the error ???
Today I found that IE is not my default browser and after making it I think the problem is gone.
But when I click on the shortcut the page doesn't open in a new window but uses the page I have already opened, how can I fix that ???
-
Open Internet Explorer
Click Tools > Internet Options... > Advanced tab
Remove the checkmark next to Reuse Windows for Launching Shortcuts
Click Apply > OK
EDIT: While you're in the Internet Explorer tools click on the Privacy Tab > Advanced button. Put a check mark next to Override Automatic Cookie Handling and click in the radio button to Block Third Party Cookies. Then OK your way out. This may help with the Tagasaur cookie you mentioned earlier (if it doesn't then it's coming from a site you're actually visiting).
Also, since I posted the link to update Java, Version 6 Update 1 has been added. You should revisit that site and update again. Don't forget to uninstall the old version.
-
Thanks again :D
Close your Windows Explorer with the left mouse button AND the key 'CTRL' being pressed...
Doesn't help :-\
-
Close your Windows Explorer with the left mouse button AND the key 'CTRL' being pressed...
Doesn't help :-\
Are you using CCleaner or any other cleaner tool that removes windows (of windows explorer) settings?
Did you try Windows Explorer > Tools > Options > Folder options to keep the changes?
-
I have never used such programs.
I tried everything in folder options ???
-
I tried everything in folder options ???
But did you try correctly, what you should, to save the folder options (view and sort) to all folders? The buttons are in the superior part of the window.
-
But did you try correctly, what you should, to save the folder options (view and sort) to all folders? The buttons are in the superior part of the window.
Tried it :'(
Btw I don't have any cookie problems since mauserme told me what to do (thanks man :D) but I was using only Spybot until some days ago when I installed Ad-aware SE Personal and when I ran a check with Ad-aware it showed me that I have about 52 cookies tag 3.
Can I fix them all or should I be careful?
-
It's OK to delete cookies since they are recreated whenever you visit a web site. I usually clear all my cookies + temporary internet files at the end of every browsing session.
-
How do you delete the temporary internet files manually or with some tool?
-
I like a program called CleanUp
http://www.stevengould.org/software/cleanup/
Others use CCleaner
http://www.ccleaner.com/
If you use CCleaner uncheck the Yahoo Tool Bar option during installation.
With both, leave the option to clean Prefetch files unchecked as deleting these can slow down your computer.
-
Well firefox has this built in, I don't think you can do something similar in IE6 but you have a manual option.
-
Internet Explorer can be set to delete temporary internet files on exit, but not cookies.
-
Internet Explorer can be set to delete temporary internet files on exit, but not cookies.
How exactly ???
-
The same window as before, but a different line
Open Internet Explorer
Click Tools > Internet Options... > Advanced tab
Place a check mark next to Empty Temporary Internet Files folder when browser is closed
Click Apply > OK
-
Does this empty the Temp folder in the Windows folder ???
-
Does this empty the Temp folder in the Windows folder ???
I think not, only the Internet temporary files.
You could use 3rd party tools for that: CCleaner, BeClean, IE Privacy Keeper, ClearProgr, ATF-Cleaner, etc.
-
No, but CleanUp and CCleaner will do that.
EDIT: Or those mentioned by Tech just seconds before :)
-
There's something weird going on with my PC ???
I installed drivers for a printer I bought and ever since, whatever program I install, when I restart the PC the icons of these programs (all installed after the drivers) take much more time to refresh than the other icons ???
Also the comp is somehow slower :-\
What can I do ???
-
There's something weird going on with my PC ???
We must know if your computer is clean?
I suggest a full boot time scanning with avast and/or on-line scanning (for instance, Kaspersky (http://www.kaspersky.com/virusscannerl) scanning).
-
No virus found ???
-
No virus found ???
Any info under Control Panel > Administrative Tools > Events
Errors or any info related to the computer weird behavior?
-
Well I don't see anything interesting :-\
What should I be looking for exactly ???
Btw, I remembered that this behaviour started after I uninstalled Medieval 2 Total War; after the uninstall I deleted the remaining files in the game's directory, and when I did that there was a warning that deleting these files may cause problems in some programs :-\
-
What should I be looking for exactly ???
There's something weird going on with my PC ???
Well... if something is weird and we don't know what, we must search for errors, alerts, problems...
-
I found only this - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
And this -
Windows saved user registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
I also have a lot of Application Hang ???
Btw I downloaded an exe file and run some test with virus total:
[ scan result ]
AhnLab-V3 2007.4.21.0/20070420 found nothing
AntiVir 7.3.1.53/20070420 found nothing
Authentium 4.93.8/20070420 found [Not scanned (encrypted)]
Avast 4.7.981.0/20070421 found nothing
AVG 7.5.0.464/20070421 found nothing
BitDefender 7.2/20070421 found nothing
CAT-QuickHeal 9.00/20070421 found nothing
ClamAV devel-20070416/20070421 found nothing
DrWeb 4.33/20070421 found nothing
eSafe 7.0.15.0/20070419 found [Suspicious Archive Structure]
eTrust-Vet 30.7.3585/20070421 found nothing
Ewido 4.0/20070421 found nothing
F-Prot 4.3.2.48/20070420 found nothing
F-Secure 6.70.13030.0/20070421 found nothing
FileAdvisor 1/20070421 found nothing
Fortinet 2.85.0.0/20070421 found nothing
Ikarus T3.1.1.5/20070421 found nothing
Kaspersky 4.0.2.24/20070421 found nothing
McAfee 5014/20070420 found nothing
Microsoft 1.2405/20070421 found [password protected]
NOD32v2 2209/20070421 found [error - password-protected file]
Panda 9.0.0.4/20070421 found nothing
Prevx1 V2/20070421 found nothing
Sophos 4.16.0/20070420 found nothing
Sunbelt 2.2.907.0/20070419 found nothing
Symantec 10/20070421 found nothing
TheHacker 6.1.6.095/20070415 found nothing
VBA32 3.11.4/20070421 found nothing
VirusBuster 4.3.7:9/20070421 found nothing
Webwasher-Gateway 6.0.1/20070421 found nothing
Should I open it ???
I had to send it by the e-mail because the online scanning always stopped at NOD which is strange :-\
-
There's something weird going on with my PC ???
I installed drivers for a printer I bought and ever since, whatever program I install, when I restart the PC the icons of these programs (all installed after the drivers) take much more time to refresh than the other icons ???
Also the comp is somehow slower :-\
What can I do ???
If the driver came from a trustworthy source (like the installation disk that came with the printer), then it's not malware but some sort of conflict. You could try uninstalling the printer software to see if it alleviates the problem.
-
I found only this - The npkcrypt service failed to start due to the following error: The system cannot find the path specified.
Did you use this application in the past?
If you uninstalled and you want to get rid of this 'error', you should be able to edit your Windows Registry. Do you know/want to do so?
-
I don't even know for which application the error is ???
I have this error for a long time :-\
-
You should be able to edit your Windows Registry. Do you know/want to do so?
And what about this?
-
I don't know how :-[
-
I don't know how :-[
Please run C:\WINDOWS\regedit.exe
Edit > Search > npkcrypt
Do NOT delete or change anything, just write down ALL keys where it appears (see the status bar of regedit).
-
Next ???
-
Just write down ALL keys where it appears (see the status bar of regedit).
Oh... post the keys names here...
-
Name: 002
Type: REG_SZ
Data: npkcrypt
-
Where you found it is also helpful, e.g. the Key name, see example images.
The bottom (status bar) of the registry also shows this but the copy key name is easier.
-
Name: 002
Type: REG_SZ
Data: npkcrypt
Well, I was expecting something like the full path...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ ... \ ... \npkcrypt.exe
But I need it completely to guide you... if you're not sure it's better do not touch the Registry...
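The search asked for in the posts above can also be done read-only against a regedit export (File > Export), which gives the full key path for every match instead of only Name/Type/Data. This is an added example, not part of any forum post; the sample export, its key names and the function names are constructed for illustration.

```python
import re

# Constructed sample of a regedit export; every key and value here is made up
# for illustration and is not taken from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\LoadOrder]
"001"="examplesvc"
"002"="npkcrypt"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="\\??\\C:\\Example\\examplesvc.sys"
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleNpkcrypt]
@="constructed default value"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unescape(s):
    # Undo .reg string escaping (doubled backslash, backslash-quote).
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, None, None) per key header, then (key, name, data) per value."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex continuation lines
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            name = "(Default)" if name == "@" else unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])  # REG_SZ; other types stay raw
            yield key, name, data

def find_term(text, term):
    """Return hits where term occurs in a key name, value name or value data."""
    term = term.lower()
    hits = []
    for key, name, data in parse_reg(text):
        if name is None:
            if term in key.lower():
                hits.append((key, None, None))
        elif term in name.lower() or term in data.lower():
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-16").read()
    for key, name, data in find_term(SAMPLE_EXPORT, "npkcrypt"):
        print(key if name is None else f'{key}  "{name}" = {data}')
```

Nothing is written to the registry; the script only reads the exported text, so it fits the "do NOT delete or change anything" instruction.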