at a loss to find the virus -- SOLVED!!!

[theladyupstairs]

good morning mrreg.  thanks for your help.  i opened msconfig & scanned the list.  the only suspicious thing i could recognize was "ACDAEMON" a program file in common files, only because sometimes a program called DAEMON takes a long time to close when i shut down.  but then, within a few seconds, i got a notice "genuine host process for win32 services encountered a problem & has to shut down."  i shut it down immediately.  i'm not eager to go back, & anyway, i don't really know what might look strange.

david had asked me to give the addresses of some of the web pages that popped up unrequested.  last night i went on the atkins website - about diet - and this one popped up: hxxp://www.shopica.com/search.php?q=Diet&txn=3480-8A818E92.  (as requested i changed the t's into x's.)  i checked this website at nortons website checker & it came up "safe."

 so, another day has begun & i don't know what to expect, but i'll get back if anything does.  meanwhile, i'd love to hear your or david's ideas.

thank you!

[DavidR]

I don't know why this would be running in msconfig, startup items as these tools aren't in normal use and it may be they are being exploited.

Try this limited analysis tool and we can see if there are any unusual entries:
- Useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste or attach the log file, see ### below and image) into this topic, you may need to split it over two or more posts depending on how large it is.

###
- When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image.

[theladyupstairs]

good morning david!  thanks for sticking with me.  i just looked at the tutorial, but haven't started to download anything yet.  when i do, do you suggest i "do a system scan & save a log file?"  the warning scares me, but i trust you won't tell me to do anything beyond my (limited) capacity.  as i understand, hjt will only scan & not delete or do anything to files.  is that correct?  thanks.

[theladyupstairs]

p.s  i went to the link you gave - do you want me to download "latest version of 1.34 mb"  there are other links on the page so i'm not sure.  thanks.

[mrreg]

hijackthis has 2 versions, they say the easy one is the installed version. and yes, it will not delete anything, i think, only log them.


did u try ad aware pro yet, they have a free version, it's very good.

[DavidR]

Hijackthis doesn't actually do anything other than report on what it finds on your system and generates a report file.

This file needs analysed to decide on what action if any needs to be taken, then we can advise on what action to take, so don't act on your own accord about selecting entries and using the Fix selected option.

Filehippo retains links for historic versions (of all software) but you want the Download latest version link (button).

A little info on the acdaemon.exe:

acdaemon is associated with digital imaging and video software, for cameras, printers, scanners, mobile phones etc. it's usually located in the c:/program files/common files directory. if you find it under the windows, windows/system, or the windows/system32 directory it may be malware. run a virus/malware scan.

Does that ring any bells ?

[theladyupstairs]

i gave up adaware in favor of malaware bytes.  i also downloaded the one you suggested yesterday, which is still on my computer.  i'm not in favor of downloading more spyware programs.

i downloaded hijackthis.  i ran a scan & found a long list of stuff, which i did not check, or anything with.  then i asked for a log.  it told me it would go to notepad.  then nothing happened.  i tried again.  nothing happened.  then my computer got glitchy, some things froze.  i tried to open notepad, but it wouldn't open - nothing happened.  then my computer would not restart or shut down.  i had to force a shut down by pressing on the start button for a few seconds.  now i'm up & running again, but don't know what to do.

should i reopen hjt?  run the scan again?  once opened i need more specific instructions as to what to do.

[DavidR]

Yes run it again but just select run the scan no creation of a log file, after the scan there is a button to save the log.

What about the info on acdeamon, are you using any such digital/video imaging software for cameras/printers, etc. (Kodak) and what is the location of acdaemon.exe and daemon.exe ?

[theladyupstairs]

yes, i use a camera download program (cannon) to download pics from my camera.  i also use adobe photoshop.  i also have a printer, of course, connected wirelessly. 

furthermore, i just did the msconfig & looked at the list.  i found ACDaemon on c:\programfiles\commonfiles\arcsoft\connection\service\bin\acdaemon   and the location is: HKLM\software\microsoftwindows\currentversion\run

did i find the location for acdaemon.exe and daemon.exe?  if not, how can i find it.

i'm going to wait for your reply before i start running hjt, in case it acts up again. 

thank you.

[theladyupstairs]

searched for acdaemon.exe & found 2 files: acdaemon.exe in c:\windows\prefetch - 16 kb, pf file, as well as the arcsoft one mentioned in my last letter. 

search for daemon.exe turned up both above PLUS cidaemon in c:\windows\system32  - 8 KB application.

is that my villain?

not doing any hjt scan until i hear more from you.



acd

[DavidR]

Well your copy of acdaemon.exe appears legit and in the correct location (where it is in the hard disk, not the registry), arcsoft being the company that created this software. However, there really is no need for it to run on startup only when you might be going to transfer files from your camera, etc.

So you could run msconfig again and uncheck the box to the left of this startup entry (don't delete the entry completely) and click Apply, this won't take effect until your next boot. You could also open the Task Manager, right click on the Taskbar/Notification area, see image and select Task Manager; you can find the Programs/processes and end the acdaemon process before you shutdown that may well resolve the shutdown issue. If it does hopefully not starting it on every boot will also help, though I really don't know if this will help with any redirects.

So we need to know when it is set to run and if other software (possible malware) might be misusing it and for that hopefully HJT will be able to show that.

What is your OS ?
The daemon.exe being in the c:\windows\system32 area is strange (not in my system32 folder with XP Pro) the cidaemon.exe file is in that area.

Is there a daemon.exe process running in the task manager ?

[theladyupstairs]

i have xp pro. 

i did the thing with the taskbar & when i checked the box to stop the process i got such a scary warning that i aborted.  if it's not going to help my problem, i'd rather wait until another time to do that. 

also, i didn't understand:  was that an either/or?  either "run msconfig again and uncheck the box to the left of this startup entry" or do the task bar thing?

so, the location of daemon.exe in the windows\system32 is strange... but i don't understand what you said about the cidaemon.exe file in that area. 

not doing anything now until i hear from you.  i'm sweating bullets here.

thanks

[theladyupstairs]

did not do either of your previous suggestion - yet.

meanwhile, i did the hijack scan & saved the log.  seems it was already there from the first scan i did earlier, but i didn't know that.  anyway, here it is:

 i appreciate all your help.

awaiting your diagnosis....

[DavidR]

i have xp pro. 

i did the thing with the taskbar & when i checked the box to stop the process i got such a scary warning that i aborted.  if it's not going to help my problem, i'd rather wait until another time to do that. 

Stopping that process will have no lasting effect, it is just saying that ending it might have an affect on any other process using it and with this one I don't see that being an issue, even if you were transferring images from your camera.

also, i didn't understand:  was that an either/or?  either "run msconfig again and uncheck the box to the left of this startup entry" or do the task bar thing?

You are to uncheck the option to run it on startup in msconfig, startup tab. I was quite specific I didn't mention anything about HJT

so, the location of daemon.exe in the windows\system32 is strange... but i don't understand what you said about the cidaemon.exe file in that area. 

not doing anything now until i hear from you.  i'm sweating bullets here.

My reference to the cidaemon.exe in my system32 was more to reassure you that it is in a legit location.

There is no need to sweat bullets as you say, read any instruction (or copy and paste or print it out) and follow it as instructed, we won't (I certainly won't) be telling you to do anything dangerous any thing with any element of risk of getting it wrong would carry a warning as I mentioned earlier about using HJT.

I will have a look at the HJT log and get back to you.

[theladyupstairs]

thanks!  i believe i'm in good hands with you, david.

i'm going out for about an hour & will be back at my desk afterward, watching for your reaction to the hjt file. 

meanwhile, i downloaded a bunch of pictures from my canon & searched all over the canon utilities zoom browser to find a way to shut it off at start-up, but couldn't find any.  i guess it's not there.  that daemon thing must be something else. 

i must say, i'm learning a lot about computers with you.