Wilders Security Forums > Security Products > other anti-trojan software

#51 | July 11th, 2003, 02:04 PM | StAnger (Regular Poster, joined Jun 2003, 84 posts)
Re: Not sure what this is!

I apologize for interfering, but shouldn't that be e2give?
And I think it would be smarter to search for the CLSID.
__________________
Stop to warm at karmas burning
Or look ahead, but keep on turning
#52 | July 11th, 2003, 02:06 PM | martindijk (Frequent Poster, Gorredijk - the Netherlands, joined Jun 2003, 537 posts)

You are right, please search for both.

Been busy with this issue for the last couple of hours.

thanks,
Martin
__________________
Thanks,
Martin

My software never has bugs ~ It just develops random features
#53 | July 11th, 2003, 02:09 PM | tragic001 (Infrequent Poster, joined Jul 2003, 35 posts)

LOL, either way that came up zilch. I mean I did as you instructed, but nothing was shown after the search for e2safe and e2give. How do I search for the CLSID or whatever?

I do appreciate your help guys. I mean this is beyond the call of duty.

Thanks

#54 | July 11th, 2003, 02:11 PM | martindijk

And the CLSID?

#55 | July 11th, 2003, 02:12 PM | tragic001

See above. Where or what is CLSID?

I have to take my wife out to dinner now, please bear with me, and I shall take this up when I get back.

Many thanks guys

#56 | July 11th, 2003, 02:14 PM | martindijk

Please download this program.
It shows what programs will start up when you start or reboot your PC.

http://www.wilders.org/HTMLobj-1576/startuplist.zip

I would like to take a look at that.

rgds,
Martin

(this issue is a tough one, i hate it when i can't solve it)

#57 | July 11th, 2003, 02:16 PM | tragic001

As requested:

StartupList report, 11/07/2003, 20:14:16
StartupList version: 1.52
Started from : C:\Documents and Settings\Nick\Desktop\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\NSClean\BOClean\BOClean.EXE
C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nick\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
CTDVDDet = C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
BOCleanautostart = BOClean.exe
MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: imon.dll (file MISSING)
Protocol #2: imon.dll (file MISSING)
Protocol #3: imon.dll (file MISSING)
Protocol #4: imon.dll (file MISSING)
Protocol #5: imon.dll (file MISSING)
Protocol #6: imon.dll (file MISSING)
Protocol #7: imon.dll (file MISSING)
Protocol #8: imon.dll (file MISSING)
Protocol #9: imon.dll (file MISSING)
Protocol #10: imon.dll (file MISSING)
Protocol #11: imon.dll (file MISSING)
Protocol #12: imon.dll (file MISSING)
Protocol #13: imon.dll (file MISSING)
Protocol #14: imon.dll (file MISSING)
Protocol #15: imon.dll (file MISSING)
Protocol #16: imon.dll (file MISSING)
Protocol #17: imon.dll (file MISSING)
Protocol #35: imon.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,869 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
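
The report above is the kind of artefact the helpers in this thread read by hand: searching it for specific CLSIDs, spotting the Browser Helper Object listed with (no file), and noticing the Winsock LSP entries StartupList could not resolve. As an added example that is not part of the original post and not StartupList's own code, the Python script below parses the StartupList 1.52 text format and pulls out exactly those three things. The embedded report is a constructed excerpt modelled on the one posted above, and the CLSIDs searched for are the ones raised later in this thread. The script does not decide what is malware: a BHO reported as (no file) is an orphaned registration that cannot load, and an LSP whose DLL really is missing breaks networking, so check the path on disk before removing anything (imon.dll is the NOD32 IMON component, and nod32krn.exe is running in the same report).

```python
"""Parse a StartupList 1.52 report and flag what a responder checks first.
Added example for this thread, not StartupList's own code. The report text
below is a constructed excerpt modelled on the one posted in the thread."""
import re

SAMPLE_REPORT = """\
StartupList report, 11/07/2003, 20:14:16
==================================================

Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
(no name) - c:\\windows\\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: imon.dll (file MISSING)
Protocol #2: imon.dll (file MISSING)
Protocol #35: imon.dll (file MISSING)

--------------------------------------------------
End of report, 5,869 bytes
"""

SECTION_RE = re.compile(r"^Enumerating (?P<name>.+?):\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# StartupList prints BHOs as "<name> - <dll path or (no file)> - {CLSID}".
BHO_RE = re.compile(r"^(?P<name>.+?) - (?P<file>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*$")
# and LSPs as "Protocol #<n>: <dll>" with an optional " (file MISSING)" tag.
LSP_RE = re.compile(r"^Protocol #(?P<num>\d+): (?P<file>\S+)(?P<missing> \(file MISSING\))?\s*$")


def sections(report):
    """Yield (section name, non-blank lines) for each 'Enumerating ...:' block.
    A dashed rule closes the current section."""
    name, lines = None, []
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if name is not None:
                yield name, lines
            name, lines = m.group("name"), []
        elif line.startswith("-----"):
            if name is not None:
                yield name, lines
            name, lines = None, []
        elif name is not None and line.strip():
            lines.append(line.rstrip())
    if name is not None:
        yield name, lines


def section_lines(report, wanted):
    """Lines of one named section, or [] if the report has no such section."""
    for name, lines in sections(report):
        if name == wanted:
            return lines
    return []


def orphan_bhos(report):
    """CLSIDs of BHOs whose registered DLL StartupList could not find."""
    out = []
    for line in section_lines(report, "Browser Helper Objects"):
        m = BHO_RE.match(line)
        if m and m.group("file") == "(no file)":
            out.append(m.group("clsid").upper())
    return out


def missing_lsps(report):
    """(protocol number, file) for LSP entries whose DLL is reported missing."""
    out = []
    for line in section_lines(report, "Winsock LSP files"):
        m = LSP_RE.match(line)
        if m and m.group("missing"):
            out.append((int(m.group("num")), m.group("file")))
    return out


def find_clsids(report, wanted):
    """Which of the CLSIDs of interest appear anywhere in the report (case-insensitive)."""
    present = {c.upper() for c in CLSID_RE.findall(report)}
    return sorted(c.upper() for c in wanted if c.upper() in present)


if __name__ == "__main__":
    # The two CLSIDs the thread asked the poster to search for.
    targets = ["{E9041F85-3C18-4A7E-A29D-E24F84B79BF1}", "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"]
    print("orphaned BHOs:", orphan_bhos(SAMPLE_REPORT))
    print("LSP entries with missing file:", missing_lsps(SAMPLE_REPORT))
    print("CLSIDs of interest present:", find_clsids(SAMPLE_REPORT, targets))
```

Run it against a saved StartupList report by reading the file into a string and passing it in place of SAMPLE_REPORT; the search is case-insensitive because the report prints some CLSIDs in lower case (as the RoboForm entry above shows), which is also why a Find in regedit can miss them.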

#58 | July 11th, 2003, 02:18 PM | martindijk

Just enter: IeBHOs.dll
and the same for: 3643ABC2-21BF-46B9-B230-F247DB0C6FD6

rgds,
Martin

#59 | July 11th, 2003, 02:20 PM | StAnger

Quote: tragic001 wrote:
See above. Where or what is CLSID?
(end of quote)

CLSID is {E9041F85-3C18-4A7E-A29D-E24F84B79BF1}
You can search the same way you did for e2give.

#60 | July 11th, 2003, 02:28 PM | martindijk

Damn, can't seem to find any malware here, except:

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

Don't know what this file is; can you check the properties of this file to see where it belongs?

rgds,
Martin

#61 | July 11th, 2003, 02:34 PM | Pieter_Arntz (Spyware Veteran, Netherlands, joined Apr 2002, 12,719 posts)

ctfmon.exe:
CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services.

Source: http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.

#62 | July 11th, 2003, 02:40 PM | martindijk

Anybody else have a clue? Running out of options here, and out of forums concerning this issue.

rgds,
Martin

#63 | July 11th, 2003, 02:48 PM | martindijk

Did you find anything suspicious in his startup list, Pieter?

rgds,
Martin

#64 | July 11th, 2003, 02:54 PM | Pieter_Arntz

No Martin, I didn't.

Regards,

Pieter

#65 | July 11th, 2003, 03:36 PM | TonyKlein (Security Expert, The Netherlands, joined Feb 2002, 3,952 posts)

Quote: Martin vDijk wrote:
Hi Tragic,

A few tips for preventing this ( at least make it more difficult ):

It usually happens because of lax security settings.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1) Watch what you download!
Many freeware programs (P2P programs like Grokster, iMesh, Kazaa and others are amongst the most notorious) come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3) Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.

Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

And some more advice:

4) Install Javacool's SpywareBlaster

It will protect you from all spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.

The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer.

Don't forget to check for updates every week or so.

There's a small board at Wilderssecurity as well.

It won't protect you from every form of spyware known to man, but it is a very potent extra layer of protection.

Let's also not forget that SpyBot Search and Destroy has the Immunize feature which works roughly the same way.

It can't hurt to use both.

rgds,
Martin

(end of quote)

Now where did I read that before...

Aaah, I just remembered, here it is:

http://www.net-integration.net/cgi-b...ST;f=38;t=3051


__________________
Tony < > CLSID List - A Collection of Autostart Locations
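
The ActiveX advice in the post quoted above (SpywareBlaster, and Spybot's Immunize) works by setting the kill bit: bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which makes Internet Explorer refuse to instantiate that control regardless of its safe-for-scripting marking. The script below is an added example, not code from the thread or from either tool: it parses a .reg export of that key, reports which CLSIDs are already killed, and emits a .reg file that kills the rest without clobbering other flag bits already set. The export text is constructed; the two CLSIDs in it are the identifiers searched for earlier in this thread, and their flag values are made up for the example. A real `regedit /e` export is UTF-16, so decode it before passing it in. Setting the kill bit only blocks loading in IE; it does not remove the DLL or its COM registration.

```python
"""Kill-bit helper for the ActiveX advice quoted in this thread. Added
example, not code from the thread, SpywareBlaster or Spybot. Mechanism: IE
refuses to instantiate a control whose 'Compatibility Flags' DWORD under the
ActiveX Compatibility key has bit 0x400 set."""
import re

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")

# Constructed export (regedit writes UTF-16; decode before calling). The two
# CLSIDs are the ones searched for earlier in this thread; the flag values
# are invented for the example.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{E9041F85-3C18-4A7E-A29D-E24F84B79BF1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
"Compatibility Flags"=dword:00000001
"""


def parse_compat_flags(reg_text):
    """Map {CLSID: flags} from a .reg export of the ActiveX Compatibility key.
    Keys elsewhere in the export are ignored."""
    flags, current = {}, None
    prefix = COMPAT_KEY.upper() + "\\"
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            tail = key.rsplit("\\", 1)[-1].upper()
            current = tail if key.upper().startswith(prefix) and CLSID_RE.match(tail) else None
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            flags[current] = int(m.group("hex"), 16)
    return flags


def is_killed(flags, clsid):
    """True if the kill bit is set for this CLSID (no key at all means not killed)."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def killbit_reg(clsids, existing=None):
    """Build a .reg file that sets the kill bit on every CLSID not already
    killed, preserving any other bits already present in the value."""
    existing = existing or {}
    out = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid}")
        if is_killed(existing, clsid):
            continue
        merged = existing.get(clsid, 0) | KILL_BIT
        out.append(f"[{COMPAT_KEY}\\{clsid}]")
        out.append(f'"Compatibility Flags"=dword:{merged:08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    current = parse_compat_flags(SAMPLE_EXPORT)
    wanted = ["{E9041F85-3C18-4A7E-A29D-E24F84B79BF1}", "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"]
    for c in wanted:
        print(c, "killed" if is_killed(current, c) else "NOT killed")
    print(killbit_reg(wanted, current))
```

The emitted text can be imported with regedit or `reg import`; because it ORs the kill bit into whatever flags are already there, re-running it is safe, and a CLSID that is already killed is simply skipped.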

#66 | July 11th, 2003, 03:46 PM | martindijk

Correct, Tony.

rgds,
Martin

#67 | July 11th, 2003, 04:00 PM | TonyKlein

No prob, Martin.

#68 | July 11th, 2003, 04:38 PM | Pieter_Arntz

Hi tragic001,

Here's something that is worth a try:
DRDelete

Regards,

Pieter

#69 | July 11th, 2003, 05:53 PM | tragic001

Hi Guys,

I do appreciate the effort you have put in here, certainly Martin. Thanks buddy.
For all the CLSID searches etc., the result is negative.

TonyKlein, that's a name I have met often on my travels, but I can assure you that I am well covered in that respect. I mean, I run SpywareBlaster, Spybot, Ad-Aware, BOClean, TH and now TDS. Plus Norton firewall.

I can still call upon this file somewhere on my computer to download it again. That to me is not normal. It's beyond me as to why, and your efforts in this make me want to find out why before I use Ghost. I mean, there has to be a reason.

Anyone got a link for the DrDelete program? I cannot find it.

Again guys thanks.

#70 | July 11th, 2003, 09:09 PM | puff-m-d (Massive Poster, North Carolina, USA, joined Feb 2002, 3,650 posts)

Hi tragic001,

Here is the direct download link:

http://www.dslreports.com/r0/downloa...c/DrDelete.zip

Regards,
Kent
__________________
Best regards,
Kent

AX64 Time Machine - Travel in Time
Current Version 1.1.0.996

#71 | July 12th, 2003, 03:49 AM | tragic001

Well, I do believe that DrDelete did the job. DrDelete said the file was deleted without a reboot. So I went back to Windows Explorer and tried to download the ugo.exe as before, but this time I just get the following page showing. No download dialogue box as before. I do believe the pest has gone. Can you guys confirm that for me?

In any event, what can I say, you all have been outstanding in helping me. For that I sincerely thank you all. Will run TH to see if it shows again.

http://www.imagestation.com/picture/...c/fbb20bea.jpg

Again sorry for the attachment, Paul, but it's impossible to upload from here.

#72 | July 12th, 2003, 03:55 AM | tragic001

It's gone, TH comes up clean now... once again, many many thanks guys. Really top notch.

#73 | July 12th, 2003, 04:10 AM | martindijk

Hi Tragic,

Glad to hear this poltergeist has left the building.

rgds,
Martin

#74 | July 12th, 2003, 04:54 AM | Paul Wilders (Administrator, The Netherlands, joined Jul 2001, 12,461 posts)

Nice common effort, all. It's a pleasure to see community members helping one another out, and being successful!

Love it when all works out.

regards.

paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100