need help as something installed on system

Discussion in 'malware problems & news' started by casey6342, Aug 28, 2008.

Thread Status:
Not open for further replies.
  1. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi!

    PC always starts up well goes right to desktop.

    When I turned on pc this morning, the desktop didn't come up first; what I got was what looked like a line of dos in a black screen, and it left the screen very quickly but I saw the word install in the line; was all I could see as left screen quickly.

    It then went to the splash screen said don't shut off computer installing 1 of 3.

    Don't recall anymore than that of the text.

    Then pc started and went to desktop.

    I then ran full scan of norton internet security..which found no problems.

    I searched programs and the updates in control panel looking for what installed; none shown.

    I don't know how to view all files modified on vista, which I used to be able to do no problem on xp, but in vista, can't figure out even though show exactly what I want in advanced search it never shows all the files modified and I do have show all hidden files.

    Then went to search again and without any input from me it started listing some files in c; perhaps all, but didn't seem like it. I believe it was c; though not sure.

    But where the sys gave me the files which are in c or what I think was c;, I did see one dated today, and alone on start up, should be pages of modified files; but again couldn't get it to search those, but the one I was able to see was:

    ntuser.dat.LOG1.lnk and says is shortcut which appears to be a windows microsoft file.

    I can not read that log.

    I did a restart after trying to locate what installed, which I can not locate, and the system did not start up as normal and is now slow in getting to desktop. Just slower but not real bad; stays on black screen rather than as normal, right to desktop from dell splash screen.

    So, I need help to find out what installed on my system. I didn't download anything.

    I have vista sp1, norton internet security.

    Thanks for any help.
    Casey
     
  2. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Try running a full scan with:

    SUPERAnti Spyware
    MalwareBytes Anti-Malware
    Dr.Web Cure IT
    AVP Tool

    See if anything comes up.
     
  3. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi!

    Thank you! So far have run two scans from software list you gave me below and am doing next ones after finish posting.

    Both those came up clean.

    Can you tell me how I can view all modified files in Vista as that way I might be able to see what installed and downloaded?

    In advanced I put it all correctly, but it doesn't bring them up.

    In Advanced search (on vista), I am putting *.* for names of files and not sure if that is why not giving me what I am asking for which is any modified today.

    Also wondering if you might know how I can find out what Norton may have allowed to download, most likely yesterday, as the install came up when turned on system today?

    Norton is the firewall.

    If I can find out what the download was, or what was installed, that might resolve the problem and searching would really help.

    Meanwhile, I'll finish up the scanning with the next 2 software you've shown below.

    I also ran hijack this but no clue on the results.

    I haven't downloaded anything, and before logging off last night I checked norton to see if updates and were none. Norton never installs anything as occurred today. Norton just updates itself after I ck for updates..so is not a norton thing which occurred.

    Thank you so much!
     
  4. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Not a Vista user, so not at all sure, but could it be a MS update? Look in "add/remove programs" (or whatever the Vista equivalent is) and see if any updates were installed at around that time. (Tick the box "show updates" if it's there.)
    "Installing 1 of 3" sounds a bit microsofty...
     
  5. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi there!

    I did check that first thing after it occurred as it sure does look like microsoft install, but it wasn't.

    There are no updates there since the last one, and as well, I get prompted on installs from microsoft, but there were no patches showing since the last major updates from microsoft.

    Thanks for trying to help.

    I'm fairly worried. I hope can figure out what was installed.

    Take care,
    Casey
     
  6. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Go to the file ntuser.dat.LOG1.lnk select "properties" (using the right click) and see where it points, then locate the file it's pointing to.
    Chances are, that file won't be readable (much); it is likely to be mainly crypto keys within, but it might give you some clue.
     
  7. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi, it's in my (name of computer) directory. There's one yellow folder, and about 8 green folders, and then the two ntuser etc files which show as white paper.

    One has zero kb, the other 256.

    I can't read the file or view it.

    Thanks!
     
  8. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Sorry, can't really help much further.
    From here, and especially having no knowledge of Vista (green/yellow folders are meaningless to me) I don't have enough ability to hunt this down.
    The "white paper" files referred to..(and any of the others recently modified or created), do they have a suffix to give a clue as to what they open with? "White paper" description makes me think notepad. (.txt)
    ntuser files are often .dat files, for which a 3rd party tool such as index data viewer is required to see them.
    It seems possible to me that the update might be something to do with the proprietary programs some manufacturers install on their computers, but that's a stab.
    I'm sure someone wise in the ways of Vista (if that isn't an oxymoron) will help.
     
  9. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31

    Hi, Thanks for writing. The colors of folders are meaningless to me as well. The nt file is a log file and not a text file, and tho on searching on name of file have found it is not a problem so don't think that file will resolve.

    Just wanted to note, you wrote 'the update'... but was not an update was an install.

    I have not had anything do an install and the way it occurred as shown in my first post was highly unusual and never had it occur.

    Thanks so much for writing again and trying to help.

    Forgot to mention this in first post for any reading; this is a dell pc, windows vista, sp1.. with norton internet security 2008 program.

    Appreciate anyone's help.
    Casey
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Go to Control Panel, Security and click on Check for updates, then click on View update history.
    It will tell you when the Windows updates have been installed.
    I'm almost 100 percent sure those files are part of Windows Update.
    The splash screen "stage 1 of 3, please do not turn off the computer" definitely sounds like Windows updates.
    The file names seem like they are part of Windows Update as well.
     
  11. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Could be an update of MS Windows Update service. Should be version 7.2.6001.784. Mine updated (Vista Business Edition) last Wednesday.
     
  12. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi, The first thing I checked after sys had booted or 2nd thing I checked was windows updates. The last ones showing were the ones microsoft released on the 12th of August, though I did see on the 27th a windows update agent installed and said installed successfully.

    By the way, that came in sys and installed silently and I'm set that windows needs prompt so not sure how that was able to get on my system without me prompting.

    Either way though, it's the 28th that something installed, so the above is not what installed.

    I ran ccleaner last night and see some very odd things never had on system before. Typically is a very short clean, with temp files; firefox and ie7, and cookies and little bit of other data.

    This deletion however, ccleaner did, shows stuff on sys I've never heard of. I don't know if is trojan or what.

    Here's some things that ccleaner removed yesterday which I've no idea what it is:

    a big list of core1, core3 most with country names, and listing all countries.

    there are some lines with chrome in it.

    I looked up core1 on google and could only find it in a kaspersky hit, which I don't have kaspersky.

    Here are a few of the many entries/deletions done by ccleaner which have never seen before.

    AppData\Local\Temp\Temp1_core3.zip\lib\deploy\messages.properties 2.60KB

    AppData\Local\Temp\Temp1_core3.zip\lib\zi\America\Argentina\San_Juan 541 bytes

    AppData\Local\Temp\Temp1_antivirus_3.1.0.5_english_livetri.zip\liveupdt.tri 577 bytes

    AppData\Local\Temp\Temp1_web$20protection$20engine_2008.2.0.84_english_livetri.zip\liveupdt.tri 723 bytes

    AppData\Local\Temp\Temp2_core1.zip\bin\net.dll 76.00KB

    AppData\Local\Temp\Temp2_core3.zip\lib\zi\Europe\Helsinki 1.01KB

    \Local\Temp\Temp2_ffjcext.zip\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js 1.20KB

    AppData\Local\Temp\Temp3_ffjcext.zip\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\install.rdf 667 bytes

    AppData\Local\Temp\Temp1_core2.zip\lib\rt.pack 9.76MB

    AppData\Local\Temp\Temp2_ffjcext.zip\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\chrome.manifest 788 bytes

    I thought the above might be helpful if anyone recognizes what some of these might be.

    Thanks,
    Casey
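
An added triage sketch, not part of any post in this thread: it groups the CCleaner lines quoted in the post above by the archive each file was unpacked from, so a long deletion list reduces to a few names to look up. The line format is assumed from the ten quoted lines, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# The ten lines quoted in the post, copied as posted (profile prefix omitted there).
SAMPLE = r"""
AppData\Local\Temp\Temp1_core3.zip\lib\deploy\messages.properties 2.60KB
AppData\Local\Temp\Temp1_core3.zip\lib\zi\America\Argentina\San_Juan 541 bytes
AppData\Local\Temp\Temp1_antivirus_3.1.0.5_english_livetri.zip\liveupdt.tri 577 bytes
AppData\Local\Temp\Temp1_web$20protection$20engine_2008.2.0.84_english_livetri.zip\liveupdt.tri 723 bytes
AppData\Local\Temp\Temp2_core1.zip\bin\net.dll 76.00KB
AppData\Local\Temp\Temp2_core3.zip\lib\zi\Europe\Helsinki 1.01KB
\Local\Temp\Temp2_ffjcext.zip\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js 1.20KB
AppData\Local\Temp\Temp3_ffjcext.zip\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\install.rdf 667 bytes
AppData\Local\Temp\Temp1_core2.zip\lib\rt.pack 9.76MB
AppData\Local\Temp\Temp2_ffjcext.zip\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\chrome.manifest 788 bytes
"""

UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}
# Assumed line shape: ...\Temp\Temp<N>_<archive>.zip\<inner path> <size><unit>
LINE = re.compile(
    r"\\Temp\\Temp\d+_(?P<archive>[^\\]+\.zip)\\(?P<inner>.+) "
    r"(?P<size>\d+(?:\.\d+)?) ?(?P<unit>bytes|KB|MB)$"
)

def group_by_archive(text):
    """Return ({archive: (file_count, total_bytes)}, [lines that did not parse])."""
    counts, totals, unparsed = defaultdict(int), defaultdict(int), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.search(line)
        if m is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        counts[m["archive"]] += 1
        # Sizes are rounded per file because the log only shows two decimals.
        totals[m["archive"]] += round(float(m["size"]) * UNIT[m["unit"]])
    return {a: (counts[a], totals[a]) for a in counts}, unparsed

if __name__ == "__main__":
    groups, unparsed = group_by_archive(SAMPLE)
    # Largest archive first: the biggest unpacked payload is usually the one to identify first.
    for archive, (n, size) in sorted(groups.items(), key=lambda kv: -kv[1][1]):
        print(f"{archive:62} {n} file(s) {size:>10} bytes")
    print("unparsed:", unparsed)
```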
     
  13. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Are you running a Symantec product? Liveupdt.tri seems related to Symantec.
    Ffjcext.js is related to Java. Did you recently install the latest update?
     
  14. casey6342

    casey6342 Registered Member

    Joined:
    Jan 22, 2008
    Posts:
    31
    Hi! I haven't run any updates nor do any downloads (except after problem on 28th and downloaded 2 antispyware programs.) I downloaded and ran two yesterday on top of the norton on my sys.

    I do have norton internet security 2008. I manually update that daily.

    If Java updated it did so without prompting.. but am very glad you recognize the Ffjcext.js as java, so I can have a look at that.

    Any idea what the core1 and core2 and chrome lines might be?

    Also, my os is Vista sp1.

    Thanks,
    Casey
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,215
    Hi there,

    I think that if you want to know what happened in relation to a Windows update you could try system restore. Vista by default will always set a restore point before any update, unless you have disabled it intentionally.

    I don't know how familiar you are with Vista, but the simplest way to access it is:

    Start/Programs/Accessories/System Tools/System Restore

    I hope this helps.
     