
Thread: Startups/Windows Processes

  1. #1
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default Startups/Windows Processes

    Hi again,

    Thought I should let you know something possibly important....

    Further to my last post, Edit: http://forums.spybot.info/showthread.php?t=47137 I just brought up my INAC "Startup Manager" software and noticed that I had about 3 or 4 instances of msnmsng (MSN Messenger) apparently running.

    I know very little about the registry, but saw that each of them were pointing to the registry with "/background" at the end.

    As I don't need MSN messenger I've now uninstalled it(only 1 version installed by me of course !) and deleted the 3 or 4 registry entries of Msn "/background" using my startup program.
    When I did this I got the message it would be "deleted" and couldn't be undone which I did.

    Anyway, from the little I've told you, does this mean I have had some sort of "spyware" related to MSN(or something else) running in the background and do you know how it might have worked ?

    Or could spyware still indeed be running even though I have deleted the entries using this startup program (please note that "deleting" them is not the same option as running/displaying them with the startup program I have)

    Finally, I also wish I knew how to check my registry for hidden software.
    I'm sure I've seen directories like "C:\ProgramFiles\WinFixer2006" or "C:\Windows\system32\Winfixer2006"(can't remember but can check) being checked when running "Spyware doctor" anti-virus scans even though I can't see these folders in Windows explorer !
    Please note: I've got "Show hidden folders" set as ticked under "Folder Options" for the "Program Files" directory.

    Many thanks for any light you may be able to shed on all the points I've raised.

    Kind regards.
    Last edited by tashi; 2009-04-09 at 21:49. Reason: Inserted link

  2. #2
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default

    Sorry, just another couple of other things I've noticed too:

    1) The startup program I mentioned says:

    "Deleting a startup program does NOT delete the actual program from your hard drive. It simply deletes the entry used to start the program with your operating system. To delete the actual program from your computer you must uninstall it or otherwise remove the program itself from your hard drive."

    I'm fairly sure I uninstalled MSN messenger first(I think) and then deleted the other 3 entries in my startup program.

    2) I notice I've got a process svchost.exe running under the username "LOCAL SERVICE" in Task manager.

    I try to end the process, click yes, but it won't go and keeps utilizing my CPU.

    What is a "LOCAL SERVICE" and could this process be a threat ?

    Sorry for so much info at once, but I thought it better to get as much as I knew put down to make you know what's going on.

    Thanks again !

  3. #3
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Hello mariner77. I'll respond to your first post then continue with your second post.
    Quote Originally Posted by mariner77
    Actually before I do, I should have mentioned that since I first posted, I've run a couple of scans since and the error doesn't arise - run clean no problem.
    This could be a glitch, but what matters is that it's resolved.
    Quote Originally Posted by mariner77
    By the way, may I ask, should I be worried about windows processes running ?
    i.e. is it possible windows might track me themselves or pass over my information to potential 3rd parties ?
    What do you mean by your first sentence? Which processes are you talking about?

    I can tell you that Microsoft (software giant) won't spend time over a random user's personal computer and extract data and share it. It doesn't work like that.
    Quote Originally Posted by mariner77
    I also got a remnant cookie before from "msnportal"(now removed) - I wonder if this related to my hotmail account.
    Tracking cookies pose no harm whatsoever. What they do is store login information. They're not little buggers that invade your PC.
    Quote Originally Posted by mariner77
    Anyway, from the little I've told you, does this mean I have had some sort of "spyware" related to MSN(or something else) running in the background and do you know how it might have worked ?
    As far as I'm aware of MSN does not distribute spyware.
    Quote Originally Posted by mariner77
    Finally, I also wish I knew how to check my registry for hidden software.
    I wouldn't do it if I were you. I really feel there's no need to go through the trouble of looking for potential "hidden" software when it doesn't exist [on your machine].
    Quote Originally Posted by mariner77
    I try to end the process, click yes, but it won't go and keeps utilizing my CPU.
    Why would you want to do that for???
    http://www.howtogeek.com/howto/windo...is-it-running/
    -

  4. #4
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default

    Quote Originally Posted by drragostea View Post
    Hello mariner77. I'll respond to your first post then continue with your second post.

    Many thanks for your reply.

    Quote Originally Posted by drragostea View Post
    This could be a glitch, but what matters is that it's resolved.
    Forgive me, I'm confused whether your comment indicates you think it IS resolved or whether I need to resolve it by installing the new software.
    If the latter, would a clean run with your new version resolve it ?

    Quote Originally Posted by drragostea View Post
    What do you mean by your first sentence?
    Sorry, I mean "system" processes running under Windows. (see my concerns whether founded or unfounded below....)

    Quote Originally Posted by drragostea View Post
    Which processes are you talking about?
    Any that are potentially dangerous or intrusive whether they be "system", "local service" or "network service" ones.

    Rightly or wrongly(probably the latter!), that's what I'm trying to assess.
    I've been looking at processlibrary.com and seeing that a lot of dangerous processes can appear as harmless system processes ?

    I've also read other help notes from my startup software that I should check each process running on his/her PC to see if it is safe.

    Is there any chance at all someone can access my computer or the information I've sent or received remotely by using processes ?

    Do I need to check processes running on my PC ?

    Quote Originally Posted by drragostea View Post
    I can tell you that Microsoft (software giant) won't spend time over a random user's personal computer and extract data and share it. It doesn't work like that.
    Oh absolutely but is there any chance they could target users ?
    I'm slightly concerned that in this age of surveillance and domestic spying, I'm having personal information being shared or reported on the basis of no more than free speech and controversial(i.e anti-government) opinions.
    Surely you understand that governments and private companies are sharing private information about UK residents these days ?

    Quote Originally Posted by drragostea View Post
    Tracking cookies pose no harm whatsoever. What they do is store login information. They're not little buggers that invade your PC.
    Sorry I'm a bit confused.
    Why would msn be storing login information if they already have it with my hotmail account ?
    Could they be trying to track my IP address to locate me ?
    Forgive my lack of knowledge - I accept tracking cookies are generally harmless, but if someone is trying to track my usernames, passwords or IP address shouldn't I be concerned ?
    By the way, does an IP address give away one's exact location ?

    Quote Originally Posted by drragostea View Post
    As far as I'm aware of MSN does not distribute spyware.
    Thanks.

    Quote Originally Posted by drragostea View Post
    I wouldn't do it if I were you. I really feel there's no need to go through the trouble of looking for potential "hidden" software when it doesn't exist [on your machine].
    Fair enough.
    But what about the "WinFixer" directory that I mentioned, that I can see being checked when running an anti-virus scan but not when viewing my files and folders in Windows explorer ?

    Quote Originally Posted by drragostea View Post
    Why would you want to do that for???
    http://www.howtogeek.com/howto/windo...is-it-running/
    -
    Thanks for the useful link.

    I was just concerned about processes that were "Local Service" processes.
    I thought it might mean someone else might have logged on to my machine.(probably totally wrong ?)

    If there's nothing to worry about then that's fine but what does "local service" actually mean ?

    Many thanks for all your help drragostea.

    Apologies for my lack of knowledge and so many questions, it's just that I'm sure I've been spied upon before.
    I've already used Spybot to remove keylogger software a while ago.

    Kind regards.

  5. #5
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Quote Originally Posted by mariner77
    Forgive me, I'm confused whether your comment indicates you think it IS resolved or whether I need to resolve it by installing the new software.
    If the latter, would a clean run with your new version resolve it ?
    I think it is resolved since the "error" from your original query is not reappearing.
    Quote Originally Posted by mariner77
    Sorry, I mean "system" processes running under Windows. (see my concerns whether founded or unfounded below....)
    What's wrong with the System processes?
    Quote Originally Posted by mariner77
    Is there any chance at all someone can access my computer or the information I've sent or received remotely by using processes ?

    Do I need to check processes running on my PC ?
    I think that you're getting a little bit too worried.
    It depends on what "process" you are talking about. Malware can sometimes take on the name of a legitimate process or... it can have a randomly generated process like "wskf7.exe" or "load [1].exe".

    I don't usually rely on ProcessLibrary too much because it sometimes gives results about totally irrelevant processes when I search something up or gives something that doesn't match.
    Quote Originally Posted by mariner77
    Oh absolutely but is there any chance they could target users ?
    Depends on what they (the users) "do". If you are a malware author you are guaranteed to be pursued, etc. If you are downloading music and movies you are guaranteed to be monitored.
    Quote Originally Posted by mariner77
    Surely you understand that governments and private companies are sharing private information about UK residents these days ?
    I don't really know what this whole "monitoring" thing is that is occurring in the UK, but what I can tell you is that if you do not commit infringement or do anything that'll harm or pose a threat to others chances of official authority on your heels is near 0% (that's the more logical part).
    Quote Originally Posted by mariner77
    Why would msn be storing login information if they already have it with my hotmail account ?
    That's because it is a login session. It wouldn't be fun if you had to login every minute because you drifted away to another site while you were on your email now would it?
    Quote Originally Posted by mariner77
    but if someone is trying to track my usernames, passwords or IP address shouldn't I be concerned ?
    By the way, does an IP address give away one's exact location ?
    Major mail servers do not have the time to "track" people.
    IP addresses give a rough estimate of the geographical location.
    Quote Originally Posted by mariner77
    But what about the "WinFixer" directory that I mentioned
    WinFixer is not active nor is it dormant. What harm would a folder named "WinFixer" pose?
    Quote Originally Posted by mariner77
    If there's nothing to worry about then that's fine but what does "local service" actually mean ?
    Google is your friend.

  6. #6
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default

    Quote Originally Posted by drragostea View Post
    I think it is resolved since the "error" from your original query is not reappearing.


    Thanks.

    Quote Originally Posted by drragostea View Post
    What's wrong with the System processes?

    I think that you're getting a little bit too worried.
    Probably, I'd rather know for sure what's going on though if possible.

    Quote Originally Posted by drragostea View Post
    It depends on what "process" you are talking about. Malware can sometimes take on the name of a legitimate process or... it can have a randomly generated process like "wskf7.exe" or "load [1].exe".
    Yeah - that was what I was worried about - malware taking the name of a legitimate process.

    Quote Originally Posted by drragostea View Post
    I don't usually rely on ProcessLibrary too much because it sometimes gives results about totally irrelevant processes when I search something up or gives something that doesn't match.
    Any good sites you recommend ?

    Quote Originally Posted by drragostea View Post
    Depends on what they (the users) "do". If you are a malware author you are guaranteed to be pursued, etc. If you are downloading music and movies you are guaranteed to be monitored.
    Neither of these - just free speech, nothing more or less.
    In the UK free speech is banned outside parliament.
    In a dreamworld(sorry to be sarcastic you just sound VERY trusting of government) everyone can say what they want(when they've said absolutely nothing wrong) and not be hassled for it.

    Quote Originally Posted by drragostea View Post
    I don't really know what this whole "monitoring" thing is that is occurring in the UK
    Big brother surveillance society tracking every user's e-mail and phone call ?

    Quote Originally Posted by drragostea View Post
    but what I can tell you is that if you do not commit infringement or do anything that'll harm or pose a threat to others chances of official authority on your heels is near 0% (that's the more logical part).
    Suppose it depends on the government's definition of "pose a threat".
    We do live in a surveillance society overseen by government.
    I don't know where you live but I'd guess you most likely do too.

    Quote Originally Posted by drragostea View Post
    That's because it is a login session. It wouldn't be fun if you had to login every minute because you drifted away to another site while you were on your email now would it?
    Oh sure but why did I only get one remnant cookie one time from "msnportal"?

    I don't get any such cookie anymore.....

    Sorry to keep asking but how and why do remnant cookies occur and why would I get one from msnportal ?
    "msnportal" sounds like someone's trying to gain "entry" to my hotmail account or PC ?
    Or is just that "bits"(remnant) of cookies are randomly left over ?

    Quote Originally Posted by drragostea View Post
    Major mail servers do not have the time to "track" people.
    IP addresses give a rough estimate of the geographical location.
    Ok thanks.

    Quote Originally Posted by drragostea View Post
    WinFixer is not active nor is it dormant. What harm would a folder named "WinFixer" pose?
    I don't even know what "Win fixer" is.
    I just wonder why it is there at all and why I can't access it.
    Is this normal ?
    I've heard about spy software being put on users' "system32" folder by scripts which automatically extract...... ?
    Thought it might be something like that....(i.e. hidden software)

    Quote Originally Posted by drragostea View Post
    Google is your friend.
    Yeah, bit lazy of me sorry.....

    Thanks very much for your help drragostea.

    Please forgive my lack of knowledge but I just like to know everything.....

  7. #7
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Quote Originally Posted by mariner77
    Any good sites you recommend ?
    I would just use a Google search and then compare the results that the sites give me about the process side by side and I also compare the symptoms of the process. But hey, we don't know for sure since it is just merely a process name. I would scan the system for baddies as a precaution. If a new process like "load [1].exe" appears immediately after you have just been redirected to a rogue AV site, then you can most likely assume that the process is malware. But I wouldn't suggest you follow that rule (it was just a suggestion).
    Quote Originally Posted by mariner77
    In a dreamworld(sorry to be sarcastic you just sound VERY trusting of government) everyone can say what they want(when they've said absolutely nothing wrong) and not be hassled for it.
    Sorry if I sound that way but to clarify that I don't trust the government about Internet issues. They focus more of their time into what they do, prosecuting cyber criminals and track down problems than spend their time on me. I won't say I trust everyone but I filter and limit the group of people that I trust. If a dreamworld just existed...
    Quote Originally Posted by mariner77
    Big brother surveillance society tracking every user's e-mail and phone call ?
    Yes, I did recall an article talking about that issue. I think they archive everything. Maybe they scan every email and phone call for threats... whether that be cyber or terrorist threats. If I were in your shoes... I might keep personal and financial matters away from the electronic party [PCs and phones] for now [hopefully].
    Quote Originally Posted by mariner77
    I don't know where you live but I'd guess you most likely do too.
    Yes but the government doesn't just go prosecuting innocent people.
    Quote Originally Posted by mariner77
    Oh sure but why did I only get one remnant cookie one time from "msnportal"?
    I don't know. You might as well clear it out if you want. Use the browser's options.
    Quote Originally Posted by mariner77
    why would I get one from msnportal ?
    I don't know. (Clear it out using your browser options)
    If I got one from GooglePortal it would be merely a cookie, not a threat.
    -
    I'm not so sure about WinFixer now (it's a trojan)... Tools like FileASSASSIN can remove locked files... But I'm not sure if this is the case, like is this an active or dead infection.
    Quote Originally Posted by mariner77
    I've heard about spy software being put on users' "system32" folder by scripts which automatically extract...... ?
    I would put anti-spyware and AVs on the job to scan that system32 folder, not go out in the wild by myself (removing things manually).
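
Added example (not part of the thread or written by its posters): a check for the case raised in the replies above, where malware borrows or imitates the name of a legitimate Windows process. It compares each process's full image path with the folder that name normally runs from; the `C:\Windows` location, the similarity threshold and the process list are assumptions constructed for illustration.

```python
import ntpath
from difflib import SequenceMatcher

# Assumption: Windows lives in C:\Windows (real tooling should read %SystemRoot%).
# Folder each core Windows binary is normally started from.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Hypothetical cut-off: names this similar to a core binary are treated
# as imitations (for example a swapped or substituted character).
LOOKALIKE_THRESHOLD = 0.85


def classify(image_path):
    """Return (verdict, detail) for one full image path."""
    directory, name = ntpath.split(ntpath.normpath(image_path))
    name, directory = name.lower(), directory.lower()

    if name in EXPECTED_DIR:
        if directory == EXPECTED_DIR[name]:
            return ("expected", name)
        return ("wrong-path", f"{name} normally runs from {EXPECTED_DIR[name]}")

    # Not a core name: see whether it is a near miss of one.
    best = max(EXPECTED_DIR,
               key=lambda known: SequenceMatcher(None, name, known).ratio())
    if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD:
        return ("lookalike", f"{name} resembles {best}")

    # The name alone says nothing either way; such files still need scanning.
    return ("unlisted", name)


# Constructed sample: (PID, full image path) pairs as a process lister
# that shows full paths would report them.
SAMPLE_PROCESSES = [
    (804, r"C:\WINDOWS\system32\svchost.exe"),
    (1012, r"C:\WINDOWS\system32\svchost.exe"),
    (1500, r"C:\WINDOWS\explorer.exe"),
    (2216, r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
    (2300, r"C:\WINDOWS\system32\svch0st.exe"),
    (2412, r"C:\Program Files\MSN Messenger\msnmsgr.exe"),
]


def review(processes):
    """Return the rows whose name and location do not agree."""
    findings = []
    for pid, path in processes:
        verdict, detail = classify(path)
        if verdict in ("wrong-path", "lookalike"):
            findings.append((pid, path, verdict, detail))
    return findings


if __name__ == "__main__":
    for pid, path, verdict, detail in review(SAMPLE_PROCESSES):
        print(f"PID {pid}: {verdict}: {detail} ({path})")
```

Several `svchost.exe` instances from `System32` are normal, since each one hosts a group of Windows services; a row reported here is a reason to scan that file, not proof of infection.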

  8. #8
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default

    Hi there dr,

    Thanks for all your advice, most appreciated.

    Apologies I haven't replied for a while.....
    (oh no not again I hear you say ! )

    I hope you don't mind me asking more questions ? (just I'd rather be clean once and for all...)

    I'll cover a few of your responses then go on to the "system32" stuff.......

    I removed the tracking cookie from "msnportal" using anti-virus software a while ago.
    When you say "Clear it out using your browser options" do you mean the "privacy" settings ?
    I've now set my computer not to accept cookies. I presume this is ok ?
    I don't mind typing in my own usernames and passwords......

    You say "archive" e-mails, phone calls, but what about browsing history or posting/blogging on the internet ? Any idea if they or ISP's store ALL this information ?

    Anyway, I took your advice and started to scan the "system32" folder using Spybot S&D.

    I haven't finished yet(boy it takes so long !) and my PC crashed,
    but I've found one file ENLOCSTR.EXE which appears as a "Smitfraud-C" type threat, file modified on 11/08/2006

    I did a search on the forum and found several posts relating to the instances of the term "Smitfraud-C".
    Could this be a threat ? If so what would you recommend I do ?
    Check the forums or talk to the Spybot team or yourself ?

    Also another issue.....
    When I run an "AVG Free Edition" anti virus scan I instantly am told there are several files which are changed.

    These are: kernel32.dll, wsock32.dll, user32.dll, shell32.dll, ntoskrnl.exe

    I first noticed this change a few months ago, when I ran Spybot S&D to remove keylogger software from my PC (I think it was at the same time, but not 100% sure)

    Since I guess the above 5 are key files could I still be at risk even if the offending keylogger software (that was possibly caused by the same hijacker ?) was removed ?

    You see, I know very little about the registry.
    Is there a possible threat and if so, what would you recommend I do ?

    May I also ask, what is your opinion of AVG anti virus ?
    I keep getting this popup every time I boot up the PC asking me if I want to renew to receive upgrades before 14 April, but with no X in the top right corner. It just looked a bit suspicious.....)
    What about "Spyware doctor" ?
    Do I need ANY of these other "anti-virus" programs ?
    If not, should I uninstall the lot ?

    I also looked in my system32 for files that had been recently modified.

    I stumbled across a file in system32/wbem/Logs named "wbemprox.log", modified on 31st March 2009 which says:

    "(Tue Mar 31 05:05:10 2009.35912828) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b
    (Tue Mar 31 13:51:27 2009.755140) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b"

    I'm totally guessing here but I was a little alarmed that it says "ConnectViaDCOM, CoCreateInstanceEx"
    Any reason to be concerned about this ?

    I've also got a big file named ikhcore.log which contains references to "Security kernel Started", "Security kernel Stopped".
    Is this any use ? Could someone be possibly logging on remotely and tampering with my security settings ?

    Maybe I'm totally off track here and shouldn't wildly speculate with near zero knowledge, but I just wonder how to locate any possible files that may have been either recently modified or created by another remote user ?

    Are people able to remotely log on to my computer ?
    Or use my system32 settings to compromise my security or perform dirty deeds ?

    I also notice I have 2 system32 folders named "Catroot" and "Catroot2" each with 2 subfolders whose folder names appear to be registry keys but all these Catroot folders and their subfolders all seem to be last modified in 2003.

    Apologies for my lack of knowledge but would it be worth running the registry software tool that spybot offers ?
    Bearing in mind of course I probably won't have a clue how to "analyze" the results unless it spoon feeds me ?

    Finally what about Windows Updates ?
    Not sure I am totally up to date even though I have automatic updates turned on.
    Do I ensure I am totally up to date on them before I fix any problems or ensure I fix any problems first ?

    Sorry so many questions (and being a probable pain) but any help greatly appreciated.

    Many thanks again.
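
Added example (not part of the original post): a parser for the two `wbemprox.log` lines quoted above that splits the `hr` value into its HRESULT fields. `0x8007045b` is a Win32 error wrapped in an HRESULT, code 1115, `ERROR_SHUTDOWN_IN_PROGRESS`, meaning the WMI client call failed because the system was shutting down. The name tables are a small subset chosen for illustration.

```python
import re
from datetime import datetime

# The two lines quoted in the post above (system32/wbem/Logs/wbemprox.log).
SAMPLE_LOG = """\
(Tue Mar 31 05:05:10 2009.35912828) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b
(Tue Mar 31 13:51:27 2009.755140) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b
"""

# Subset of HRESULT facilities and Win32 error codes, enough for this log.
FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC",
              4: "FACILITY_ITF", 7: "FACILITY_WIN32"}
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1115: "ERROR_SHUTDOWN_IN_PROGRESS",
    1722: "RPC_S_SERVER_UNAVAILABLE",
}

LINE_RE = re.compile(
    r"\((?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\.(?P<suffix>\d+)\) : "
    r"(?P<function>\w+), (?P<call>\w+) resulted in hr = (?P<hr>0x[0-9a-fA-F]{8})"
)


def decode_hresult(hr):
    """Split a 32-bit HRESULT into severity, facility and code."""
    facility = (hr >> 16) & 0x7FF   # bits 16-26
    code = hr & 0xFFFF              # bits 0-15
    name = None
    if facility == 7:               # FACILITY_WIN32: code is a Win32 error
        name = WIN32_ERRORS.get(code)
    return {
        "failed": bool((hr >> 31) & 1),   # bit 31 set means failure
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": code,
        "name": name,
    }


def parse_wbemprox(text):
    """Return one dict per log line that matches the format shown above."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entries.append({
            "when": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "suffix": m["suffix"],    # number after the year; not interpreted
            "function": m["function"],
            "call": m["call"],
            "hr": decode_hresult(int(m["hr"], 16)),
        })
    return entries


if __name__ == "__main__":
    for e in parse_wbemprox(SAMPLE_LOG):
        hr = e["hr"]
        print(e["when"], e["call"], hr["facility"], hr["code"], hr["name"])
```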

  9. #9
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Default

    Well, Anti-Virus programs could also offer to clear out cookies for you (haven't heard of one that does, except anti-spyware programs only).
    Quote Originally Posted by mariner77
    I've now set my computer not to accept cookies. I presume this is ok ?
    I don't mind typing in my own usernames and passwords......
    Well, even if you told your browser not to accept cookies it does not mean you are free of them. You could still have a few cookies : ), left back from your prior browsing (well, prior to changing your settings not to accept cookies and before clearing them out).

    When you want to clear out your cookies manually, you can always clear them out (Privacy settings) in Internet/Browser options. Mozilla Firefox and Microsoft IE have almost identical paths (Tools>Options) so there should be no problems. Then find the cookies tab and clear them all. I recall that in IE there is an option to clear all the tracks at once, that includes history, cookies, cache, and autocomplete forms.
    Quote Originally Posted by mariner77
    Any idea if they or ISP's store ALL this information ?
    No idea. I'm pretty sure they don't store every single blog post. So if I were to make 1 million posts in a forum and they all store them, there wouldn't be any point now would it, since it'll just be countless pages and KBs of posts, information, and quotes. As for browsing history and cookies I don't think they store that. It could be possible that they log down the IP and the sites you visit. But why would we have to worry about it? Alright, someone has a blog on Twitter or Facebook, that means we're all going to be attacked one minute later? No.
    Quote Originally Posted by mariner77
    Anyway, I took your advice and started to scan the "system32" folder using Spybot S&D.
    Well, the file scanner was not meant to scan large files... So it might take a long time. Sorry. So I wouldn't suggest you scan again (boy it took so long! ).
    Quote Originally Posted by mariner77
    I haven't finished yet(boy it takes so long !) and my PC crashed,
    but I've found one file ENLOCSTR.EXE which appears as a "Smitfraud-C" type threat, file modified on 11/08/2006
    I'm not sure if this is a threat or not. Can you browse to the file (copy to the desktop) and upload it to VirusTotal to see if it is flagged? I'm also interested in what section it was flagged in (Malware or Heuristics).

    SmitFraud is one of those bad guys who deliver you the utmost nightmares of trojans and rogue AVs. Spybot detects variants of SmitFraud, that I'm sure.
    Quote Originally Posted by mariner77
    These are: kernel32.dll, wsock32.dll, user32.dll, shell32.dll, ntoskrnl.exe
    These files are crucial for Windows since the last file (.exe) has to do with the login during Windows bootup. In AVG 7.5 I was told that these files were changed... even after a full scan from a reformat. So I guess it should be nothing to worry about right now, but more like a heads up. I don't remember if this had to do with Spybot's Immunization, or some other anti-spyware's Resident module.
    Quote Originally Posted by mariner77
    You see, I know very little about the registry.
    Is there a possible threat and if so, what would you recommend I do ?
    You scan your machine with an anti-spyware and AV product. Manually searching and removing entries would be going into the middle of a forest with snakes and tigers.
    Quote Originally Posted by mariner77
    May I also ask, what is your opinion of AVG anti virus ?
    I keep getting this popup every time I boot up the PC asking me if I want to renew to receive upgrades before 14 April, but with no X in the top right corner. It just looked a bit suspicious.....)
    What about "Spyware doctor" ?
    Do I need ANY of these other "anti-virus" programs ?
    If not, should I uninstall the lot ?
    I can't take sides with any AV that is "better" than the other since no one AV detects everything. One AV might miss an entry another detects but what it matters is the adequate protection they protect you with, free or commercial. AVG has become more bulky now because they have the anti-spyware component attached along with the AV and the LinkScanner has made a home into the product too.

    The pop-up you are receiving is probably their ad to advertise their Professional version of the product. It shouldn't be something to worry about since it's just an ad. Spyware Doctor is just another one of those fancy looking commercial anti-spyware programs. For me, I just do well with A-squared, Malwarebytes' Anti-Malware, and Superantispyware. I don't like SpywareDoctor that much since it runs some processes on my 512MB of RAM (I plan to upgrade to Windows Seven in the Summer) even when the Resident Shields are disabled and the programs are closed.
    Quote Originally Posted by mariner77
    Apologies for my lack of knowledge but would it be worth running the registry software tool that spybot offers ?
    From the description you can conclude that it'll scan for invalid registry keys.
    At the moment, I can't offer any advice or guideline in determining which ones to fix since I don't use it often and I'm not so familiar with it. Don't worry about invalid registry keys : ). I'd rather have a whole army of orphaned registry keys than potentially risking my whole machine to total failure.
    Quote Originally Posted by mariner77
    Finally what about Windows Updates ?
    Not sure I am totally up to date even though I have automatic updates turned on.
    Automatic Updates gives you a really good chance of being patched. For me, I don't leave my machine on non-stop, and if you don't you might want to change the time settings earlier than the default 3:00AM. If you doubt Windows Updates, you might as well visit the site itself.
    Quote Originally Posted by mariner77
    but I just wonder how to locate any possible files that may have been either recently modified or created by another remote user ?
    Might not be a good tactic... It's very time consuming. As long as you fortify yourself behind a solid AV and firewall (hardware firewall would be best) you're good for now. Unless you deliberately (not saying you would) install malware.
    Quote Originally Posted by mariner77
    Are people able to remotely log on to my computer ?
    Or use my system32 settings to compromise my security or perform dirty deeds ?
    Depends on which way they enter your house. If it is a screensharing session used by tech support like from ISPs from Verizon, yes they can view your screen but they can't physically remain there after you've ended the session. I doubt they'll invade your privacy and tamper with your files during the screensharing session since you have full control of the mouse and keyboard.
    Not all infected, malicious files have to be installed in the System32 folder all the time. If you are unfortunately infected with a keylogger, you might be unknowingly opening your door ajar to a malware author. He views your screen and logs your keystrokes.

  10. #10
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default

    Many thanks for your comprehensive reply drragostea.

    Quote Originally Posted by drragostea View Post
    Well, Anti-Virus programs could also offer to clear out cookies for you (haven't heard of one that does, except anti-spyware programs only).
    Well, even if you told your browser not to accept cookies it does not mean you are free of them. You could still have a few cookies : ), left back from your prior browsing (well, prior to changing your settings not to accept cookies and before clearing them out).
    When you want to clear out your cookies manually, you can always clear them out (Privacy settings) in Internet/Browser options. Mozilla Firefox and Microsoft IE have almost identical paths (Tools>Options) so there should be no problems. Then find the cookies tab and clear them all. I recall that in IE there is an option to clear all the tracks at once, that includes history, cookies, cache, and autocomplete forms.


    I've gone Tools-> Internet Options and seen the privacy tab but not the cookies tab ?
    I think you mean "Delete Browsing History" under Internet Options ?
    Anyway, I also have a program called "CCleaner" which clears many of the things you talk about - i.e. temporary files, cookies, autocomplete forms etc.
    So I presume this is sufficient to clear out all my cookies ?

    Quote Originally Posted by drragostea View Post
    No idea. I'm pretty sure they don't store every single blog post. So if I were to make 1 million posts in a forum and they all store them, there wouldn't be any point now would it, since it'll just be countless pages and KBs of posts, information, and quotes. As for browsing history and cookies I don't think they store that. It could be possible that they log down the IP and the sites you visit. But why would we have to worry about it? Alright, someone has a blog on Twitter or Facebook, that means we're all going to be attacked one minute later? No.
    Oh sure, worrying never did any good !
    Just wondered who was looking at and logging what.....

    You may or may not be interested in this article from the Sydney Morning Herald.

    http://www.smh.com.au/news/home/tech...054787635.html

    Not that it is likely to affect me, but it shows there is an ever increasing clampdown on certain "unacceptable" sites (the ones that tell the truth most probably...)

    P.S Is it naughty to post web links ? If so sorry.......

    Quote Originally Posted by drragostea View Post
    Well, the file scanner was not meant to scan large files... So it might take a long time. Sorry. So I wouldn't suggest you scan again (boy it took so long!).
    Glad to raise a smile :o)
    Actually I have finished the scan of my system32 folder now.

    Apart from the ENCLOSTR.EXE "Smitfraud-C" file (please see below) I also found 2 other possible threats:

    1) unicows.dll "SuperYahooMessengerArchiveDecoder"

    I have used msn messenger but pretty certain never "yahoo messenger", though I did set up an old yahoo e-mail account a long time ago.

    2) msxml3a.dll "WinFixer2005"

    Both flagged under "Heuristics"
    Can you advise me whether and how I should proceed with these please ?

    Quote Originally Posted by drragostea View Post
    I'm not sure if this is a threat or not. Can you browse to the file (copy to the desktop) and upload it to VirusTotal to see if it is flagged? I'm also interested in what section it was flagged in (Malware or Heuristics).
    SmitFraud is one of those bad guys who deliver you the utmost nightmares of trojans and rogue AVs. Spybot detects variants of SmitFraud, that I'm sure.
    Yes sorry ENLOCSTR.EXE was flagged under "Malware".

    I did what you said and uploaded it to the virustotal website.
    Here's what I got back....... (presume you can paste the results link below into your browser)

    http://www.virustotal.com/reanalisis...73ee0dd3041aa9

    Thanks, results don't mean much to me I have to admit....

    Quote Originally Posted by drragostea View Post
    These files are crucial for Windows since the last file (.exe) has to do with the login during Windows bootup.
    In AVG 7.5 I was told that these files were changed... even after a full scan from a reformat.
    Ah well the fact that you use AVG yourself and you've had the same thing is somewhat re-assuring......

    Quote Originally Posted by drragostea View Post
    So I guess it should be nothing to worry about right now, but more like a heads up.
    I don't remember if this had to do with Spybot's Immunization, or some other anti-spyware's Resident module.
    When you say "heads up" do you mean it's the price you pay for cleaning your system with Spybot ?
    Could it have happened when Spybot S&D removed a lot of keylogger software ?
    You're saying it's Spybot doing it but nothing to worry about ?
    If so that's fine.....

    Quote Originally Posted by drragostea View Post
    You scan your machine with an anti-spyware and AV product. Manually searching and removing entries would be going into the middle of a forest with snakes and tigers.
    May I ask why ?
    I can of course understand it will not fix a thing to delete it, and only anti-spyware can "fix" the problem, but could deleting it make things worse ?
    After all, you asked me to copy the file.
    Not the same I know, but copy and "send to recycle bin" are both actions which do not "execute" the file ?
    Sorry, just want to be clear on what you mean here.....

    Quote Originally Posted by drragostea View Post
    I can't take sides with any AV that is "better" than the other since no one AV detects everything. One AV might miss an entry another detects but what matters is the adequate protection they protect you with, free or commercial. AVG has become more bulky now because they have the anti-spyware component attached along with the AV and the LinkScanner has made a home into the product too.
    Quote Originally Posted by drragostea View Post
    The pop-up you are receiving is probably their ad to advertise their Professional version of the product. It shouldn't be something to worry about since it's just an ad.
    Yeah, sure you're right.

    Quote Originally Posted by drragostea View Post
    Spyware Doctor is just another one of those fancy looking commercial anti-spyware programs.
    I don't like SpywareDoctor that much since it runs some processes on my 512MB of RAM (I plan to upgrade to Windows Seven in the Summer) even when the Resident Shields are disabled and the programs are closed.
    That's been my conclusion too.
    It runs processes in the background even when there is no user activity. And practically every site I visit, it blocks.

    Quote Originally Posted by drragostea View Post
    For me, I just do well with A-squared, Malwarebytes' Anti-Malware, and SUPERAntiSpyware.
    Thanks for the advice.
    I'll check these 3 products out.
    You'd still use AVG though?

    Quote Originally Posted by drragostea View Post
    From the description you can conclude that it'll scan for invalid registry keys.
    At the moment, I can't offer any advice or guideline in determining which ones to fix since I don't use it often and I'm not so familiar with it.
    I appreciate your honesty thanks.

    Quote Originally Posted by drragostea View Post
    Don't worry about invalid registry keys : ).
    I'd rather have a whole army of orphaned registry keys than potentially risking my whole machine to total failure.
    Me too !
    And I've spent far too long with registry programs designed to "speed up your machine" but actually end up spending more of your time !
    "Orphaned registry keys" - good one ! I like your style.

    Suppose I just wondered if a potential hijacker could possibly attack the registry ?
    Sounds like it is unlikely even through malware though ?

    Quote Originally Posted by drragostea View Post
    Automatic Updates gives you a really good chance of being patched. For me, I don't leave my machine on non-stop, and if you don't you might want to change the time settings earlier than the default 3:00AM.
    If you doubt Windows Updates, you might as well visit the site itself.
    Good and sensible advice, thanks.

    Quote Originally Posted by drragostea View Post
    Might not be a good tactic... It's very time consuming.
    As long as you fortify yourself behind a solid AV and firewall (hardware firewall would be best) you're good for now.
    Hardware firewall ? That sounds expensive ?
    Little chance of me getting that far unfortunately.....

    Quote Originally Posted by drragostea View Post
    Unless you deliberately (not saying you would) install malware.
    You mean if I'm a hacker ?
    You can see I don't know my right hand from my left so hardly likely....

    Quote Originally Posted by drragostea View Post
    Depends on which way they enter your house.
    If it is a screensharing session used by tech support like from ISPs from Verizon, yes they can view your screen but they can't physically remain there after you've ended the session.
    Actually it's interesting you say that, because I've often had the feeling that I knew when someone was "with me".
    I say this because when I click "start" I normally can see 3 icons, Internet Explorer, Outlook Express and Wireless Manager.
    Sometimes when I have been online before, I've noticed my mouse pointer quickly shooting down the screen moving by itself (seems to happen only when I'm online), and these 3 options under "start" suddenly expand to 6 (3 x 2) making me think another user has joined the session.
    When I see that I hit the "restart" button on my pc and hope they go away, though often the same pattern happens again....

    I know it sounds weird but any ideas ? Could it be my ISP or more likely someone else ?
    Why is my mouse pointer sometimes jumping around when I suspect I'm being "joined" ?

    It also seems my PC crashes a lot more when I'm online than not. Any ideas about this ?

    Quote Originally Posted by drragostea View Post
    I doubt they'll invade your privacy and tamper with your files during the screensharing session since you have full control of the mouse and keyboard.
    So no-one can control my PC as a "remote user" - great !
    Probably a silly question I know but I just don't know what is possible and what isn't these days....



    Quote Originally Posted by drragostea View Post
    Not all infected, malicious files have to be installed in the System32 folder all the time.
    If you are unfortunately infected with a keylogger, you might be unknowingly opening your door ajar to a malware author.
    He views your screen and logs your keystrokes.
    If I have cleared the keylogger software a while ago, is it possible "the back door" still remains open ?
    Where else would you suggest I check using Spybot, if at all ?

    Many many thanks dr.
    I appreciate your help so much.

    Look forward to your reply.

    Cheers.

    mariner77
