I have 4 other questions;
1. Is the 01 entry in the below HJT scan legit?
2. Is the 013 entry in the below HJT scan legit?
3. Does the Win32/Rbot.HGO infection below need to be removed/cleaned?
4. Is the process below, C:\Windows\system32\wbem\unsecapp.exe, normal?
The first scan is from the ca.com online scan...
Scan Results: 126287 files scanned. 1 virus was detected.
File Infection Status Path
muveeapp.exe Win32/Rbot.HGO infected C:\Program Files\muvee Technologies\muvee autoProducer 6.0 - SE\
The above was copied and pasted...there was only this info presented, not a more detailed log.
The Trendco Online Scan stated there was nothing detected.
NEXT is the HJT 2.02 scan...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:12 PM, on 8/13/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\WINDOWS\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dee
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5654 bytes

Hi Michael Evans

1. Yes.

2. Yes.

3. It looks like a false positive to me:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\muvee Technologies\muvee autoProducer 6.0 - SE\muveeapp.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

4. Yes, link (http://www.liutilities.com/products/wintaskspro/processlibrary/unsecapp/)

Hello Shamba,
Thanks very much for your reply to my post.:)

I used the Jotti site to scan the file several times because I kept missing the status area that says "unknown". It only displayed the word "unknown" for a couple of seconds. I did see the result of "unknown" twice in a row.

The Virustotal site scan display a page that states;
"Bigger than max permited size / Mayor del tamaño máximo permitido"
The file size is 10,608 kb. It came up with this result twice.

This may or may not be revelant:
Using the Add or Remove Program page I removed/uninstalled Vongo, Rhapsody,
Roxio, and muvee autoProducer 6.0 because of the instances of them wanting
me to use them. I set Windows Media Player as the default for music, movies, etc.

Vista's security requested confirmation each time and stated an "unknown installer"
was attempting to access my computer. This may be normal, but does not make sense.
Things were not working right after that, so I performed a factory image recovery.
Again, these actions may not be relavent, I just thought that I would mention them.

Advice would be appreciated.
Thanks for your attention.
Michael E

Hi

Ok, that exe was too big for upload.

"Vista's security requested confirmation each time and stated an "unknown installer"
was attempting to access my computer. This may be normal, but does not make sense."

Actually that sounds normal to me due to UAC (User Account Control)

Please post back a fresh HijackThis log :)

Since the last HJT log that I posted, I restored from the HJT backups the
R0-HKCU\Software\Microsoft\InternetExplorer\Toolbar,LinksFolderName=
and
O13 - Gopher Prefix:

New HJT log since the two above entries restored;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:17 PM, on 8/19/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dee
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5464 bytes

Hi

That looks good :)

Any problems?

Hi Shamba,

You asked, "any problems"? I don't know.

I am confused why the virus that was reported to begin with, and then reported as "unknown" by Jotti, is asssumed to not exist. I have found the virus by searching the web, but it has different last three letters. (this one ends with HGO)

How do I know that I do not have a new or different version of the virus/malware?

I am still concerned.

Hi

That file online scan found is a legit program executable.

In other words, that is false positive, nothing to worry about :)

Hi again Shamba,

OK, MUCH Thanks for your help and advice.

I hope you respond to my next problem, hoping though that I don't need to post another!

Good luck and God bless you!

Thanks again.:2thumb:

Hi

Then I just give him some general tips how to stay clean also in the future:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 2 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Hello,

I did not post the logs requested from the post “Before you post…, because I recently posted those logs in another post regarding this computer. (What is, Win32/Rbot.HGO, and how do I get rid of it? (http://forums.spybot.info/showthread.php?t=16867))

Please advise if I need to re-scan and repost any logs.

I have three issues that may or may not be problems, but I am concerned due to the sometimes strange behavior I have experienced, like my mouse pointer jumping around and such. Twice today Windows Defender gave an alert that my hosts file had changed. I denied the change, since I had not done anything, then opened Spybot and Windows defender alerted that the hosts file had changed again. All I did was open Spybot.

I can’t seem to pinpoint any sources of malware, but had to delete four red entries from the Spybot start up list. Spybot reported the Sidebar from HP and the Welcome Center start up entries to be search centrics and another hijack location. I may not be remembering the search centrics properly.

I deleted the Spybot red startup entries per instructions from “before you post”, and therefore cannot produce the exact information. The red entries mentioned were identical on two New HP Pavillion dv9000 computers.

I previouly mentioned that I made a post earlier regarding a virus called W32/Rbot.HGO detected from a www ca com and was advised by Shamba that it was a false positive. I am trying to make sure that the below issues are not a problem, or are problems. I apologize in advance if this is a waste of advisors time.

My curser has jumped to lines above the spot that I am typing many times while writing the above information. I am online and sometimes do not appear to be alone!:sad:

The first two issues that I am concerned about are from HJT 2.02 Start up entries, and the third issue is from HJT ADS scan with the “Ignore safe system info streams” left checked.

OS: Windows Vista (WinNT 6.00.1904)
Internet Explorer v7.00 (7.00.6000.16512)

First Perceived Problem: Is it normal for only the few running processes being listed when there are 51 listed in the Task Manager as processes?
----------------------------------------------------------------------------------------
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
This lists all processes running in memory, which are all active
programs and some non-exe system components.
---------------------------------------------------------------------------------------
Second Perceived Problem: Is it a problem that the Registry check failed?
---------------------------------------------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\Windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'
Registry check failed!
--------------------------------------------------------------------------------------
Third Perceived Problem:
The below two ADS entries show up (Ignore Safe System Info Streams was left checked) along with several others. I selected to remove all of them, but these two will not be removed.
Is this a problem?
C:\Users\Dee\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\5FBB466A-00000001.eml : OECustomProperty (820 bytes)
C:\Users\Dee\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\399F1F63-00000002.eml : OECustomProperty (861 bytes)

Advise would be greatly appreciated.:red:

This adds to my perception of an intruder or something...

Today, I noticed the Teatimer Icon missing in my taskbar. Task Manager showed teatimer.exe as a running processs. I opened Spybot and the Resident tab and the Teatimer checkbox was checked. This was while I was posting this threads post earlier.

As advised in a previous thread, I uninstalled Java and installed the newest version of Java and restarted my computer. I had to try several times to be able to download the Java file. This is not uncommon for things like this.

After restart, Spybot's Teatimer screen popped up and asked me if I wanted to add Teatimer as a start up entry, with the current and previous entry as being blank. These issues are common with my XP2 now my 2 Vistas.

Are my computers possessed?:sad:

:oops: Sorry to post again, but forgot something...

I forgot to mention that the small pop up screen that HJT uses to have you to confirm "yes" or "no" when attempting to remove the two last ADS items does not have the normal text in the box. It is blank and has only the yes or no buttons to click on. This has happened before with Spybot and other Security related screens.

A Best Buy employee admitted to putting some type of Trojan on my Windows XP Computer while working on my network at by business over 2 yrs ago. He stated he was just messing with my son in the office. I did not know of all the malware, etc. that I am aware of now. May or may not be related, but I have had security issues every since, such as trying several different Firewalls and Anti-Virus Programs, only to have all of them have settings changed and issues coming back, even after system factory recoveries.

I am really fed up and do not know what to do! I also posted about the AGOBOT-KU WORM (http://forums.spybot.info/showthread.php?t=17018) on my son's laptop, JasonE (username here). I was told that was also a false alarm.

Spybot has detected the same AGOBOT-KU WORM on my last 5 computers, which is why I recently purchased the 2 Vista computers I currently use. I keep deleting the entries, but much crap keeps going on.

I sure could use some peace and privacy!!!

Hi Michael Evans and sorry that I haven't noticed these replies

"Is it normal for only the few running processes being listed when there are 51 listed in the Task Manager as processes?"

Well list all processes in Task Manager that we can find out.

"Is it a problem that the Registry check failed?"

No.

"The below two ADS entries show up (Ignore Safe System Info Streams was left checked) along with several others. I selected to remove all of them, but these two will not be removed.
Is this a problem?"

Those are legit ADS so they should not be removed at all.

"Today, I noticed the Teatimer Icon missing in my taskbar. Task Manager showed teatimer.exe as a running processs. I opened Spybot and the Resident tab and the Teatimer checkbox was checked. This was while I was posting this threads post earlier."

You may try uninstall & re-install spybot. I also encounter sometimes missing icons (I have XP) so that's nothing big as long as TeaTimer is on running processes.

AGOBOT-KUs are likely all false positives.

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.