System internals query 'win32'



Spamlet
2008-07-22, 21:32
A bit puzzled by an entry that crops up when I run the 'system internals' tool. The entry is:

"An app is registered with windows but could not be found at the given location.

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\appPaths\Win32"

In most cases I am happy to take SD's hint and delete these dead links etc, but as this one appears to relate to windows itself, I'd like to know what exactly this means before I go ahead and delete. Is this just a fake registry path that should be deleted? The remains of some malware? What?

Cheers for any light that can be thrown.

S

Zenobia
2008-07-22, 23:44
You should be a bit careful with the System Internals scan. From the help file:

Warning: Please be aware that changes to these items can corrupt your system! If you are not sure whether a setting is really a problem you'd better leave it alone!
This warning especially applies if you are using Microsoft Office™. This software suite has some registry entries pointing to wrong directories and some even pointing to non-existent help files. I have changed the first, but I would not delete the other one, because they may well point to files that will be installed on that "Install on first use" basis.
For wrong appath:

Application paths – some applications (mostly those registered to a file extension) are registered in the registry. If they are pointing to a program file no longer existing, Spybot-S&D can change their path or delete their entry.

I haven't run a system internals scan for ages, so I'm a bit rusty on them.

What's the path?
Try this: Go to System Internals, click Check, then click Export, then click Save. Then, go to View Report, click View Previous Report, scroll down and find SpybotSD.System internals.txt, right-click it, select Open. Next, go to Edit, select all. Return to Edit, select Copy, then Paste it here.

Greyfox
2008-07-23, 05:29
You haven't said what operating system or service pack you are using, however if it is XP-Home then the message "An app is registered with windows but could not be found at..HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\appPaths\Win32" is saying that it didn't find the registry appPaths entry for the application, and neither it should, because I believe it's not normally there in an XP-Home installation.

The problem as I see it, is that it found a reference indicating an app (possibly Win32.exe) is registered, and this may have originally come from malware. In addition to posting the report file Zenobia mentioned, you could also do a search for a file Win32.exe or Win32.dll and if you find it, advise its size, date and path.
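An added example (not code from the thread or from Spybot) of the check behind a "Wrong app path" report: it walks the App Paths keys Greyfox describes and flags any whose (Default) value is empty, as in the 'win32' entry here, or points at a file that no longer exists. It assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example, not code from the thread or from Spybot: list every App Paths
# registration whose target executable is missing, which is the condition the
# thread's "Wrong app path" entry for the 'win32' key reports.
# Assumes a Windows host with PowerShell 3 or later.
function Get-BrokenAppPath {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            # The key's (Default) value is the executable Windows launches when
            # the key name is typed into Start > Run or a shell "open" verb.
            $props  = Get-ItemProperty -LiteralPath $key.PSPath
            $target = $props.'(default)'
            if ([string]::IsNullOrWhiteSpace($target)) {
                # Empty data, as in the thread's 'win32' entry: nothing to launch.
                $status = 'empty'
            } else {
                # Expand %SystemRoot%-style variables and drop surrounding quotes.
                $expanded = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
                $status = if (Test-Path -LiteralPath $expanded -PathType Leaf) { 'ok' } else { 'missing' }
            }
            [PSCustomObject]@{
                Hive   = $root.Split(':')[0]
                Key    = $key.PSChildName
                Target = $target
                Status = $status
            }
        }
    }
}

# Show only the entries Spybot would flag: empty, or pointing at a missing file.
Get-BrokenAppPath | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

An App Paths key with no target is not itself harmful; what matters is who created it, so a flagged key is a prompt to check the rest of the system, not a reason to delete it blindly.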

Spamlet
2008-07-23, 19:42
Thanks ever so for the tips, and apologies for forgetting the system: this is XP Pro with SP2 and all the updates as received from MS. I'm still using IE6 too.

In the Spybot log the first two 'broken links' are presumably because those items are not connected at the mo.

I don't know what the 'advpack' thing is, so have left it.

Which leaves the 'Win32'.


Searching for Win32.exe and .dll yields nothing, but just searching for Win32 gives a list which I have added below in case it throws any further light.

Thanks once again for your interest:


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

Category: Broken link
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Filename: \\......\My Documents\MyPlacesGE
Data: C:\Documents and Settings\....\Desktop\Shortcut to MyPlacesGE.lnk

Category: Broken link
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
Filename: E:\...\My PicturesChrono
Data: C:\Documents and Settings\...\Desktop\Shortcut to My PicturesChrono.lnk

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DECCHECK
Filename: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
Data:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MSTTS
Filename: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSa22.inf, Uninstall
Data:

Category: Wrong app path
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\win32
Filename: win32
Data:


Searching 'Win32' with AgentRansack gets no exe but this is the list:

C:\Documents and Settings...\Desktop\Newsgroups Web\System internals query 'win32' - Safer Networking Forums.url (1 KB, 22/07/2008 20:32:47)
C:\Documents and Settings...\My Documents\Security\System internals query 'win32' - Safer Networking Forums.url (1 KB, 22/07/2008 20:32:47)
C:\Documents and Settings...\Recent\Files named Win32.fnd.lnk (1 KB, 23/07/2008 18:06:28)
C:\Program Files\HMRC\Employer CD-ROM 2007\xtras\pc\PrintOMatic MX (Win32) (15/08/2007 17:12:58)
C:\Program Files\Inland Revenue\Employer CD-ROM 2006\xtras\pc\PrintOMatic MX (Win32) (02/09/2006 11:14:00)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_CopyDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_CopyNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_LinkDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_LinkNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_MoveDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\Java\jre1.6.0_01\lib\images\cursors\win32_MoveNoDrop32x32.gif (1 KB, 19/04/2007 12:13:09)
C:\Program Files\VideoLAN\VLC\plugins\libglwin32_plugin.dll (22 KB, 01/04/2008 23:41:12)
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\win32k.sys (1794 KB, 02/03/2005 02:11:25)
C:\WINDOWS\$hf_mig$\KB896424\SP2QFE\win32k.sys (1797 KB, 06/10/2005 01:10:04)
C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\win32k.sys (1801 KB, 08/03/2007 14:49:49)
C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys (1803 KB, 19/03/2008 10:40:27)
C:\WINDOWS\$NtServicePackUninstall$\cimwin32.dll (1238 KB, 29/08/2002 11:40:50)
C:\WINDOWS\$NtServicePackUninstall$\cimwin32.mfl (1910 KB, 23/08/2001 13:00:00)
C:\WINDOWS\$NtServicePackUninstall$\cimwin32.mof (2704 KB, 23/08/2001 13:00:00)
C:\WINDOWS\$NtServicePackUninstall$\win32k.sys (1755 KB, 25/09/2003 09:35:48)
C:\WINDOWS\$NtServicePackUninstall$\win32k.sys.000 (1772 KB, 29/08/2002 10:14:20)
C:\WINDOWS\$NtServicePackUninstall$\win32spl.dll (97 KB, 29/08/2002 11:41:18)
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys (1655 KB, 23/10/2002 08:55:02)
C:\WINDOWS\$NtUninstallKB890859$\win32k.sys (1793 KB, 04/08/2004 07:17:40)
C:\WINDOWS\$NtUninstallKB896424$\win32k.sys (1794 KB, 02/03/2005 02:06:57)
C:\WINDOWS\$NtUninstallKB925902$\win32k.sys (1797 KB, 06/10/2005 01:05:59)
C:\WINDOWS\$NtUninstallKB941693$\win32k.sys (1801 KB, 08/03/2007 14:47:48)
C:\WINDOWS\$NtUninstallQ328310$\win32k.sys (1772 KB, 29/08/2002 10:14:20)
C:\WINDOWS\ServicePackFiles\i386\cimwin32.dll (1321 KB, 04/08/2004 08:56:41)
C:\WINDOWS\ServicePackFiles\i386\cimwin32.mfl (1915 KB, 04/08/2004 06:00:40)
C:\WINDOWS\ServicePackFiles\i386\cimwin32.mof (2710 KB, 04/08/2004 06:00:40)
C:\WINDOWS\ServicePackFiles\i386\win32k.sys (1793 KB, 04/08/2004 07:17:40)
C:\WINDOWS\ServicePackFiles\i386\win32spl.dll (100 KB, 04/08/2004 08:56:46)
C:\WINDOWS\system\WIN32CMI.DLL (29 KB, 28/08/1995 14:00:00)
C:\WINDOWS\system32\win32k.sys (1802 KB, 19/03/2008 10:47:00)
C:\WINDOWS\system32\win32spl.dll (100 KB, 04/08/2004 08:56:46)
C:\WINDOWS\system32\dllcache\win32k.sys (1802 KB, 19/03/2008 10:47:00)
C:\WINDOWS\system32\wbem\cimwin32.dll (1321 KB, 04/08/2004 08:56:41)
C:\WINDOWS\system32\wbem\cimwin32.mfl (1915 KB, 04/08/2004 06:00:40)
C:\WINDOWS\system32\wbem\cimwin32.mof (2710 KB, 04/08/2004 06:00:40)

Terminator
2008-07-23, 21:29
You are running an Out-Of-Date version of Spybot, please uninstall (See THIS (http://www.spybot.info/en/howto/uninstall.html) FAQ for the uninstall info) and download and install Spybot 1.6.0.30 and see if that helps.

Service Pack 3 is now out and I would recommend installing both that and IE 7.

Spamlet
2008-07-23, 21:51
Had already proceeded to update to the new Spybot and scan this evening.

Interestingly the system internals scan now picks up a different set of wrong uninstallers, but still the same 'Win32'.

I was in the process of tidying up our rather small (40 GB) internal hard drive before going ahead with IE7 and Service Pack 3, which is how I came to observe the odd entry in System Internals.

Would you also recommend I ditch McAfee anti vir at the same time and go for a free one? At one time I was advised that McAfee slowed IE down rather more than necessary.

Cheers,

S

Zenobia
2008-07-23, 22:36
Doesn't show, or there is no file extension.
Okay, I wouldn't fix that with System Internals just yet. Maybe try this, but please do it carefully: Do a system internals scan; when it's done, right-click and deselect all. Checkmark the win32 entry only, and click Fix selected Problems. In the pull-down menu beside New Path, select C:\, and then click Search. Let me know if anything comes up in the Search Results box. There's no log for that, that I know of, so you'll have to jot it down somewhere. Don't click on or accept the new path if anything shows up in Search, just hit the Close button on the window (red X, upper right corner). It will disappear, but do not worry, it will appear again when you do your next system internals scan. Please post back what you find.

Did you have any recent malware problems before doing the system internals scan? Or, are you having any problems now?

Terminator
2008-07-23, 22:40
I only used McAfee twice, though never again; it caused me nothing but grief. I currently use: Avast! 4.8 Home Edition (Free), Zone Alarm 7.1 Free Edition (Vista only version), AnalogX Script Defender 1.4, Spybot 1.6.0.30, Windows Defender, Google Toolbar (for the pop-up stopper) and Spyware Blaster 4.1. I never had any conflicts with these products.

Spamlet
2008-07-24, 00:10
Hi Zenobia and thanks Terminator,

Running the c:\ search crashed Spybot first go, and found nothing the next.

The new Spybot came with TeaTimer enabled.
Which now explains another puzzle I'd been getting and poses a third.

Two users on this PC; one had been using TT already, I had not. The other user's side had been getting 'Hosts-Secure, failure to find JIT debugger' messages on start up. Not mine. Now with the new SD I get the message too, so TT is killing Hosts-Secure.

On top of this TT is taking up most of the system resources on start up. I would have killed it then and there except that it suddenly came up with the news that it had 'encountered and terminated Win32.Rbot in C:\windows\system32\winlogon.exe!'

Numerous scans with other gear have never come up with this. What is this, and how did it get past all the scans and antivirus?

Is it coincidental that this has a 'Win32' in it like the odd sys internals entry? Redoing the sys int scan after TT's termination of the offender shows the Win32 entry still there.

Now at rather a loss what to do. TT really resource hogging, but if it is finding stuff that gets past everything else...

Zenobia
2008-07-24, 02:13
Please open Spybot, then go to Tools, then Resident. In the window to the right, please right-click and select Select All. Right-click again, select Copy, then Paste it here.

Did you have any recent malware problems before doing the system internals scan? Or, are you having any problems now?

Spamlet
2008-07-24, 13:45
Bit difficult to say if I was having malware problems because that is what I am trying to establish...

I was looking into the problem of the 'Hosts Secure/JIT debugging' messages on start up, and the 'Windows Parking...' messages on shut down. Also the keyboard response has been getting slow, and cancelled windows are remaining as ghosts on the task bar. One user who uses Outlook had also twice had a 'profile not found, building you a new one' scenario when changed to by fast user switching. The first time this happened the Outlook.pst file was lost before I realised what was going on! The second time I pulled the plug just in time!

The pop-up messages were at first restricted to one user who was using TT, but after I installed the new SD I started getting them as well. It looks this morning as though TT wasn't causing this: I had previously read about some HP printer files causing the 'parking window' problem and had cancelled the HP progs in the start up analyser; the fresh new version had put them back. Once re-cancelled last night, I have my Hosts back, though this wasn't what I was expecting! It may be that TT does interact with *both* Host Sec and the HP files, because the messages only recently started coming up though we have had the printer and HS a long time; and now the 'fix' of cancelling the HP files seems to have got rid of both the 'Host Sec jit debug' and the 'Parking Window' messages.

But now I notice I don't have an internet connection icon in my 'notification area' any more...

Currently start up processes are taking a long time to complete as TT and Process Explorer between them are taking 100% of the CPU for maybe 10 minutes after start up - in approx 70:30 proportion. Things were already slow enough thanks to both McAfee and MS checking for updates at the same time!

Now I read up on the virus TT found in winlogon and find that it can pretend to be just about anything, including McAfee and Spybot!

The resident log shows the 'virus termination event' (unless this was just another jape of the virus itself and my SD has been compromised by it...), and also the battle to keep ctfmon out of my start up. SD used to list this as possible malware: now your 'lassh' list keeps putting it back. I used to have a similar problem with Quick Time keeping coming back, but curiously, that is not currently in the start up list.

Here is the resident report:

13/02/2008 16:54:06 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
19/02/2008 19:27:53 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
20/02/2008 15:25:39 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
20/02/2008 17:16:44 Allowed (based on user decision) value "{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" (new data: "") added in Browser Helper Object!
20/02/2008 17:16:57 Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized") added in System Startup user entry!
21/02/2008 17:42:27 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
21/02/2008 17:47:56 Denied (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
24/02/2008 11:03:18 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
27/02/2008 20:36:44 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
29/02/2008 15:03:18 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
03/03/2008 17:45:37 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
05/03/2008 15:06:16 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
06/03/2008 08:50:13 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
07/03/2008 18:39:37 Allowed (based on user decision) value "{03A89EFD-E023-5707-A22D-45F77558EB4C}" (new data: "") added in ActiveX Distribution Unit!
16/03/2008 12:11:46 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
23/03/2008 17:55:17 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
23/03/2008 20:47:52 Denied (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
23/03/2008 20:51:58 Denied (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
24/03/2008 10:49:21 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
25/03/2008 18:39:05 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
27/03/2008 15:25:58 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
28/03/2008 15:20:34 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
31/03/2008 22:13:20 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
01/04/2008 17:09:19 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
02/04/2008 12:16:47 Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
02/04/2008 12:16:51 Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
02/04/2008 12:18:45 Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"") added in System Startup global entry!
02/04/2008 12:18:48 Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") added in Browser Helper Object!
02/04/2008 12:36:34 Allowed (based on user decision) value "AdobeUpdater" (new data: "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe") added in System Startup user entry!
02/04/2008 13:06:53 Allowed (based on user decision) value "AdobeUpdater" (new data: "") deleted in System Startup user entry!
02/04/2008 20:10:49 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
05/04/2008 15:51:55 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
07/04/2008 09:24:17 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
09/04/2008 12:06:50 Allowed (based on user decision) value "{5AA8C009-52B9-492D-931A-55F6A1CE17A9}" (new data: "") added in ActiveX Distribution Unit!
23/04/2008 15:26:33 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
23/04/2008 15:37:53 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
11/05/2008 16:25:13 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
17/05/2008 09:18:21 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
23/05/2008 14:52:47 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
23/05/2008 14:53:47 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
28/05/2008 02:42:08 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\C:
autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
28/05/2008 11:51:37 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
30/05/2008 07:11:59 Allowed (based on user decision) value "*Restore" (new data: "C:\WINDOWS\system32\restore\rstrui.exe -i") added in System Startup global entry!
30/05/2008 07:39:56 Denied (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
30/05/2008 14:46:29 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\C:
autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
30/05/2008 16:18:57 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
30/05/2008 19:13:43 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
31/05/2008 11:14:02 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
05/06/2008 21:11:10 Allowed (based on user decision) value "AdaptecDirectCD" (new data: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe") added in System Startup global entry!
06/06/2008 15:13:10 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
08/06/2008 13:02:23 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
11/06/2008 16:44:14 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
21/06/2008 14:05:32 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
28/06/2008 12:54:58 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
28/06/2008 15:52:17 Allowed (based on user decision) value "TomTomHOME.exe" (new data: ""C:\Program Files\TomTom HOME 2\HOMERunner.exe"") added in System Startup user entry!
29/06/2008 17:00:26 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
29/06/2008 17:31:41 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
30/06/2008 22:33:11 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
04/07/2008 17:35:44 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
05/07/2008 14:27:27 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
20/07/2008 13:15:35 Allowed (based on user decision) value "MSMSGS" (new data: "") deleted in System Startup user entry!
20/07/2008 13:15:40 Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
20/07/2008 13:15:46 Allowed (based on user decision) value "BluetoothAuthenticationAgent" (new data: "") deleted in System Startup global entry!
20/07/2008 13:15:51 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
20/07/2008 13:15:58 Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
20/07/2008 13:16:00 Allowed (based on user decision) value "AdaptecDirectCD" (new data: "") deleted in System Startup global entry!
20/07/2008 13:37:53 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
20/07/2008 18:42:41 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
21/07/2008 07:09:25 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
21/07/2008 14:17:09 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
22/07/2008 18:29:34 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 15:05:43 Allowed (based on user decision) value "Skype" (new data: "") deleted in System Startup user entry!
23/07/2008 15:06:07 Denied (based on user decision) value "Google Desktop Search" (new data: "") deleted in System Startup global entry!
23/07/2008 15:07:12 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 20:30:20 Allowed (based on lassh blacklist) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
23/07/2008 20:30:35 Allowed (based on lassh blacklist) value "Google Desktop Search" (new data: "") deleted in System Startup global entry!
23/07/2008 20:31:28 Allowed (based on lassh blacklist) value "MSConfig" (new data: "") deleted in System Startup global entry!
23/07/2008 20:31:56 Allowed (based on user decision) value "Gadwin PrintScreen 3.5" (new data: "") deleted in System Startup user entry!
23/07/2008 21:56:55 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 21:57:13 Allowed (based on lassh blacklist) value "HP SchedIndexer" (new data: "C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe") added in System Startup global entry!
23/07/2008 21:57:20 Allowed (based on lassh blacklist) value "HP AutoIndexer" (new data: "C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe") added in System Startup global entry!
23/07/2008 21:57:21 Encountered and terminated Win32.Rbot.bms in C:\WINDOWS\system32\winlogon.exe!
23/07/2008 21:57:31 Allowed (based on lassh blacklist) value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
23/07/2008 21:59:04 Allowed (based on lassh blacklist) value "MSConfig" (new data: "") deleted in System Startup global entry!
23/07/2008 22:17:32 Allowed (based on lassh blacklist) value "HP AutoIndexer" (new data: "") deleted in System Startup global entry!
23/07/2008 22:17:33 Allowed (based on lassh blacklist) value "HP SchedIndexer" (new data: "") deleted in System Startup global entry!
23/07/2008 22:19:42 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
23/07/2008 22:40:32 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
24/07/2008 11:28:18 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
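An added example, not the thread's or Spybot's code, that parses the TeaTimer Resident log format posted above so the two things the poster is asking about can be pulled out of it: the "Encountered and terminated" detection lines, and startup values that keep getting deleted and re-added (the ctfmon.exe churn). The sample lines are constructed in that format; the real log's multi-line BootExecute entries do not match the single-line pattern and are skipped.

```powershell
# Added example, not code from the thread or from Spybot: parse TeaTimer
# "Resident" log lines and summarise detections and startup-value churn.
# Assumes PowerShell 3 or later. Sample lines below are constructed.
$sampleLog = @'
20/07/2008 13:15:40 Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
20/07/2008 13:37:53 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 21:56:55 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 21:57:21 Encountered and terminated Win32.Rbot.bms in C:\WINDOWS\system32\winlogon.exe!
23/07/2008 21:57:31 Allowed (based on lassh blacklist) value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
'@

# One line per user/whitelist/blacklist decision on a registry value.
$decisionPattern = '^(?<date>\S+ \S+) (?<verdict>Allowed|Denied) \(based on (?<basis>[^)]+)\) value "(?<name>[^"]+)" \(new data: "(?<data>.*)"\) (?<action>added|deleted|changed) in (?<where>.+)!$'
# One line per malware detection reported by the resident scanner.
$detectPattern   = '^(?<date>\S+ \S+) Encountered and terminated (?<threat>\S+) in (?<path>.+)!$'

function ConvertFrom-ResidentLog([string]$text) {
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match $decisionPattern) {
            [PSCustomObject]@{
                Date = $Matches.date; Kind = 'decision'; Verdict = $Matches.verdict
                Basis = $Matches.basis; Name = $Matches.name; Data = $Matches.data
                Action = $Matches.action; Where = $Matches.where
            }
        } elseif ($line -match $detectPattern) {
            [PSCustomObject]@{
                Date = $Matches.date; Kind = 'detection'; Verdict = ''
                Basis = ''; Name = $Matches.threat; Data = $Matches.path
                Action = 'terminated'; Where = ''
            }
        }
        # Anything else (e.g. continuation lines of a BootExecute entry) is skipped.
    }
}

$events = ConvertFrom-ResidentLog $sampleLog

"Detections reported by the resident scanner:"
$events | Where-Object Kind -eq 'detection' | Format-Table Date, Name, Data -AutoSize

"Startup values removed and later re-added (worth a closer look):"
$events |
    Where-Object { $_.Kind -eq 'decision' -and $_.Where -like 'System Startup*' } |
    Group-Object Name |
    Where-Object { ($_.Group.Action -contains 'deleted') -and ($_.Group.Action -contains 'added') } |
    Select-Object Name, Count | Format-Table -AutoSize
```

A value that is re-added by a legitimate installer looks the same in this log as one re-added by malware, so the churn list only says where to look, and the detection line is the one to verify with a second scanner.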

Spamlet
2008-07-24, 15:45
Now have had to try fast user switching to the other user to retrieve a doc.

The other user does have the network connection symbol in the notification area, but, for that side, the Host Secure still does not get in thanks to the 'debugger' messages, and the 'Windows Form Parking Window' is still left behind on going to log off. This despite having disabled the HP for both users.

The ctfmon file still kept coming back in the process list for this user, and after several goes at killing it, a message popped up:
"Access violation of address 0051FCAF in SpybotSD.exe read of address 6C676E4D"

All this had was an OK button! And it just kept coming back. It also covered the 'ok' button in Process Explorer so that SD could not be turned off there either!

Eventually found that holding down the Esc button for several secs cleared it. Nasty!

Logging off and back onto my side, TT tells me that ctfmon instantly came back when I opened IE.

Zenobia
2008-07-25, 05:22
But now I notice I don't have an internet connection icon in my 'notification area' any more...

Oddly enough, I'd been having the same problem, lol. Don't worry, just commenting on a coincidence. :)

Okay, I'll give it to you straight. Despite everything happening, I suspect this isn't a malware problem. Just call it a gut instinct.

But, better safe than sorry, and there's enough unknowns to justify getting checked out, I think.

So.....

I know you're dealing with some problems.
However, could you get checked out in malware removal?

The instructions are here. Please read and follow them, as they include instructions to download HijackThis and produce the required logfile.
http://forums.spybot.info/showthread.php?t=288

Malware Removal:
http://forums.spybot.info/forumdisplay.php?f=22

When/if you post in malware removal, along with posting the HijackThis logfile, it might be a good idea if you tell them the gist of what's been happening, or you could link to this thread if you wish, so any helper that takes your case knows a little background.

Spamlet
2008-07-29, 13:24
Thanks again Zenobia.

I've used HijackThis before, and usually used it in the AumHa forum. Hadn't appreciated until now that there were similarly very helpful people here as well!

I will run this thread by them just in case.

Cheers,

S

Zenobia
2008-07-29, 18:03
You're welcome. :)

If you still are having some problems after getting checked out in malware removal, you can always post back here. But only after your helper is done with you, so nothing here interferes. They let you know when it's done.

If you don't get a response after 4 days, there's a sticky in the malware forum you can post to, to ask someone to check out your HJT log.

Good luck in malware removal. :)

Spamlet
2008-07-29, 22:01
Cheers!

I won't rush them though. It looks like they decidedly have their work cut out with something called 'virtumonde'. Thankfully, something which does not seem to have found us yet!

Zenobia
2008-07-30, 04:51
Yup, Vundo/Virtumonde seems like it has been popping up like a bad rash, lately.

Cheers.