
Startups/Windows Processes



mariner77
2009-03-30, 03:49
Hi again,

Thought I should let you know something possibly important....

Further to my last post, Edit: http://forums.spybot.info/showthread.php?t=47137 I just brought up my INAC "Startup Manager" software and noticed that I had about 3 or 4 instances of msnmsng (MSN Messenger) apparently running.

I know very little about the registry, but saw that each of them were pointing to the registry with "/background" at the end.

As I don't need MSN Messenger I've now uninstalled it (only 1 version installed by me, of course!) and deleted the 3 or 4 registry entries of MSN "/background" using my startup program.
When I did this I got the message it would be "deleted" and couldn't be undone which I did.

Anyway, from the little I've told you, does this mean I have had some sort of "spyware" related to MSN(or something else) running in the background and do you know how it might have worked ?

Or could spyware still indeed be running even though I have deleted the entries using this startup program (please note that "deleting" them is not the same option as running/displaying them with the startup program I have)

Finally, I also wish I knew how to check my registry for hidden software.
I'm sure I've seen directories like "C:\ProgramFiles\WinFixer2006" or "C:\Windows\system32\Winfixer2006" (can't remember but can check) being checked when running "Spyware doctor" anti-virus scans even though I can't see these folders in Windows Explorer!
Please note: I've got "Show hidden folders" set as ticked under "Folder Options" for the "Program Files" directory.

Many thanks for any light you may be able to shed on all the points I've raised.

Kind regards.
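Added example, not part of the original post and not code from the startup manager mentioned above: a PowerShell script that enumerates the Run and RunOnce autostart keys that such tools read, resolves each command line to the image it launches, and groups the results by image. A startup manager shows one line per registry entry, so the same program can be listed several times (once per hive, user or key); grouping by image path tells that case apart from genuinely different programs, and for each entry it gives three concrete checks before anything is deleted: whether the file exists, whether it is signed, and who signed it. The registry key names are the standard Windows ones; the function and variable names are chosen for this example. It needs PowerShell 3.0 or later and sees HKCU only for the user running it.

```powershell
# Added example (not code from the thread): enumerate Run/RunOnce autostart
# entries, resolve each to the image it launches, and group by image.
# Assumes PowerShell 3.0 or later; HKCU keys are those of the current user.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutostartImage {
    # Split a Run value into image path and arguments the way CreateProcess does:
    # a quoted path ends at the closing quote; an unquoted path containing spaces
    # is tried prefix by prefix until a file exists (the ambiguity that makes
    # unquoted paths under C:\Program Files a classic hijack target).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) {
            return @{ Image = $cmd.Substring(1, $end - 1); Args = $cmd.Substring($end + 1).Trim() }
        }
        return @{ Image = $cmd.Trim('"'); Args = '' }
    }
    $parts = $cmd -split ' +'
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return @{ Image = $candidate; Args = ($parts[$i..($parts.Count - 1)] -join ' ') }
        }
    }
    # No prefix exists as a file: report the first token as the image
    # (it may be a bare name that relies on the PATH search order).
    if ($parts.Count -gt 1) {
        return @{ Image = $parts[0]; Args = ($parts[1..($parts.Count - 1)] -join ' ') }
    }
    return @{ Image = $cmd; Args = '' }
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $r = Resolve-AutostartImage ([string]$item.GetValue($name))
        $exists = [bool]$r.Image -and (Test-Path -LiteralPath $r.Image -PathType Leaf)
        $signer = '<file missing>'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $r.Image
            $signer = if ($sig.Status -eq 'Valid') {
                $sig.SignerCertificate.Subject -replace '^CN=("[^"]+"|[^,]+).*$', '$1'
            } else { "<$($sig.Status)>" }
        }
        [pscustomobject]@{
            Key    = $key -replace '^(HK..):\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\', '$1\...\'
            Name   = $name
            Image  = $r.Image
            Args   = $r.Args
            Exists = $exists
            Signer = $signer
        }
    }
}

$entries | Sort-Object Image, Key | Format-Table Key, Name, Image, Args, Exists, Signer -AutoSize

# The same image registered from more than one place: compare the keys and
# arguments before deleting anything.
$entries | Group-Object Image | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    '{0} is registered {1} times: {2}' -f $_.Name, $_.Count, (($_.Group | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join ', ')
}
```

A signed image that exists and is registered once per hive is the ordinary case; an entry whose file is missing, or whose image is unsigned and sits in a temporary or profile directory, is the one to follow up on. Deleting a Run value only stops the autostart, as the startup manager's own help text says: the file stays on disk until it is removed separately.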

mariner77
2009-03-30, 04:30
Sorry, just another couple of other things I've noticed too:

1) The startup program I mentioned says:

"Deleting a startup program does NOT delete the actual program from your hard drive. It simply deletes the entry used to start the program with your operating system. To delete the actual program from your computer you must uninstall it or otherwise remove the program itself from your hard drive."

I'm fairly sure I uninstalled MSN Messenger first (I think) and then deleted the other 3 entries in my startup program.

2) I notice I've got a process svchost.exe running under the username "LOCAL SERVICE" in Task Manager.

I try to end the process, click yes, but it won't go and keeps utilizing my CPU.

What is a "LOCAL SERVICE" and could this process be a threat ?

Sorry for so much info at once, but I thought it better to get as much as I knew put down to make you know what's going on.

Thanks again !

drragostea
2009-03-30, 04:39
Hello mariner77. I'll respond to your first post then continue with your second post.

Actually before I do, I should have mentioned that since I first posted, I've run a couple of scans since and the error doesn't arise - run clean no problem.
This could be a glitch, but what matters is that its resolved.

By the way, may I ask, should I be worried about windows processes running ?
i.e. is it possible windows might track me themselves or pass over my information to potential 3rd parties ?
What do you mean by your first sentence? Which processes are you talking about?

I can tell you that Microsoft (software giant) won't spend time over a random user's personal computer and extract data and share it. It doesn't work like that.

I also got a remnant cookie before from "msnportal"(now removed) - I wonder if this related to my hotmail account.
Tracking cookies pose no harm whatsoever. What they do is store login information. They're not little buggers that invade your PC.

Anyway, from the little I've told you, does this mean I have had some sort of "spyware" related to MSN(or something else) running in the background and do you know how it might have worked ?
As far as I'm aware, MSN does not distribute spyware.

Finally, I also wish I knew how to check my registry for hidden software.
I wouldn't do it if I were you. I really feel there's no need to go through the trouble of looking for potential "hidden" software when it doesn't exist [on your machine].

I try to end the process, click yes, but it won't go and keeps utilizing my CPU.
Why would you want to do that for???
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
-
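Added example, not part of either post above: a PowerShell script for the "folder the scanner checks but Explorer does not show" question. Explorer has two separate settings: "Show hidden files and folders" (registry value Hidden under the Explorer\Advanced key) and "Hide protected operating system files" (value ShowSuperHidden). A folder carrying both the Hidden and System attributes stays invisible in Explorer until the second setting is also changed, while an on-demand scanner walks the disk regardless of either. The script prints both settings and lists folders with that attribute pair under the roots named in the thread (Program Files and System32). The registry key and value names are the standard Windows ones; the variable names are chosen for this example; it needs PowerShell 3.0 or later.

```powershell
# Added example (not code from the thread): list folders that carry both the
# Hidden and System attributes under the roots named in the thread. Explorer
# hides such folders until "Hide protected operating system files" is turned
# off, independently of "Show hidden files and folders"; scanners ignore both
# settings, which is why they can visit a folder Explorer never shows.
# Assumes PowerShell 3.0 or later.

$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
'Explorer settings: Hidden={0} (1 = show hidden files)  ShowSuperHidden={1} (1 = show protected OS files)' -f $adv.Hidden, $adv.ShowSuperHidden

$roots = @($env:ProgramFiles, "$env:SystemRoot\System32")
if ($env:ProgramW6432 -and $env:ProgramW6432 -ne $env:ProgramFiles) { $roots += $env:ProgramW6432 }
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }

$hiddenSystem = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
            }
        }
}

$hiddenSystem | Sort-Object Created -Descending | Format-Table -AutoSize
# Look inside one with:              Get-ChildItem -LiteralPath <path> -Force
# Make one visible in Explorer with: attrib -s -h <path>
```

Some entries in that list are normal (Windows keeps a few of its own folders this way, and which ones depends on the Windows version), so the creation date and the contents matter more than the attributes alone; a recently created folder with this attribute pair whose files are unsigned is the pattern that deserves a scan.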

mariner77
2009-03-30, 21:35
Hello mariner77. I'll respond to your first post then continue with your second post.
Many thanks for your reply.



This could be a glitch, but what matters is that its resolved.

Forgive me, I'm confused whether your comment indicates you think it IS resolved or whether I need to resolve it by installing the new software.
If the latter, would a clean run with your new version resolve it ?



What do you mean by your first sentence?

Sorry, I mean "system" processes running under Windows. (see my concerns whether founded or unfounded below....)



Which processes are you talking about?

Any that are potentially dangerous or intrusive whether they be "system", "local service" or "network service" ones.

Rightly or wrongly(probably the latter!), that's what I'm trying to assess.
I've been looking at processlibrary.com and seeing that a lot of dangerous processes can appear as harmless system processes ?

I've also read other help notes from my startup software that I should check each process running on his/her PC to see if it is safe.

Is there any chance at all someone can access my computer or the information I've sent or received remotely by using processes ?

Do I need to check processes running on my PC ?



I can tell you that Microsoft (software giant) won't spend time over a random user's personal computer and extract data and share it. It doesn't work like that.

Oh absolutely but is there any chance they could target users ?
I'm slightly concerned that in this age of surveillance and domestic spying, I'm having personal information being shared or reported on the basis of no more than free speech and controversial (i.e. anti-government) opinions.
Surely you understand that governments and private companies are sharing private information about UK residents these days ?



Tracking cookies pose no harm whatsoever. What they do is store login information. They're not little buggers that invade your PC.


Sorry I'm a bit confused.
Why would msn be storing login information if they already have it with my hotmail account ?
Could they be trying to track my IP address to locate me ?
Forgive my lack of knowledge - I accept tracking cookies are generally harmless, but if someone is trying to track my usernames, passwords or IP address shouldn't I be concerned ?
By the way, does an IP address give away one's exact location ?



As far as I'm aware of MSN does not distribute spyware.

Thanks.



I wouldn't do it if I were you. I really feel there's no need to go through the trouble of looking for potential "hidden" software when it doesn't exist [on your machine].

Fair enough.
But what about the "WinFixer" directory that I mentioned, that I can see being checked when running an anti-virus scan but not when viewing my files and folders in Windows explorer ?



Why would you want to do that for???
http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
-


Thanks for the useful link.

I was just concerned about processes that were "Local Service" processes.
I thought it might mean someone else might have logged on to my machine. (probably totally wrong?)

If there's nothing to worry about then that's fine but what does "local service" actually mean ?

Many thanks for all your help drragostea.

Apologies for my lack of knowledge and so many questions, it's just that I'm sure I've been spied upon before.
I've already used Spybot to remove keylogger software a while ago.

Kind regards.

drragostea
2009-03-31, 02:56
Forgive me, I'm confused whether your comment indicates you think it IS resolved or whether I need to resolve it by installing the new software.
If the latter, would a clean run with your new version resolve it ?
I think it is resolved since the "error" from your original query is not reappearing.

Sorry, I mean "system" processes running under Windows. (see my concerns whether founded or unfounded below....)
What's wrong with the System processes?

Is there any chance at all someone can access my computer or the information I've sent or received remotely by using processes ?

Do I need to check processes running on my PC ?
I think that you're getting a little bit too worried.
It depends on what "process" you are talking about. Malware can sometimes take on the name of a legitimate process or... it can have a randomly generated process name like "wskf7.exe" or "load [1].exe".

I don't usually rely on ProcessLibrary too much because it sometimes gives results about totally irrelevant processes when I search something up or gives something that doesn't match.

Oh absolutely but is there any chance they could target users ?
Depends on what they (the users) "do". If you are a malware author you are guaranteed to be pursued, etc. If you are downloading music and movies you are guaranteed to be monitored.

Surely you understand that governments and private companies are sharing private information about UK residents these days ?
I don't really know what this whole "monitoring" thing is that is occurring in the UK, but what I can tell you is that if you do not commit infringement or do anything that'll harm or pose a threat to others, the chances of official authority being on your heels are near 0% (that's the more logical part).

Why would msn be storing login information if they already have it with my hotmail account ?
That's because it is a login session. It wouldn't be fun if you had to login every minute because you drifted away to another site while you were on your email now would it?

but if someone is trying to track my usernames, passwords or IP address shouldn't I be concerned ?
By the way, does an IP address give away one's exact location ?
Major mail servers do not have the time to "track" people.
IP addresses give a rough estimate of the geographical location.

But what about the "WinFixer" directory that I mentioned
WinFixer is not active nor is it dormant. What harm would a folder named "WinFixer" pose?

If there's nothing to worry about then that's fine but what does "local service" actually mean ?
Google is your friend.
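Added example, not part of the post above: a PowerShell script that turns "malware can take on the name of a legitimate process" into checks that can be run on the box, and that answers the "LOCAL SERVICE" question from the process table itself. NT AUTHORITY\LOCAL SERVICE is a built-in, low-privilege account that Windows uses to run services which do not need SYSTEM's rights; it is not a person logged on to the machine. svchost.exe is the generic host for services implemented as DLLs, so several instances are normal. What distinguishes a genuine svchost.exe is its location (%SystemRoot%\System32), its parent (services.exe), its Microsoft signature, the service account it runs as, and the services it actually hosts; the script reports those for every process carrying a system-binary name and collects the mismatches as findings. The list of names to check and the variable names are chosen for this example; it needs PowerShell 3.0 or later and should run from an elevated prompt so that the paths and owners of system processes are readable.

```powershell
# Added example (not code from the thread): audit processes that carry the
# name of a Windows system binary. A genuine svchost.exe lives in
# %SystemRoot%\System32, is started by services.exe, is signed by Microsoft,
# runs as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, and hosts one or more
# services. A process that borrows the name but fails those checks is the
# case worth investigating; several svchost.exe instances by themselves are not.
# Assumes PowerShell 3.0 or later; run from an elevated prompt so the paths
# and owners of system processes are readable.

$expectedDir = @{
    'svchost.exe'  = "$env:SystemRoot\System32"
    'lsass.exe'    = "$env:SystemRoot\System32"
    'csrss.exe'    = "$env:SystemRoot\System32"
    'winlogon.exe' = "$env:SystemRoot\System32"
    'services.exe' = "$env:SystemRoot\System32"
    'spoolsv.exe'  = "$env:SystemRoot\System32"
    'explorer.exe' = "$env:SystemRoot"             # explorer lives one level up
}

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# PID of each service host -> names of the services it is running
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if ($s.ProcessId -gt 0) {
        $k = [int]$s.ProcessId
        if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
        $svcByPid[$k] += $s.Name
    }
}

$report = foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    if (-not $expectedDir.ContainsKey($name)) { continue }
    $findings = @()

    $path = $p.ExecutablePath
    if (-not $path) {
        $findings += 'path not readable (not elevated?)'
    } elseif ((Split-Path -Path $path -Parent) -ne $expectedDir[$name]) {
        $findings += "unexpected location: $path"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Older Windows reports NotSigned for catalog-signed OS files; confirm
        # with Sysinternals sigcheck before treating that alone as a finding.
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signature: $($sig.Status)"
        }
    }

    # ParentProcessId is a PID, which can be reused after the parent exits
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($name -eq 'svchost.exe' -and $parentName -ne 'services.exe') {
        $findings += "parent is $parentName, expected services.exe"
    }

    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $account = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

    $hosted = $svcByPid[[int]$p.ProcessId]
    if ($name -eq 'svchost.exe' -and -not $hosted) {
        $findings += 'svchost.exe hosting no service'
    }

    [pscustomobject]@{
        PID      = $p.ProcessId
        Name     = $p.Name
        Account  = $account
        Parent   = $parentName
        Services = ($hosted -join ', ')
        Findings = ($findings -join '; ')
    }
}

$report | Sort-Object Findings -Descending | Format-Table -AutoSize
```

A row with an empty Findings column is a process that looks the way Windows starts it. A svchost.exe running from a user profile or a temporary directory, started by something other than services.exe, or hosting no service at all is the impostor case; ending such a process from Task Manager does not remove it, since whatever started it (an autostart entry or a service) will start it again, so the file and its autostart entry are what need to be found.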

mariner77
2009-03-31, 05:16
I think it is resolved since your the "error" from your original query is not reappearing.

Thanks.



What's wrong with the System processes?

I think that you're getting a little bit too worried.

Probably, I'd rather know for sure what's going on though if possible.



It depends on what "process" you are talking about. Malware can sometimes take on name of a legitimate process or... it can have a randomly generated process like "wskf7.exe" or "load [1].exe".

Yeah - that was what I was worried about - malware taking the name of a legitimate process.



I don't usually rely on ProcessLibrary too much because it sometimes gives results about totally irrelevant processes when I search something up or gives something that doesn't match.

Any good sites you recommend ?



Depends on what they (the users) "do". If you are a malware author you are guaranteed to be pursued, etc. If you are download music and movies you are guaranteed to be monitored.

Neither of these - just free speech, nothing more or less.
In the UK free speech is banned outside parliament.
In a dreamworld(sorry to be sarcastic you just sound VERY trusting of government) everyone can say what they want(when they've said absolutely nothing wrong) and not be hassled for it.



I don't really know what this whole "monitoring" thing is that is occurring in the UK

Big brother surveillance society tracking every user's e-mail and phone call ?



but what I can tell you is that if you do not commit infringement or do anything that'll harm or pose a threat to others chances of official authority on your heels is near 0% (that's the more logical part).

Suppose it depends on the governments definition of "pose a threat".
We do live in a surveillance society overseen by government.
I don't know where you live but I'd guess you most likely do too.



That's because it is a login session. It wouldn't be fun if you had to login every minute because you drifted away to another site while you were on your email now would it?

Oh sure but why did I only get one remnant cookie one time from "msnportal"?

I don't get any such cookie anymore.....

Sorry to keep asking but how and why do remnant cookies occur and why would I get one from msnportal ?
"msnportal" sounds like someone's trying to gain "entry" to my hotmail account or PC ?
Or is just that "bits"(remnant) of cookies are randomly left over ?



Major mail servers do not have the time to "track" people.
IP addresses give a rough estimate of the geographical location.

Ok thanks.



WinFixer is not active nor is it dormant. What harm would a folder named "WinFixer" pose?

I don't even know what "Win fixer" is.
I just wonder why it is there at all and why I can't access it.
Is this normal ?
I've heard about spy software being put on users "system32" folder by scripts which automatically extract...... ?
Thought it might be something like that....(i.e. hidden software)



Google is your friend.

Yeah, bit lazy of me sorry.....

Thanks very much for your help drragostea.

Please forgive my lack of knowledge but I just like to know everything.....

drragostea
2009-04-01, 00:35
Any good sites you recommend ?
I would just use a Google search and then compare the results that the sites give me about the process side by side and I also compare the symptoms of the process. But hey, we don't know for sure since it is just merely a process name. I would scan the system for baddies as a precaution. If a new process like "load [1].exe" appears immediately after you have just been redirected to a rogue AV site, then you can most likely assume that the process is malware. But I wouldn't suggest you follow that rule (it was just a suggestion).

In a dreamworld(sorry to be sarcastic you just sound VERY trusting of government) everyone can say what they want(when they've said absolutely nothing wrong) and not be hassled for it.
Sorry if I sound that way, but to clarify, I don't trust the government on Internet issues. They focus more of their time on what they do, prosecuting cyber criminals and tracking down problems, than on spending their time on me. I won't say I trust everyone, but I filter and limit the group of people that I trust. If a dreamworld just existed...

Big brother surveillence society tracking every users e-mail and phone call ?
Yes, I did recall an article talking about that issue. I think they archive everything. Maybe they scan every email and phone call for threats... whether that be cyber or terrorist threats. If I were in your shoes... I might keep personal and financial matters away from the electronic party [PCs and phones] for now [hopefully].

I don't know where you live but I'd guess you most likely do too.
Yes but the government doesn't just go prosecuting innocent people.

Oh sure but why did I only get one remnant cookie one time from "msnportal"?
I don't know. You might as well clear it out if you want. Use the browser's options.

why would I get one from msnportal ?
I don't know. (Clear it out using your browser options)
If I got one from GooglePortal it would be merely a cookie, not a threat.
-
I'm not so sure about WinFixer now (it's a trojan)... Tools like FileASSASSIN can remove locked files... But I'm not sure if this is the case, like is this an active or dead infection.

I've heard about spy software being put on users "system32" folder by scripts which automatically extract...... ?
I would put anti-spyware and AVs on the job to scan that system32 folder, not go out in the wild by myself (removing things manually).

mariner77
2009-04-05, 03:25
Hi there dr,

Thanks for all your advice, most appreciated.

Apologies I haven't replied for a while.....
(oh no not again I hear you say ! :laugh:)

I hope you don't mind me asking more questions ? (just I'd rather be clean once and for all...)

I'll cover a few of your responses then go on to the "system32" stuff.......

I removed the tracking cookie from "msnportal" using anti-virus software a while ago.
When you say "Clear it out using your browser options" do you mean the "privacy" settings ?
I've now set my computer not to accept cookies. I presume this is ok ?
I don't mind typing in my own usernames and passwords......

You say "archive" e-mails, phone calls, but what about browsing history or posting/blogging on the internet ? Any idea if they or ISP's store ALL this information ?

Anyway, I took your advice and started to scan the "system32" folder using Spybot S&D.

I haven't finished yet(boy it takes so long !) and my PC crashed,
but I've found one file ENLOCSTR.EXE which appears as a "Smitfraud-C" type threat, file modified on 11/08/2006

I did a search on the forum and found several posts relating to the instances of the term "Smitfraud-C".
Could this be a threat ? If so what would you recommend I do ?
Check the forums or talk to to the Spybot team or yourself ?

Also another issue.....
When I run an "AVG Free Edition" anti virus scan I instantly am told there are several files which are changed.

These are: kernel32.dll, wsock32.dll, user32.dll, shell32.dll, ntoskrnl.exe

I first noticed this change a few months ago, when I ran Spybot S&D to remove keylogger software from my PC (I think it was at the same time, but not 100% sure)

Since I guess the above 5 are key files could I still be at risk even if the offending keylogger software (that was possibly caused by the same hijacker ?) was removed ?

You see, I know very little about the registry.
Is there a possible threat and if so, what would you recommend I do ?

May I also ask, what is your opinion of AVG anti virus ?
I keep getting this popup every time I boot up the PC asking me if I want to renew to receive upgrades before 14 April, but with no X in the top right corner. It just looked a bit suspicious.....)
What about "Spyware doctor" ?
Do I need ANY of these other "anti-virus" programs ?
If not, should I uninstall the lot ?

I also looked in my system32 for files that had been recently modified.

I stumbled across a file in system32/wbem/Logs named "wbemprox.log", modified on 31st March 2009 which says:

"(Tue Mar 31 05:05:10 2009.35912828) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b
(Tue Mar 31 13:51:27 2009.755140) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b"

I'm totally guessing here but I was a little alarmed that it says "ConnectViaDCOM, CoCreateInstanceEx"
Any reason to be concerned about this ?

I've also got a big file named ikhcore.log which contains references to "Security kernel Started", "Security kernel Stopped".
Is this any use ? Could someone be possibly logging on remotely and tampering with my security settings ?

Maybe I'm totally off track here and shouldn't wildly speculate with near zero knowledge, but I just wonder how to locate any possible files that may have been either recently modified or created by another remote user ?

Are people able to remotely log on to my computer ?
Or use my system32 settings to compromise my security or perform dirty deeds ?

I also notice I have 2 system32 folders named "Catroot" and "Catroot2" each with 2 subfolders whose folder names appear to be registry keys but all these Catroot folders and their subfolders all seem to be last modified in 2003.

Apologies for my lack of knowledge but would it be worth running the registry software tool that spybot offers ?
Bearing in mind of course I probably won't have a clue how to "analyze" the results unless it spoon feeds me ?

Finally what about Windows Updates ?
Not sure I am totally up to date even though I have automatic updates turned on.
Do I ensure I am totally up to date on them before I fix any problems or ensure I fix any problems first ?

Sorry so many questions (and being a probable pain) but any help greatly appreciated.

Many thanks again.
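Added example, not part of the post above: a PowerShell decoder for the "hr = 0x8007045b" values in the wbemprox.log lines quoted there, so the log can be read rather than guessed at. An HRESULT packs a severity bit, an 11-bit facility and a 16-bit code; facility 7 (FACILITY_WIN32) means the low 16 bits are an ordinary Win32 error code, and Windows itself supplies the text for those. For 0x8007045b that gives failure, facility 7, code 0x045B = 1115, which Windows reports as "A system shutdown is in progress": the WMI client (wbemprox) could not create its DCOM connection because the machine was shutting down at those two times, which is what the log records, not a remote connection. The two log lines are the ones quoted in the thread, embedded here as sample input; the function names are chosen for this example; it assumes Windows PowerShell 3.0 or later on Windows, where Win32Exception returns the system's error text.

```powershell
# Added example (not code from the thread): decode the HRESULT values that
# WMI's client log (wbemprox.log) records. HRESULT layout, from winerror.h:
#   bit 31       severity  (1 = failure)
#   bits 16..26  facility  (7 = FACILITY_WIN32: low 16 bits are a Win32 error code)
#   bits 0..15   code
# Assumes Windows PowerShell 3.0+ on Windows, where Win32Exception supplies
# the system's own text for a Win32 error code.

function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][string]$Hex)
    $hr       = [Convert]::ToUInt32(($Hex -replace '^0[xX]', ''), 16)
    $severity = [int](($hr -shr 31) -band 1)
    $facility = [int](($hr -shr 16) -band 0x7FF)
    $code     = [int]($hr -band 0xFFFF)
    $meaning  = if ($facility -eq 7) {
        (New-Object System.ComponentModel.Win32Exception($code)).Message
    } else {
        '(not a Win32 facility; look the value up in winerror.h)'
    }
    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $hr
        Failure  = ($severity -eq 1)
        Facility = $facility
        Code     = $code
        Meaning  = $meaning
    }
}

function Read-WbemproxLog {
    # Pull (timestamp, call site, hr) out of each log line and decode hr
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\((?<ts>[^)]+)\)\s*:\s*(?<call>.+?)\s+resulted in hr = (?<hr>0x[0-9A-Fa-f]{1,8})') {
            $d = ConvertFrom-HResult $Matches['hr']
            [pscustomobject]@{
                Time     = $Matches['ts']
                Call     = $Matches['call']
                HResult  = $d.HResult
                Facility = $d.Facility
                Code     = $d.Code
                Meaning  = $d.Meaning
            }
        }
    }
}

# Sample input: the two lines quoted in the thread
$sample = @(
    '(Tue Mar 31 05:05:10 2009.35912828) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b',
    '(Tue Mar 31 13:51:27 2009.755140) : ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x8007045b'
)
Read-WbemproxLog $sample | Format-Table -AutoSize
# For the real file:
# Read-WbemproxLog (Get-Content "$env:SystemRoot\System32\wbem\Logs\wbemprox.log") | Format-Table -AutoSize
```

The same decoder works for any 0x8007xxxx value found in Windows logs; values with another facility (for example 0x8004xxxx from WMI itself) need the winerror.h or wbemcli.h constant tables instead, which is why the function only hands Win32 codes to Win32Exception.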

drragostea
2009-04-05, 05:05
Well, Anti-Virus programs could also offer to clear out cookies for you (haven't heard of one that does, except anti-spyware programs only).
I've now set my computer not to accept cookies. I presume this is ok ?
I don't mind typing in my own usernames and passwords......
Well, even if you told your browser not to accept cookies it does not mean you are free of them. You could still have a few cookies :oreo: : ), left back from your prior browsing (well, prior to changing your settings not to accept cookies and before clearing them out).

When you want to clear out your cookies manually, you can always clear them out (Privacy settings) in Internet/Browser options. Mozilla Firefox and Microsoft IE have almost identical paths (Tools>Options) so there should be no problems. Then find the cookies tab and clear them all. I recall that in IE there is an option to clear all the tracks at once, that includes history, cookies, cache, and autocomplete forms.

Any idea if they or ISP's store ALL this information ?
No idea. I'm pretty sure they don't store every single blog post. So if I were to make 1 million posts in a forum and they all store them, there wouldn't be any point now would it, since it'll just be countless pages and KBs of posts, information, and quotes. As for browsing history and cookies I don't think they store that. It could be possible that they log down the IP and the sites you visit :fear:. But why would we have to worry about it? Alright, someone has a blog on Twitter or Facebook, that means we're all going to be attacked one minute later? No.

Anyway, I took your advice and started to scan the "system32" folder using Spybot S&D.
:oops: Well, the file scanner was not meant to scan large files... :red: So it might take a long time. Sorry. So I wouldn't suggest you scan again (boy it took so long! :laugh:).

I haven't finished yet(boy it takes so long !) and my PC crashed,
but I've found one file ENLOCSTR.EXE which appears as a "Smitfraud-C" type threat, file modified on 11/08/2006
I'm not sure if this is a threat or not. Can you browse to the file (copy to the desktop) and upload it to VirusTotal (www.virustotal.com) to see if it is flagged? I'm also interested in what section it was flagged in (Malware or Heuristics).

SmitFraud is one of those bad guys who deliver you the utmost nightmares of trojans and rogue AVs. Spybot detects variants of SmitFraud, that I'm sure.


These are: kernel32.dll, wsock32.dll, user32.dll, shell32.dll, ntoskrnl.exe
These files are crucial for Windows since the last file (.exe) has to do with the login during Windows bootup. In AVG 7.5 I was told that these files were changed... even after a full scan from a reformat. So I guess it should be nothing to worry about right now, but more like a heads up. I don't remember if this had to do with Spybot's Immunization, or some other anti-spyware's Resident module.


You see, I know very little about the registry.
Is there a possible threat and if so, what would you recommend I do ?
You scan your machine with an anti-spyware and AV product. Manually searching and removing entries would be going into the middle of a forest with snakes and tigers.

May I also ask, what is your opinion of AVG anti virus ?
I keep getting this popup every time I boot up the PC asking me if I want to renew to receive upgrades before 14 April, but with no X in the top right corner. It just looked a bit suspicious.....)
What about "Spyware doctor" ?
Do I need ANY of these other "anti-virus" programs ?
If not, should I uninstall the lot ?
I can't take sides with any AV that is "better" than the other since no one AV detects everything. One AV might miss an entry another detects, but what matters is the adequate protection they protect you with, free or commercial. AVG has become more bulky now because they have the anti-spyware component attached along with the AV and the LinkScanner has made a home in the product too.

The pop-up you are receiving is probably their ad to advertise their Professional version of the product. It shouldn't be something to worry about since it's just an ad. Spyware Doctor is just another one of those fancy looking commercial anti-spyware programs. For me, I just do well with A-squared, MalwareByte's Anti-Malware, and Superantispyware. I don't like SpywareDoctor that much since it runs some processes on my 512MB of RAM (I plan to upgrade to Windows Seven in the Summer) even when the Resident Shields are disabled and the programs are closed.

Apologies for my lack of knowledge but would it be worth running the registry software tool that spybot offers ?
From the description you can conclude that it'll scan for invalid registry keys.
At the moment, I can't offer any advice or guideline in determining which ones to fix since I don't use it often and I'm not so familiar with it. Don't worry about invalid registry keys : ). I'd rather have a whole army of orphaned registry keys than potentially risk my whole machine to total failure.

Finally what about Windows Updates ?
Not sure I am totally up to date even though I have automatic updates turned on.
Automatic Updates gives you a really good chance of being patched. For me, I don't leave my machine on non-stop, and if you don't you might want to change the time settings earlier than the default 3:00AM. If you doubt Windows Updates, you might as well visit the site itself.

but I just wonder how to locate any possible files that may have been either recently modified or created by another remote user ?
Might not be a good tactic... It's very time consuming. As long as you fortify yourself behind a solid AV and firewall (hardware firewall would be best) you're good for now. Unless you deliberately (not saying you would) install malware.

Are people able to remotely log on to my computer ?
Or use my system32 settings to compromise my security or perform dirty deeds ?
Depends on which way they enter your house. If it is a screensharing session used by tech support like from ISPs such as Verizon, yes they can view your screen but they can't physically remain there after you've ended the session. I doubt they'll invade your privacy and tamper with your files during the screensharing session since you have full control of the mouse and keyboard.
Not all infected, malicious files have to be installed in the System32 folder all the time. If you are unfortunately infected with a keylogger, you might be unknowingly opening your door ajar to a malware author. He views your screen and logs your keystrokes.
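Added example, not part of the post above: a PowerShell script for the "these files are changed" report on kernel32.dll, wsock32.dll, user32.dll, shell32.dll and ntoskrnl.exe. An anti-virus product that keeps its own fingerprints of system files will report a change whenever Windows Update replaces one of them, so "changed" on its own says nothing about who changed it. What does settle the question is whether the current file still carries a valid Microsoft signature and whether its version moved forward; the script records both, plus a SHA-256 hash, and saves them as a baseline so that the next alert can be compared against a known state instead of memory. The baseline file path and the function name are chosen for this example; it needs PowerShell 4.0 or later for Get-FileHash, and on Windows 7 and earlier catalog-signed system files may show NotSigned here, which is a limitation of the cmdlet, not evidence of tampering.

```powershell
# Added example (not code from the thread): verify the five files named above
# and keep a baseline, so the next "file changed" alert can be checked against
# something concrete. A Windows binary that still carries a valid Microsoft
# signature and whose version moved forward was replaced by Windows itself
# (an update); one that is unsigned, or signed by someone else, was not.
# Assumes PowerShell 4.0 or later (Get-FileHash). On Windows 7 and earlier,
# catalog-signed system files can show NotSigned here; confirm with
# Sysinternals "sigcheck -c" or "sfc /verifyonly" before acting on that.

$files = 'kernel32.dll', 'wsock32.dll', 'user32.dll', 'shell32.dll', 'ntoskrnl.exe' |
    ForEach-Object { Join-Path -Path "$env:SystemRoot\System32" -ChildPath $_ }
$baselinePath = Join-Path -Path $env:USERPROFILE -ChildPath 'system32-baseline.json'

function Get-FileFingerprint {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Version   = $item.VersionInfo.FileVersion
        Modified  = $item.LastWriteTimeUtc.ToString('u')
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = [string]$sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$current = foreach ($f in $files) { Get-FileFingerprint -Path $f }

# The real alert: not validly signed, or not signed by Microsoft
$current | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    ForEach-Object { Write-Warning "$($_.Path): $($_.SigStatus) $($_.Signer)" }

if (Test-Path -LiteralPath $baselinePath) {
    $baseline = Get-Content -LiteralPath $baselinePath -Raw | ConvertFrom-Json
    foreach ($now in $current) {
        $was = $baseline | Where-Object { $_.Path -eq $now.Path }
        if ($was -and $was.Sha256 -ne $now.Sha256) {
            '{0}: hash changed, version {1} -> {2}, modified {3}' -f $now.Path, $was.Version, $now.Version, $now.Modified
        }
    }
} else {
    $current | ConvertTo-Json | Set-Content -LiteralPath $baselinePath
    "Baseline written to $baselinePath; run again after the next 'file changed' alert."
}

$current | Format-Table Path, Version, SigStatus, Sha256 -AutoSize
# The SHA-256 can be searched on VirusTotal without uploading the file itself.
```

Run it once on a machine known to be clean and again after an alert: a changed hash together with a higher file version and a valid Microsoft signature is an update; a changed hash with the same or lower version, or with the signature gone, is the case to treat as an incident. Searching VirusTotal by the hash avoids uploading system files at all.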

mariner77
2009-04-05, 22:36
Many thanks for your comprehensive reply drragostea.


Well, Anti-Virus programs could also offer to clear out cookies for you (haven't heard of one that does, expect anti-spyware programs only).
Well, even if you told your browser not to accept cookies it does not mean you are free of them. You could still have a few cookies :oreo: : ), left back from your prior browsing (well, prior to changing your settings not to accept cookies and before clearing them out).
When you want to clear out your cookies manually, you can always clear them out (Privacy settings) in Internet/Browser options. Mozilla Firefox and Microsoft IE have almost identical paths (Tools>Options) so there should be no problems. Then find the cookies tab and clear them all. I recall that in IE there is an option to clear all the tracks at once, that includes history, cookies, cache, and autocomplete forms.

I've gone Tools-> Internet Options and seen the privacy tab but not the cookies tab ?
I think you mean "Delete Browsing History" under Internet Options ?
Anyway, I also have a program called "CCleaner" which clears many of the things you talk about - i.e. temporary files, cookies, autocomplete forms etc.
So I presume this is sufficient to clear out all my cookies ?



No idea. I'm pretty sure they don't store every single blog post. So if I were to made 1 million posts in a forum and they all store them, there wouldn't be any point now would it, since it'll just be countless pages and KBs of posts, information, and quotes. As for browsing history and cookies I don't think they store that. It could be possible that they log down the IP and the sites you visit :fear:. But why would we have to worry about it? Alright, someone has a blog on Twitter or Facebook, that means we're all going to be attacked one minute later? No.

Oh sure, worrying never did any good !
Just wondered who was looking at and logging what.....

You may or may not be interested in this article from the Sydney Morning Herald.

http://www.smh.com.au/news/home/technology/banned-hyperlinks-could-cost-you-11000-a-day/2009/03/17/1237054787635.html

Not that it is likely to affect me, but it shows there is an ever increasing clampdown on certain "unacceptable" sites (the ones that tell the truth most probably...)

P.S Is it naughty to post web links ? If so sorry.......



:oops: Well, the file scanner was not meant to scan large files... :red: So it might take a long time. Sorry. So I wouldn't suggest you scan again (boy it took so long! :laugh:).

Glad to raise a smile :o)
Actually I have finished the scan of my system32 folder now.

Apart from the ENLOCSTR.EXE "Smitfraud-C" file (please see below) I also found 2 other possible threats:

1) unicows.dll "SuperYahooMessengerArchiveDecoder"

I have used MSN Messenger but I'm pretty certain never "Yahoo Messenger", though I did set up an old Yahoo e-mail account a long time ago.

2) msxml3a.dll "WinFixer2005"

Both flagged under "Heuristics"
Can you advise me whether and how I should proceed with these please ?



I'm not sure if this is a threat of not. Can you browse to the file (copy to the desktop) and upload it to VirusTotal (www.virustotal.com) to see if it is flagged? I'm also interested in what section is was flagged in (Malware or Heuristics).
SmitFraud is one of those bad guys who deliver you the utmost nightmares of trojans and rogue AVs. Spybot detects variants of SmitFraud, that I'm sure.

Yes sorry ENLOCSTR.EXE was flagged under "Malware".

I did what you said and uploaded it to the virustotal website.
Here's what I got back....... (presume you can paste the results link below into your browser)

http://www.virustotal.com/reanalisis.html?feb0d1d2b38421a5dd73ee0dd3041aa9

Thanks, results don't mean much to me I have to admit....



These files are crucial for Windows since the last file (.exe) has to do with the login during Windows bootup.
In AVG 7.5 I was told that these files were changed... even after a full scan from a reformat.

Ah well the fact that you use AVG yourself and you've had the same thing is somewhat re-assuring......



So I guess it should be nothing to worry about right now, but more like a heads up.
I don't remember if this had to do with Spybot's Immunization, or some other anti-spyware's Resident module.

When you say "heads up" do you mean it's the price you pay for a cleaning your system with Spybot ?
Could it have happened when Spybot S&D removed a lot of keylogger software ?
You're saying it's Spybot doing it but nothing to worry about ?
If so that's fine.....



You scan your machine with an anti-spyware and AV product. Manually searching and removing entries would be going into the middle of a forest with snakes and tigers.

May I ask why ?
I can of course understand it will not fix a thing to delete it, and only anti-spyware can "fix" the problem, but could deleting it make things worse ?
After all, you asked me to copy the file.
Not the same I know, but both copy and "send to recycle bin" are both actions which do not "execute" the file ?
Sorry, just want to be clear on what you mean here.....



I can't take sides with any AV that is "better" than the other since no one AV detects everything. One AV might miss an entry another detects, but what matters is the adequate protection they provide you with, free or commercial. AVG has become more bulky now because they have the anti-spyware component attached along with the AV, and the LinkScanner has made a home in the product too.



The pop-up you are receiving is probably their ad to advertise their Professional version of the product. It shouldn't be something to worry about since it's just an ad.

Yeah, sure you're right.



Spyware Doctor is just another one of those fancy looking commercial anti-spyware programs.
I don't like SpywareDoctor that much since it runs some processes on my 512MB of RAM (I plan to upgrade to Windows Seven in the Summer) even when the Resident Shields are disabled and the programs are closed.

That's been my conclusion too.
It runs processes in the background even when there is no user activity. And practically every site I visit, it blocks.



For me, I just do well with A-squared, MalwareByte's Anti-Malware, and Superantispyware.

Thanks for the advice.
I'll check these 3 products out.
You'd still use AVG though?



From the description you can conclude that it'll scan for invalid registry keys.
At the moment, I can't offer any advice or guideline in determining which ones to fix since I don't use it often and I'm not so familiar with it.

I appreciate your honesty thanks.



Don't worry about invalid registry keys : ).
I'd rather have a whole army of orphaned registry keys than potentially risk my whole machine to total failure.

Me too !
And I've spent far too long with registry programs designed to "speed up your machine" but which actually end up spending more of your time !
"Orphaned registry keys" - good one ! I like your style.

Suppose I just wondered if a potential hijacker could possibly attack the registry ?
Sounds like it is unlikely even through malware though ?



Automatic Updates gives you a really good chance of being patched. For me, I don't leave my machine on non-stop, and if you don't you might want to change the time settings earlier than the default 3:00AM.
If you doubt Windows Updates, you might as well visit the site itself.

Good and sensible advice, thanks.



Might not be a good tactic... It's very time consuming.
As long as you fortify yourself behind a solid AV and firewall (hardware firewall would be best) you're good for now.

Hardware firewall ? That sounds expensive ?
Little chance of me getting that far unfortunately.....



Unless you deliberately (not saying you would) install malware.

You mean if I'm a hacker ?
You can see I don't know my right hand from my left so hardly likely....



Depends on which way they enter your house.
If it is a screensharing session used by tech support, like from ISPs such as Verizon, yes they can view your screen but they can't physically remain there after you've ended the session.

Actually it's interesting you say that, because I've often had the feeling that I knew when someone was "with me".
I say this because when I click "start" I normally can see 3 icons, Internet Explorer, Outlook Express and Wireless Manager.
Sometimes when I have been online before, I've noticed my mouse pointer quickly shooting down the screen moving by itself (seems to happen only when I'm online), and these 3 options under "start" suddenly expand to 6 (3 x 2), making me think another user has joined the session.
When I see that I hit the "restart" button on my pc and hope they go away, though often the same pattern happens again....

I know it sounds weird but any ideas ? Could it be my ISP or more likely someone else ?
Why is my mouse pointer sometimes jumping around when I suspect I'm being "joined" ?

It also seems my PC crashes a lot more when I'm online than not. Any ideas about this ?



I doubt they'll invade your privacy and tamper with your files during the screensharing session since you have full control of the mouse and keyboard.

So no-one can control my PC as a "remote user" - great !
Probably a silly question I know but I just don't know what is possible and what isn't these days....





Not all infected, malicious files have to be installed in the System32 folder all the time.
If you are unfortunately infected with a keylogger, you might be unknowingly opening your door ajar to a malware author.
He views your screen and logs your keystrokes.

If I have cleared the keylogger software a while ago, is it possible "the back door" still remains open ?
Where else would you suggest I check using Spybot, if at all ?

Many many thanks dr.
I appreciate your help so much. :bigthumb:

Look forward to your reply.

Cheers.

mariner77

drragostea
2009-04-06, 01:34
I've gone Tools-> Internet Options and seen the privacy tab but not the cookies tab ?
I was actually referring to cookies button, not tab. There is a Privacy tab though.

So I presume this is sufficient to clear out all my cookies ?
Yes.


You may or may not be interested in this article from the Sydney Morning Herald.
Yes, I've read it before. But as long as you know what you're typing there shouldn't be anything wrong with that. I mean you're not going to post random links to some unknown site on your blog for no reason, would you?

Not that it is likely to affect me, but it shows there is an ever increasing clampdown on certain "unacceptable" sites (the ones that tell the truth most probably...)

P.S Is it naughty to post web links ? If so sorry.......
Well, you have a point there. Sometimes you can relate to how the "media" wants you to only know what they want you to know.
Re (P.S): What web links? To what?

Can you advise me whether and how I should proceed with these please ?
I'm not sure what to tell you as it is in the Heuristics, because it could possibly be a false positive. As I said before, run a scan with an anti-spyware program and AV program. Spybot could miss something that others might find.

When you say "heads up" do you mean it's the price you pay for cleaning your system with Spybot?
No! "Heads up" generally means something like a note.

Could it have happened when Spybot S&D removed a lot of keylogger software ?
I doubt it since I got the same results from AVG (files changed) after a clean reformat.

You're saying it's Spybot doing it but nothing to worry about ?
Nope. My guess was Spybot's Immunization but I am not clear on what is causing this change exactly.

May I ask why ?
I can of course understand it will not fix a thing to delete it, and only anti-spyware can "fix" the problem, but could deleting it make things worse ?
Well, to put it simply, deleting something from the registry (especially when it's in letters and computer terms) can be dangerous because if you were to accidentally remove a registry key (that was in fact a Windows core key) thinking it was malware, your machine is toast.

Not the same I know, but both copy and "send to recycle bin" are both actions which do not "execute" the file ?
If you are talking about a malicious file of some sort, you won't execute it if you merely move it from one location to another.

And practically every site I visit, it blocks.
Well, that was not the case for me. It supposedly is a HIP shield, so like it'll guard your machine against malicious ActiveXs, visiting malicious sites, BHOs, etc. Personally, I think that SpywareDoctor will run smoothly on a well equipped machine with at least 1GB of RAM.

You'd still use AVG though?
I moved on to avast! anti-virus around a year ago because AVG now (last checked at Download.com) is relatively huge, a 56MB download which will be some trouble for dial-up users. avast! and Avira AntiVir are both roughly 28MB downloads, including anti-spyware too along with their AV.

I appreciate your honesty thanks.
I wouldn't worry about invalid registry keys.

Suppose I just wondered if a potential hijacker could possibly attack the registry ?
I'm sure your anti-spyware will catch it. I doubt registry "cleaners" will do anything about that :o).

Hardware firewall ? That sounds expensive ?
Hardware firewalls are included with your Internet router.

You mean if I'm a hacker ?
Meaning that you are good for now since you have an active AV and firewall. Malware does not usually attack you unless you welcome it in (using cracks, warez, keygens, etc.). That's not the whole situation, though, because you might accidentally encounter it on a malicious webpage.

Sometimes when I have been online before, I've noticed my mouse pointer quickly shooting down the screen moving.
:fear: Do you use a wireless mouse?

suddenly expand to 6 (3 x 2) making me think another user has joined the session.
Meaning that the icons magically expanded in size? I can't explain what might have caused that. When mine are expanded (I changed the settings in the Properties tab) my desktop icons are expanded too.


I know it sounds weird but any ideas ? Could it be my ISP or more likely someone else ?
I don't see why your ISP would purposely attempt to infiltrate your machine for no reason :sad:.

It also seems my PC crashes a lot more when I'm online than not. Any ideas about this ?
What kind of crashes? Freezing? Have you performed a Disk Defragment and Disk Check?

If I have cleared the keylogger software a while ago, is it possible "the back door" still remains open ?
Well, it's unlikely. Usually anti-spyware programs detect all of the baddies at once, not just one out of the group. It's possible that if a backdoor was attached to the keylogger, its connection could have been severed when the keylogger was removed.

Where else would you suggest I check using Spybot, if at all ?
Maybe another anti-spyware program to check for things that Spybot might have missed. MBAM, SAS, and A2 are several programs I like that are lightweight (except A2, since it's a bit heavy on resources during scanning).
:o)

mariner77
2009-04-06, 14:59
Well, you have a point there. Sometimes you can relate to how the "media" wants you to only know what they want you to know.
Re (P.S): What web links? To what?

Exactly, that's what I mean.
This website www.infowars.com is censored in some places in the UK because it exposes government and worldwide corruption.
It may sound too crazy to be true at first glance but everything is taken from the mainstream media and governments' own documents and own admissions (that you won't see reported on TV).
Of course the mainstream media love to talk about "conspiracy theories" even when they admit the facts themselves in their own documents.
So I'd highly recommend it. (if you're ready to take the red pill of course).



I'm not sure what to tell you as it is in the Heuristics, because it could possibly be a false positive. As I said before, run a scan with an anti-spyware program and AV program. Spybot could miss something that others might find.

I'll use AVG for now as my anti virus program ?
And Spybot as my anti-spyware program ?



I doubt it since I got the same results from AVG (files changed) after a clean reformat.

Oh yes of course.



Well, to put it simply, deleting something from the registry (especially when it's in letters and computer terms) can be dangerous because if you were to accidentally remove a registry key (that was in fact a Windows core key) thinking it was malware, your machine is toast.

If you are talking about a malicious file of some sort, you won't execute it if you merely move it from one location to another.

I see what you mean now.
I thought you meant not to send the file itself to the recycle bin but you're talking about moving or deleting registry keys.
Don't worry - no chance of me doing that.



I moved on to avast! anti-virus around a year ago because AVG now (last checked at Download.com) is relatively huge, a 56MB download which will be some trouble for dial-up users. avast! and Avira AntiVir are both roughly 28MB downloads, including anti-spyware too along with their AV.

Thanks for the information - I'll check it out.



I wouldn't worry about invalid registry keys.

I won't ! :)



I'm sure your anti-spyware will catch it. I doubt registry "cleaners" will do anything about that :o).

Thanks.



Hardware firewalls are included with your Internet router.

Apologies, what's a router ? Can you elaborate on how I would set up a hardware firewall ?



:fear: Do you use a wireless mouse?

Yes I do.



Meaning that the icons magically expanded in size? I can't explain what might have caused that. When mine are expanded (I changed the settings in the Properties tab) my desktop icons are expanded too.

The size of the icons(maybe they're not actually icons, they're the rectangle bars that appear when you click start) don't change, I get double the number of bars i.e. 2 for internet explorer, 2 for outlook express, 2 for wireless manager, whereas at startup I only get 1 of each.

Just seemed very strange......



I don't see why your ISP would purposely attempt to infiltrate your machine for no reason :sad:.

Sure, every infiltrator has their own reasons, whether good or bad.



What kind of crashes? Freezing? Have you performed a Disk Defragment and Disk Check?

Yes freezing.
Yes - maybe that could be it, I need to defrag.
I just thought that would mean it would be slower, not that it would freeze.
Maybe it's a memory "overload" thing when several programs are open ?



Well, it's unlikely. Usually anti-spyware programs detect all of the baddies at once, not just one out of the group. It's possible that if a backdoor was attached to the keylogger, its connection could have been severed when the keylogger was removed.

Good to know !



Maybe another anti-spyware program to check for things that Spybot might have missed. MBAM, SAS, and A2 are several programs I like that are lightweight (except A2, since it's a bit heavy on resources during scanning).
:o)

Thanks for the info.

By the way, did you look at the results from the ENLOCSTR "Smitfraud-C" thing ? Any ideas on whether that is a threat or not ?

Well thanks again dr, I feel increasingly confident now.

I guess one or two more posts and everything should be wrapped up.

drragostea
2009-04-07, 00:25
I'll use AVG for now as my anti virus program ?
And Spybot as my an anti spyware program ?
Your choice. All of them are good.

Apologies, what's a router ? Can you elaborate on how I would set up a hardware firewall ?
A router is usually a box, like a modem, however this box is unique since it distributes an Internet connection in the room/area. So it'll have an antenna and you'll have to supply it with a connection (DSL preferably), and the users who have access to the router can use the connection (wired or wireless).

Yes I do.
That might explain why your mouse was moving by itself like it was taken over. I have a wireless mouse too and it happened a few times in the past (it's rare). I was worried too, but I was suspecting it had to do with the wireless connection that was going on between the USB receiver and the wireless mouse itself. I had a few possibilities of what could have caused it: the wireless 5.8GHz handheld phone or my Netgear router.

Sure, every infiltrator has their own reasons, whether good or bad.
Good point. But why an everyday customer?

Maybe it's a memory "overload" thing when several programs are open ?
Well, that could be possible. Like if you performed a virus scan and opened Adobe Photoshop simultaneously, I doubt your system will continue running like nothing happened. Usually the more RAM and faster your processor, the better (your machine can run more applications at once smoothly).

http://spywarefiles.prevx.com/RRJIGJ9816875/ENLOCSTR.EXE.html
I'm not sure if the file is malicious or not.
Can you browse to the file (using the Windows Explorer 'Search' option) and copy it to the desktop? Then upload it to VirusTotal again.

If you have any other questions feel free to ask.

mariner77
2009-04-08, 00:20
A router is usually a box, like a modem, however this box is unique since it distributes an Internet connection in the room/area. So it'll have an antenna and you'll have to supply it with a connection (DSL preferably), and the users who have access to the router can use the connection (wired or wireless).

I see what you mean.
I'm connected to the router via a wireless connection.
Does that mean I'm hidden behind a "hardware firewall" that is more difficult to penetrate ?
If not what advantage of protection does a hardware firewall/router give ?



That might explain why your mouse was moving by itself like it was taken over. I have a wireless mouse too and it happened a few times in the past (it's rare). I was worried too, but I was suspecting it had to do with the wireless connection that was going on between the USB receiver and the wireless mouse itself. I had a few possibilities of what could have caused it: the wireless 5.8GHz handheld phone or my Netgear router.


Think you're probably right though several strange things seem to happen all at once.
Like my mouse, the icons thing, my PC crashing, and all when I blog or visit a particular website that relates to politics.

Now I'm clean and don't visit the site it never seems to happen.

If I visit a website and "log in" does the site's owner have any additional power/control over me or its visitors ?
e.g. like being able to get my IP address or anything else ?
It seems highly unlikely but it certainly feels like someone is attempting to strangle my computer whenever I go there because I'm expressing my free speech and they don't like what I'm saying.
Trust me, just contrary opinions, nothing that is libellous or criminal.



Good point. But why an everyday customer?

I thought you were talking about ISPs.

It depends whether you trust government and public and private institutions to snoop on users' private information.

It's like CCTV - everyone including the innocent are tracked, traced and filmed. Doesn't mean they have done anything wrong though does it ?

So if ISPs are forced to snoop on innocent people on behalf of government directives then they probably will.

Not saying ISPs are and it's unlikely, but if I WAS (or possibly "targeted") could that explain the strange things I'm seeing and experiencing ?
Or is it more likely to be an outside hacker or the website itself to which I'm logged in to ?
Maybe it's hard for you to judge.....

This article (though not directly related) is an example of governments getting increasing power to spy on and control information
http://www.infowars.com/cybersecurity-bill-gives-obama-dictatorial-power-over-internet/



Well, that could be possible. Like if you performed a virus scan and opened Adobe Photoshop simultaneously, I doubt your system will continue running like nothing happened. Usually the more RAM and faster your processor, the better (your machine can run more applications at once smoothly).

Yes my machine isn't exactly new either - that could well explain it.



http://spywarefiles.prevx.com/RRJIGJ9816875/ENLOCSTR.EXE.html
I'm not sure if the file is malicious or not.
Can you browse to the file (using the Windows Explorer 'Search' option) and copy it to the desktop? Then upload it to VirusTotal again.

I can do it again but won't I get exactly the same result as I got before ?
Sorry, I'm just a bit confused - didn't you see the results link I posted before when I uploaded it ?
And why do I need to "copy it to the desktop" when I know the location ?
You're making me slightly paranoid now ! :D: ;)



If you have any other questions feel free to ask.

Thanks so much dr.
Hopefully (for you) I'm getting really close to the end of so many endless questions now.

drragostea
2009-04-08, 04:46
Does that mean I'm hidden behind a "hardware firewall" that is more difficult to penetrate ?
If not what advantage of protection does a hardware firewall/router give?
http://computer.howstuffworks.com/firewall.htm

If I visit a website and "log in" does the site's owner have any additional power/control over me or its visitors ?
e.g. like being able to get my IP address or anything else ?
Well, basically no, because they don't do anything to your machine. They just log your IP address and maybe the pages you visit on their site.
Like if you log in to Yahoo! Mail, they do what they have to do: provide you with an email service. They don't do anything else they did not state they would do (hope that is so for most cases; companies like Yahoo! or WellsFargo for example do what they have to do).

So if ISPs are forced to snoop on innocent people on behalf of government directives then they probably will.
ISPs have the account holder's information and they will not release it unless they receive a subpoena.

Not saying ISPs are and it's unlikely, but if I WAS (or possibly "targeted") could that explain the strange things I'm seeing and experiencing ?
Most likely no.

I can do it again but won't I get exactly the same result as I got before ?
I can't be sure because it could be possible that the file was not completely uploaded the first time. I am not sure.

This article (though not directly related) is an example of governments getting increasing power to spy on and control information
The story about the kid taking down a whole power grid is pretty impressive. Er, but if the Internet never existed then we would be back in the stone age. Like cavemen. Our society wouldn't be as developed and advanced as it is today.

And why do I need to "copy it to the desktop" when I know the location ?
It was a suggestion, I thought it might have made it easier for you.

Sorry, I'm just a bit confused - didn't you see the results link I posted before when I uploaded it ?
I thought it might help if you gave it another shot.

drragostea
2009-04-08, 05:03
This link might help clear up your hardware firewall question:
http://www.webopedia.com/DidYouKnow/Hardware_Software/2004/firewall_types.asp

mariner77
2009-04-08, 19:42
I can't be sure because it could be possible that the file was not completely uploaded the first time. I am not sure.

Are you saying that because of what the results(that you presumably analyzed?) told you the first time ?
If not, then how will you be sure the file will be completely uploaded the 2nd time if I do it again ?
I'm afraid you're not making much sense here......



The story about the kid taking down a whole power grid is pretty impressive.

The story about the kid taking down the whole power grid is complete rubbish, as the article unequivocally stated.

So why on earth are you seemingly disagreeing with me ?



Er, but if the Internet never existed then we would be back in the stone age.

The internet and net neutrality is one of the best things that has ever happened.
So why are you implying the article and myself are suggesting the opposite ?

I WANT TO PROTECT THE INTERNET AND NET NEUTRALITY - that was the whole point of the article, to educate people that the people in power(like Rockefeller who said the internet should never have existed!) don't want it.

If the power to control the internet is given to the highest people in authority, then who will you blame when it gets taken down ?

Those with the power to take control of the internet or the dreamt up cyber-geek with a laptop in Latvia ?

I'm sorry to say it but judging by your responses, either you are unable to understand the important issues properly or you are being deliberately obtuse.

If you're in any doubt about what it really means, I suggest you read the article again.



It was a suggestion, I thought it might have made it easier for you.

Fair enough.



I thought it might help if you gave it another shot.

Why ?
Unless you explain and maybe elaborate on what was wrong with the same file I presumably and successfully uploaded before (how can one upload part of a file anyway ?) then I won't be able to understand how it can help you to do the exact same thing I did before, again.

You're probably great technically but without wanting to criticize you and without wanting to cause you any offence, like a lot of technical people you seem to be unable to supply a lack of sufficient detail when answering simple questions and seem to have a vacuum of logic.

Thanks for your help anyway - I do appreciate it.

drragostea
2009-04-09, 01:52
I'm afraid you're not making much sense here......
Then I'm sorry I don't have a solution to that .exe file you are referring to.

So why on earth are you seemingly disagreeing with me ?
I only read the first sentence of the article, not the whole thing.

If you're in any doubt about what it really means, I suggest you read the article again.
Will do.

mariner77
2009-04-09, 14:40
Then I'm sorry I don't have a solution to that .exe file you are referring to.

Fair enough.



I only read the first sentence of the article, not the whole thing.

I admire your honesty.



Will do.

Anyone who cares about the continuation of the internet and net neutrality really should, otherwise there'll be a fake cyberattack(there may be anyway) and Internet 2 will be introduced.
That will effectively mean Chinese-style censorship, only a few corporate websites and the effective end of net neutrality.
If you don't understand why that would happen you need to understand why the mainstream media like to label proven facts as "conspiracy theories".

Thanks for all your help dr, I do appreciate it.
