
Thread: System internals query 'win32'

#11 Junior Member (Join Date: Jul 2008; Posts: 14)

    Bit difficult to say if I was having malware problems because that is what I am trying to establish...

I was looking into the problem of the 'Hosts Secure/JIT debugging' messages on start up, and the 'Windows Parking...' messages on shut down. Also the keyboard response has been getting slow, and cancelled windows are remaining as ghosts on the task bar. One user who uses Outlook had also twice had a 'profile not found, building you a new one' scenario when switched to via fast user switching. The first time this happened the Outlook.pst file was lost before I realised what was going on! The second time I pulled the plug just in time!

The pop-up messages were at first restricted to one user who was using TT, but after I installed the new SD I started getting them as well. It looks this morning as though TT wasn't causing this: I had previously read about some HP printer files causing the 'parking window' problem and had cancelled the HP progs in the start up analyser - the fresh new version had put them back. Once re-cancelled last night, I have my Hosts back - though this wasn't what I was expecting! It may be that TT does interact with *both* Host Sec and the HP files, because the messages only recently started coming up though we have had the printer and HS a long time; and now the 'fix' of cancelling the HP files seems to have got rid of both the 'Host Sec jit debug' and the 'Parking Window' messages.

    But now I notice I don't have an internet connection icon in my 'notification area' any more...

    Currently start up processes are taking a long time to complete as TT and Process Explorer between them are taking 100% of the CPU for maybe 10 minutes after start up - in approx 70:30 proportion. Things were already slow enough thanks to both McAfee and MS checking for updates at the same time!

Now I read up on the virus TT found in winlogon and find that it can pretend to be just about anything - including McAfee and Spybot!

    The resident log shows the 'virus termination event' (unless this was just another jape of the virus itself and my SD has been compromised by it...), and also the battle to keep ctfmon out of my start up. SD used to list this as possible malware: now your 'lassh' list keeps putting it back. I used to have a similar problem with Quick Time keeping coming back, but curiously, that is not currently in the start up list.

    Here is the resident report:

    13/02/2008 16:54:06 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    19/02/2008 19:27:53 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    20/02/2008 15:25:39 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    20/02/2008 17:16:44 Allowed (based on user decision) value "{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" (new data: "") added in Browser Helper Object!
    20/02/2008 17:16:57 Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized") added in System Startup user entry!
    21/02/2008 17:42:27 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    21/02/2008 17:47:56 Denied (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    24/02/2008 11:03:18 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    27/02/2008 20:36:44 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    29/02/2008 15:03:18 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    03/03/2008 17:45:37 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    05/03/2008 15:06:16 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    06/03/2008 08:50:13 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    07/03/2008 18:39:37 Allowed (based on user decision) value "{03A89EFD-E023-5707-A22D-45F77558EB4C}" (new data: "") added in ActiveX Distribution Unit!
    16/03/2008 12:11:46 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    23/03/2008 17:55:17 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    23/03/2008 20:47:52 Denied (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    23/03/2008 20:51:58 Denied (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    24/03/2008 10:49:21 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    25/03/2008 18:39:05 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    27/03/2008 15:25:58 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    28/03/2008 15:20:34 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    31/03/2008 22:13:20 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    01/04/2008 17:09:19 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    02/04/2008 12:16:47 Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
    02/04/2008 12:16:51 Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") deleted in Browser Helper Object!
    02/04/2008 12:18:45 Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"") added in System Startup global entry!
    02/04/2008 12:18:48 Allowed (based on user decision) value "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" (new data: "") added in Browser Helper Object!
    02/04/2008 12:36:34 Allowed (based on user decision) value "AdobeUpdater" (new data: "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe") added in System Startup user entry!
    02/04/2008 13:06:53 Allowed (based on user decision) value "AdobeUpdater" (new data: "") deleted in System Startup user entry!
    02/04/2008 20:10:49 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    05/04/2008 15:51:55 Denied (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    07/04/2008 09:24:17 Allowed (based on user decision) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    09/04/2008 12:06:50 Allowed (based on user decision) value "{5AA8C009-52B9-492D-931A-55F6A1CE17A9}" (new data: "") added in ActiveX Distribution Unit!
    23/04/2008 15:26:33 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    23/04/2008 15:37:53 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    11/05/2008 16:25:13 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    17/05/2008 09:18:21 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    23/05/2008 14:52:47 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    23/05/2008 14:53:47 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    28/05/2008 02:42:08 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\C:
    autocheck autochk *
    SsiEfr.exe
    lsdelete
    ") changed in Session manager!
    28/05/2008 11:51:37 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    SsiEfr.exe
    lsdelete
    ") changed in Session manager!
    30/05/2008 07:11:59 Allowed (based on user decision) value "*Restore" (new data: "C:\WINDOWS\system32\restore\rstrui.exe -i") added in System Startup global entry!
    30/05/2008 07:39:56 Denied (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    30/05/2008 14:46:29 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\C:
    autocheck autochk *
    SsiEfr.exe
    lsdelete
    ") changed in Session manager!
    30/05/2008 16:18:57 Denied (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    SsiEfr.exe
    lsdelete
    ") changed in Session manager!
    30/05/2008 19:13:43 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    31/05/2008 11:14:02 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    SsiEfr.exe
    lsdelete
    ") changed in Session manager!
    05/06/2008 21:11:10 Allowed (based on user decision) value "AdaptecDirectCD" (new data: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe") added in System Startup global entry!
    06/06/2008 15:13:10 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    08/06/2008 13:02:23 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    11/06/2008 16:44:14 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    21/06/2008 14:05:32 Denied (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    28/06/2008 12:54:58 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
    28/06/2008 15:52:17 Allowed (based on user decision) value "TomTomHOME.exe" (new data: ""C:\Program Files\TomTom HOME 2\HOMERunner.exe"") added in System Startup user entry!
    29/06/2008 17:00:26 Allowed (based on user decision) value "First Home Page" (new data: "http://www.microsoft.com/isapi/redir.dll?Prd=ie&Pver=5.0&Ar=ie5update&O1=b1") added in Browser page!
    29/06/2008 17:31:41 Allowed (based on user decision) value "First Home Page" (new data: "") deleted in Browser page!
    30/06/2008 22:33:11 Allowed (based on user whitelist) value "TkBellExe" (new data: "") deleted in System Startup global entry!
    04/07/2008 17:35:44 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
    05/07/2008 14:27:27 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    20/07/2008 13:15:35 Allowed (based on user decision) value "MSMSGS" (new data: "") deleted in System Startup user entry!
    20/07/2008 13:15:40 Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
    20/07/2008 13:15:46 Allowed (based on user decision) value "BluetoothAuthenticationAgent" (new data: "") deleted in System Startup global entry!
    20/07/2008 13:15:51 Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
    20/07/2008 13:15:58 Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
    20/07/2008 13:16:00 Allowed (based on user decision) value "AdaptecDirectCD" (new data: "") deleted in System Startup global entry!
    20/07/2008 13:37:53 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    20/07/2008 18:42:41 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    21/07/2008 07:09:25 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    21/07/2008 14:17:09 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    22/07/2008 18:29:34 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    23/07/2008 15:05:43 Allowed (based on user decision) value "Skype" (new data: "") deleted in System Startup user entry!
    23/07/2008 15:06:07 Denied (based on user decision) value "Google Desktop Search" (new data: "") deleted in System Startup global entry!
    23/07/2008 15:07:12 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    23/07/2008 20:30:20 Allowed (based on lassh blacklist) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
    23/07/2008 20:30:35 Allowed (based on lassh blacklist) value "Google Desktop Search" (new data: "") deleted in System Startup global entry!
    23/07/2008 20:31:28 Allowed (based on lassh blacklist) value "MSConfig" (new data: "") deleted in System Startup global entry!
    23/07/2008 20:31:56 Allowed (based on user decision) value "Gadwin PrintScreen 3.5" (new data: "") deleted in System Startup user entry!
    23/07/2008 21:56:55 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    23/07/2008 21:57:13 Allowed (based on lassh blacklist) value "HP SchedIndexer" (new data: "C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe") added in System Startup global entry!
    23/07/2008 21:57:20 Allowed (based on lassh blacklist) value "HP AutoIndexer" (new data: "C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe") added in System Startup global entry!
    23/07/2008 21:57:21 Encountered and terminated Win32.Rbot.bms in C:\WINDOWS\system32\winlogon.exe!
    23/07/2008 21:57:31 Allowed (based on lassh blacklist) value "MSConfig" (new data: "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto") added in System Startup global entry!
    23/07/2008 21:59:04 Allowed (based on lassh blacklist) value "MSConfig" (new data: "") deleted in System Startup global entry!
    23/07/2008 22:17:32 Allowed (based on lassh blacklist) value "HP AutoIndexer" (new data: "") deleted in System Startup global entry!
    23/07/2008 22:17:33 Allowed (based on lassh blacklist) value "HP SchedIndexer" (new data: "") deleted in System Startup global entry!
    23/07/2008 22:19:42 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
    23/07/2008 22:40:32 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
    24/07/2008 11:28:18 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!

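The resident report above is the kind of log a helper ends up reading by hand: the same value names come and go, a few entries touch locations that matter more than the ordinary Run keys, and one line is a detection rather than a change. As an added example (not code from the thread, and not Spybot's own), the Python script below parses that log format, stitches the multi-line BootExecute records back together, and reports what a helper would look at first: changes to high-value autostart locations (Session Manager BootExecute, Browser Helper Objects, ActiveX distribution units), BootExecute lines beyond the stock `autocheck autochk *`, values that keep being re-added after the user denied them, and any malware-termination events. The sample log is constructed from lines in the post; the re-add threshold and the list of high-value locations are my choices, not Spybot's.

```python
"""Triage a Spybot S&D resident (TeaTimer) log for autostart churn.

Added example, not code from the thread or from Spybot. It parses the log
format shown in the post above and reports the entries worth a second look.
"""
import re
from collections import defaultdict

# Each record starts with a dd/mm/yyyy hh:mm:ss stamp; lines without one are
# continuations of the previous record (the BootExecute data spans lines).
TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")

CHANGE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<reason>[^)]*)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.*?)!$',
    re.DOTALL,
)
DETECT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) '
    r'Encountered and terminated (?P<threat>\S+) in (?P<path>.*)!$'
)

# Locations that run code before logon or inside the browser; treating these
# as high-value is my choice for this example, not a Spybot classification.
HIGH_VALUE_LOCATIONS = {"Session manager", "Browser Helper Object",
                        "ActiveX Distribution Unit"}
# The only BootExecute line a stock Windows XP install carries.
STOCK_BOOTEXECUTE = {"autocheck autochk *"}

# Constructed sample, assembled from lines in the post above.
SAMPLE_LOG = r"""20/02/2008 17:16:44 Allowed (based on user decision) value "{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" (new data: "") added in Browser Helper Object!
01/04/2008 17:09:19 Allowed (based on user decision) value "TkBellExe" (new data: ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot") added in System Startup global entry!
28/05/2008 02:42:08 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk /r \??\C:
autocheck autochk *
SsiEfr.exe
lsdelete
") changed in Session manager!
20/07/2008 13:15:40 Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
20/07/2008 13:37:53 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
20/07/2008 18:42:41 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
21/07/2008 07:09:25 Denied (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 21:56:55 Allowed (based on lassh blacklist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
23/07/2008 21:57:21 Encountered and terminated Win32.Rbot.bms in C:\WINDOWS\system32\winlogon.exe!
"""


def split_records(text):
    """Group raw lines into one string per timestamped record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += "\n" + line  # continuation of multi-line data
    return records


def parse(text):
    """Return a list of dicts, one per recognised change or detection record."""
    events = []
    for rec in split_records(text):
        m = CHANGE_RE.match(rec)
        if m:
            events.append(dict(m.groupdict(), kind="change"))
            continue
        m = DETECT_RE.match(rec)
        if m:
            events.append(dict(m.groupdict(), kind="detection"))
        # Unrecognised records are skipped; a stricter tool would report them.
    return events


def triage(events, readd_threshold=3):
    """Return (category, timestamp, detail) findings that merit a human look."""
    findings = []
    denied_adds = defaultdict(list)  # (name, location) -> stamps of denied re-adds
    for e in events:
        if e["kind"] == "detection":
            findings.append(("malware-terminated", e["ts"],
                             f"{e['threat']} in {e['path']}"))
            continue
        if e["location"] in HIGH_VALUE_LOCATIONS:
            findings.append(("high-value-location", e["ts"],
                             f"{e['verdict']} {e['action']} {e['name']!r} in {e['location']}"))
        if e["name"] == "BootExecute" and e["action"] == "changed":
            extra = [ln for ln in e["data"].splitlines()
                     if ln and ln not in STOCK_BOOTEXECUTE]
            if extra:
                findings.append(("bootexecute-extra", e["ts"], "; ".join(extra)))
        if e["action"] == "added" and e["verdict"] == "Denied":
            denied_adds[(e["name"], e["location"])].append(e["ts"])
    for (name, location), stamps in denied_adds.items():
        if len(stamps) >= readd_threshold:
            findings.append(("persistent-readd", stamps[-1],
                             f"{name!r} re-added {len(stamps)} times in {location} after being denied"))
    return findings


if __name__ == "__main__":
    for cat, ts, detail in triage(parse(SAMPLE_LOG)):
        print(f"{ts} [{cat}] {detail}")
```

The script reports; it does not decide. A value that keeps coming back may be an application re-registering itself or something less welcome, and the BootExecute extras are listed for checking rather than judged, which is why the advice later in the thread to have a HijackThis log reviewed still applies.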
#12 Junior Member (Join Date: Jul 2008; Posts: 14)

    Now have had to try fast user switching to the other user to retrieve a doc.

    The other user does have the network connection symbol in the notification area, but, for that side, the Host Secure still does not get in thanks to the 'debugger' messages, and the 'Windows Form Parking Window' is still left behind on going to log off. This despite having disabled the HP for both users.

    The ctfmon file still kept coming back in the process list for this user, and after several goes at killing it, a message popped up:
    "Access violation of address 0051FCAF in SpybotSD.exe read of address 6C676E4D"

    All this had was an OK button! And it just kept coming back. It also covered the 'ok' button in Process Explorer so that SD could not be turned off there either!

    Eventually found that holding down the Esc button for several secs cleared it. Nasty!

    Logging off and back onto my side, TT tells me that ctfmon instantly came back when I opened IE.

#13 Zenobia, Spybot Advisor Team (Join Date: Oct 2005; Posts: 5,489)

Quote: But now I notice I don't have an internet connection icon in my 'notification area' any more...
Oddly enough, I'd been having the same problem, lol. Don't worry, just commenting on a coincidence.

Okay, I'll give it to you straight. Despite everything happening, I suspect this isn't a malware problem. Just call it a gut instinct.

But, better safe than sorry, and there's enough unknowns to justify getting checked out, I think.

    So.....

I know you're dealing with some problems.
However, could you get checked out in malware removal?

The instructions are here. Please read and follow them, as they include instructions to download HijackThis and produce the required logfile.
    http://forums.spybot.info/showthread.php?t=288

    Malware Removal:
    http://forums.spybot.info/forumdisplay.php?f=22

When/if you post in malware removal, along with posting the HijackThis logfile, it might be a good idea if you tell them the gist of what's been happening, or you could link to this thread if you wish, so any helper that takes your case knows a little background.
    Last edited by Zenobia; 2008-07-25 at 05:25.

#14 Junior Member (Join Date: Jul 2008; Posts: 14)

    Thanks again Zenobia.

I've used HijackThis before, and usually used it in the AumHa forum. Hadn't appreciated until now that there were similarly very helpful people here as well!

    I will run this thread by them just in case.

    Cheers,

    S

#15 Zenobia, Spybot Advisor Team (Join Date: Oct 2005; Posts: 5,489)

    You're welcome.

If you still are having some problems after getting checked out in malware removal, you can always post back here. But only after your helper is done with you, so nothing here interferes. They let you know when it's done.

If you don't get a response after 4 days, there's a sticky in the malware forum you can post to, to ask someone to check out your HJT log.

    Good luck in malware removal.

#16 Junior Member (Join Date: Jul 2008; Posts: 14)

    Cheers

    I won't rush them though. It looks like they decidedly have their work cut out with something called 'virtumonde'. Thankfully, something which does not seem to have found us yet!

#17 Zenobia, Spybot Advisor Team (Join Date: Oct 2005; Posts: 5,489)

Yup, Vundo/Virtumonde seems like it has been popping up like a bad rash, lately.

    Cheers.
