need help clearing xrun.exe etc


eedmonds

New member
Hi,

This is a second post including the Kaspersky log, which I did not realize you wanted. So this has the HJT and Kaspersky logs. My other thread titled the same is on about page 3 now. I'm at the end of what I can do myself and will be waiting for assistance.

What occurred is this - ZoneAlarm starts asking for several things to be approved. I say no, it asks again, I say no. Then boxes start coming up (about 6) saying such and such files are not valid Win32 files. Some of the file names are yazzlesnet.exe, is68089.exe, snapsnet.exe. Read around, saw what I had, found and threw yazzlesnet and xrun into the recycle bin for the moment. Updated AVG and Spybot, both come up clean. Tried to remove old Java to update; it won't allow me, saying that Windows Installer isn't installed properly. Can't get old Java out, can't download the update.

I resort to System Restore, it won't work; went to Safe Mode and successfully did a System Restore 2 weeks back.

After System Restore, yazzlesnet is gone out of the recycle bin, xrun still there, I dumped it. I have redownloaded AVG and updated it; Spybot is updated, however it isn't the 1.5 and I cannot see how to get the 1.5; I need to somehow manage to update Java, and I was previously having problems updating ZoneAlarm, so that isn't updated either.

I tried cleaning the Kaspersky log up with word wrap but it just looks the same.

I appreciate any help -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:48 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/?charityid=542921
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5137 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 15, 2007 2:13:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 15/09/2007
Kaspersky Anti-Virus database records: 419050
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 44257
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:06

Infected Object Name / Virus Name / Last Action

Scan process completed.
 
Close all programs, leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler.exe


Click on Fix Checked when finished and exit HijackThis.

----------------------------------------

Be sure to keep Sun Java updated.
In Add/Remove Programs, click on these and press *Remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE.
It is important to remove older versions as these are the ones with the holes in them.
You will be surprised when you go to add/remove to see all of the versions sitting there.
Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test

-----------------------

Download and run - ATF Cleaner instructions here.


Then go HERE to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
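A small triage script for a HijackThis 2.0 log, added here as an example; it is neither the helper's tool nor part of HijackThis or Spybot. It applies the reading the reply above makes (orphaned O2 BHO entries with no file, the bare O4 Startup item) to a constructed subset of the log posted earlier in this thread; the extra O9 and O17 checks and the flag wording are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis log posted above (raw string keeps the backslashes).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O2"
    line: str    # the log line exactly as posted
    reason: str  # why a helper would look at it


def parse_entries(log_text):
    """Return (kind, body, raw_line) for every HijackThis entry in the log."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("kind"), m.group("body"), raw))
    return entries


def triage(log_text):
    """Flag the entries the reply above singles out, plus items worth a second look."""
    findings = []
    for kind, body, raw in parse_entries(log_text):
        if kind == "O2" and body.endswith("(no file)"):
            # BHO still registered in IE but its DLL is gone: an orphaned entry.
            findings.append(Finding(kind, raw, "BHO with no backing DLL (orphan)"))
        elif kind == "O4" and body.startswith("Startup:") and "\\" not in body:
            # Bare file name in the Startup folder, no vendor path to vouch for it.
            findings.append(Finding(kind, raw, "Startup item given by bare file name"))
        elif kind == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(kind, raw, "IE button pointing at a missing file"))
        elif kind == "O17":
            # DNS servers set in the registry; confirm they belong to the ISP.
            servers = body.split("NameServer = ", 1)[1].split()
            findings.append(Finding(kind, raw, "DNS servers to confirm: " + ", ".join(servers)))
    return findings


def fix_candidates(log_text):
    """Lines a helper would ask the user to check in HijackThis: orphaned BHOs and the bare startup item."""
    return [f.line for f in triage(log_text) if f.kind in ("O2", "O4")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```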
 
Java

Hi and thank you so much for your help.

I did the first HijackThis step, found the files, that worked fine. I rechecked it and they did not appear.

I go to remove Java in Add/Remove Programs - it tells me that Windows Installer isn't working and that it can be caused by the computer being in Safe Mode (no) or Windows Installer not being properly installed. I do not recall having this problem before. I have 3 versions in there, 1.4, 5-9 and 6, but not 6u2.

I will begin to download the new Java to the desktop so it's ready and waiting, and do the Panda scan as requested. Might take a bit. (dial-up :sick:)

Have to find a way to get this old Java out...
 
I do see Windows Installer in Add/Remove Programs; it is there, but I do not see any memory listed next to it.

Windows Installer 3.1
 
java/panda

OK, here's where we are at:

HijackThis, done
ATF, done

Java - Will not allow me to remove old files from Add/Remove and blames Windows Installer. Will not allow me to begin to download update 6u2 and again blames Windows Installer.

Panda - Found bug YAY! Um, didn't I just remove that file with HJT? lol As tempting as it was I did not "disinfect".
Incident: Potentially unwanted tool:Application/PRScheduler
Status: Not disinfected
Location: C:\Program Files\Trend Micro\HijackThis\backups\backup-20070919-225432-140-PowerReg Scheduler.exe
Thanks :)
 
Downloaded, removed, installed Windows Installer. Done, no problem. :) ty

Removed all Javas from Add/Remove.

Then I tried to download Java 6u2 from your link, kept getting error messages on different msi25.tmp files while trying to download. Finally gave that up, went to the main "how'd I get infected" sticky post, used that link, did the offline install. Looks done, I see 6u2 in Add/Remove.
 
Reset your restore points, then I think we are done. Please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
 
System restore points done

Should Java be trying to access things when I'm only on this page? ZoneAlarm wants approval for jusched.exe - just now.

If I may just ask,
I can't find a way to uninstall MSN Messenger, do you know how? I need to update it.
 
jusched - Java update scheduler? lol
Maybe I'm paranoid now...
OK, I'm going to just start trying to update and replace things: firewall, anti-virus, and I found Spybot 1.5.

Will check back here later to see if you want a log.
 
When I search files and folders, the things that came up on the Panda scan are showing up. Thought I'd let you know. Trying to update is slowww going here.

??
 
You can remove the backups in HijackThis.

When you start it, click View a list of backups, then place a check mark in the box and delete it.
 
OK, well, thank you. Couldn't have done it without you.
I had wanted to do another Panda scan but it won't work when I click Scan Now. I think it must be Sunbelt firewall, but even disabling it doesn't work. Little frustrated about that, but I guess if you say I'm clean, I'm clean.
 
To Tashi

Hi,

My thread
http://forums.spybot.info/showthread.php?t=17970

I really appreciate little eagle's help, no doubt; I would have had no hope without him/her. But I'm feeling left hanging. I do see and realize I had something fairly easy to fix compared to others. But I got no communication going here.

Like one question I have is I'm having a problem with shutting down my computer, it takes forever. I'm not sure whether that had anything to do with anything, and it started exactly after I did a System Restore (mistaken at the time, I didn't need it) about 2 months ago. But it makes me wonder if my restore points weren't infected then.

As well, is there anything off the top of your head that would help me do the Panda scan again? It started not working after I installed Sunbelt (because I couldn't get ZoneAlarm's huge update downloaded), info on post.

I don't expect to be coddled or for anyone to help me work out non-malware issues. I know you're busy here. But it would be nice to be treated like a human being and at least be told for sure I am clear of the issue I was working on. :red:
 
Regarding my post above that got merged - if you can easily answer either of those questions, great. If you think they have nothing to do with malware, that's fine too.
 
2 months ago I did a System Restore for no good reason; exactly after that and ever since, when I go to shut down my computer it takes forever. It's still happening. Could this have had something to do with malware and my restore points?

Why won't the Panda scan work on either of my computers after I installed Sunbelt Personal Firewall? I tried changing various settings and even disabling it, still won't work.
 