riddled with malware?

finally got it!

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3551 (20081024)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=7fc86484ca65b54da76c071c51c8d7b3
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-24 02:10:19
# local_time=2008-10-24 03:10:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=287495
# found=0
# scan_time=13645
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:14, on 24/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.36 212.139.132.37
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 9080 bytes

look forward to your response: where is the malware?
sarah
 
Hi Sarah.

The ESET log came back clean and your latest HJT log looks to be clean as well. All the scans with the different tools we've done haven't found any malware. It looks like malware may not be the cause of your hard drive filling up.

I can give you some tips to see if they help speed up your computer and get back some HD space. I'll also give you some links to some general troubleshooting forums.

1. But first, since you mention troubles loading ZA and your computer crashing while using it, here are a few alternatives (all free) to ZA for you to use:

Whichever one you choose from the list below, download its setup file first, disconnect from the net, then uninstall ZA, then install the new firewall, then reconnect to the Internet.


Please download and install only one!

Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked, if it is not, then checkmark/tick the box and click OK


2. Go to Add/Remove Programs and uninstall any programs/games you are no longer using; this will give some HD space back.

3. For the slow computer, try the tips at the website here.

4. And here are the general troubleshooting forums where you can get more help:

Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3

All may require free registration before posting for help.
 
Thanks very much.

I have been told that malware can hide as normal programs and the fact that everything comes back completely clean struck me as strange. As in: surely it's strange that I don't have ANY malware?? Also winword and engine.exe (IBM voice recognition prog) keep trying to "act as a server", according to ZoneAlarm (when I'm using Word), so could some malware be hiding there?

Although I am aware I can delete programs and files to make more space, the puzzle is that I don't have any big progs or files on there, eg I have no games except any that the laptop came with. I am puzzled by the disappearance of GB regularly but not relating to me using GB, and it's been going on for nearly a year. Do you know if the sites you have recommended are reliable and I can trust them?

thanks again for taking me through everything. Would you suggest I leave all the programs that we have downloaded on?

best wishes sarah
 
Thanks very much.

I have been told that malware can hide as normal programs and the fact that everything comes back completely clean struck me as strange. As in: surely it's strange that I don't have ANY malware?? Also winword and engine.exe (IBM voice recognition prog) keep trying to "act as a server", according to ZoneAlarm (when I'm using Word), so could some malware be hiding there?

It is strange that you reported at the beginning of the thread that SpyBot found some malware, but all the scans we've done have found none. Have you run SpyBot lately and has it found anything?

Also, I'd like to look closer at winword and engine.exe due to ZA saying they are trying to act as a server. There may be something more there.


Although I am aware I can delete programs and files to make more space, the puzzle is that I don't have any big progs or files on there, eg I have no games except any that the laptop came with. I am puzzled by the disappearance of GB regularly but not relating to me using GB, and it's been going on for nearly a year. Do you know if the sites you have recommended are reliable and I can trust them?

Do you have any idea what you were doing a year ago to start this? Did you use any P2P programs during that time? You can get infections from files you download with P2P programs that, if not removed, can fill up your HD with lots and lots of files.

Yes, those forums I linked you to last post are very reliable and you can trust them. :)

thanks again for taking me through everything. Would you suggest I leave all the programs that we have downloaded on?

I'll show you how to get rid of OTMoveIT3 before we are done here at Safer Networking. I would keep MalwareBytes' Anti-Malware. Be sure to update it whenever you do a scan with it.

=========================

Step # 1: Download and Run FileFind

Download FileFind by Atribune.
  • Extract FileFind.zip by double-clicking the file.
  • Double click on FileFind.exe to open the program.
  • Enter winword.exe into the File: box.
  • Click on the Search button.
  • After a while a list of file locations will appear in the List of Files: box.
  • Click on the Export button.

This will create a Notepad file named Export.txt located in the C:\ folder; please copy and paste it into your next post.

Repeat the above steps, putting engine.exe in the File: box.

Post back both engine.exe and winword.exe logs and we'll go from there.
 
Hi there,
I think there must have been some misunderstanding with what I first posted.

I wrote "SB shows all sorts of programs when it's scanning that seem dodgy eg AdMoke, *.*.casino.PT, Goldeneye, Virtumonde.dll, Hacker.ag, Eros Paradise, Win32.Tool Hack.Aid (might have got that one bit wrong) etc etc. I have never been on any porno or gambling sites. Also my laptop is now very slow."

The problem for me was that SB didn't pick up on these programs, just scanned through them.
 
On 24th Oct I reported to you that my laptop had 23 GB on it, an increase of 3 GB since I had last looked. On the 25th I checked it and it had increased to 24.8 GB. The only thing I have downloaded is what you have asked me to and I didn't add any music or photos. So what is going ON?!

I checked some files by hand (I have still to go through my docs to check that) and the most suspicious ones are what I collectively call the NODs. Here is the path of one file: C:\Documents and Settings\1 Sarah\Local Settings\temp\NOD1251.tmp; the rest are NOD then a number (some with a letter at the end).tmp

There are 9 in total and 7 have 300 MB, 1 has 174 MB and the last one 17.6 MB; they take up 2.2 GB in total! They were last modified on 24th October 08 starting at 9.50am and the 10th one was modified on the same day at 10.13am. At those times I was trying to get the ESET online scan to work. I continued trying to get that scan to work for several hours after that so I don't know if it is connected to that. I don't think I have run Disk Cleanup since but didn't want to in case it gave you an insight into something.

I've also noticed that my Windows file is now 4 GB and IBM tools 1.1 GB. When I first got going they were 3 GB in total and I don't think I have added much since. Could the Windows updates be taking up that extra space?

I haven't had a chance to follow all the links for slow computers that you gave me or follow your last instructions. Will get onto that asap.

thanks sarah
 
I think there must have been some misunderstanding with what I first posted.

I wrote "SB shows all sorts of programs when it's scanning that seem dodgy eg AdMoke, *.*.casino.PT, Goldeneye, Virtumonde.dll, Hacker.ag, Eros Paradise, Win32.Tool Hack.Aid (might have got that one bit wrong) etc etc. I have never been on any porno or gambling sites. Also my laptop is now very slow."

The problem for me was that SB didn't pick up on these programs, just scanned through them.

Thanks for the clarification, I understand now. :)

Did these items (AdMoke, Goldeneye, Hacker.ag, etc.) that SpyBot was scanning for appear at the bottom of the screen during the scan? And did they go by really fast? Whenever SpyBot does a scan it lists the infections it scans for/has in its database, and if it finds a match it will pick up on it. Since Spybot didn't pick up on any of these, as you said, you're ok in that regard. :)

I checked some files by hand (I have still to go through my docs to check that) and the most suspicious ones are what I collectively call the NODs. Here is the path of one file: C:\Documents and Settings\1 Sarah\Local Settings\temp\NOD1251.tmp; the rest are NOD then a number (some with a letter at the end).tmp

There are 9 in total and 7 have 300 MB, 1 has 174 MB and the last one 17.6 MB; they take up 2.2 GB in total! They were last modified on 24th October 08 starting at 9.50am and the 10th one was modified on the same day at 10.13am. At those times I was trying to get the ESET online scan to work. I continued trying to get that scan to work for several hours after that so I don't know if it is connected to that. I don't think I have run Disk Cleanup since but didn't want to in case it gave you an insight into something.

Did some quick research on those and they do seem to be related to the ESET scan. You can go ahead and delete those files and run diskcleanup as well. :)

I've also noticed that my Windows file is now 4 GB and IBM tools 1.1 GB. When I first got going they were 3 GB in total and I don't think I have added much since. Could the Windows updates be taking up that extra space?

The Windows updates are taking up some space, but I don't think they are taking up a whole lot, you need them to keep your computer safe and updated, so I wouldn't remove any.

what are P2P progs? don't remember doing anything different when it started but will think about this further...

It stands for Peer to Peer: programs that are used to download files from one computer to another across the Internet, as long as both computers have the same P2P program (there are many).

Have you ever downloaded/installed/used any of the programs in the link below:

http://www.malwareremoval.com/p2pindex.php

If not, then P2P infections are not the cause of your Hard Drive filling up.

I haven't had a chance to follow all the links for slow computers that you gave me or follow your last instructions. Will get onto that asap.

Ok. :) Let me know how things go with those.
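Both the FileFind step a few posts up and the hunt through Local Settings\temp for the NOD*.tmp files come down to the same job: list every copy of a named file on the disk with its size and date. Below is an added example of my own (it is not part of this thread and not FileFind's code) that does both in Python and adds an MD5 for each hit, so the hash of the WINWORD.EXE or engine.exe you find can be compared with the one an online scanner or a firewall alert reports for the same file. The directory tree it builds is a constructed stand-in for the laptop, not real data; on the real machine you would pass "C:\\" or the TEMP folder to find_files instead.

```python
"""Find named files (or oversized temp files) under a directory and fingerprint them.

Added example, not part of the Safer Networking thread and not FileFind's
code. Does what the FileFind and 'look in %TEMP%' steps do by hand: walks a
tree, keeps files whose name matches a pattern and exceeds a size floor, and
reports size, modified time and MD5. The tree built by build_sample_tree()
is constructed, not the laptop's real disk.
"""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in 1 MiB chunks so a 300 MB temp file does not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_files(root, patterns, min_size=0):
    """Files under root whose name matches any glob (case-insensitive) and whose
    size is at least min_size bytes, largest first."""
    wanted = [p.lower() for p in patterns]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatchcase(name.lower(), p) for p in wanted):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:        # locked, unreadable or gone since listing: skip, don't abort
                continue
            if st.st_size < min_size:
                continue
            hits.append({
                "path": full,
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime).isoformat(" ", "seconds"),
                "md5": md5_of(full),
            })
    hits.sort(key=lambda r: r["size"], reverse=True)
    return hits


def basenames(records):
    """Just the file names, in the order find_files returned them."""
    return [os.path.basename(r["path"]) for r in records]


def total_size(records):
    """Bytes taken up by all records together."""
    return sum(r["size"] for r in records)


def build_sample_tree():
    """Constructed stand-in for the laptop's disk: two program binaries, two
    scanner temp files and one unrelated file. Contents are dummies."""
    root = tempfile.mkdtemp(prefix="audit_")
    layout = {
        "Program Files/Microsoft Office/Office/WINWORD.EXE": b"abc",
        "Program Files/ViaVoice/BIN/engine.exe": b"hello",
        "Documents and Settings/1 Sarah/Local Settings/temp/NOD1251.tmp": b"\0" * 300_000,
        "Documents and Settings/1 Sarah/Local Settings/temp/NOD12A3.tmp": b"\0" * 17_600,
        "Documents and Settings/1 Sarah/Local Settings/temp/notes.txt": b"keep",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()   # on the real machine: "C:\\" or os.environ["TEMP"]
    for rec in find_files(root, ["winword.exe", "engine.exe"]):
        print("{size:>10}  {modified}  {md5}  {path}".format(**rec))
    big = find_files(root, ["NOD*.tmp"], min_size=10_000)
    print("%d scanner temp files, %d bytes" % (len(big), total_size(big)))
```

Because hits come back largest first and can be filtered by a size floor, the same call answers the "what is eating the disk" question: find_files(root, ["*"], min_size=100 * 1024 * 1024) lists everything over 100 MB with its date, which is how you would spot the 2.2 GB of NOD*.tmp files without Disk Cleanup. A file that is locked while the walk runs is skipped rather than stopping the whole scan.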
 
I do not recognise any of the P2P progs listed.

Yes, the items (AdMoke etc) appeared at the bottom of the screen. A lot of them didn't go by very fast, but then my SB scan is always very slow. That wasn't always the case. I am just remembering that I may have loaded Spybot around the time the problem started, and also Ad-Aware, but I might have done it several months before; I cannot remember exactly when??! And I have re-installed SB since due to it crashing lots.

I am very concerned that the ESET scan downloaded 2.2 GB because we have a limit of 3 gig a month from our internet server and I know I have downloaded several other progs with you. As I am not the only user and we get charged a lot if we go over 3 GB, can you advise please. I won't go ahead with downloading FileFind until I hear from you. The rest of our traffic is looking on eBay and emails.

thanks
 
Since you are not the only person who uses the computer, have you asked the others what they have been downloading lately, and whether they have downloaded any large programs recently?

Go ahead and download FileFind. It's a small program (the .zip is about 19KB and the .exe itself is 69KB). The only really large download we had was ESET. We won't be downloading anything near that large the rest of the time I'm helping you. :)
 
I am trying to update Adaware and keep getting the msg:

ERROR

cannot connect to the Web update Server.
Server is busy.

even though I am a) connected to the internet
b) tried turning off ZoneAlarm (turned on MS firewall)
c) the Lavasoft website is up and running.

shall I post a mail with them to try to sort it separately from here, or do you think it is connected?

I have downloaded filefind and will get back to you when I have followed your instructions

thanks
 
It sounds like a separate issue with Ad-Aware. I would post in their Support Forum and let them know about your problem with updating there.
 
I'll sort out adaware with them, thx.

deleted NOD files and did Disk Cleanup. ActiveX in there had 13 files depending upon it, so I've written them down in case you want to know. I am wondering if I can del them too?

meanwhile my computer is doing funny things: I found it with a flat battery only hours after I had left the battery full. Then I hibernated it and left it charging. But later when I pulled the plug it bleeped at me, something it only does when switched on! It didn't seem to have hibernated properly, but the screen wasn't on. I got the screen to come on by fiddling and then couldn't get it to hibernate or shut down; it would get nearly there (very slowly) and then stop. I pulled the plug in the end last night and today it's fine again!


C:\Program Files\Microsoft Office\Office\WINWORD.EXE - 8798260 Bytes
C:\Program Files\ViaVoice\BIN\engine.exe - 974848 Bytes


Javaw wants to access internet regularly, do I let it?

thx again sarah
 
realise in the previous post I've got slightly muddled. It was, I think, Onlinescanner Control not ActiveX Control that had the dependent programs (under properties; dependency). But am a bit unclear as I have written ActiveX Control down...
 
I would leave the ActiveX files there; they should be small. What size are they? (KB, MB?)

The problem with the battery sounds like it could be a one time thing or a problem with hardware on your computer. Hence it's out of the scope of this forum and would best be answered at a general troubleshooting/hardware forum.

Let's scan those two files more closely. Winword.exe might be too big for the scanner, but try it anyway.

Javaw is part of Java. Yes allow it access to the Internet. :)

Have you gone to the My Computer is running slow link yet that I posted earlier? And if so, has that helped?

Step # 1 Upload Files

Go to Jotti
Copy the following line into the white textbox:
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\Program Files\ViaVoice\BIN\engine.exe

If Jotti is busy, Go to VirusTotal and scan the file(s) there.

I believe both files (if not too big for the scanner) should come back clean, we'll see what the log says. :)

All in all, I think your problem(s) are not malware-related and can best be taken care of, with further help, at the general troubleshooting forums that I posted at Post #23 of this thread.
 
thanks,

"The problem with the battery sounds like it could be a one time thing or a problem with hardware on your computer."

I wasn't clear enough with you on that: you called it a battery problem but what I meant was that the shutting down function was not working properly! The battery is fine, it just showed that the laptop had been on for those hours by running down. I was trying to say that the computer wasn't shutting down or hibernating completely, just going most of the way but the laptop was still on (hence running on battery). If there is a prob with hardware I'll have to send the laptop back!

"Have you gone to the My Computer is running slow link yet that I posted earlier? And if so, has that helped?"

I went through the list of things for computers running slowly until I got to Lite Startup, a prog. to download. My landlord is very concerned that I downloaded something of 2.2 gig and is looking into how much we have left. After that is Do You Have Host Files Installed. Well I have no idea! So I haven't disabled my DNS. I did check my indexing service and it was already disabled. Lastly I don't want to remove all but the last restore point as I may need to go back (I'd be happy to remove some but there isn't that option).

do you know if I have host files installed from my logs? Shall I disable DNS?
I would like to disable startup progs manually so I dont have to download any more!-hoping I've got instructions somewhere.

How do I find out the ActiveX size? I was in Disk Cleanup and Onlinescanner Control was in there, with only 3 other files. I deleted all of them as they were temporary. That is where the dependent ones were shown. If they are dependent and I have deleted Onlinescanner, then do I have a use for those dependent temp files?

will upload as per your instructions, when I know where we are with our internet limit. Meanwhile I want to expand on those two: whenever I open a Word doc that is an attachment (from different sources) there are several ports involved in those 2 progs trying to act as servers. 3 or 4 or maybe more ports or destinations, the same ones I think for both. So I have to click Deny 6-8 times. It takes quite a long time as it goes quite slowly.

thanks for your help and patience, sarah
 
just checked - when I open word from my computer, it happens too. and it is at least 8 times I have to click Deny - maybe ten?
 
I wasn't clear enough with you on that: you called it a battery problem but what I meant was that the shutting down function was not working properly! The battery is fine, it just showed that the laptop had been on for those hours by running down. I was trying to say that the computer wasn't shutting down or hibernating completely, just going most of the way but the laptop was still on (hence running on battery). If there is a prob with hardware I'll have to send the laptop back!

When you booted the laptop back up after this episode, has it happened again? Or has it been a one time thing so far? And did any error messages pop-up when the computer was booting up and any messages show when the Desktop was loading? We are getting out of my area of expertise here, the best thing would be to mention this at one of the hardware/general troubleshooting forums, they can help you out further if this happens again. :)


Lastly I don't want to remove all but the last restore point as I may need to go back (I'd be happy to remove some but there isn't that option).

The reason we (malware fighters/removers) suggest that you clear all old restore points and set a new one is that, at the end of the fix, those who were infected often have infected restore points. So we have them removed so there is no chance of the person going back, using that system restore point and getting their computer reinfected. Since you don't appear to be infected, you probably don't have any infected restore points. I would still remove old ones every once in a while as they do take up space on the computer.


do you know if I have host files installed from my logs? Shall I disable DNS?

No, I do not see anything in any of your logs that says you have host files installed on your computer. No need to disable DNS right now.


How do I find out the ActiveX size? I was in Disk Cleanup and Onlinescanner Control was in there, with only 3 other files. I deleted all of them as they were temporary. That is where the dependent ones were shown. If they are dependent and I have deleted Onlinescanner, then do I have a use for those dependent temp files?

I was unaware or missed that you had deleted the Onlinescanner. Since you don't have that anymore you can delete those files.

whenever I open a Word doc that is an attachment (from different sources) there are several ports involved in those 2 progs trying to act as servers. 3 or 4 or maybe more ports or destinations, the same ones I think for both. So I have to click Deny 6-8 times. It takes quite a long time as it goes quite slowly.

just checked - when I open word from my computer, it happens too. and it is at least 8 times I have to click Deny - maybe ten?

Does it happen with any other program or just Word and IBM ViaVoice (engine.exe)? Do you have the latest version of Zone Alarm installed? According to Zone Alarm's Release History the latest version is 7.0.483.000. If you don't have that, you should upgrade to see if that fixes the problem.

When the message comes up again about Word trying to act like a server, can you click the More Info button and post back here what it says. That is if you are able to click that button or get more information from the pop-up.


will upload as per your instructions, when i know where we are with our internet limit.

Ok, no worries there. Get the reports for those two files when you can. :)
 
When you booted the laptop back up after this episode, has it happened again? Or has it been a one time thing so far? And did any error messages pop-up when the computer was booting up and any messages show when the Desktop was loading?

Yes, it happened again the next time. There was an error msg, but that always happens if I pull the plug, eg when it crashes. No msg when the desktop was loading that I remember. And it's closing down ok now. Also Ad-Aware is updating again.

Since you don't appear to be infected, you probably don't have any infected restore points. I would still remove old ones every once in awhile as they do take up space on the computer.

Could the restore points be what's eating up my space? Bearing in mind that the last 2 gigs was from ESET and so not included in the problem? I will del restore points.

Does it happen with any other program or just Word and IBM Viavoice(Engine.exe)?

I haven't opened many other progs, so so far only those two. In fact I don't open ViaVoice, so it must be opening on its own.

Do you have the latest version of Zone Alarm installed?

yes

If you don't have that, you should upgrade to see if that fixes the problem.

I'm confused, I thought the problem was word acting as a server, not ZA??

When the message comes up again about Word trying to act like a server, can you click the More Info button and post back here what it says.

Microsoft Word for Windows wants to accept connections from the Internet or your local network
ZoneAlarm is asking you whether to allow this program to act as a server--that is, to accept connection requests from other computers. No breach in your security has occurred. Your computer is safe.

Inside the program alert


Program Name: Microsoft Word for Windows
  A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: WINWORD.EXE
  The filename of the program that ZoneAlarm found on your computer.
Program Version: 9.0.2717
  The version of Microsoft Word for Windows running on your computer.
Program Size: 8798260
  The size of the program executable file in bytes.
Program MD5: b6720721182610d39a6a9b9306a8cba4
  The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum: 33cf3fa3c69fc3edd72c59599c810db2
  The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified: Mar-18-1999 05:38:10 AM
  The date when WINWORD.EXE was most recently modified.
Connect Type: Server
  This value can be either Access, which is an Internet connection attempt by Microsoft Word for Windows, or Server, which indicates that Microsoft Word for Windows is waiting for connections coming in from the Internet.
Local Port: 1978
  The port Microsoft Word for Windows is using to receive packets on the local computer.
Remote IP Address: 0.0.0.0
  The IP address of the remote computer that caused the alert.
Alert Date: Oct-31-2008 03:25:08 AM PDT
  The time when ZoneAlarm detected the alert on your computer.



ZoneAlarm security enforcement at time of alert


Program Status: Repeat Program
  Microsoft Word for Windows has requested Internet or local network access before and is currently requesting access again.
Zone: Internet Zone
  This ZoneAlarm zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.


That doesn't help you, I don't think! Here is the link:
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc00729f&tab=techinfo

and the link for the first engine.exe:
http://pralerts.zonelabs.com/pranal...7-1025/1d74c03011d5118ab7c0070e8&tab=techinfo

2nd Word;
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc007259&tab=techinfo

2nd engine:
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc007247&tab=overview

3rd engine:
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc00723a&tab=overview

3rd Word:
bit confused, was Word..., it's now another engine.exe:
4th engine:
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc007231&tab=overview

5th engine:
http://pralerts.zonelabs.com/pranal...17-1025/214f6b011d5153b8dc00721c&tab=overview

6th engine:
http://pralerts.zonelabs.com/pranal...7-1025/1d74c03011d5118ab7c00708a&tab=techinfo

still waiting for Word to open... Ah, just realised that I have to press New, but I don't usually need to cos I've set it up to just open a new doc straight away.

Does it happen with any other program or just Word and IBM Viavoice(Engine.exe)?

Windows Media tries to access the trusted zone, but I assume that is to link up with online stores and fill in details of CDs if I'm ripping any? I can't think of any other prog to try?
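The alert table above says the connect type is Server, the local port is 1978 and the remote address is 0.0.0.0: the program asked the OS to accept incoming connections and no peer has connected yet. That is ZoneAlarm's own view; the independent check is the operating system's socket table. On Windows XP that is `netstat -ano` (the last column is the PID) joined with `tasklist /fo csv /nh` (PID to image name). The Python below is an added example of mine, not part of the thread. The two text samples inside it are constructed stand-ins for that command output, built to mirror the alert's values, not captures from the laptop. It parses both, keeps only sockets that can accept traffic, and labels each by how far it is reachable: a listener bound to 0.0.0.0 answers on every network interface unless a firewall blocks it, one bound to 127.0.0.1 answers only the machine itself.

```python
"""Cross-check a firewall 'acting as server' alert against the OS socket table.

Added example, not part of the Safer Networking thread. Joins `netstat -ano`
(Windows XP layout, PID in the last column) with `tasklist /fo csv /nh`
(PID -> image name). Both samples below are constructed, not captured.
"""
import csv
import io

# Constructed sample of `netstat -ano` output. The WINWORD.EXE row copies the
# alert's values (local port 1978, bound to 0.0.0.0) so the check has something to find.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1978           0.0.0.0:0              LISTENING       1640
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1288
  TCP    192.168.1.5:1052       212.139.132.36:80      ESTABLISHED     2244
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,852 K"
"alg.exe","1288","Console","0","3,560 K"
"WINWORD.EXE","1640","Console","0","22,104 K"
"firefox.exe","2244","Console","0","61,212 K"
"""


def parse_netstat(text):
    """One dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                         # UDP rows have no State column
            state, pid = "", int(parts[3])
        address, port = local.rsplit(":", 1)
        rows.append({"proto": proto, "address": address, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def parse_tasklist(text):
    """Map PID -> image name. csv handles the quoted '22,104 K' memory column."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def exposure(address):
    """How far a bound socket is reachable, judged by its local address."""
    if address in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if address.startswith("127.") or address == "[::1]":
        return "loopback only"
    return "one interface"


def listeners(conns, tasks):
    """Sockets that can accept traffic: LISTENING TCP sockets and every bound UDP socket."""
    out = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "LISTENING":
            continue
        out.append({"image": tasks.get(c["pid"], "<no such pid>"), "pid": c["pid"],
                    "proto": c["proto"], "address": c["address"], "port": c["port"],
                    "exposure": exposure(c["address"])})
    return out


def listeners_for(image, conns, tasks):
    """Listening sockets held by one image name (case-insensitive)."""
    return [l for l in listeners(conns, tasks) if l["image"].lower() == image.lower()]


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    tasks = parse_tasklist(TASKLIST_SAMPLE)
    for l in listeners(conns, tasks):
        print("{image:<14} pid {pid:<5} {proto} {address}:{port:<5} {exposure}".format(**l))
```

On the real machine, save the two command outputs to files and pass their contents to parse_netstat and parse_tasklist while the alert is on screen. If WINWORD.EXE holds no listening socket at that moment, the listen was refused before anything opened; if it does, the exposure column tells you whether the firewall rule is the only thing between that port and the network. Neither outcome says whether the program is malicious; that is what the hash and online-scanner checks earlier in the thread are for.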
 