Thread: Cws
-
December 22nd, 2004, 11:59 PM
#11
The 1.exe is referenced by your Epson Stylus Photo R200 Series. The 1.exe file name is commonly associated with the PWSteal Trojan and Win32.Delf Trojan, depending on your AV vendor's naming convention.
The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
-
December 23rd, 2004, 12:06 AM
#12
I don't see a 1.exe, I see an E_S4I2H1.EXE..... Could be me though, the formatting kind of stinks.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
December 23rd, 2004, 12:17 AM
#13
Firstly, you still have this running:-
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H\1.EXE
Bad things love to try to hide themselves in the system32\spool\drivers folders.... I think this one is very suspicious and unless you can ID it I would do anything to get rid of it.... (that's a). Period!
To go on..... ID them if you can.... If you can't.... Get rid of them.... (Google the filename, not the path). If there are no results they are bad.... If there are results, read them and decide for yourself (I'm working on instinct here):-
1. C:\WINDOWS\AGRSMMSG.exe
2. C:\Program Files\interMute\SpamSubtract\SpamSub.exe
3. C:\WINDOWS\System32\nvsvc32.exe
4. C:\WINDOWS\wanmpsvc.exe
NOTE: Get rid of McAfee.... look at all the "crap" that is running... (personal note)
That's running processes I don't like..... Go to task manager and see if you can kill them... Then we can work from there......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
December 23rd, 2004, 01:05 AM
#14
AGRSMMSG.exe = "SoftModem Messaging Applet for your AMR modem."
If you have an ARM modem????
interMute\SpamSubtract\SpamSub.exe = Spam filter from interMute........... who also own CWShredder now.
Do you use a spam filter???
nvsvc32.exe = NVIDIA Driver Helper Service
Nothing suspect here.
wanmpsvc.exe = AOL. WAN Miniport (ATW) service
Now most of us would like to classify this as malware............. Unfortunately it's not.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
December 23rd, 2004, 01:17 AM
#15
Dude, you have to be careful when deleting certain registry references. You may mess it up even more than it was previous to your "oh I think I'll delete this one and maybe that one too". Get a program called System Mechanic; get it at www.iolo.com
-
December 23rd, 2004, 02:15 AM
#16
Firstly, you still have this running:-
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H\1.EXE
Bad things love to try to hide themselves in the system32\spool\drivers folders.... I think this one is very suspicious and unless you can ID it I would do anything to get rid of it.... (that's a). Period!
So, the end of the rainbow here still isn't definitive about what should go? Should
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H\1.EXE
go, or not? I have no idea what it is. Plus, I have McAfee Anti-Spyware, as well as McAfee firewall and virus protection, so I'm not at all sure about getting "rid of McAfee" since I would not have any idea what should be kept, and what should be deleted.
Finally,
AGRSMMSG.exe = "SoftModem Messaging Applet for your AMR modem." If you have an ARM modem????
I don't have the faintest idea what an ARM modem is! I have a DSL modem and there is another computer networked through a Linksys firewall router...but that exhausts what I know about all this!
That's why this Forum is so valuable to me! At least here there are knowledgeable folks who have some clue what's going on! I am extremely cautious about this, since I don't have enough knowledge, and only enough of an idea about what I think I should do to bury my whole system if I mess up!
-
December 23rd, 2004, 03:07 AM
#17
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H\1.EXE
........................... Leave it alone.
Your ARM modem is probably built onto your motherboard.................... Leave alone.
As long as your box comes up clean with an up-to-date AV scan............ backed up with maybe a couple of good online AV scans, i.e. Trend Micro's HouseCall, etc............................. clean scans from Ad-Aware and SBot,
and you are not getting any symptoms of malware infestation, I think you can safely say you're in the clear.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
December 23rd, 2004, 05:32 AM
#18
herron: You can examine some of these from a logical standpoint. A driver under the spools directory would be either a printer or fax/modem, normally. I rarely see an executable here. Usually just DLLs. And, there is rarely anything not malware that goes as deep in the directory structure as this example. A quick check of the file (find it, right click, properties, Version--then check each category) should find the originating company, file version and other information.
If the above doesn't answer your questions, you can check your registry for what applications might reference this particular file/path. Cut and paste a portion of the path into the Edit/Find/Find What field in regedit and note what and where this file and path is referenced.
Lastly, you have a lot of things in the ...\Microsoft\Windows\CurrentVersion\Run area of HKLM. This has to have a significant impact on system performance and may be partly responsible for the problems you are having getting a good scan.
I hope this helps.
-
December 23rd, 2004, 07:03 AM
#19
rapier57:
I appreciate your support, but this is the first time -- with your comment -- that I knew that "a driver under the spools directory would be either a printer or fax/modem, normally" and, although I think I understand what you mean by "as deep in the directory structure", I am not at all sure how deep is deep, if you know what I mean...or what should be there.
I am not terribly savvy about the technical side of all this...just how to use it. Which is why I was delighted to find this Forum last summer!
I will try what you suggest, to see if there is something else that really should be eliminated. I can follow direction, at least!
Thanks.
-
December 23rd, 2004, 08:03 PM
#20
After much effort last night, this is what the HJT logfile looks like now:
**********
Logfile of HijackThis v1.98.2
Scan saved at 1:50:30 PM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HIGH JK THS\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.herron.50megs.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://socrates.gateway.gm.com/http...com/iNotes.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1092976554296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/sh...,2/mcmysec.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
**********
Not a whole lot of difference that I can see. Like, why are there so many instances of:
C:\WINDOWS\system32\svchost.exe?
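The triage rapier57 describes in post #18 (work out what launches the file and where it lives) and the question at the end of post #20 about the number of svchost.exe instances can both be worked directly over the HijackThis log. The Python below is an added example, not code from this thread or from HijackThis. The log excerpt embedded in it is copied from the log posted above (most lines left out); the regular expressions for the log format, the executable-extraction rule and the list of "unusual" directories are my own assumptions, the last one being rapier57's spool\DRIVERS rule of thumb written down as code.

```python
import re
from dataclasses import dataclass

# Excerpt of the HijackThis v1.98.2 log posted above (lines copied from the
# post; most entries are omitted to keep the example short).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.herron.50megs.com
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKCU\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
"""

# Assumed shape of HJT O4 lines: registry Run values and startup-folder .lnk files.
O4_RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>Startup|Global Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|pif))(?:\s|$)", re.IGNORECASE)

@dataclass(frozen=True)
class RunEntry:
    where: str       # key or startup folder as HJT prints it, e.g. HKLM\..\Run
    name: str        # registry value name or .lnk file name
    command: str     # full command line as logged
    executable: str  # program the command launches (best effort)

def executable_from_command(cmd: str) -> str:
    # Quoted path, else everything up to the first .exe/.com/... followed by
    # whitespace (HJT logs unquoted paths that contain spaces).
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_hjt(text: str):
    """Return (running process paths, O4 startup entries) from an HJT log."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
            continue
        in_procs = False  # first non-path line closes the section
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            entries.append(RunEntry(m["where"], m["name"], m["cmd"],
                                    executable_from_command(m["cmd"])))
    return processes, entries

def count_process(processes, name: str) -> int:
    return sum(1 for p in processes if basename(p) == name.lower())

def find_references(entries, name: str):
    # Which startup entries launch this file: the regedit Find step from
    # post #18, done over the log instead of the live registry.
    return [e for e in entries if basename(e.executable) == name.lower()]

# rapier57's heuristic: an executable running from under spool\DRIVERS is
# unusual enough that it should be identified by hand before deciding its fate.
SUSPICIOUS_DIRS = ("\\spool\\drivers\\",)

def flag_unusual_locations(processes):
    return [p for p in processes if any(d in p.lower() for d in SUSPICIOUS_DIRS)]

def bare_name_entries(entries):
    # A Run value naming only a file (no directory) is resolved through the
    # search path, so the log alone does not say which file actually runs.
    return [e.name for e in entries if e.executable and "\\" not in e.executable]

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print("svchost.exe instances:", count_process(procs, "svchost.exe"))
    for path in flag_unusual_locations(procs):
        refs = find_references(entries, basename(path))
        print("check by hand:", path, "launched by", [f"{e.where} [{e.name}]" for e in refs])
    print("Run values with bare file names:", bare_name_entries(entries))
```

Two things the log can settle and one it cannot. Several svchost.exe processes are normal on Windows XP, since each instance hosts a group of services, so the count by itself says nothing. The file the earlier posts read as "1.exe" does not exist in the log; the path wrapped in the forum quote, and the process is the E_S4I2H1.EXE that both EPSON Run values (HKLM and HKCU) launch. Whether that file really is Epson's, however, cannot be decided from the log: that is the on-the-box check from post #18 (the Version tab of the file's properties), which no log parser replaces.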