2 replies to this topic

[Daman]

I am worried about my computer being accessed from the internet and will ask some questions to determine if I have a problem. These are symptoms that I notice. I have 111 instances of desktop.ini, it is located in one hundred and eleven different files. I have IE 6 but my folders say IE 5. I have internet activity constantly, downloading and uploading. I thought that I was only supposed to have a maintenance download and upload on a cyclicle basis to maintain my page, like refreshing. I have download activity of 3kb per sec and uploads every 2 min. 2 times 50 sec distant. I have windows media player exe with a version for russian use 9.0.0.3250. websites say this is for wmp 6.4. google search. I was going to spin my windows disk but deleted the registry entry pertaining to my cdrom by accident. I deleted the entry in hkcu-installed components. If I reformat will it run from bios with generic driver? I have win tasks pro and and security task manager both of which do not show internet activity only running process, tried to correlate running processes activity to internet activity but have to be in the right place at the right time, and if the process is somehow hidden wouldn't these be unable to show them. I found a file that I created on a russian website, google search, a roxio image file entitled zonalpropest.rd, when I do a search now it is no longer found.

[Daman]

Tonight I found a 180searchassistant with bitdefender, an online scanner. It was installed with rosoft sound recorder. I searched the modified/create date and deleted suspect files. In the process I noticed a .sbe file, it's an exclude list for spybot s&d. I checked the exclude list in spybot and there were items as exclude, 5 items to be exact. The rosoft prog probably added the excludes on install. I don't know what registry keys were affected though. The offender was 180searchassistant 5.11 the file it operated from was rmturad.exe.tfc, a double extention. After deselecting the exclude items I ran spybot and it found the bugger. Sonsab_t_hes. What is desktop.ini and why do I have 111 instances of it? Why did I have a russian windows media player 6.4 as an installed component in my registry? I had searched using *.exe and looked for files that looked like they did not belong, googled them to find out what they were tied to and if it came back unknown I took note for possible deletion. In the process the anomalys downloads/uploads have stopped, well at least the upload portion. I deleted the registry entry in installed components for the wmp 6.4 and the wmiwmpsv.exe and other exe's, inadvertently deleting the component for the cd rom. I was able to reinstall it by uninstalling the driver, reinstall driver and deleting the upper filters and lower filters in the registry and rebooting. Apparently to stop a problem after a program install and when you notice something awry, is by using a baseline or footprint of your registry and windows/system32 areas. From what I read, propper footprinting includes a footprint from your virgin computer, a footprint before program install, and a footprint after a program install. This allows you to see where the changes are taking place so you can undo if you determine you have a problem, because add/remove progs does not get rid of everything.

[wng_z3r0]

Hi and welcome to the forums. It looks like you do have some problems on your computer. Look at my signature below and download hijack this. Please extract it to its OWN folder. A good place to put it would be to make a folder called HJT here: C:\program files

IMPORTANT: MCAFFEE INCORECTLY IDENTIFIES THIS PROGRAM AS A VIRUS UNLESS YOU HAVE THE ABSOLUTE LATEST DATS (4429 OR UP)

Post a log here and we will see what shows up

Thanks wng