Please could someone help?

23 replies to this topic

#1 e-bore (Authentic Member, 35 posts)

Posted 30 September 2007 - 07:11 AM

Hello,

I seem to be having some browser/windows explorer trouble.
I think it might be related to an automatic update from Firefox (only version 2.0.0.4 seems to be reliable).

I get slow tab loading and page loading on Firefox - general slowdown really (but not so much on IE7); I keep getting popups saying something like "error validating certificate" - with an IP address on it.
This morning, all minimised tabs on the windows toolbar vanish when you minimise anything: IE7; Firefox; and Windows explorer file windows.

I've made a HJT log, if someone would be kind enough to give it a quick look:
Logfile of HijackThis v1.99.1
Scan saved at 13:23:20, on 2007.09.30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ctfmon.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PowerArchiver\POWERARC.EXE
C:\DOCUME~1\Jac\LOCALS~1\Temp\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: txthlpBHO Class - {060235DC-6D84-47BD-95D7-A4EF5099A59D} - C:\PROGRA~1\TEXTHE~1\READAN~1\TE3219~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Continue Setup.lnk = D:\Installers\setup.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?705730ea49a84f8b95c4d17da6a13830
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?705730ea49a84f8b95c4d17da6a13830
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159949087452
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159949299061
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/gb/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D82E07-9576-42BC-9323-C42A62D4BD52}: NameServer = 212.159.6.10 212.159.6.9
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Would it be useful to run a BitDefender scan too?

Thanks in advance,

Jack
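As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script for logs in the HijackThis v1.99.1 format shown above: it separates the header, the running-process list and the numbered R/F/O entries, then flags what a reviewer checks first in such a log: entries marked "(no file)" or "(file missing)", O23 services with an unknown owner, the O17 DNS servers to confirm against the ISP's resolvers, and any JRE older than 1.6 (the outdated 1.4.2 install that Jintan points out later in the thread). The sample input is a constructed subset of the log above, and the 1.6 threshold is an assumption for the example.

```python
import re

# Constructed sample input: a subset of lines from the HijackThis v1.99.1 log
# posted in this thread, kept short for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:23:20, on 2007.09.30
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - Global Startup: Continue Setup.lnk = D:\Installers\setup.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0D82E07-9576-42BC-9323-C42A62D4BD52}: NameServer = 212.159.6.10 212.159.6.9
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: ..." style lines: a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Sun JRE install directories: "j2re1.4.2_05" (1.4.x) or "jre1.5.0_06" style.
JRE_RE = re.compile(r"j2?re(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
MISSING_MARKERS = ("(no file)", "(file missing)")
# Assumption for this example: Java 6 was current when the thread was written,
# so any JRE below 1.6 is reported as outdated.
MIN_JRE = (1, 6, 0, 0)


def parse_hjt(text):
    """Split a HijackThis log into (header lines, running processes, entries)."""
    header, processes, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            mode = "processes"
            continue
        if not line:
            if mode == "processes":
                mode = "entries"  # the blank line after the process list ends it
            continue
        if mode == "header":
            header.append(line)
        elif mode == "processes":
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue  # tolerate stray text pasted into the log
            body = m.group("body")
            clsid = CLSID_RE.search(body)
            entries.append({
                "section": m.group("section"),
                "body": body,
                "clsid": clsid.group(0).upper() if clsid else None,
                "missing": body.endswith(MISSING_MARKERS),
            })
    return header, processes, entries


def jre_version(path):
    """Return the JRE version tuple embedded in a path, or None."""
    m = JRE_RE.search(path)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(processes, entries):
    """Return (kind, detail) findings a log reviewer would look at first."""
    findings = []
    for e in entries:
        if e["missing"]:  # orphaned hook/button: target no longer on disk
            findings.append(("orphan-entry", e["section"] + " " + e["body"]))
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            findings.append(("unsigned-service", e["body"]))
        if e["section"] == "O17":  # DNS servers to confirm against the ISP
            findings.append(("dns-servers", e["body"].split("NameServer = ", 1)[-1]))
    seen = set()
    for s in processes + [e["body"] for e in entries]:
        v = jre_version(s)
        if v and v < MIN_JRE and v not in seen:
            seen.add(v)
            findings.append(("outdated-jre", "%d.%d.%d_%02d" % v))
    return findings


if __name__ == "__main__":
    header, procs, ents = parse_hjt(SAMPLE_LOG)
    print(header[0], "|", len(procs), "processes |", len(ents), "entries")
    for kind, detail in triage(procs, ents):
        print(f"{kind:17} {detail}")
```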

#2 e-bore (Authentic Member, 35 posts)

Posted 30 September 2007 - 09:45 AM

Following a BitDefender (free online) scan, I found "Macro.vba" as a "suspect file" that could not be deleted, associated with a "Rapid-Pi-Setup.exe" file on my system. Please could someone offer any advice or help?

#3 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 02 October 2007 - 03:21 PM

Howdy e-bore,

By sheer coincidence your request thread here was the next one I was to respond to, but as I mentioned in that PM, patience is required when posting here. No infection showing here though. That one item BitDefender located you may be familiar with as the installer for some Rapid-Pi Math Editing software. From their website:

Rapid-Pi allows you to enter mathematical expressions as easy-to-understand text. For example, you can type "2/3" to create a fraction or type "x^2" to get x-squared.


I sense BitDefender felt part of the installer file was suspect due to the methods it used, but in a quick test trial I did not see any actual infection activity from this software. It does have a very unusual EULA agreement it only displays during install, with no means I found of obtaining a copy after or during the install. I copied off part of it here for display:

7.2 Where C17.1 has been breached, you must, upon request, pay Trident Software Pty Ltd an administration fee in the amount specified by Trident Software Pty Ltd but not exceeding the greater of:

a) $30 US Dollars
b) 7% of the purchase price


I did check their site again but for the life of me have yet to find anything similar to a "C17.1" to determine exactly what terrible act that refers to. But a hard to copy EULA with hard to understand terms that suggests additional payments to the vendor would really suggest one thing about the software - it can be replaced by some other with less silliness involved.


Your system has that QFX Software KeyScrambler software, which I hadn't seen before. In checking a bit of what that does I can see it obscures login details, and would be a solid candidate on any list related to these problems you are having. If you upgraded Firefox with this installed it may have added to issues, but perhaps you might consider temporarily uninstalling this scrambling software and after a reboot check for improvements.

No infection though, so you might want to follow up on this at the WTT Microsoft Windows forum for other ideas.

Edited by Jintan, 02 October 2007 - 03:28 PM.


#4 e-bore (Authentic Member, 35 posts)

Posted 03 October 2007 - 06:54 AM

Soz about that. Actually my mate is having some trouble too, so I'll explain to him the way it works... I think for some "n00bs" (I'll include myself in this instance), it can seem as though your cry for help is subsumed in amongst old messages.

I'm not 100% sure whether BitDefender is especially useful any more. Would a SilentRunners scan yield more info?

I have just noticed that this time, on the taskbar, I'm getting the same sort of thing I had before (when I was in touch with you) - the taskbar malfunction where open windows of any kind appear at the right-hand end of the taskbar, but all in the same space, so only one shows at a time, and you're given arrows to cycle through the open programmes/windows:

Attached file: taskbar_malfunction.bmp (46.73KB, 192 downloads)

I'll reboot anyway, and report back. Are there any FAQs being collated on this type of error?

cheers,
Jack

#5 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 03 October 2007 - 07:31 AM

If I understand what you are indicating, it is a task grouping setting. Right click Start - Properties - Taskbar tab, and uncheck "Group similar taskbar buttons" (Apply/OK). As far as malware is concerned, if no infection is being found there is no need to produce more logs for review. You should just reconsider that keylogger software and see if things improve after.

#6 e-bore (Authentic Member, 35 posts)

Posted 03 October 2007 - 09:24 AM

I've removed the keylogger stuff (and rebooted); it's gone back to showing nothing on the taskbar.

Firefox is DEFINITELY very very slow and generally "playing up" a bit in small ways... it kind of pauses for a while every time you open a new page really, but a lot at the start... just to type in here, I had to wait for it to "settle down". I have that thing of being unable to drag and select text with the mouse - it won't stay selected if you know what I mean.

I also get a couple of popups... I'll try and attach JPEGs: errormessage.JPG, errormessage2.JPG

I was running the keylogger for a while with none of this. I even loaded a thing to watch online TV, with no ill effects... I dunno what the trigger is, but I suspect it to be the FF updates - version 2.0.0.4 works fine, but every update since then gives me these kinds of problems. IE is less affected, but does give multiple tabs on a single click (maybe I've selected something to open everything in a new tab, but I don't think so).

I'll give your suggestions a go and report back.

Edited by e-bore, 03 October 2007 - 09:24 AM.


#7 e-bore (Authentic Member, 35 posts)

Posted 03 October 2007 - 09:27 AM

Jintan wrote:
If I understand what you are indicating it is a task grouping setting. Right click Start - Properties - Taskbar tab, and uncheck "Group similar taskbar buttons" (Apply/OK).

This thing was already "unchecked" (or unticked as we would say :P )

#8 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 03 October 2007 - 09:54 AM

Does look like a Firefox issue - possibly your ZA firewall blocking normal web transactions. Not really sure what the Taskbar issue is, since I am not really grasping what is not correct on it. But nothing reflecting malware so far. Some sharp folks assist in the WTT Microsoft Windows forum who might more quickly ID the cause and solution on that, but for the errors you will need to see where ZA is blocking FF access.

#9 e-bore (Authentic Member, 35 posts)

Posted 04 October 2007 - 07:36 AM

The thing is, as far as I'm aware, I haven't got Zone Alarm despite what it says!

The malfunction on the taskbar is symptomatic of the slowdown in FF, it's a related problem, along with hotkeys (like CTRL+C) not working.

The solution before was that a Panda Tech support man saw my HJT log, and told me to delete these things from the HJT log back then:

Please could you re-run HijackThis and place a tick next to the following lines and then click on Fix checked.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...html?p=ZNfox000
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


I then came here, and after showing the new HJT log, I apparently resolved by reinstalling FF 2.0.0.4
This new issue I think came about with an auto update to FF 2.0.0.7

I might have some "ZA" detritus in my System32, but it's not a running programme.

Is there any way of cleaning out my system of cobwebs like this?

There is still an issue with the taskbar - although I've managed to drag the minimised progs to a place where they look normal, there's two taskbar dividers left on the right hand end before the clock and other icons.
FF still takes an age to load up.

Should I link to this thread if I open a new help request on the WTT Windows forum?

#10 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 04 October 2007 - 08:24 AM

Although there are steps to just remove or disable that existing ZA service showing, the logs would not reflect what else might be left active from the uninstall glitch. Best if you disable any protective software completely and reinstall ZA, then with the other software still disabled uninstall it to make sure all parts are cleaned out. But for the taskbar issues yes, if you link to the info in this thread in a new Windows forum request perhaps the info will help provide the right fix there.

#11 e-bore (Authentic Member, 35 posts)

Posted 04 October 2007 - 08:30 AM

So, running a registry cleaner or "cr@p cleaner" wouldn't necessarily clean out the residual ZA stuff?

I've found the error code for the pop-ups: -12263
http://www.mozilla.o...ssl/sslerr.html

It seems to be due to blocking counters and maybe anonymisers; dunno what the answer is.

FF2 doesn't seem to be that stable once you start playing around with addons and upgrades; mind you, my IE7 is going spare: when you click in the address bar, the whole top of the GUI window starts flickering wildly... aught seems hypersensitive.

Is this the right thread for this type of error issue?

Edited by e-bore, 04 October 2007 - 08:57 AM.


#12 e-bore (Authentic Member, 35 posts)

Posted 04 October 2007 - 08:58 AM

...seems I'm not alone...

http://www.velocityr...w...age=2&pp=10

http://www.neowin.ne...howtopic=548141

... and apparently this is the solution



...it seems that following up the link above, my CA package is by the same people who do Zone Alarm, or includes it in some way
http://kb.mozillazin...rsonal_Firewall
http://crm.my-etrust...ED0B9AB718498FA

this feller seems to think it's caused by the addon called no-script:
http://forums.comodo...0.html;msg90519

..but it seems strange that the taskbar and IE7 should go mental too

Edited by e-bore, 04 October 2007 - 09:14 AM.


#13 Jintan (Advanced Member, Visiting Fellow, 791 posts)

Posted 04 October 2007 - 07:27 PM

Not sure about the ZA and CA ties in those links, but it did get me taking a better look at that, and sure enough I see the CA eTrust full software installs all include the Zone Labs TrueVector Internet Monitor service. Makes sense, since there is never indication of a CA firewall service. Really good to know that info so I appreciate that. I had checked out a bit of Mozilla data on this access issue, and can tell there are quite a few success stories related to changes on servers and websites adjusting for virtual hosts settings. The other few I did check suggested still successes with adjustments to the firewall settings, specifically for blocks of certain ports, though this info varied. Not something we might resolve from a malware perspective though. However, in looking back at this CA/ZA firewall info in your log posted I see you have the older and vulnerable Java installed still, and so yes, if you would go ahead and run and post back a Silent Runners scan to double-check issues related to that.

#14 e-bore (Authentic Member, 35 posts)

Posted 05 October 2007 - 05:47 AM

Funny, I've just done Silent Runners twice, and I can't find the file! It says it's in: "Start Up Programs (SNNECCI) 2007-10-05 11.19.43.txt". I've searched so many permutations of this, I dunno where to look!

Can't bring up the menu on right-mouse click now, except on the form!

I'm still getting the -12233 error despite uninstalling the noscript addon too.

Edited by e-bore, 05 October 2007 - 06:12 AM.


#15 e-bore (Authentic Member, 35 posts)

Posted 05 October 2007 - 06:54 AM

Right, sorry about that, sorted it out by following your instructions on my first thread:
http://forums.whatth...ion_t80941.html

so, here's the Silent Runners logfile:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
"PCMService" = ""c:\Apps\Powercinema\PCMService.exe"" ["CyberLink Corp."]
"EEventManager" = "C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" ["SEIKO EPSON CORPORATION"]
"CaISSDT" = ""C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"" ["Computer Associates International, Inc."]
"eTrustPPAP" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"" ["Computer Associates"]
"QOELOADER" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"" ["Computer Associates, Inc."]
"CaAvTray" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]
"CAVRID" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]
"Zone Labs Client" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"" ["Computer Associates"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"DSLSTATEXE" = "C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
										\StubPath   = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{060235DC-6D84-47BD-95D7-A4EF5099A59D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "txthlpBHO Class"
				   \InProcServer32\(Default) = "C:\PROGRA~1\TEXTHE~1\READAN~1\TE3219~1.DLL" [empty string]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
				   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
				   \InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
				   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
				   \InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
				   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
				   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

any clues?

cheers,

Jack
