weird crap


Drone
11-09-08, 07:15
what are those files?! (c:/windows/system32)



http://i35.************/33ven9s.gif


viruses? crap?

cheers

EscondeR
11-09-08, 07:23
If you post the contents of the first two here (in code tags), I can tell you more, but at first sight IMO they are a part of some malware :whi:

Drone
11-09-08, 07:25
I think so too. How to post content? Open via notepad?

EscondeR
11-09-08, 07:28
Yup.
Then put it in between:

[code]
the text
[/code]

and post.

Drone
11-09-08, 07:35
I can't. Text (if it can be called like that (only squares and other stupid crap)) is too big mweh

Goose
11-09-08, 07:36
> I think so too. How to post content? Open via notepad?

I hope you've backed up your stuff. Some viruses get past the antivirus, and you end up having to re-install Windows, providing you kept the CD. Sometimes you may have to wipe the hard drive.

Sounds like a long-winded thing but takes about 2 hours, and you get a nice fresh feeling computer at the end (back when Kazaa and Napster were young I had many a virus).

EscondeR
11-09-08, 07:40
> I can't. Text (if it can be called like that (only squares and other stupid crap)) is too big mweh

Well...
1. Boot into Safe Mode with Networking Support, run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the report.
2. Run an antivirus/antispyware scan while in Safe Mode.

Drone
11-09-08, 08:10
1. rebooted in s/m with n/w support
2. Norton refused to work in s/m
3. Could not connect even tho n/w support was on
4. what to do now?
5. here is the report tho:



Copy the following text and paste it to your report AS IS!!!

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"ATI Smart"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ATI Smart
Program path & name:
c:\windows\system32\ati2sgag.exe"
Enabled: [V]


Program:
"Event propagation and logging service"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ccEvtMgr
Program path & name:
"c:\program files\common files\symantec shared\ccsvchst.exe"
Enabled: [V]


Program:
"Settings storage and management service"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ccSetMgr
Program path & name:
"c:\program files\common files\symantec shared\ccsvchst.exe"
Enabled: [V]


Program:
"Symantec Lic NetConnect Service"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
CLTNetCnService
Program path & name:
"c:\program files\common files\symantec shared\ccsvchst.exe"
Enabled: [V]


Program:
"Manages Norton product notices."
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
LiveUpdate Notice Ex
Program path & name:
"c:\program files\common files\symantec shared\ccsvchst.exe"
Enabled: [V]


Program:
"Manages Norton product notices"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
LiveUpdate Notice Service
Program path & name:
"c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe"
Enabled: [V]


Program:
"Nero BackItUp Scheduler 3 is responsible to control all jobs created using Nero BackItUp 3. These jobs can create backups of selected files/folders/partitions or complete hard disk to hard disk network drive disc or FTP."
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Nero BackItUp Scheduler 3
Program path & name:
"c:\program files\nero 8\nero backitup\nbservice.exe"
Enabled: [V]


Program:
"Symantec Eraser Control Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
eeCtrl
Program path & name:
"c:\program files\common files\symantec shared\eengine\eectrl.sys"
Enabled: [V]


Program:
"Symantec Eraser Utility Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
EraserUtilRebootDrv
Program path & name:
"c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys"
Enabled: [V]


Program:
"CD/DVD Class Filter Driver"
Publisher:
"(Verified) GEAR Software Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
GEARAspiWDM
Program path & name:
"c:\windows\system32\drivers\gearaspiwdm.sys"
Enabled: [V]


Program:
"AV Engine"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NAVENG
Program path & name:
"c:\program files\common files\symantec shared\virusdefs\20080910.003\naveng.sys"
Enabled: [V]


Program:
"AV Engine"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NAVEX15
Program path & name:
"c:\program files\common files\symantec shared\virusdefs\20080910.003\navex15.sys"
Enabled: [V]


Program:
"Padus(R) ASPI Shell"
Publisher:
"(Not verified) Padus Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
pfc
Program path & name:
"c:\windows\system32\drivers\pfc.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"SPBBC Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SPBBCDrv
Program path & name:
"c:\program files\common files\symantec shared\spbbc\spbbcdrv.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
"Symantec AutoProtect"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SRTSPL
Program path & name:
"c:\windows\system32\drivers\srtspl.sys"
Enabled: [V]


Program:
"Symantec AutoProtect"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SRTSPX
Program path & name:
"c:\windows\system32\drivers\srtspx.sys"
Enabled: [V]


Program:
"DNS Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMDNS
Program path & name:
"c:\windows\system32\drivers\symdns.sys"
Enabled: [V]


Program:
"Symantec Event Library"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SymEvent
Program path & name:
"c:\windows\system32\drivers\symevent.sys"
Enabled: [V]


Program:
"Firewall Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMFW
Program path & name:
"c:\windows\system32\drivers\symfw.sys"
Enabled: [V]


Program:
"IDS Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMIDS
Program path & name:
"c:\windows\system32\drivers\symids.sys"
Enabled: [V]


Program:
"IDS Core Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMIDSCO
Program path & name:
"c:\program files\common files\symantec shared\symcdata\idsdefs\20080909.001\symidsco.sys"
Enabled: [V]


Program:
"NDIS Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMNDIS
Program path & name:
"c:\windows\system32\drivers\symndis.sys"
Enabled: [V]


Program:
"Redirector Filter Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMREDRV
Program path & name:
"c:\windows\system32\drivers\symredrv.sys"
Enabled: [V]


Program:
"Network Dispatch Driver"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
SYMTDI
Program path & name:
"c:\windows\system32\drivers\symtdi.sys"
Enabled: [V]


Program:
"Microsoft® Document Imaging"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Entry name:
Microsoft Document Imaging Writer Monitor
Program path & name:
"c:\windows\system32\mdimon.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\byXPhIxy
Program path & name:
File not found: C:\WINDOWS\system32\byXPhIxy"
Enabled: [V]


Program:
"Symantec User Session"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ccApp
Program path & name:
"c:\program files\common files\symantec shared\ccapp.exe"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/octet-stream
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-complus
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-msdownload
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"Microsoft .NET IE SECURITY REGISTRATION"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
n/a
Program path & name:
"c:\windows\system32\mscories.dll"
Enabled: [V]


Program:
"Adobe PDF Helper for Internet Explorer"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Adobe PDF Link Helper
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
Enabled: [V]


Program:
"Flashget CatchUrl Module"
Publisher:
"(Not verified) www.flashget.com"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
FGCatchUrl
Program path & name:
"c:\program files\flashget\jccatch.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\ssv.dll"
Enabled: [V]


Program:
"Flashget GetFlash Module"
Publisher:
"(Not verified) www.flashget.com"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
FlashGet GetFlash Class
Program path & name:
"c:\program files\flashget\getflash.dll"
Enabled: [V]


Program:
"Extensions Manager"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Extensions Manager Folder
Program path & name:
"c:\windows\system32\extmgr.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"PowerISOShell DLL"
Publisher:
"(Not verified) PowerISO Computing Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
PowerISO
Program path & name:
"c:\program files\poweriso\pwrisosh.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ShellLink for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Shell Icon Handler for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalIconHandler
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NeroDigitalPropSheetHandler
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"AMD Desktop Control Panel"
Publisher:
"(Not verified) Advanced Micro Devices Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Catalyst Context Menu extension
Program path & name:
"c:\program files\ati technologies\ati.ace\core-static\atiacmxx.dll"
Enabled: [V]


Program:
"Nero Digital Shell Extension"
Publisher:
"(Verified) Nero AG"
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
NeroDigitalColumnHandler Class
Program path & name:
"c:\program files\common files\nero\lib\nerodigitalext.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
Enabled: [V]


Program:
"UIBhoImpl"
Publisher:
"(Verified) Symantec Corporation"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
NCO Toolbar
Program path & name:
"c:\program files\common files\symantec shared\coshared\browser\1.5\uibho.dll"
Enabled: [V]


Program:
"FlashGet"
Publisher:
"(Not verified) FlashGet.com"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
FlashGet
Program path & name:
"c:\program files\flashget\flashget.exe"
Enabled: [V]

EscondeR
11-09-08, 12:04
Actually the only crap on your PC is Symantec resource hog ATM :)
Consider changing for KAV or AVG.

Those files can be a part of malware that was successfully deleted before:

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\byXPhIxy
Program path & name:
File not found: C:\WINDOWS\system32\byXPhIxy"
Enabled: [V]
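The entry EscondeR singles out is exactly what a defender wants pulled out of such a report automatically: an autostart in a persistence location (here the LSA Authentication Packages key) whose target file no longer exists. The Python below is an added example, not ARDiag's own code and not from this thread; it parses the report's "Field:" / value layout and flags entries of that kind. The embedded sample is constructed from the thread's LSA entry, and the SENSITIVE list of persistence keys is an assumption.

```python
# Constructed sample in ARDiag's "Field:" / value layout (the orphaned LSA entry from the thread).
SAMPLE_REPORT = r"""
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\byXPhIxy
Program path & name:
File not found: C:\WINDOWS\system32\byXPhIxy"
Enabled: [V]
"""
FIELDS = ("Program", "Publisher", "Entry path", "Entry name", "Program path & name")
# Assumed list of persistence locations where an unverified publisher deserves a second look.
SENSITIVE = ("\\lsa\\", "\\currentversion\\run", "\\browser helper objects")

def parse_report(text):
    """Return one dict per autostart entry; a blank line ends an entry, wrapped values are re-joined."""
    entries, cur, field = [], {}, None
    for line in (raw.strip() for raw in text.splitlines() + [""]):  # sentinel flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
            cur, field = {}, None
        elif line.startswith("Enabled:"):
            cur["Enabled"] = "[V]" in line
        elif line.endswith(":") and line[:-1] in FIELDS:
            field = line[:-1]
        elif field:
            cur[field] = (cur.get(field, "") + " " + line).strip()
    return entries

def flag_entries(entries):
    """Return (entry name, reason) pairs a defender should review; signed entries in normal places pass."""
    findings = []
    for e in entries:
        name, pub = e.get("Entry name", "?"), e.get("Publisher", "").lower()
        loc, target = e.get("Entry path", "").lower(), e.get("Program path & name", "")
        if target.startswith("File not found"):
            findings.append((name, "autostart points at a missing file (leftover of a removed program or malware)"))
        if "(verified)" not in pub and any(key in loc for key in SENSITIVE):
            findings.append((name, "unverified publisher in a persistence location"))
        if "\\lsa\\" in loc and name.lower().startswith("c:\\"):
            findings.append((name, "LSA package registered by full path instead of a system32 DLL name"))
    return findings
```

Feed a whole pasted report to `flag_entries(parse_report(text))` to get the review list; an orphaned entry like the one above is safe to remove from the registry, since nothing is left for it to load.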

Drone
11-09-08, 12:07
Thanks Alex, so I can just delete 'em?

Our firm gotta get KAV soon so I'll definitely switch to that but atm I use Symantec

EscondeR
11-09-08, 12:20
> Our firm gotta get KAV soon so I'll definitely switch to that but atm I use Symantec

OK, go on then :tmb:

Drone
12-09-08, 19:43
Got another question. Don't wanna make a new thread.

On one new machine I always notice mscorsvw.exe in Task Manager. It wasn't there b4 formatting. Since everything was reinstalled it appears. I stop it from time to time but it appears again. It's a part of .NET. But do I need it? Why does it appear? Should I disable it?

Cheers

spikejones
12-09-08, 19:49
Hmm... I don't have that running on my machine.

LaraCroft90
13-09-08, 01:44
mscorsvw.exe is part of the Microsoft .NET Framework. Only terminate the process if it is bothering you.

Drone
13-09-08, 08:32
I know that, LaraCroft90. When I stop it, sometimes it comes again.
Is it safe to go to Control Panel -> Administrative Tools -> Services and disable it from there? Will the machine boot normally then?

EscondeR
13-09-08, 11:03
This process is a part of the MS .NET Framework Runtime Optimization service. If you're not a .NET developer, you can safely disable this service in Control Panel > Administrative Tools > Services.

Some software may need it though, like:
Diskeeper
MS SQL Server 2005/2008

If you have this software and it returns some notice/error, then re-enable the service.

The main thing - IT'S TOTALLY SAFE.

Drone
13-09-08, 14:02
Ah ok, thanks :) I might disable it then.