holy god...Did I hear someone say new "Read Me" Thread?
steosaur(oWn) 0 Junior Poster
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Sorry Geezer. I deleted the log. What you posted is actually the script from the program :D.
Did the file download as a vbs file? Delete the one you downloaded already, then go to the site and right click on the link and select *Save As* and save it to your desktop.
Run it from there by double (or single) clicking on it. When it has finished a log will be produced (a lot shorter than that one). Please post it here.
geezer 0 Junior Poster in Training
Ay up, Crunchie!
Back again, sorry I didn't reply sooner but it's been a bit of a mad weekend. Lots of kids and helping a friend move house...
Anyway I sussed the silent runners thing and heeeeeeer's the log :confused:
"Silent Runners.vbs", revision 30
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"CPQEASYACC" = "C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe" ["Compaq Computer Corporation"]
"srmclean" = "C:\Cpqs\Scom\srmclean.exe" [null data]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" ["Analog Devices"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"AutoLogon" = (no data)
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]
"MediaFace Integration" = "C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" ["Fellowes, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
"WinPatrol" = "C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe" ["BillP Studios"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{6E3C607A-B99C-4FA8-98F5-1AC1ADF7F5B9}" = "MediaFace extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fellowes\MediaFACE 4.0\MFShlExt.dll" ["Fellowes, Inc."]
Startup items in "ebennew" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
One other thing... I found my four year old sprog and his six year old cousin messing with the computer on Saturday evening :( I don't know what they did but 7 Firefox windows were open, CCleaner was open, ZoneAlarm had 2 windows open, a CD-ROM game was on demo mode, and a window I'd never seen before about UPLOADING TO WEB!
Nothing seems to have changed apart from my cute opening wav didn't play on starting windows. Hopefully this is due to CCleaner and maybe they actually helped out a bit... Hmmmm. Another lesson learned there.
PS Steosaur, what's a read me thread and does it have ecumenical significance? ;)
Slan abhaile!
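As an added example (not part of the thread and not code from the Silent Runners script), a small Python parser for the "Startup items buried in registry" section of a log in the format posted above: it pulls out each Run value's executable and publisher attribution and lists the entries a reviewer would want to look at first, those with an empty value or no publisher attribution ([null data]). The sample log is constructed in the same layout as the thread's log.

```python
import re

# Constructed sample in the layout of Silent Runners' "Startup items buried in
# registry" section (same shapes as the thread's log; values are illustrative).
SAMPLE_LOG = r"""
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"srmclean" = "C:\Cpqs\Scom\srmclean.exe" [null data]
"AutoLogon" = (no data)
"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"""

HIVE_RE = re.compile(r'^(HK[A-Z]+\\.*?)(?: \{\+\+\})?$')            # key line, optional {++}
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)" = (?P<value>.*?)(?: \[(?P<signer>[^\]]*)\])?$')
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|ocx))', re.IGNORECASE)   # heuristic: first module path

def parse_startup_entries(text):
    """One dict per registry value: hive, name, command, exe, signer."""
    entries, hive = [], None
    for line in text.splitlines():
        hm, em = HIVE_RE.match(line.strip()), ENTRY_RE.match(line.strip())
        if hm:
            hive = hm.group(1)
        elif em and hive:
            value = em.group('value')
            quoted = len(value) >= 2 and value[0] == value[-1] == '"'
            command = value[1:-1] if quoted else value  # drop the outer quote layer
            x = EXE_RE.match(command)                   # None for "(no data)" values
            signer = em.group('signer')                 # MS, null data, or "Company"
            entries.append({'hive': hive, 'name': em.group('name'), 'command': command,
                            'exe': x.group(1) if x else None,
                            'signer': signer.strip('"') if signer else None})
    return entries

def flag_entries(entries):
    """Triage list: (name, reason) for entries that deserve a closer look."""
    flagged = []
    for e in entries:
        if e['command'] == '(no data)':
            flagged.append((e['name'], 'empty value'))
        elif e['signer'] in (None, 'null data'):
            flagged.append((e['name'], 'no publisher attribution'))
    return flagged

if __name__ == '__main__':
    print(*flag_entries(parse_startup_entries(SAMPLE_LOG)), sep='\n')
```

An entry with no attribution is not proof of anything (srmclean and WinampAgent in the thread's log are legitimate), it is just where to start checking the file's origin.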
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Steosaur was commenting on the length of your previous silent runners log :D.
There is nothing bad to report in your newest log Geezer.
I had a hectic one too! My youngest daughter turned 14 on Saturday, my eldest daughter turned 16 today, my son turns 26 tomorrow, and my sister's birthday is also tomorrow :D.
Yuuummmmm....CAKE.
geezer 0 Junior Poster in Training
Nice one crunchie!
Does this mean I'm clean now? I can hardly believe it, it seems like a LONG time since all this started...
Thanks for all the patience and help and happy birthday to all your family. Enjoy the cake! :D
Slan abhaile agus go raibh mile maith agat!! :cheesy:
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
Looks all clear to me :). Thank you :D.
chound 1 Junior Poster
You could try disabling startup items that are not essential and those which are infected with viruses. Then you can restart and scan your PC again. Now you'll be able to remove it!
geezer 0 Junior Poster in Training
Uh oh...
I was checking System32 for suspicious DLLs by arranging them by date modified and came up with vsconfig.xml...
I googled it and Symantec seem to think it's to do with backdoorIRC aladinz.
I tried deleting it but can't access it as something's using it. Deleted it in safe mode but it was back again on reboot.
I tried Symantec's removal instructions in normal and safe modes. Also I can't back up the registry either (I get an error message).
Sorry about this now but I need to know if there's still a problem or if vsconfig.xml should be doing what it's doing... Even though Symantec know about the trojan nothing showed up on the scan (in either mode) but vsconfig.xml is still there...
Sorry again. I'm REALLY NOT an attention-seeking, bunny-boiling, psychotic IT forum addict...
Gabh mo leithsceal agus slan! :o
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
That file belongs to Zone Alarm :D.
caperjack 875 I hate 20 Questions Team Colleague
Uh oh...
I was checking System32 for suspicious DLLs by arranging them by date modified and came up with vsconfig.xml...
I googled it and Symantec seem to think it's to do with backdoorIRC aladinz.
I tried deleting it but can't access it as something's using it. Deleted it in safe mode but it was back again on reboot.
I tried Symantec's removal instructions in normal and safe modes. Also I can't back up the registry either (I get an error message).
Sorry about this now but I need to know if there's still a problem or if vsconfig.xml should be doing what it's doing... Even though Symantec know about the trojan nothing showed up on the scan (in either mode) but vsconfig.xml is still there...
Sorry again. I'm REALLY NOT an attention-seeking, bunny-boiling, psychotic IT forum addict...
Gabh mo leithsceal agus slan! :o
I think it's time to stop worrying about what's not on your computer and try using and enjoying your machine! LOL
geezer 0 Junior Poster in Training
:o Ah... Ahem!... Er, sorry about that... my computer is my friend, my computer is my friend, my computer is my friend, my computer is my friend, my computer is my friend, my computer is my friend, (repeat until funny) :lol:
Ok got a little paranoid there, lads! Time to hide HJT and all that from my desktop and get on with life. :)
Adh mor ort agus slan abhaile!!
mifa 0 Newbie Poster
heey
A bit late, but download stinger, (http://download.nai.com/products/mcafee-avert/stinger.exe)
Ad-Aware, CWS Shredder, Spybot Search & Destroy, and even a free anti-virus program like Grisoft AVG "or" AntiVir.
Install all and update definitions.
Then reboot in safe mode (press F8 during boot) and do all scans.
The msmsgs.exe is in your case a virus! It's in the wrong folder. Search Google for it.
Restart again and grant no program access except Firefox, ZoneAlarm itself and the svchost file (needed for Win XP to go on the internet). Then run the scans again.
For the rest of your computer usage, make a user with limited access. http://support.microsoft.com/default.aspx?scid=kb;en-us;279783&sd=tech
Much safer to work in.
good luck.
Mifa
kuowang 0 Newbie Poster
Any of ye caped crusaders able to help me out here? Norton AntiVirus told me I've got this trojan but didn't seem to be able to do anything about it. It's lurking around in MESSENGER\MSMSGS.EXE. Please tell me this is easier to cure than blooming spyware! :confused:
:cool: well, that's my plight. Who's got an answer?
caperjack 875 I hate 20 Questions Team Colleague
:cool: well, that's my plight. Who's got an answer?
Hi, welcome to DaniWeb. We ask that you not piggyback another thread; please start your own, with a better explanation of your problem and what you have done so far to correct it. Thanks.