Hi Veka..thanks for the clarification about this AOL adware...I will just leave it alone. I am planning on running several additional standard antivirus scanners, just to be absolutely sure everything is OK (since I know each scanner uses a different signature database)...I will of course promptly let you know if I find anything malicious..
One other important note: sometimes (especially during antivirus scans of my machine) my McAfee firewall throws up an alert of the following type:
McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it, we recommend that you remove the program.
About this Potentially Unwanted Program
Name: Tool-NirCmd
Location: C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP599\A0156375.com
Spyware, adware, and other potentially unwanted programs can harm your computer, compromise its security, and damage valuable files.
Then it gives 3 options:
1. Remove this program
2. Trust this program
3. Close this alert
I normally choose option 1, but I keep getting alerts for this "Tool-NirCmd" anyway. After I click "remove this program", a message comes asking if I want to use McAfee's uninstaller to remove the program or if I want to manually remove it using the vendor's own uninstaller. I always choose the former. It is possible that, for each alert, the exact LOCATION of Tool-NirCmd is different. Do you have any advice on all of this?
Hi Veka...thanks for reminding me about cleaning up System Restore..that's one step I forgot to do. I also wanted to mention that there seems to be something wrong with my Java. I installed the latest version that you provided, but I have since received 2 messages pointing to a potential problem with Java:
1. When I ran the Kaspersky online scanner, I initially received a warning box saying "Starting Java Applet has failed...please go online to use program." Then I clicked "OK" and the scanner started working normally.
2. I tried using the Trend Micro Online scanner, and usually I am able to do so using the "Java-based kernel", but this time there was a warning next to this option saying "Java support is disabled on your system or no Java runtime environment is installed. If you want to use the Java-based Housecall kernel, please enable or install a Java runtime environment version 1.4 or higher. If your runtime environment is up-to-date but you are still receiving this message, please close your browser window and reopen Trend Micro Housecall in a new window." I tried this latter piece of advice, to no avail. Do you know what's wrong or how I can fix this problem?
Hi Veka...just to make sure that the occurrences with Kaspersky and Trend Micro Housecall were not just "flukes", do you know of a good direct method I can use to test the condition of my Java?
Hi Veka, thanks so much for that link. It turns out that my Java is functioning properly. I am now running some additional scanners, and I will promptly let you know if they find anything malicious on my system..
Hi Veka...I uninstalled the Webroot Antivirus scanner, and when I did so the Ssiefr.exe and wrLZMA.dll were deleted automatically. So it appears those files were harmless, and everything is OK there. Also, my computer does not appear to be displaying any obvious symptoms at the moment.
As far as the other potential infection found by the PANDA scanner, here is my HJT file that you requested:
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player
Agere Systems AC'97 Modem
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner (remove only)
EasyCleaner
ESET Online Scanner
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Deskjet 3840
HP Help and Support
HP Update
HP Wireless Assistant 1.01 B2
HP_User_Guides_0005
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD
iTunes
Java(TM) 6 Update 10
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 4.0 - SE
Panda ActiveScan 2.0
Quick Launch Buttons 5.10 B5
QuickTime
RealPlayer
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SoundMAX
Texas Instruments PCIxx21/x515 drivers.
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Window Washer
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Zone Deluxe Games
The "data1.cab[wget.exe]" file isn't a security risk as it's an archive. You can, however, extract the archive and scan wget.exe by uploading it to VirusTotal if you want to make sure.
Hi Veka...I was just wondering how exactly do I extract this particular archive and upload it to VirusTotal (I'm not too experienced with computers)? If you could, I'd really be grateful for some kind of step-by-step approach..
Hi Veka...I tried using 7-zip to open the data1.cab file, but it did not work. Here's what happened and what I did: I navigated to the appropriate data1.cab file, then I right-clicked it. Then in the context menu I clicked "7-zip". Then I clicked "open archive." When I did this, I got a message from 7-zip saying "Cannot open [filename] as archive." Did I do something wrong?
Hi Veka...I also downloaded IZArc and tried opening the CAB file using it (by double-clicking the CAB file), but when the IZArc window opened, it was empty. It appears as if this file is totally empty (or somehow I did not use IZArc correctly). But the size of the file is listed as above 2000 kb, so I assumed something would be contained within it. Do you know what I can do to see the contents of this file? Or would you say that it is okay to maybe just ignore this particular CAB file for now?
Hi Veka...thanks for looking into the situation with the CAB file. I will just leave it alone. Also, I am soon going to be installing some new security software, and I just had a few questions about this:
1. For the antivirus, you recommended Avast or Avira...in your opinion, is one better than the other?
2. If I choose either of the above options, do I need to change any of the default settings once the program is installed?
3. If I pick one of these antivirus programs, will I need a separate antispyware program to go along with it (one that actively protects against spyware infections)? If so, which do you recommend?
4. You also recommended the Comodo Firewall...once I install this, will I need to change any of its default settings?
5. Lastly, another alternative that you mentioned was the Comodo Suite...will this be adequate protection by itself, and will I need to alter any of its default settings after I install it?
Hi Veka..thanks so much for answering those questions. Also thanks for providing the instruction link for AntiVir. Even though I don't understand it, the snapshots of the programme make it easy to follow. I think I will install AntiVir and Comodo..and perhaps some free antispyware programme as well.
I just had a few final questions about certain items:
1. In the SDFix log entry that I posted previously, there are a couple of references to Yahoo Messenger (under the "Remaining Services" section). I used to have this programme, but I uninstalled it a long time ago (even before I ran SDFix). How do I delete these traces of YM that SDFix found?
2. In the log for Combofix that I posted previously, under the "Registry loading points" section, there are the following items listed:
My Securer
Google Web Accelerator
SecureMaker
Symantec Core LC
Symantec AV
Symantec FW
I used to have these on my system also, but I uninstalled them a long time ago. How do I get rid of these traces?
Hi Veka...thanks so much for your assistance in curing my computer..everything seems to be okay at the moment (minus a major problem I'm having uninstalling Adobe Reader, but I'm getting help with that from another forum)...
Also, I just had one last question regarding the new security software I'm going to install. I like to keep the number of programs to a minimum, so I'm going to just install the free Comodo firewall and also the free Avast! (or possibly free AVG) antivirus..would this be adequate protection for me? I decided against AntiVir because it does not include anti-spyware protection and would thus mean I would need to install a separate program for that. I also kept MBAM on my system...
Comments
You can find instructions on how to disable and enable System Restore from these guides:
Disable And Enable System Restore
Windows XP System Restore Guide
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:24 PM, on 11/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] "C:\Program Files\Registry Mechanic\RegMech.exe" /H
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169784257281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab?AuthParam=1226469509_1dc8e8ed10a1c83d7a326b29d5e90deb&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD5/JSCDL/jre/6u10-b92-b/jinstall-6u10-windows-i586-jc.cab&File=jinstall-6u10-windows-i586-jc.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 8228 bytes
Thanks
http://www.java.com/en/download/help/testvm.xml?ff3
Thanks again
1. The Panda Online Scanner found the following:
name: Trj/Banker.JER
location: C:\Program Files\InstallShield Installation Information\{76542EE3-5849-11D2-9C18-00609707C0FF}\data1.cab[wget.exe]
According to the Panda scanner, this infection is "Latent" and "non-disinfectable." What should I do about this, if anything?
2. The Avira AntiVir Personal scan flagged a couple of "warnings" (in each case, the "file could not be opened" during the scan):
a. C:\WINDOWS\system32\SsiEfr.exe
b. C:\WINDOWS\system32\wrLZMA.dll
I was curious if these 2 files are malicious or not..I did a little research, and apparently "wrLZMA.dll" should be in the Webroot directory, NOT the WINDOWS directory. Also, if "wrLZMA.dll" is a legit Webroot file, it should be 17 kb..but this one is about 30kb. As a further piece of information, the SsiEfr.exe on my system is about 16 kb. What should I do about these? Both were "created" on a day in which I did NOT have any Webroot software on my system...therefore, I'm a little suspect about these 2 files...
Thanks again so much
It seems this is related to a program you have installed. Also, the file wget.exe might be malware. Unfortunately, I can't say more than that.
Post an uninstall list:
There is a simple test. Just rename these files:
SsiEfr.exe to SsiEfr.0xe
wrLZMA.dll to wrLZMA.0ll
Does this cause problems for your Webroot software?
Do you notice any other symptoms?
Thanks very much
First you need software that unpacks CAB files, like IZArc or 7-Zip. Both are free.
Open the archive file and search for wget.exe (there can be loads of files). When you manage to find it, just drag and drop the file to your desktop.
- Go to VirusTotal
- Search the file using Browse button and then click on the Send File button.
- Save a copy of the Anti-Virus results only. Post the results in your next reply.
Note: If you come to the "File has already been analysed:" page, select "Reanalyse file now" to get a fresh scan.
Thanks
Thanks
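An added PowerShell example, not from the thread, that covers both the Avira-flagged files (SsiEfr.exe and wrLZMA.dll, which the poster compared by size and creation date) and an extracted wget.exe: it reports each file's size, timestamps, Authenticode signature status and signer, and its SHA-256, which can be searched on VirusTotal instead of uploading the file. The desktop path for wget.exe is an assumption.

```powershell
# Added example (not from the thread): report size, timestamps, Authenticode
# signature and SHA-256 for suspect files so they can be compared against the
# vendor's own copy and looked up on VirusTotal by hash.
# The first two paths are the ones named in the thread; the wget.exe path
# assumes the file was extracted to the desktop as the helper suggested.
$SuspectFiles = @(
    'C:\WINDOWS\system32\SsiEfr.exe',
    'C:\WINDOWS\system32\wrLZMA.dll',
    "$env:USERPROFILE\Desktop\wget.exe"
)

# SHA-256 via .NET, so this also works on old PowerShell versions without Get-FileHash.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-SuspectFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Output ("{0}: not present" -f $p)
            continue
        }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        # A Valid status with the vendor's name as signer is strong evidence the
        # file is genuine; NotSigned or HashMismatch on a file that claims to be
        # a vendor component deserves a closer look.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        New-Object PSObject -Property @{
            Path      = $p
            SizeKB    = [math]::Round($item.Length / 1KB, 1)
            Created   = $item.CreationTime
            Modified  = $item.LastWriteTime
            SigStatus = $sig.Status
            Signer    = $signer
            Sha256    = Get-Sha256Hex -Path $p
        }
    }
}

Get-SuspectFileReport -Paths $SuspectFiles | Format-List
```

Pasting the SHA-256 into VirusTotal's search box shows whether that exact file has already been analysed, which is the "File has already been analysed" page the instructions above refer to.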
1. Not really. It's a matter of taste, and I just like AntiVir, despite that nag screen. Choose the one that pleases you most.
2. This is a matter of taste (and needs), again.
I have made an installation guide for AntiVir, but it's in Finnish. Maybe it will help you, however.
http://sites.google.com/site/vekansivu/Home/avira-antivir-personal
3. I can't answer that; it depends on you. I myself am using MBAM and a-squared, but without real-time protection.
4. No. I recommend installing Comodo with "Optimum Proactive Defense".
5. Comodo's AntiVirus isn't very effective yet. That's why I recommend something else instead.
Hope these help you.