Q: Is this a virus/trojan/worm and, if so, what can I do to uninstall it? (Answered, 4 out of 5 stars, 0 Comments)
Question  
Subject: Is this a virus/trojan/worm and, if so, what can I do to uninstall it?
Category: Miscellaneous
Asked by: jetdrvr-ga
List Price: $20.00
Posted: 07 Jul 2004 19:13 PDT
Expires: 06 Aug 2004 19:13 PDT
Question ID: 371098
I have a program installed on my computer.  The path is
Windows\System32\drivers\scrambler.sys.  I can only find one reference
to it on a Google search, and that is somewhere on a French language
bulletin board.  Once directed there, I can't locate the reference.

It has no documentation in Task Manager.  When I delete the file and
the registry entries with CyberScrub and Reg Seeker, on reboot it
replicates itself and reinstalls itself.  Norton Anti Virus does not
recognize it as a worm or trojan, but it behaves exactly like one.
What should I do?
Answer  
Subject: Re: Is this a virus/trojan/worm and, if so, what can I do to uninstall it?
Answered By: aceresearcher-ga on 08 Jul 2004 15:25 PDT
Rated:4 out of 5 stars
 
Greetings, jetdrvr!

Unfortunately, your computer has been infested by a nasty Trojan virus
called Scrambler. This Trojan is most commonly spread by attachments
sent via e-mail and IRC (Internet Relay Chat) programs such as MSN
Messenger and AOL Messenger.

You can read a little bit about it at Boston University's website:
http://www.bu.edu/computing/virus/scrambler.html


Please download, install, and run the following free utilities:

Spybot Search & Destroy
http://security.kolla.de/index.php?lang=en&page=download 

AdAware
http://www.lavasoft.de/support/download

*** IMPORTANT ***
The first time you run them, or if you already have Spybot and/or
AdAware installed on your PC, be sure to download the latest updates
first **each time you run them**.
*****************

Something to keep in mind is that even if these programs give your
system a "clean bill of health", it does *not* mean that you can be
absolutely sure that your system is clean. It is only a *reasonable
assurance* that it is clean.


You don't say what AntiVirus program you are running. You will want to
be sure to get the latest detection updates for your AntiVirus program
by running your system's LiveUpdate process.

In addition, here are instructions for making sure you've eradicated
the virus from your system:

If you've got Norton AntiVirus:
http://www.symantec.com/avcenter/venc/data/w32.hllp.scrambler.html

If you've got McAfee AntiVirus:
http://vil.nai.com/vil/content/v_98665.htm


Scrambler is an old virus (circa 2000), and I'd say it's pretty likely
that your operating system needs to have some security patches
applied. Go to the following site and download and install any
critical updates which it may say that you need:
http://v4.windowsupdate.microsoft.com/en/default.asp

It's VERY important to continue to check with Microsoft periodically
and make sure that you have installed any new security-related patches
that have been released.


Before Rating my Answer, if you have any Questions about the above
information, please post a Request for Clarification, and I will be
glad to see what I can do for you.

Please let me know whether you are able to resolve your problem, or
whether you need more assistance.


I hope that this Answer provides exactly the information you were seeking!

Regards,

aceresearcher

Request for Answer Clarification by jetdrvr-ga on 08 Jul 2004 20:12 PDT
Thanks for the help.  I had Spybot and downloaded Ad-aware. Neither
detected the target files.

I also have a current version of Norton Anti Virus, updated through
today.  This does not detect W32.HLLP.Scrambler or VBS.scrambler on
the machine.

I have all Windows patches and updates installed through yesterday.

Norton's page on W32.HLLP says the virus occupies 72,800 bytes.  My
scrambler.sys file contains 151,552 bytes.

I have AntiKeylogger installed.  This program occasionally fails to
load at startup.  Prior to reinstalling it, I checked Security Task
Manager for running processes and scrambler.sys is not listed.  After
reinstalling Anti-Keylogger, it is then listed. This occurs each time
I find it necessary to reinstall the keylogger. Is it possible that
scrambler.sys is a process of Anti-Keylogger instead of a trojan?

Many thanks for your information.

Fred Moore
Miami

Clarification of Answer by aceresearcher-ga on 08 Jul 2004 21:17 PDT
Fred,

It's possible that scrambler.sys is part of Anti-Keylogger, though I
would highly doubt it.

I have a minor in French, so I took a look at the pages which refer to
"scrambler.sys" (you can see the version at the time of Google's
indexing by clicking on "Cached"):
http://www.google.com/search?q=%22scrambler.sys%22
The posts on these pages are quite recent (the end of June); they call
scrambler.sys part of a virus, and the person having the problem
reports that AdAware 6.0 with the latest detection update will resolve
the problem.

Before you ran AdAware and Spybot, did you make sure that you have the
latest versions plus the latest updates?

Start up AdAware. In the bottom right-hand corner, it should say
"AdAware 6.0 Personal, Build 6.181". Up above, under "Initialization
Status", it should say "Reference file 01R331 08.07.2004 loaded". If
your settings for either of these do not match, click "Check for
updates now". Once the update has completed, if one or both of these
still doesn't match the settings I listed, you may need to uninstall
AdAware, and then download and install the latest version from
http://www.lavasoft.de/support/download
Once that's installed, be sure to click "Check for updates now" to get
the latest reference files.

Once you have the latest Build and Reference file, try running AdAware
again and remove any recommended items.


Then, start up Spybot Search & Destroy. Pull down the "Help" menu and
select "About". You should see
Spybot Search & Destroy 1.3
Latest detection update: 2004-06-23.
If your settings for either of these do not match, click the "Update"
icon menu on the left-hand side of the screen, and then click on
"Search for Updates" near the top of the page.  You'll need to exit
Spybot and restart it to check the "About" information page. If this
doesn't work, you may need to uninstall Spybot, and then download and
install the latest version from
http://www.safer-networking.org/index.php?page=mirrors

Once you have the latest Version and Detection Update, try running
Spybot again and remove the recommended items.

*** IMPORTANT ***
Each time you run Spybot and/or AdAware, be sure to download the
latest updates first!
*****************

Then shut down your computer and restart.

Once you've done those, download and run CoolWebShredder (scroll down):
http://www.spywareinfo.com/~merijn/downloads.html
When you start up CoolWebShredder, it should say Version 1.59.1 .

Then shut down your computer and restart.

Once you've done that, download and run HijackThis!, and post your
scan log here. We'll go from there.
http://www.spywareinfo.com/~merijn/downloads.html

ace

Request for Answer Clarification by jetdrvr-ga on 09 Jul 2004 02:10 PDT
Ace...

Did as instructed. All program updates are installed and run.

While you were working on this, I did a complete uninstall on
Anti-Keylogger and rebooted. I then ran Safety Task Manager and
scrambler.sys was not listed as a running process.

I then checked the driver directory and the file was gone.

I then reinstalled Anti-Keylogger, performed the same checks, and
there she was.  scrambler.sys is back in the driver directory and
shows as a running process on Safety Task Manager.  This leads me to
believe that it is part of the Anti-Keylogger.

Here's the log:

Logfile of HijackThis v1.98.0
Scan saved at 4:53:50 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Documents and Settings\Owner.YOUR-W92P4BHLZG.001\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Anti-Keylogger 5.0] C:\Program Files\Anti-Keylogger\ak5_load.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

I really appreciate your efforts.

Fred

Request for Answer Clarification by jetdrvr-ga on 09 Jul 2004 12:32 PDT
Ace,

I just got an answer from Anti-Keylogger tech support, finally, after
three days.  Scrambler.sys *is* a part of Anti-Keylogger.  Thanks for
all the help.  You get five stars.

Best,
Fred

Clarification of Answer by aceresearcher-ga on 09 Jul 2004 14:42 PDT
It looks to me as though your system is clean, although you may want
to consider using HijackThis! to remove the following optional items
if you don't use them frequently:

Microsoft Money Quick Launch Toolbar
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll


Windows Media Player
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

Norton Antivirus
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

(I don't have either of the above 2 items in my setup, and my Media
Player and Norton AntiVirus work just fine.)


S3 Video card display configuration taskbar utility for S3 chipset
based graphics cards (can be run from the Control Panel "Display"
section if needed)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
Ditto, for Intel 81x graphics chipset
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

Quick Time spyware (not necessary)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Only needed if you use the special programmed keys on your HP keyboard
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

HP Printer Toolbox
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

MSN Messenger
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

HP Instant Support
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe

User Interface for HP Center (a.k.a. HP's spyware)
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

Automatically detects an internet connection and downloads any
available HP driver updates (I'd disable this, but if you do, you'll
need to remember to check for driver updates at the HP site a couple
of times a year)
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

MS Office resource hogs which do not substantially improve searching
for files or starting programs on your system
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

MarketBrowser - get rid of it if you don't use this often
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy


Something else to consider is this:
If you use HP's Search function, you are probably getting results that
have been manipulated to give priority to websites which have paid for
higher placement. It's also possible that some of the HP programs
contain spyware (as alleged by various postings on the Internet). If
you want to get rid of HP's search, try removing:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/

If you decide to remove any of these, afterwards shut down and restart
your computer; then please run and post a fresh version of your
HijackThis! log.
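
The log review above is done by eye, entry by entry. As an added example that is not part of the original thread, of HijackThis, or of any vendor named on this page, the Python script below parses the same entry formats (R0/R1 browser settings, O2/O3/O9 COM components, O4 autoruns, O12 plugins, O16 ActiveX downloads) and applies a few review rules of the kind a reviewer applies by hand: an IE start or search page pointing at an unfamiliar host, an ActiveX control pulled over plain HTTP, an autorun given as a bare file name that Windows must locate via the search path, a program running from outside the usual install directories, a Windows core process name living outside System32, and a BHO registered without a name. The trusted-directory list, the known-provider list and the core-process list are this example's own assumptions. SAMPLE_LOG is a constructed excerpt: most lines are copied from Fred's log, and the find.example-search.net entry and the Temp-folder svchost.exe autorun are invented to exercise the rules.

```python
"""Triage a HijackThis-style log: parse each R/O entry, then flag the ones a
reviewer should look at first.  Added example for this page, not code from the
thread, from HijackThis, or from any vendor named above; the review rules and
the trusted-directory / known-provider lists are this example's assumptions.
SAMPLE_LOG is a constructed excerpt (two of its lines are invented)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumptions for this box: where legitimate autorun targets live, which hosts may own
# IE's start/search settings, and which core process names are worth a masquerade check.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "c:\\hp\\")
KNOWN_PROVIDERS = ("hpwis.com", "microsoft.com", "msn.com")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# "... - {CLSID} [(Name)] - <path or URL>": splitting after the CLSID keeps paths that
# themselves contain " - " (e.g. "Spybot - Search & Destroy") in one piece.
CLSID_SPLIT_RE = re.compile(r"^(?P<head>.*?\{[0-9A-Fa-f-]+\}(?: \([^)]*\))?) - (?P<tail>.*)$")
# First program-like path in a command line; surrounding quotes and arguments are dropped.
EXE_RE = re.compile(r'"?(.*?\.(?:exe|dll|ocx|xpy|cab|sys|scr))\b', re.I)

@dataclass
class Entry:
    kind: str                 # "R1", "O4", "O16", ...
    name: str = ""            # registry value, BHO name, [Run] name or shortcut name
    target: str = ""          # file path or URL the entry points at
    flags: list = field(default_factory=list)

def executable_of(command):
    """Program a Run/BHO/toolbar entry launches, minus quotes and arguments."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()

def parse_line(line):
    """One log line -> Entry, or None for headers and the process listing."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind=kind)
    if kind in ("R0", "R1"):                                   # key,value = url
        e.name, _, e.target = body.partition(" = ")
    elif kind == "O4":
        m4 = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<path>.*)$", body)  # [Name] command
        if m4:
            e.name, e.target = m4.group("name"), m4.group("path")
        else:                                                  # Global Startup: x.lnk = path
            e.name, _, e.target = body.partition(" = ")
    elif kind in ("O2", "O3", "O9", "O16"):
        mc = CLSID_SPLIT_RE.match(body)
        e.name, e.target = (mc.group("head"), mc.group("tail")) if mc else body.rpartition(" - ")[::2]
    else:                                                      # O12 etc.: "label: path"
        e.name, _, e.target = body.partition(": ")
    return e

def triage(e):
    """Attach review flags to one Entry and return it."""
    if e.kind in ("R0", "R1") and e.target.lower().startswith("http"):
        host = urlparse(e.target).hostname or ""
        if not any(host == p or host.endswith("." + p) for p in KNOWN_PROVIDERS):
            e.flags.append(f"IE start/search setting points at unfamiliar host {host}")
    elif e.kind == "O16" and urlparse(e.target).scheme == "http":
        e.flags.append("ActiveX control fetched over plain HTTP; nothing protects it in transit")
    elif e.kind in ("O2", "O3", "O4", "O9", "O12"):
        exe = executable_of(e.target)
        low = exe.lower()
        if "\\" not in exe:
            e.flags.append(f"bare file name {exe}: found via the search path at logon, not a fixed location")
        elif not low.startswith(TRUSTED_DIRS):
            e.flags.append(f"runs from an unusual location: {exe}")
        base = low.rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\system32\\"):
            e.flags.append(f"{base} is a Windows core process name, but this copy is outside System32")
        if e.kind == "O2" and "(no name)" in e.name:
            e.flags.append("BHO registered without a name; identify the DLL's vendor before trusting it")
    return e

def triage_log(text):
    """Parse every entry in a log and run the rules; returns a list of Entry."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]

def report(entries):
    """What a reviewer reads first: flagged entries only, one line per flag."""
    return [f"{e.kind} {e.name}: {flag}" for e in entries for flag in e.flags]

SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find.example-search.net/bar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Keylogger 5.0] C:\Program Files\Anti-Keylogger\ak5_load.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
"""

if __name__ == "__main__":
    print("\n".join(report(triage_log(SAMPLE_LOG))))
```

Run as a script it prints one line per flag; on the constructed sample that is seven flags on six entries, and the Anti-Keylogger autorun, the OEM search page and the Microsoft ActiveX control come through clean. The rules deliberately key on where and how something is loaded rather than on what it is called: as this thread shows, a file name that matches a published virus name (scrambler.sys) is evidence of nothing by itself, and the only name-based rule here is the narrow one for a core Windows process name appearing outside System32.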

Request for Answer Clarification by jetdrvr-ga on 09 Jul 2004 21:16 PDT
Ace...

I deleted the files you indicated.  Here's the current log after reboot.
You're doing a lot of work for twenty bucks.  Wish I was rich but I'm
on disability and this computer is my lifeline.  I'm sick of getting
attacked constantly, but I guess that's the way things are these days.

Logfile of HijackThis v1.98.0
Scan saved at 11:36:19 PM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Documents and Settings\Owner.YOUR-W92P4BHLZG.001\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Anti-Keylogger 5.0] C:\Program Files\Anti-Keylogger\ak5_load.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/OAS/ActiveX/winrep.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


Best,
Fred

Clarification of Answer by aceresearcher-ga on 10 Jul 2004 12:20 PDT
Fred,

It looks to me as though we've gotten most of the superfluous stuff
off of the list, so your system should hopefully be starting up faster
as well as processing a little faster.

I see that some of the HP stuff has come back; it's not terribly
malignant, just things you don't need using some system resources. I
don't want to attack the HP stuff any further though, because while my
research indicates that your system should work fine without them
running, there is a possibility we could cause problems with your
other HP functions if we insist on removing them.


Even if you know these things already, I'd like to give you a list of
"risky" activities associated with infection by adware, spyware,
Trojans, and viruses:

- not running behind a Firewall, such as Zone Alarm
- not running with a good AntiVirus program, such as Norton or McAfee
- not running the AntiVirus LiveUpdate once a week
- not periodically checking Microsoft's site for Critical Security
Updates for Windows
- opening an attachment to e-mails -- even from people you know -- if
you aren't expecting it without checking with the sender first
- setting Outlook's e-mail to preview e-mails (malicious scripts can
take advantage of this)
- opening Spam (these can contain blank hyperlinked gifs or scripts
which tip off the sender that your e-mail address is a valid one)
- not setting your Firewall to block pop-up ads
- clicking on pop-ups (never answer yes or no to a pop-up ad; close it
by going to the toolbar along the bottom of your screen,
right-clicking on the button for that window, and selecting "Close")
- clicking "Yes" or "No" on any dialog box which pops up without first
reading the dialog carefully
- surfing porn sites
- downloading any "helpful" programs such as calendars, download
"accelerators", programs to manage bookmarks/Favorites, any kind of
search toolbar other than Google Toolbar, etc., without first Googling
on the program name + spyware to see if it contains malware, for
example:

Gator spyware
http://www.google.com/search?q=Gator+spyware

If you engage in any of these risky activities (and sometimes you have
to), you should probably run both AdAware and Spybot at least once a
week; if not, once or twice a month (make sure to check for updates
first).

Best Wishes!

ace

Request for Answer Clarification by jetdrvr-ga on 10 Jul 2004 19:52 PDT
ace...

I've been running Zapro for years, although the current update locks
up every computer it's been installed on, so I'm running 4.5xxx.  I
update my Norton definitions daily, check for Windows updates daily,
and run Spybot and Adaware daily.

I've been under attack since April and am aware of the other cautions
you mentioned, such as not opening attachments and the others.

Thanks for all your help.  I spent 80 bucks with HP's tech people and
got nothing.  Norton told me to reformat.  They couldn't even come up
with what you did.

I sent AntiKeylogger a nastygram about naming one of their files the
same as a virus.  Stupid, or unaware, to say the least.

Glad to know there are people like you out there to assist in
emergencies.  My thanks again.

Best,
Fred

Clarification of Answer by aceresearcher-ga on 13 Jul 2004 10:34 PDT
Fred,

I'm *so* glad that you feel that I was able to help you. It sounds
like you are doing all the right things.

Anytime you have a question about what a specific program does, a good
place to start is at AnswersThatWorks' tasklist:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

and a Google on
"progname.ext" spyware
http://www.google.com/search?q=%22progname.ext%22+spyware
OR
progname spyware
http://www.google.com/search?q=progname+spyware

is often helpful.

Best wishes for a system that runs quickly and smoothly!

ace
jetdrvr-ga rated this answer: 4 out of 5 stars
Good job, but I still have a question about the answer and have posted it.  Thanks.

Comments  
There are no comments at this time.
