
Help!! i have a red x


pfat


Posted

Just got Advanced Care and under Security Analyzer I got the following red X on startup. Is this bad and what do I do?

 

 

1) Try Alternative Online Analyzer

 

2) If suspicious files or settings are found, you can use NOD32 Online Antivirus (Top, Free, Scan and Remove)

Type Status Entry Describe

Process System No Record

Process smss.exe Session Manager Subsystem

Process csrss.exe Client/Server Runtime Server Subsystem

Process winlogon.exe Windows Logon Process

Process services.exe Windows Service Controller

Process lsass.exe Local Security Service

Process svchost.exe Service Host Process

Process svchost.exe Service Host Process

Process svchost.exe Service Host Process

Process svchost.exe Service Host Process

Process S24EvMon.exe No Record

Process svchost.exe Service Host Process

Process svchost.exe Service Host Process

Process spoolsv.exe Printer Spooler Service

Process scardsvr.exe No Record

Process explorer.exe Windows Explorer

Process rundll32.exe Windows RUNDLL32 Helper

Process stsystra.exe No Record

Process hkcmd.exe Enables the Intel Hotkey command for graphics driver and keyboard.

Process igfxpers.exe No Record

Process igfxsrvc.exe No Record

Process ZCfgSvc.exe No Record

Process iFrmewrk.exe No Record

Process ZuneLauncher.exe No Record

Process qttask.exe Quick Time Tray Icon

Process ctfmon.exe Alternative User Input Text Processor

Process WinCinemaMgr.exe No Record

Process EasyShare.exe No Record

Process Kodak Software Updater.exe No Record

Process OLFSNT40.EXE No Record

Process svchost.exe Service Host Process

Process svchost.exe Service Host Process

Process EvtEng.exe No Record

Process RegSrvc.exe No Record

Process svchost.exe Service Host Process

Process WLKEEPER.exe No Record

Process ZuneBusEnum.exe No Record

Process unsecapp.exe No Record

Process wmiprvse.exe No Record

Process wscntfy.exe Windows Security Center Notification App

Process wmiprvse.exe No Record

Process alg.exe Application-Level Gateways

Process TeaTimer.exe No Record

Process AWC.exe Advanced WindowsCare

Process is360.exe No Record

Process is360tray.exe No Record

Process is360srv.exe No Record

Process iexplore.exe Internet Explorer

Services EvtEng.exe Related to Intel Corporation

Services IS360srv.exe No Record

Services RegSrvc.exe Related to Intel® PROSet/Wireless Registry Service

Services S24EvMon.exe Related to Event_Monitor from Intel Corporation Supports driver extensions to NIC Driver for wireless adapters. Note: Located in \%Program Files%\Intel\Wireless\Bin\ Supports driver extensions to NIC Driver for wireless adapters.

Services WLKeeper.exe Related to Intel Corporation

Start UP ctfmon.exe CTFMon is involved with the language/alternative input services in Office XP. Ctfmon.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. Ctfmon can be disabled from Control Panel, Text & Speech Services. Note - the file will al

Start UP TeaTimer.exe TeaTimer is a permanent process and registry monitor of the Spybot S&D system protector which perpetually monitors the processes called/initiated. Detects processes wanting to start and gives you options on how to deal with this process in the future

Start UP startup No Record

Start UP rundll32.exe bthprops.cpl No Record

Start UP Hijacker

Start UP BluetoothAuthenticationAgent No Record

Start UP Reader_sl.exe Speeds up the launch of Adobe (Acrobat) Reader 7

Start UP igfxtray.exe Part of Intels Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Quick access to the control panel via a System Tray icon. Available via Start -> Settings -> Control Panel

Start UP hkcmd.exe Part of Intels Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. If the user wishes to have "HotKey" access to Intel's customised graphics properties, it is required, otherwise not. It can be disabled via the Display Properties in the Control Panel

Start UP igfxpers.exe Part of Intels Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Not known exactly what it does but apparently it isn't required

Start UP ZCfgSvc.exe Zero Config MFC Application, part of Intel's ProSET utilities and installed by the drivers for many of Intel wireless network cards - essential to the proper functioning of many of the Intel ProSET utilities (but not all) and these System Tray ProSET utilities are a must if you are using your wireless connection, if only so you know when the signal is fading or dropping. The problem is that, in some PCs, ZCFGSVC can be incredibly badly behaved : taking up to 100% of CPU time and therefore resulting in an ex

Start UP tf Intel Wireless Tray No Record

Start UP ZuneLauncher.exe Only needed if running Microsoft's new Zune software for use with their new Zune music player. Similar to iTunes for the iPod

Start UP qttask.exe -atboottime No Record

Start UP autostart No Record

BHO 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3 AcroIEhelper.ocx, AcroIEhelper.dll - Adobe Acrobat reader, http://www.adobe.com/products/acrobat/readstep2.html

BHO 3CA2F312-6F6E-4B53-A66E-4E65E497C8C0 LinkScannerIE.dll - LinkScanner, http://linkscanner.explabs.com/linkscanner/default.asp

BHO 53707962-6F74-2D53-2644-206D7942484F SDhelper.dll - SpyBot Search&Destroy, http://www.safer-networking.org/index.php

Button {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} No Database

Button {e2e2dd38-d088-4134-82b7-f2ba38496583} No Database

Button {FB5F1910-F110-11d2-BB9E-00C04F795683} No Database

ActiveX 8FFBE65D-2C9C-4669-84BD-5829DC0B603C No Record

Posted

Red x

 

The red X says start-up hijacked.

 

Logfile of IObit HijackScan v0.2.0.0

Scan saved at 22:4:42, on 2009-11-12

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\IObit\Advanced SystemCare 3\IObitUpdate.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\IObit\IObit Security 360\a_hijackscan.exe

C:\WINDOWS\system32\NOTEPAD.EXE

 

O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [intelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O9 - Extra button: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -

O9 - Extra button: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Intel® PROSet/Wireless Event Log - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless WiFi Service - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

O23 - Service: Intel® PROSet/Wireless SSO Service - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
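
Added example, not part of the original posts and not IObit's code: a small Python parser for the `O4` Run-key lines in the log above that keeps each program together with its arguments. The analyzer table lists `startup`, `autostart` and `tf Intel Wireless Tray` as separate "No Record" rows, and those strings match the arguments on the `O4` command lines; the function names and note texts here are assumptions of this example.

```python
import re
from collections import namedtuple

# Excerpt of O4 lines copied from the HijackScan log posted above.
SAMPLE_LOG = r"""
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
O4 - HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
"""

O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\.+?\\: \[(.+?)\] (.+)$")
# Shortest prefix ending in an executable extension followed by a space or end of line.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)", re.IGNORECASE)
RunEntry = namedtuple("RunEntry", "hive name image args notes")

def split_command(cmd):
    """Split a Run-key command line into (image, args, was_quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip(), False
    head, _, tail = cmd.partition(" ")  # no known extension: split at first space
    return head, tail.strip(), False

def parse_o4(log):
    """Return one RunEntry per O4 line, with review notes for a human reader."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image, args, quoted = split_command(m.group(3))
        notes = []
        if not quoted and " " in image:
            notes.append("unquoted path with spaces")
        if image.lower().endswith("rundll32.exe"):
            notes.append("rundll32 host: review the DLL/CPL in args")
        entries.append(RunEntry(m.group(1), m.group(2), image, args, tuple(notes)))
    return entries

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f"{e.hive} [{e.name}] image={e.image!r} args={e.args!r} {list(e.notes)}")
```
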

Posted

Hi again,

 

Interesting, as I can't see anything malware for that startup hijack!!!

 

Check those entries, uploading them to VirusTotal.

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

 

Update your Adobe to version 9.2

 

Really, that's all I can say.

 

Which Startup is with Red X?

 

Cheers.

Posted

Red X

 

enoskype, not quite sure what you are asking me to do. Are you asking me to:

 

1) run the whole report through VirusTotal, or

2) cut and paste those entries you had down into VirusTotal, or both?

 

Unfortunately, I need it as simple and as clearly stated as possible.

Posted

Red X

 

enoskype: I loaded Adobe 9.2 and ran the scan. It's the same results. I also ran the entire report through VirusTotal but didn't notice any comments of problems. As far as which startup, I just copied it for you:

 

Start UP TeaTimer.exe TeaTimer is a permanent process and registry monitor of the Spybot S&D system protector which perpetually monitors the processes called/initiated. Detects processes wanting to start and gives you options on how to deal with this process in the future

Start UP startup No Record

Start UP rundll32.exe bthprops.cpl No Record

Start UP Hijacker

Start UP BluetoothAuthenticationAgent No Record

Start UP igfxtray.exe Part of Intels Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Quick access to the control panel via a System Tray icon. Available via Start -> Settings -> Control Panel

Posted

VirusTotal scan

 

How to scan the 3 files enoskype mentioned.

I will use the following file of yours as an example:

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

 

Go to VirusTotal

• Click Browse

• On the left of the window that opens click My Computer

• Open (double click) (C:)

• Open Program Files

• Open SigmaTel

• Open C-Major Audio

• Open WDM

• Double click stsystra.exe (it may just say stsystra in the window)

The window will disappear and C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe will appear in the VirusTotal box.

 

• Click Send File and wait (you may be in a queue)

If it says File has already been analysed: then:

• Click Reanalyse file now and wait

• When the scan has finished copy the address from the address bar to post here. It will look something like this:

http://www.virustotal.com/analisis/167bd3282b544c69331c89f83b7788dc4e5c5872a0332ee931a00a2c1a25971d-1258224820

 

Do the same for the other 2 files:

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

 

Post the 3 addresses for the 3 scans in this thread and tell us if anything was found.

 

All the best, woz of oz

Posted

Hi pfat,

 

Do you see that startup item in Startup Manager? :

 

ASC=>Utilities=>Admin Tools=>Startup Manager

or

IS360=>Tools=>Hijack Scan=>Startup

 

If you see it, delete it there,

or delete it by checking the checkbox in Hijack Scan in either software.

 

Cheers.

Posted

enoskype

 

Got your note. What would the startup item say or look like? Don't forget, I need it as basic as it comes. I do appreciate the time and effort that you and wozofoz have taken to help me work through this. I have actually learned a lot. Thank you much.

Posted

Screenshot is good

 

enoskype: I loaded Adobe 9.2 and ran the scan. It's the same results. I also ran the entire report through VirusTotal but didn't notice any comments of problems. As far as which startup, I just copied it for you:

 

Start UP TeaTimer.exe TeaTimer is a permanent process and registry monitor of the Spybot S&D system protector which perpetually monitors the processes called/initiated. Detects processes wanting to start and gives you options on how to deal with this process in the future

Start UP startup No Record

Start UP rundll32.exe bthprops.cpl No Record

Start UP Hijacker

Start UP BluetoothAuthenticationAgent No Record

Start UP igfxtray.exe Part of Intels Common User Interface for chipsets with integrated graphics controllers - which allows user to change different driver properties through Windows User Interface. Quick access to the control panel via a System Tray icon. Available via Start -> Settings -> Control Panel

 

Got your note. What would the startup item say or look like?

 

I would guess enoskype is referring to Start UP Hijacker from the above list

 

I suggest you post a screenshot of ASC Startup Manager. If you are unsure how to do this, go to Usage of IObit Products and click on Post# 12 Screenshots and Attachments in the Forum

 

Did you use the SpyBot Search & Destroy - Startup Manager at some time ?

Have you only recently enabled SpyBot - TeaTimer or have you been using it for a long time ?

I used SpyBot before (but not now) and my research over at the SpyBot forums found many cases of problems with TeaTimer so I never used it, there are however many people who like it.

You could try going to SpyBot options and disabling TeaTimer and from Startup, then Restart and see if that makes a difference.

It's a quick and easy way to see if this is a False Positive created because of TeaTimer :wink:

 

All the best, woz of oz

Posted

Wozofoz and Enoskype

 

Thank you both for your expertise and your time. I have completed all the steps and when I rechecked the Security Analyzer it now reports no problems. I also deleted Spybot. Thanks again, and I guess we can consider this case closed :grin::grin::grin:

Archived

This topic is now archived and is closed to further replies.
