| Thread ID: 65378 | 2006-01-16 02:28:00 | Info on Ardmax keylogger | KatiMike (242) | Press F1 |
| Post ID | Timestamp | Content | User |
| 421589 | 2006-01-16 10:53:00 | Correct, that nwiz.exe entry is part of the Nvidia drivers. It isn't needed in startup though. From that HJT log, your system is clean. I can't see any files relating to anything nasty though. By the looks of it (www.google.com) there are quite a few programs/files Webroot detects as trojans etc. when in fact the file isn't infected with anything at all. I wouldn't worry too much about it. I would either email the guys who make Spy Sweeper, or see if there's a FAQ on their site with a list of false positives. | Speedy Gonzales (78) |
| 421590 | 2006-01-16 11:10:00 | Thanks for that Speedy, will let you know the results. If Webroot Spy Sweeper is unreliable [false +ves] we all should know. And good to know the kids' HijackThis log looks OK. Mike | KatiMike (242) |
| 421591 | 2006-01-16 23:42:00 | "OK, so I look at the properties of the file in question: System: .cb, Type: CB file, Location: c:\Windows, Size: 116 bytes (116 bytes), 32,768 bytes used. So how does 116 bytes = 32,768 bytes??? Mike" A .cab file is usually just a compressed Windows installation file, but 116 bytes seems very suspicious. The reason the file uses 32,768 is because every file uses a set amount of disk space or multiples of it. You must have a relatively large hard disk and it is using 32 KB chunks. So a file of 5 bytes will still use 32 KB on your system. As the file would only be used for installation and it isn't on this 98 system I am using now, it should be safe to delete. | mikebartnz (21) |
| 421592 | 2006-01-17 03:33:00 | Thanks mikebartnz, great explanation. So I deleted the file [system.cab] via Windows Explorer, ran CCleaner, rebooted [restarted fine], checked the file was gone, ran Webroot and it still picked up Ardamax at the same [non-existent] location!!! Very strange indeed. From looking around the web it appears Webroot has a tendency to throw up false positives from time to time. Think I might download and install Ardamax and see a] where/how it installs and b] if my other detection progs then pick it up. | KatiMike (242) |
| 421593 | 2006-01-17 03:42:00 | Would probably pay to run Regclean or similar as there may be something in the registry that is being picked up. | mikebartnz (21) |
| 421594 | 2006-01-17 03:53:00 | It looks as if we might have been barking up the wrong can of worms. :D System.cb is a file used during a "clean boot" from F5 or F8. It's not a .CAB file. Though the MS pages do refer to it only as associated with W95. It is used to replace the .ini file and tells what drivers to load. I was confused by the variant spellings: .CB is not the same as .CAB. I see that there are programmes which use the .CB extension too, but I doubt if they'd be cheeky enough to make a file called system.cb. This file might be automatically replaced by the OS (during a safe mode boot) if it's removed. But why is it setting off alarms? | Graham L (2) |
| 421595 | 2006-01-17 06:46:00 | Thanks for the replies - so I downloaded and installed the Ardamax keylogger 2.4 and let it run. Webroot and WinPatrol threw up alerts - I continued and then ran up-to-date Spybot and Ad-Aware [full scan] - both found the system clean. Ran Spy Sweeper and it found 10 traces this time - prog files/startup/registry. Then a HijackThis log: Logfile of HijackThis v1.99.1 Scan saved at 5:11:37 PM, on 1/17/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SOUNDMAN.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE C:\PROGRAM FILES\UIB\UIB.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray O4 - HKLM\..\Run: [UIB] C:\PROGRAM FILES\UIB\UIB.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE O4 - HKLM\..\RunServices: [Mass Storage Check Registry] rundll32.exe C:\WINDOWS\SYSTEM\ShellExt\MSDServ.dll,CheckRegistry O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - housecall60.trendmicro.com O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - 10.0.1.3 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - www.pestpatrol.com It shows up as UIB in the above log [c.f. earlier]. Then I deleted it via Add/Remove Programs [where it showed up] and ran Webroot - then manually removed the traces Webroot found. My overall impression is that the initial alarm/detection from Webroot was a false positive. Thanks Graham L for your thoughts - since removing system.cb I have noted that progs are v slow to load after a reboot - and the system.cb file has not been automatically recreated. Nothing a reformat won't fix I s'pose :badpc: | KatiMike (242) |
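Spotting the UIB entry in the log above was done by eye. As an added example that is not part of this thread and not HijackThis's own code, the Python below parses the log format shown (the header, the running-process list, the registry and Startup-folder forms of O4, and O2 BHO lines) and then triages it the way the thread did: any autorun name outside an allowlist is reported, together with whether its executable is also in the running-process list. The trimmed sample log is constructed from this thread's own log, the allowlist is constructed from the entries the participants treated as benign, and the section regexes are my reading of the format, not a reference grammar.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample: a trimmed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:11:37 PM, on 1/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\UIB\UIB.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [UIB] C:\PROGRAM FILES\UIB\UIB.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - 10.0.1.3
"""

HEADER_RE = re.compile(r"^Logfile of HijackThis v(?P<version>[\d.]+)")
PLATFORM_RE = re.compile(r"^Platform: (?P<platform>.*)$")
SECTION_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")  # R0, O2, O4, O16 ...
# O4 comes in two shapes: registry Run keys and Startup-folder shortcuts.
O4_REG_RE = re.compile(r"^(?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<loc>Startup|Global Startup): (?P<lnk>.+?) = (?P<target>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# Constructed allowlist: autorun names the thread's participants treated as benign
# (Windows 98 SE stock entries, the NVIDIA entries, the installed security tools).
KNOWN_GOOD = {
    "scanregistry", "taskmonitor", "systemtray", "loadpowerprofile", "igfxtray",
    "hotkeyscmds", "soundman", "criticalupdate", "avg7_cc", "avg7_emc", "avg7_amsvr",
    "nvcpldaemon", "nwiz", "nvmediacenter", "easy-printtoolbox", "winpatrol",
    "spysweeper", "schedulingagent", "kb891711", "mass storage check registry",
    "spywareguard.lnk",
}


def executable_of(cmd: str) -> str:
    """Program an autorun command launches: handles quoted paths, switches,
    and rundll32 hosting a DLL (the DLL before the comma is the real payload)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?=\s|$)", cmd, re.IGNORECASE)
        if m:
            exe, rest = m.group(1), cmd[m.end():]
        else:
            parts = cmd.split(None, 1)
            exe, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if ntpath.basename(exe).lower() == "rundll32.exe" and rest.strip():
        return rest.strip().split(",", 1)[0].strip()
    return exe


def parse_hjt(text: str) -> Dict:
    """Split a log into header fields, running processes, O4 autoruns, O2 BHOs and the rest."""
    log: Dict = {"version": None, "platform": None, "processes": [],
                 "autoruns": [], "bhos": [], "other": []}
    in_procs = False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        h, p, s = HEADER_RE.match(line), PLATFORM_RE.match(line), SECTION_RE.match(line)
        if h:
            log["version"] = h["version"]
        elif p:
            log["platform"] = p["platform"]
        elif line == "Running processes:":
            in_procs = True
        elif s:
            in_procs = False  # the first finding line ends the process list
            code, body = s["code"], s["body"]
            r = (O4_REG_RE.match(body) or O4_STARTUP_RE.match(body)) if code == "O4" else None
            b = O2_RE.match(body) if code == "O2" else None
            if r:
                g = r.groupdict()
                name, cmd = (g["name"], g["cmd"]) if "name" in g else (g["lnk"], g["target"])
                log["autoruns"].append({"location": g["loc"], "name": name, "command": cmd,
                                        "executable": executable_of(cmd)})
            elif b:
                log["bhos"].append({"name": b["name"], "clsid": b["clsid"], "path": b["path"]})
            else:
                log["other"].append((code, body))
        elif in_procs:
            log["processes"].append(line)
    return log


def triage(log: Dict) -> List[Dict]:
    """Autoruns outside the allowlist, annotated with whether their executable is running now."""
    running = {ntpath.basename(p).lower() for p in log["processes"]}
    findings = []
    for entry in log["autoruns"]:
        if entry["name"].lower() not in KNOWN_GOOD:
            exe_base = ntpath.basename(entry["executable"]).lower()
            findings.append({**entry, "running": exe_base in running})
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for f in triage(parsed):
        state = "RUNNING" if f["running"] else "not running"
        print(f"review: [{f['name']}] at {f['location']} -> {f['executable']} ({state})")
```

On the sample this reports exactly one entry, UIB under HKLM\..\Run, and notes that UIB.EXE is also in the running-process list, which is the correlation the poster made by hand. The allowlist is deliberately a name list rather than a path list, so a renamed copy of a known binary would still be surfaced; a more careful version would key on the executable path and a file hash.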
| 421596 | 2006-01-18 00:20:00 | Try doing a Safe Mode start. That seems to be when that file is needed, for W95 anyway, and is when it would be replaced. But mikebartnz hasn't got that file on his W98 system, so I'm inclined to think that there might be something else causing slower loading. I don't recall ever seeing a .CB file on my W98 laptop. | Graham L (2) |