Suspicious processes and more.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sailor, Jan 6, 2007.

  1. Sailor

    Sailor First Sergeant

    Before New Year's I was on Comodo firewall. I kept getting warnings that a2guard.exe (must be from a-squared anti-dialer) had modified ati2evxx.exe in memory and that ati2evxx.exe was attempting to connect to the internet. I didn't pay much attention. Now I have duplicates of Cli.exe and ati2evxx.exe running. I haven't been really careful lately. I ran a program from a DVD on a PC magazine and nothing happened... or at least nothing good. Also I have a file that I can't handle at all. You can find details about it here.
    I guess all I can do now is attach the scans and pray.
    I wasn't able to install counterspy, so here's an AVG-as log. Also when in safe mode (network supported of course) I couldn't connect to the web, so I ran the online scans in normal mode.
  2. Sailor

    Sailor First Sergeant

    getrun, shownew and HJT logs.
  3. Sailor

    Sailor First Sergeant

    I don't mean to bump the thread, I know it won't help me at all, but as I was looking at my own logs I noticed that some folder names are in Greek or appear to be nonsense. If you need me to rename the files and take the scans again or translate what it should say, please let me know.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't appear to be having malware problems!

    What is this?
    C:\Program Files\METAFRASHS\polylex.exe

    Why is the below running? Didn't you uninstall Symantec?
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

    You can have HijackThis fix the below lines:
    O2 - BHO: (no name) - {311F9DE8-6126-4eee-B15F-65CBB3B4F9F6} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    Where is the file you are trying to delete located? Did you try deleting it in safe mode? How about from the Recovery Console?

    You did not run GetRunKey and ShowNew properly as per the instructions on the download page. You MUST extract all files from the ZIP and you MUST run the .bat files from a Windows Explorer session. You ran them from inside the ZIP file.
     
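    A small triage script for the kind of log lines chaslang singles out above, added here as an example and not code from the thread or from the HijackThis project: it parses O2/O3/O23 entries, flags those ending in "(no file)" or "(file missing)", and pulls the real executable path out of the oddly quoted ccSvcHst.exe line. The fifth sample line is a constructed healthy entry for contrast.

```python
import re
from typing import List

# Constructed sample: the three orphaned O2/O3 entries and the O23 service
# quoted in the thread, plus one constructed healthy entry for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {311F9DE8-6126-4eee-B15F-65CBB3B4F9F6} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Pulls the binary path out of a target even when HijackThis prints a stray
# quote and service arguments after it, as in the ccSvcHst.exe line above.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|ocx))', re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one HijackThis entry into section, kind, name, id/owner and target."""
    parts = line.split(" - ", 3)
    if len(parts) != 4 or not parts[0].startswith("O"):
        raise ValueError(f"not a HijackThis entry: {line!r}")
    section, kind_name, ident, target = parts
    kind, _, name = kind_name.partition(": ")
    m = PATH_RE.match(target)
    return {"section": section, "kind": kind, "name": name, "ident": ident,
            "target": target, "path": m.group(1) if m else "",
            "orphaned": any(target.endswith(mk) for mk in ORPHAN_MARKERS)}


def triage(log_text: str) -> List[dict]:
    """Parse every O-line and flag entries whose backing file is gone."""
    return [parse_line(ln.strip()) for ln in log_text.splitlines() if ln.strip()]


def hjt_fix_candidates(entries: List[dict]) -> List[str]:
    """O2/O3 entries with no file are plain registry pointers that HijackThis
    can remove; the returned strings identify each one by section and CLSID."""
    return [f'{e["section"]} {e["ident"]}' for e in entries
            if e["orphaned"] and e["section"] in ("O2", "O3")]


def leftover_services(entries: List[dict]) -> List[str]:
    """O23 services whose file is missing are leftover service registrations
    (here, from an uninstalled product) and are reported separately."""
    return [e["name"] for e in entries if e["orphaned"] and e["section"] == "O23"]
```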
  5. Sailor

    Sailor First Sergeant

    polylex.exe is a file from a dictionary I have; as far as I know it's a clean program. As for GetRunKey and ShowNew, you know your own apps better than anyone, but I am sure that I did extract all four files of each application to a folder and ran the .bat files with Windows Explorer.
    As for that persistent file, it was in the "shared" folder of Limewire (crap). I managed to delete it with Unlocker.
    So, I am clean! (Are those duplicate processes alright?) Thanks for analyzing, chaslang, I was sure you'd find out if there was anything wrong. :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then please explain what the below lines are saying, because it is not allowing proper information to be retrieved and this normally happens when the .bat files are not run from outside of the ZIP.

    And also in many other places it has the below, which seems to indicate that locate.com cannot be found:

    Are you referring to ati2evxx.exe? If so, yes that is how ATI designed it. Goto this link https://support.ati.com/ics/support/default.asp?deptID=894&task=knowledge and type ati2evxx.exe into the Search box and click go.
     
  7. Sailor

    Sailor First Sergeant

    I don't know what happened, chaslang. The files were indeed extracted. Just in case, I extracted them again into a folder of their own and scanned again and again. Same meaningless lines. Anyway it doesn't matter, I was most worried about ati2evxx.exe and that stubborn file. We sorted out both, so... thank you and have a nice day :).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Are those unprintable characters actually Greek Windows messages?
     
  9. Sailor

    Sailor First Sergeant

    They make no sense to me either. I tried different fonts and the results are just as meaningless. Has anyone used these tools on a non-English/USA Windows version before? If you want to keep the malware forum neat I can open a thread in Software.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, I believe many times, and I have not seen this exact problem occur before. Yes, some other info in the logs appeared in strange characters (like the uninstalled programs list or some misc files and folder names), but no problem like yours, which would seem to indicate some kind of problem running some of the processes within GetRunKey.bat and ShowNew.bat.

    Not necessary! What would your new thread be anyway?
     