Solved What is this?

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
Can anyone identify this please, Windoze 7 HomeP 32bit. Google gets no results on filename or key.

It's in HKLM/software/microsoft/windows/current version/run

2015-04-05_080603.jpg

Thanks.
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
Thanks LC, it must be an orphan? It shows both in msconfig, and the registry, but even though the key is in the reg, the file is not in the path. I have just removed heaps of stuff from this old pc, which was one of my business computers, to pass it down to Mrs dung. The 2 pics of the entries are here. Might be best to stop it in msconfig and if all is good for a while cull it from the registry, what do you say?

msconfig entry
2015-04-05_080603.jpg

explorer entry
2015-04-05_114437.jpg

registry entry
2015-04-05_114706.jpg
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
Don't rule out a hidden file CD. You might check the properties of the files still in the folder to see if it will give you some ideas about the program they associate with.
Thanks LC, unfortunately the other files left there don't give any clue, except for being shared by everyone?
I think it best to temporarily stop it and see what happens? Strange there's no result on a Google search though, although I could take that as good news that it's not a nasty?
 

Malnutrition

Still Hungry
iHF Master Craftsman
Looks like possible malware.... With a name like that, and it does not come up on a Google search, neither the CLSID nor the actual file name...

What scans have you run? Mind posting a FRST log?

Also this is an effective tool. If you suspect malware.

This whole process is only gonna take you about 15 mins, this program is pretty effective at finding many things that others leave...


Download install regrun.
http://greatis.com/security/reanimator.html
Right click run as administrator.
Click check for updates.
Then click on fix problems.
Then click on fix browser redirects.
Then choose to hide good as illustrated in the picture.

Go through each of the 6 tabs and hit the remove checked box for each tab that has bad items checked by default.
When completed click on the last tab named finish.
Then click on comprehensive scan.
Allow completion then click on fix problems if needed.
Then the program will set a restore point, click on get it out.
Reboot the computer, after bad items are removed.

After the reboot, right click the icon again run as admin.
click Fix problems.
Click on scan windows startup.
Click on use deep level scanning.
Click on make scan now.

Remove anything found by the tool.


After the reboot, right click the icon again run as admin.
click Fix problems.
Click multiengine online scan.
Remove any rogue files.
Reboot the computer.
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
Hi there Mal, good to see you, and thanks for looking in on my question. The PC in question doesn't have any issues (that I know of) but I'll certainly run any scan you recommend. Yeh, I thought I used all the correct malware lookup places from malware school, and no, it's not an exam question. Put the log up shortly.
 

Malnutrition

Still Hungry
iHF Master Craftsman
The randomly named file is a bit fishy to me, and the fact that there is nothing on Google is equally fishy; no mention of the CLSID either. Seems a bit odd... The scans should sort the confusion...
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
Hi Mal, logs attached. Do you want to check this before I do the rest or not?

I saw a reference to ASPNET in the log and saw it was related to netframework 1.1 and XP. I have now removed netframework 1.1 and the user account it created. It was only installed yesterday as part of a very old greeting card program. My wife cannot survive without her stack of card programs. The suss file was there before netframework and the card programs were installed.
 

Attachments

DCiAdmin

Always room to learn a bit more
Administrator
iHF Legend
WCG Team Member
The randomly named file is a bit fishy to me, and the fact that there is nothing on Google is equally fishy; no mention of the CLSID either. Seems a bit odd... The scans should sort the confusion...
Exactly as I had thought - no mention of the file in Google makes it seem too random to be legit.

Hey, Kris!
 

Malnutrition

Still Hungry
iHF Master Craftsman
Run this for me, click on repair then reboot if needed, post the log.
http://www.nicolascoolman.fr/download/zhpcleaner-2/

Go ahead and make a scan with eset online scanner as well.



You will need to disable your antivirus prior to scanning.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove Found Threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
I am tired from work, I will have a fix for FRST later after I get some sleep. I would also run a second opinion scanner with Zemana.
http://www.zemana.us/product/zemana-antimalware/default.aspx
 

Malnutrition

Still Hungry
iHF Master Craftsman
What is this??? Your Malwarebytes is outdated; I suggest you uninstall it, install the latest version and run a scan. I am off for the night.
C:\Windows\4û`
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
OK, installed, updated, and ran the first tab test. You say to "hide good" and that leaves 4 items you said to remove if ticked. The SUSS file is there but the other stuff is good guys. Can't just let this thing have its way?? Telling what is good and bad could be hard?

I'll have a look at the other tabs.

2015-04-05_134759.jpg
 

Cameldung

I Like It Here
iHF Veteran
Advisor
WCG Team Member
What is this??? Your Malwarebytes is outdated; I suggest you uninstall it, install the latest version and run a scan. I am off for the night.
C:\Windows\4û`
I updated the Malwarebytes definitions today; I'll do the program as well. I'll do ZHPCleaner and ESET as well. When you get around to it is fine. Thanks Mal
 

Malnutrition

Still Hungry
iHF Master Craftsman
Well upload the file to virus total.....
https://www.virustotal.com/

Copy and paste File Path:

C:\Users\John\AppData\Roaming\{F45ACE10-F780-0400-E000-160A7F9F8E}\qvwcdijotu.exe
C:\Windows\4û`



There are a few redundant items in the FRST log that can go, no malware that I see. I did include the suspect file in the fix; if it were my machine it would go. I left it in bold for you.

Also iwin games did you install that? Was going to include that in the FRST fix but was unsure if you installed it.
http://www.shouldiremoveit.com/iWin-Games-71585-program.aspx

Here is your fixlist save it to your desktop open FRST as admin hit fix.


start
CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\Windows:
AlternateDataStreams: C:\Windows:AstInfo
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\TEMP:0888F409
AlternateDataStreams: C:\ProgramData\TEMP:3440EB47
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:66633281
HKU\S-1-5-21-2368525537-1876345335-41732501-1000\...\Run: [{F45ACE10-F780-0400-E000-160A7F9F8E}] => "C:\Users\John\AppData\Roaming\{F45ACE10-F780-0400-E000-160A7F9F8E}\qvwcdijotu.exe"
C:\Users\John\AppData\Roaming\{F45ACE10-F780-0400-E000-160A7F9F8E}\qvwcdijotu.exe

R3 ALSysIO; \??\C:\Users\John\AppData\Local\Temp\ALSysIO.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 HSFHWCD2; system32\DRIVERS\HSFHWCD2.sys [X]
S3 HSF_DP; system32\DRIVERS\HSF_DP.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [X]
S3 Mtlmnt5; system32\DRIVERS\Mtlmnt5.sys [X]
S3 Mtlstrm; system32\DRIVERS\Mtlstrm.sys [X]
S3 PROCEXP151; \??\C:\Windows\system32\Drivers\PROCEXP151.SYS [X]
S0 RecAgent; system32\DRIVERS\RecAgent.sys [X]
S3 Slnt7554; system32\DRIVERS\slnt7554.sys [X]
S3 SlNtHal; system32\DRIVERS\Slnthal.sys [X]
S3 SlWdmSup; system32\DRIVERS\SlWdmSup.sys [X]
S3 TEAM; system32\DRIVERS\RtTeam60.sys [X]
2014-03-06 11:57 - 2014-03-06 11:57 - 0004524 _____ () C:\Users\John\AppData\Roaming\CamStudio.cfg
2013-05-26 13:06 - 2013-05-26 13:06 - 0000098 _____ () C:\Users\John\AppData\Roaming\CamStudio.Producer.command
2011-09-21 11:01 - 2011-09-21 11:11 - 0081920 _____ () C:\Users\John\AppData\Roaming\ezpinst.exe
2011-09-21 11:01 - 2011-09-21 11:11 - 0007176 _____ () C:\Users\John\AppData\Roaming\pcouffin.cat
2011-09-21 11:01 - 2011-09-21 11:11 - 0001144 _____ () C:\Users\John\AppData\Roaming\pcouffin.inf
2011-09-21 11:02 - 2011-09-21 11:12 - 0000033 _____ () C:\Users\John\AppData\Roaming\pcouffin.log
2011-09-21 11:01 - 2011-09-21 11:11 - 0047360 _____ (VSO Software) C:\Users\John\AppData\Roaming\pcouffin.sys
2012-03-09 12:14 - 2012-03-09 12:14 - 0000022 ___SH () C:\Users\John\AppData\Roaming\Sys2662.Config.Repository.bin
2010-09-11 13:16 - 2010-09-11 13:16 - 0000022 ___SH () C:\Users\John\AppData\Roaming\Sys6925.Config Collection.sys
2014-08-03 10:29 - 2014-08-03 10:29 - 0018392 _____ () C:\Users\John\AppData\Roaming\UserTile.png
2014-03-06 11:59 - 2014-03-08 13:27 - 0000096 _____ () C:\Users\John\AppData\Roaming\version2.xml
2010-03-12 14:46 - 2013-10-19 10:33 - 0012800 _____ () C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-01-09 15:24 - 2014-01-09 15:32 - 0000600 _____ () C:\Users\John\AppData\Local\PUTTY.RND
2013-12-09 11:53 - 2013-02-10 12:51 - 0001231 _____ () C:\Users\John\AppData\Local\recently-used.xbel
2010-01-25 19:39 - 2013-06-28 11:42 - 0007599 _____ () C:\Users\John\AppData\Local\Resmon.ResmonCfg
2010-01-25 12:03 - 2015-03-14 12:06 - 0063301 _____ () C:\ProgramData\hpzinstall.log
C:\Users\John\AppData\Local\Temp\reflectPatch.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state On
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
hosts:
Emptytemp:
RemoveProxy:
reboot:
end
 
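As an added example (not code from the thread or from any of the tools named in it), here is a PowerShell audit of the Run/RunOnce keys that flags the two tells discussed above: an entry whose target file no longer exists (the orphan Cameldung describes) and a GUID-named value launching a random-named exe from a GUID-named folder under AppData\Roaming (the qvwcdijotu.exe pattern), with a SHA256 of any existing target for the VirusTotal lookup Mal suggests. It assumes PowerShell 4 or later for Get-FileHash (Windows 7 ships 2.0 and needs the WMF update first); the malformed-GUID check relies only on the fact that a real GUID's last group is 12 hex digits, whereas the value name in this thread has 10.

```powershell
# Added example: audit autostart values for orphans and GUID-named entries.
# Assumes PowerShell 4+ (Get-FileHash). Other user profiles live under
# HKU:\<SID>\...\Run; add them for a full sweep (FRST reported one above).
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Loose: 8-4-4-4-(6..12) catches GUID look-alikes; strict: a real GUID ends in 12 hex digits.
$GuidLike   = '^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{6,12}\}?$'
$GuidStrict = '^\{?[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}?$'

function Get-AutostartTarget([string]$Cmd) {
    # Pull the executable path out of a Run value: quoted path, else first .exe token.
    $Cmd = [Environment]::ExpandEnvironmentVariables($Cmd.Trim())
    if ($Cmd.StartsWith('"')) { return $Cmd.Substring(1, $Cmd.IndexOf('"', 1) - 1) }
    $m = [regex]::Match($Cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Cmd -split '\s+')[0]
}

function Get-SuspiciousAutostart {
    foreach ($Key in $Keys) {
        if (-not (Test-Path $Key)) { continue }
        $Item = Get-Item $Key
        foreach ($Name in $Item.GetValueNames()) {
            if ($Name -eq '') { continue }                       # skip (Default)
            $Target = Get-AutostartTarget ([string]$Item.GetValue($Name))
            $Exists = Test-Path -LiteralPath $Target -PathType Leaf
            $Flags  = @()
            if (-not $Exists) { $Flags += 'ORPHAN: target file missing' }
            if ($Name -match $GuidLike) {
                $Flags += 'GUID-named value'
                if ($Name -notmatch $GuidStrict) { $Flags += 'malformed GUID' }
            }
            if ($Target -match '\\AppData\\Roaming\\\{') { $Flags += 'runs from GUID dir in Roaming' }
            $Hash = '-'
            if ($Exists) { $Hash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash }
            [pscustomobject]@{
                Key = $Key; Name = $Name; Target = $Target
                Flags = ($Flags -join '; '); SHA256 = $Hash
            }
        }
    }
}

# Show only entries with at least one flag; drop the filter to see everything.
Get-SuspiciousAutostart | Where-Object Flags | Format-List
```

Run it from an elevated PowerShell so HKLM values are readable; search VirusTotal by the SHA256 before uploading anything, since a hash lookup discloses nothing about the file's contents.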

Malnutrition

Still Hungry
iHF Master Craftsman
I would, just as good housekeeping, run these as well; your choice on these....


Download the eScanAV Anti-Virus Toolkit (MWAV)
http://www.escanav.com/english/conte...dwn&type=alter
Save the file to your desktop.
Right click run as administrator.
A new icon will appear on your desktop.
Right click run as administrator on new icon.
Click on the update tab.

Once you have updated the program, make sure the settings are the same as the picture below.

Once you have made sure the settings match the picture, hit the Scan & Clean button.
Upon scan completion, click View Log.

Copy and paste entire log into your next reply.
Note: Reboot if needed to remove infections.

Junkware Removal Tool. http://thisisudax.org/downloads/JRT.exe
ZHP Cleaner http://www.nicolascoolman.fr/download/zhpcleaner-2/
Adware removal tool http://www.techsupportall.com/adware-removal-tool/
Adware Cleaner https://toolslib.net/downloads/viewdownload/1-adwcleaner/
system ninja https://singularlabs.com/software/system-ninja/
Wipe Privacy root. https://privacyroot.com/software/www/en/wipe.php
Toolwiz defrag. http://www.toolwiz.com/en/products/toolwiz-smart-defrag/
 