
Is this a worm?

Discussion in 'Windows XP' started by foxfire, Feb 16, 2003.

Thread Status:
Not open for further replies.
  1. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    Whilst attempting DIY diagnosis of very slow throughput speed
    (query posted 14/2/03, which remains unsolved) I checked Google for a description of an Autorun entry from the registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Google referred me to www.gainsville 2600.org/stuff/rootkit_analysis.htm

    This suggests (as far as I can understand - it's way above my knowledge) there is a worm lurking somewhere there?

    Is that correct- have I got a worm in my registry?

    Foxfire.
     
  2. Dan O

    Dan O

    Joined:
    Feb 13, 1999
    Messages:
    8,974
  3. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    That Registry key is a default registry entry in Win XP/2000, so there's nothing wrong with its existence.

    It contains a "Userinit" value, which in turn contains the path to userinit.exe, which is responsible for logon scripts, re-establishes network connections, and runs the program that is specified in the "Shell" string value in that same Registry subkey.

    It is possible to add an application to the userinit value, which will then execute even before the shell (Explorer) starts.

    However, the existence of that subkey itself is completely normal.
     
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    BTW, if you like, do this, and we'll have a look to see whether anything's there that shouldn't be:

    Go to http://www.spywareinfo.com/downloads.php#startup , and download 'Startuplist'.

    Unzip, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and post the contents here.
     
  5. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    Bravo Tony, I will do that. I must admit I am getting a bit bogged down, it's very heavy going... but here goes.

    Foxfire

    StartupList report, 16/02/00, 17:28:31
    StartupList version: 1.51
    Started from : C:\unzipped\startuplist151-spyware\StartupList.EXE
    Detected: Windows NT 4 SP3 (WinNT 4.00.1381)
    Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolss.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\system32\RpcSs.exe
    C:\Program Files\Visual IP InSight\UK\ARMon32a.exe
    C:\WINNT\system32\tapisrv.exe
    C:\WINNT\system32\rasman.exe
    C:\WINNT\System32\esserver.exe
    C:\WINNT\System32\pstores.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\SENS.EXE
    C:\WINNT\System32\nddeagnt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\loadwc.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Palm\hotsync.exe
    C:\Program Files\Firenet\firenet.EXE
    C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\startuplist151-spyware\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup]
    HotSync Manager.lnk = C:\Palm\hotsync.exe

    Shell folders Common Startup:
    [C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
    Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = userinit,nddeagnt.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    BrowserWebCheck = loadwc.exe
    SchedulingAgent = mstinit.exe /logon
    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\winnt\googletoolbar_en_1.1.68-big.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_SMITHCOMP_Administrator.job
    {D34F18B1-576E-11D0-B28C-00C04FD7CD22}_SMITHCOMP_Administrator.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [sys Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\PCPitStop.dll
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [iCC Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\pcpConnCheck.dll
    CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

    [MarqueeCtl Object]
    InProcServer32 = C:\WINNT\Downloaded Program Files\marquee.ocx
    CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/marquee.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
    CODEBASE = http://toolbar.google.com/data/GoogleActivate.cab

    [{A1DC3241-B122-195F-B21A-000000000000}]
    CODEBASE = http://vad.mainentrypoint.com/dialer/bin/GB/cmb_210000.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Search Settings Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\searchsettings.ocx
    CODEBASE = http://lg.home.microsoft.com/search/lobby/searchsettings.cab

    --------------------------------------------------
    End of report, 4,953 bytes
    Report generated in 0.500 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    What I'd do is go to Start > Programs > Startup and delete the Microsoft Find Fast shortcut.
    All it does is slow you down.

    Also go to Internet Options > Temp. Internet Files > Settings > Show Objects, and locate and remove this dialer:

    [{A1DC3241-B122-195F-B21A-000000000000}]
    CODEBASE = http://vad.mainentrypoint.com/diale.../cmb_210000.cab

    Cheers,
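The two things looked at in this thread, extra programs appended to the Winlogon UserInit value (TonyKlein's earlier post) and a Downloaded Program Files control served from a dialer site (the entry above), can be checked mechanically against a StartupList-style report. The script below is an added example written for this page; it is not part of the thread and not code from the StartupList tool. The sample report text is constructed (modelled on the report posted above, with a made-up placeholder for an appended UserInit program), and the UserInit baseline and the vendor host allow-list are assumptions to adjust for the machine being checked.

```python
"""Parse a StartupList-style report and flag (a) programs appended to the
Winlogon UserInit value beyond an expected baseline and (b) Downloaded
Program Files entries whose CODEBASE is hosted somewhere not on a known
vendor list. Report text, baseline and vendor list are constructed
assumptions, not output taken from any real machine."""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the sections StartupList 1.51 prints.
# The third UserInit entry is a made-up placeholder for an appended program.
SAMPLE_REPORT = r"""
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit,nddeagnt.exe,C:\WINNT\Temp\unknown.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://vad.mainentrypoint.com/dialer/bin/GB/cmb_210000.cab

--------------------------------------------------
"""

# Assumed baseline: the stock NT 4 value is "userinit,nddeagnt.exe"; later
# Windows versions use "userinit.exe" alone. Adjust to the OS being checked.
EXPECTED_USERINIT = {"userinit", "userinit.exe", "nddeagnt.exe"}

# Assumed allow-list of hosts that served the ActiveX controls seen in the
# thread's report; anything else deserves a second look, not a verdict.
KNOWN_CODEBASE_HOSTS = {
    "download.macromedia.com", "activex.microsoft.com",
    "security1.norton.com", "toolbar.google.com", "www.pcpitstop.com",
}

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)


def parse_sections(report):
    """Split the report at its dashed rules; map each section title to its lines."""
    sections = {}
    for chunk in SEPARATOR.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections[lines[0].rstrip(":")] = lines[1:]
    return sections


def userinit_entries(sections):
    """Return the comma-separated programs named in the UserInit value, in order."""
    for line in sections.get("Checking Windows NT UserInit", []):
        match = re.match(r"UserInit\s*=\s*(.*)", line, re.I)
        if match:
            return [p.strip() for p in match.group(1).split(",") if p.strip()]
    return []


def unexpected_userinit(sections, expected=EXPECTED_USERINIT):
    """Entries whose file name is not in the baseline (compared case-insensitively)."""
    return [e for e in userinit_entries(sections)
            if ntpath.basename(e).lower() not in expected]


def codebase_entries(sections):
    """(control name, CODEBASE url) pairs from the Downloaded Program Files section."""
    name, found = None, []
    for line in sections.get("Enumerating Download Program Files", []):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        else:
            match = re.match(r"CODEBASE\s*=\s*(\S+)", line, re.I)
            if match:
                found.append((name, match.group(1)))
    return found


def unknown_codebase_hosts(sections, known=KNOWN_CODEBASE_HOSTS):
    """Controls whose CODEBASE host is not on the vendor allow-list."""
    return [(n, u) for n, u in codebase_entries(sections)
            if (urlparse(u).hostname or "").lower() not in known]


def review(report):
    """Run both checks on a report and return the findings as a dict."""
    sections = parse_sections(report)
    return {
        "userinit": userinit_entries(sections),
        "userinit_unexpected": unexpected_userinit(sections),
        "codebase_unknown": unknown_codebase_hosts(sections),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_REPORT)
    print("UserInit =", ",".join(findings["userinit"]))
    for entry in findings["userinit_unexpected"]:
        print("  not in baseline:", entry)
    for name, url in findings["codebase_unknown"]:
        print("CODEBASE from unlisted host:", name, "->", url)
```

Run as-is it reports the placeholder UserInit program and the mainentrypoint.com control; feed it a real report by reading the StartupList text file into `review()`. A hit from either check is a prompt to identify the file or vendor, as TonyKlein does above, not a diagnosis on its own.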
     
  7. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    Thank you kindly, will start that now & cross my fingers.

    Foxfire
     
  8. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    Right, I have done that. It has very slightly improved things but is certainly not back to normal.
    Connection speed is currently 42kbs (OK) but throughput/download speed is only 21kbs.

    Can anyone assist please?

    Foxfire.

    CompaqV50 W/station 5000
    Win NT4 SP3
    130K memory
    Modem 56k i pro (Supra Express)
    Intel Pentium 166mhz
    File NTFS
    IE5.5
     
  9. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
  10. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    Tony,

    I will try the patches first... I am very nervous about going into my registry because I have no backup & everyone warns newbies about that, but I am prepared to tiptoe in if you are standing at my shoulder :D :D.

    Grateful thanks indeed.

    foxfire.

    Ah, Speedwire doesn't do patches for NT4. The registry one will take me some time to absorb, I will come back later.

    foxfire
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    No prob.

    Just try one of the patches for Win NT, and tell us whether that makes a difference.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    foxfire, you are on dialup are you not? Have you tried different numbers?
     
  13. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    RR, yes I am. I have tried using other ISPs but no basic difference.
    Thank you. It does seem to be my computer... I have had my incoming line & house lines all checked out - twice - & they're OK.
    Thank you.

    PS I haven't run Scandisk/defrag. Rhettman (forums.techguy.org/t115719/s.html) on periodic hard drive maintenance, para 4, says not to run Scandisk or defrag... or am I confused??

    My hard disc is 50% free.

    Foxfire
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Is the firenet.EXE running process installed to support your current ISP? From what I can tell it is designed to connect to the best dialup number.

    There are some other running processes which I have not come across before in startups and may or may not be required to support the above application.

    C:\WINNT\System32\SENS.EXE (I think this is)

    C:\WINNT\System32\esserver.exe (I don't know what this is doing, although it is a Microsoft IE file evidently)

    I haven't seen too many NT startups, and I'm not sure whether you need this service or not:

    C:\WINNT\System32\nddeagnt.exe

    And a lot of people like to disable this one:

    http://support.microsoft.com/?kbid=176960

    I don't think a scandisk or defrag will make much difference, but it shouldn't hurt to do the defrag. I avoid scandisk unless the problems are very serious. Of course you also want to ensure that your Temporary Internet Files are flushed occasionally. A disk cleanup should always be done before a defrag.
     
  15. foxfire

    foxfire Malware Specialist Thread Starter

    Joined:
    Jan 14, 2003
    Messages:
    313
    RR the firenet is my ISP, they are small & have a fallback system for busy periods whereby if the dialup number is fully engaged I am automatically redialled to other numbers to reach them.

    I will research the nddeagnt programme & delete the other one (when I have checked it).

    Thank you for the info on Scandisc/defrag excellent.

    I have pasted the Tweak tests above, in case they are relevant, while I try to decipher them. (On the wrong reply! Sorry.)

    Tony Klein suggested a followup patch from there, once I fully understand results I will try & download the relevant one.

    Very grateful thanks for the sustained help, most kind.

    Tweak Tester II results



    Your Tweakable Settings:
    Receive Window (RWIN): 18528
    Window Scaling: off
    Path MTU Discovery: ON
    RFC1323 Window Scaling: OFF
    RFC1323 Time Stamping: OFF
    Selective Acks: OFF
    MSS requested: 1460
    TTL (less any hops behind firewall): 125
    TTL remaining: 113

    Notes and recommendations:
    Enable TCP timestamping (FAQ #706)
    for 'long fat' (high ping) pipes
    We have no recommendations for <64k lines
    Looking good


    Example 146000 byte download
    Actual data bytes sent: 156220
    Actual data packets: 107
    Max packet sent (MTU): 1500
    Max packet recd (MTU): 1500
    Retransmitted data packets: 7
    sacks you sent:
    pushed data pkts: 16
    data transmit time: 10.761 secs
    our max idletime: 1588.1 ms
    transfer rate: 12318 bytes/sec
    transfer rate: 98 kbits/sec
    This is not a speed test!
    transfer efficiency: 93%


    Notes and recommendations:
    Just a few re-transmissions seen (FAQ #705)
    1 second+ stall detected (FAQ #1606)


    ICMP (ping) check
    Minimum ping: 250 ms
    Maximum ping: 323 ms
    Ping stability:
    288 291 255 280 309 312 323 292 270 250


    Notes and recommendations:
    USA based? - ping is high
    Check tweak FAQ



    Still stuck? copy/paste this url:
    http://monitor.dslreports.com/tweak/block:1904864?service=cable&speed=56&os=winNT&via=normal
    if you are seeking forum advice. DO NOT COPY PASTE THE PAGE, JUST THE URL ABOVE.
    (and please don't forget to explain what you've got, cable, DSL, speed it should be etc)




    Foxfire
     
Short URL to this thread: https://techguy.org/119124
