Yeah, I just got the same results when I looked it up. A lot of the sites were saying it's not a necessary program, but it interacts with multimedia programs and so forth.
I did DL the Trend Micro RootkitBuster and had it scan as well.
It brought up a bunch of old temp files for Photoshop 7.0.
I went in and tried to manually delete them and it says something to the effect that one file is protected or in use. I NO LONGER have Photoshop 7 though.
I've also noticed on a temporary file scan, McAfee is erroring out and shutting down when it tries to scan those files.
Your move, general.
Edit: RAR
I just DL'ed a file shredder and tried it on the Photoshop 7 files. Came back with an error message saying "Can't shred files in use".
RootkitBuster log:
+---------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.2.0.1014
+---------------------------------------------------
--== Dump Hidden MBR and Hidden File on C:\ ==--
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo!
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 2 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo!
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 3 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo!
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 4 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo!
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 7 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo!
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW Cutline Demo\I
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
[HIDDEN_FILE]:
FullPath : C:\Documents and Settings\RKJ\Local Settings\Temp\Temporary Directory 8 for Adobe Photoshop 7.0 FULL (+serial).zip\ADOBE PHOTOSHOP 7.0 FULL [RETAIL] +serial\Third Party Products\Andromeda\Andromeda Photoshop 7 Demos\Artistic Screening Tools\NEW EtchTone Demo
FullPathLength: -1
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x21
ShareAccess : 0x0
Type : 0x0
25 hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
Boot into safe mode; you should be able to remove them then.
Other tools which would remove them on the next boot, or remove what is locking them, allowing deletion:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good, as it has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
The MoveOnBoot link no longer has the file, and Unlocker said it deleted the files but in fact didn't move them at all.
I went to Safe Mode and at first wasn't able to delete the files for the same reason I couldn't in regular mode. But I renamed the files and put them through the shredder that I found today; then I rescanned with RootkitBuster and they are no longer there.
The AutoPlay bit unfortunately still is…
Like I stated earlier in the post, my rundll32.exe runs like a madman. Sometimes it will be listed 2-3 times in the task manager, and it seems to stay running during the AutoPlay.
Could that be the problem instead?
I'm just throwing things out there b/c I just don't have a clue :I
Maybe it's a malfunctioning program?
Edit: Since I took out the corrupt Adobe 7.0 files, McAfee is able to complete its temporary file scan and is now working its mojo to kill kill kill. *crosses fingers for cure*
Can you try to get a screenshot of this AutoPlay when it is running? I still don't really know what you mean by it.
Another link for MoveOnBoot: http://www.download.com/EMCO-MoveOnBoot/3000-2094_4-10397293.html.
It took forever to get a screenshot of it b/c it happened so fast, but I finally got one, and when it's at its worst at that: http://i140.photobucket.com/albums/r17/RoseStone1/AutoPlayBullshit.jpg
All the folders on the right are labeled AutoPlay, and they don't just appear when IE is on, if that's your next process of thought.
Look for autorun.inf files in the root folder of your hard disk partitions; in reality they shouldn't be there, as they would normally only be on removable media like CD/DVDs etc.
http://www.google.com/search?q=autoplay+virus
http://en.wikipedia.org/wiki/Autorun
They might be hidden, so ensure you have the settings in the image: Explorer, Tools, Folder Options, View. Once you unhide files, etc., do a search for autorun.inf and report any findings. Right-click on one of the copies and select Open With, then select Notepad. Inside will be a number of commands; copy and paste the contents into a post.
This may have come from an infected USB drive, so avoid their use until you can confirm they aren't infected.
I would suggest a forum search for autorun.ini, as this has cropped up before and you may glean some useful information.
Well, I did a search for autorun files and got these out of it; not sure if they are what we want or not, but yeah: http://i140.photobucket.com/albums/r17/RoseStone1/iunno.jpg
And this is what they all said:
[autorun]
open=setup.exe
icon=btw.ico
label=BTW
[autorun]
OPEN=Setup.exe
Icon=QuickPlay.ico,0
[autorun]
open = setup.exe
[autorun]
OPEN=setup.exe
ICON=\Setup\artwork\setup.ico
defaulticon=setup.exe,2
shell\LVIPCAP\command=techsupt\CaptureTest\Amcap8.exe
shell\LVIPCAP=Tool - Amcap&8.exe
shell\LVIPCAP\command=Drivers\Bin\setup.exe techsupt
shell\LVIPCAP=Tool - TechSupt Tools
[autorun]
OPEN=setup.exe
ICON=icon\ispsetup.ico
[autorun]
OPEN=CDSTART.EXE
[cdstart]
TITLE="Norton Internet Security"
HOTKEYTITLE="&Install Norton Internet Security"
[autorun]
OPEN=SETUP.EXE
[Unpasteable]
[autorun]
OPEN=setup.exe
ICON=icon\ispsetup.ico
[autorun]
open = setup.exe
[autorun]
OPEN=SETUP.EXE /AUTORUN
ICON=SETUP.EXE,1
shell\configure=&Configure...
shell\configure\command=SETUP.EXE
shell\install=&Install...
shell\install\command=SETUP.EXE
[AUTORUN]
OPEN=AUTO_RUN.EXE
The one that I put in brackets as unpasteable is gigantic and in Russian and gibberish D;
Microsoft Works says there are about 14000 words in it alone, which makes it practically impossible to paste here.
I see Norton in one of these, and I uninstalled that the day I got this laptop.
I can send you the text out of the forum if you'd like?
I think we got something here >;
Where did you find these autorun.inf files?
Some look like legitimate program setup routines.
It looks like they come from CDs (or program folders) and not from your HDD root folders, e.g. C:, D:, or any other HDD partition. The location they are found in is almost as important as what is in the file.
Edit: Sorry, I have now looked at the image link you gave and it confirms what I said about their coming from program folders. I will copy the image so it appears here, so no need to load another image.
You should also set your folder options to display known file types: Windows Explorer, Tools, Folder Options, View; see the second image and ensure 'Hide extensions for known file types' is unchecked.
Hi guys. It seems something is living here. Let's see if we can find something in the autoruns.
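To make DavidR's two points concrete (look at the location first, then at what the file would launch), here is a small triage script I am adding to the thread; it is not a tool anyone in the thread used. It parses the [autorun] section the way the pasted files are laid out (including repeated keys and the "open = setup.exe" spacing), lists every command AutoRun could execute, and reports whether Windows would act on the file at all: autorun.inf is only processed from the root of a volume, so the copies found inside program folders are inert, while one sitting at the root of a fixed disk deserves a close look. The sample contents and the list of fixed-drive letters are constructed, modelled on the pastes above.

```python
"""Triage autorun.inf findings by location and by the commands they would launch.

Added example for this thread, not a tool any poster used. Sample inputs are
constructed from the shapes of the files pasted in the thread.
"""
import re
from typing import Dict, Iterable, List, Tuple

# autorun.inf is only processed when it sits in the root of a volume,
# e.g. D:\autorun.inf. A copy buried under Program Files\... is inert.
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE)
# Context-menu verbs of the form shell\<verb>\command=<program>
SHELL_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style autorun.inf text into {section: [(key, value), ...]}.

    Hand-rolled instead of configparser so that duplicate keys (one pasted file
    repeats shell\\LVIPCAP\\command) and 'open = setup.exe' spacing survive.
    Section and key names are lowercased; values keep their case.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside any section
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(sections: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (trigger, command) pairs that AutoRun could execute from [autorun]."""
    targets = []
    for key, value in sections.get("autorun", []):
        if key in ("open", "shellexecute"):
            targets.append((key, value))
        else:
            m = SHELL_COMMAND.match(key)
            if m:                         # e.g. shell\install\command=SETUP.EXE
                targets.append(("shell\\" + m.group(1), value))
    return targets


def assess(path: str, text: str, fixed_drives: Iterable[str] = ()) -> dict:
    """Classify one autorun.inf by where it lives and what it would launch.

    fixed_drives: letters of the hard-disk partitions (constructed input here;
    on a real machine take them from Disk Management).
    """
    fixed = {d.strip(": ").upper() for d in fixed_drives}
    at_root = bool(ROOT_AUTORUN.match(path))
    targets = launch_targets(parse_autorun(text))
    if not at_root:
        verdict = "inert: not at a volume root, Windows will not act on it"
    elif path[0].upper() in fixed:
        verdict = "SUSPICIOUS: autorun.inf at the root of a fixed disk; review every command"
    else:
        verdict = "expected on CD/DVD or removable media; still review the commands"
    return {"path": path, "at_volume_root": at_root, "targets": targets, "verdict": verdict}


# Constructed samples modelled on the pastes in the thread.
SAMPLE_CD = "[autorun]\nopen=setup.exe\nicon=btw.ico\nlabel=BTW\n"
SAMPLE_DUP = (
    "[autorun]\nOPEN=setup.exe\n"
    "shell\\LVIPCAP\\command=techsupt\\CaptureTest\\Amcap8.exe\n"
    "shell\\LVIPCAP=Tool - Amcap&8.exe\n"
    "shell\\LVIPCAP\\command=Drivers\\Bin\\setup.exe techsupt\n"
)
SAMPLE_ROOT = "[autorun]\nopen = setup.exe\nshellexecute=setup.exe\nshell\\open\\command=setup.exe\n"

if __name__ == "__main__":
    for where, body in [(r"C:\Program Files\BTW\autorun.inf", SAMPLE_CD),
                        (r"E:\autorun.inf", SAMPLE_DUP),
                        (r"C:\autorun.inf", SAMPLE_ROOT)]:
        print(assess(where, body, fixed_drives=["C"]))
```

Feed it the path and contents of each autorun.inf the Explorer search turns up; anything reported as SUSPICIOUS is the file whose open=, shellexecute= and shell\...\command= lines should be checked against the programs actually present at that root.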
I’ll give you a couple of programs to run. Please post the results of clean autoruns as attachments, as they will be quite long.
Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay, except your CD/DVD drive letters.
This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your CD/DVD.
Download "Clean Autoruns" from HERE:
http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip
Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click on Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill Explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt, that will show the state before and after the cleaning.
Please post those as attachments, using the additional options button on the reply page.
Also run this one. This will give us a look at some different things.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, DSS will open two Notepads, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
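For anyone who wants to see what oldman's TweakUI step actually changes, here is an added example (mine, not part of TweakUI or Clean Autoruns). As far as I know, the AutoPlay > Drives page in TweakUI writes the per-letter bitmask NoDriveAutoRun, and the AutoPlay > Types page writes NoDriveTypeAutoRun, both REG_DWORD values under the Explorer policies key; the bit layouts below are the documented ones. The script only computes and decodes those values so you can compare them against an exported .reg file; it does not touch the registry, and the CD/DVD letter D: is an assumption.

```python
"""Compose and decode the AutoRun policy bitmasks behind TweakUI's checkboxes.

Added example for this thread, not part of TweakUI or Clean Autoruns. It
assumes (my understanding, not stated in the thread) that TweakUI writes
NoDriveAutoRun (per drive letter) and NoDriveTypeAutoRun (per drive type),
both REG_DWORD values under HKCU or HKLM ...\\Policies\\Explorer.
Nothing here touches the registry.
"""
from typing import Iterable, List

# NoDriveAutoRun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:. A set bit disables AutoRun.
DRIVE_LETTERS = [chr(ord("A") + i) for i in range(26)]

# NoDriveTypeAutoRun: one bit per GetDriveType() class. A set bit disables AutoRun.
TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}


def mask_for_letters(disabled: Iterable[str]) -> int:
    """Build the NoDriveAutoRun value that disables AutoRun on these letters."""
    mask = 0
    for raw in disabled:
        letter = raw.strip(": ").upper()
        if letter not in DRIVE_LETTERS:
            raise ValueError(f"not a drive letter: {raw!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def letters_in_mask(mask: int) -> List[str]:
    """Decode a NoDriveAutoRun value back into the disabled drive letters."""
    return [letter for i, letter in enumerate(DRIVE_LETTERS) if (mask >> i) & 1]


def types_in_mask(mask: int) -> List[str]:
    """Decode a NoDriveTypeAutoRun value into the disabled drive types."""
    return [name for name, bit in TYPE_BITS.items() if mask & bit]


def autorun_blocked(letter: str, drive_type: str,
                    no_drive: int = 0, no_drive_type: int = 0) -> bool:
    """True if either policy value stops AutoRun for this drive.

    Either mechanism on its own is enough, which is why unchecking every letter
    except the CD/DVD drive still leaves the optical drive free to autorun.
    """
    by_letter = bool(no_drive & mask_for_letters([letter]))
    by_type = bool(no_drive_type & TYPE_BITS[drive_type])
    return by_letter or by_type


if __name__ == "__main__":
    # The thread's advice: every letter off except the CD/DVD drive (D: assumed here).
    tweakui = mask_for_letters(l for l in DRIVE_LETTERS if l != "D")
    still_on = [l for l in DRIVE_LETTERS if l not in letters_in_mask(tweakui)]
    print(f"NoDriveAutoRun = 0x{tweakui:08X}, letters still enabled: {still_on}")
    # XP's default NoDriveTypeAutoRun is 0x91: only unknown, remote and reserved types are off.
    print("fixed disk C: blocked under default 0x91?",
          autorun_blocked("C", "fixed", no_drive_type=0x91))
    print("fixed disk C: blocked under 0xFF?",
          autorun_blocked("C", "fixed", no_drive_type=0xFF))
```

The useful check after running TweakUI is the decode direction: export the two values and confirm that letters_in_mask() lists every hard-disk letter, since a fixed disk left out of the mask (and not covered by NoDriveTypeAutoRun) is still eligible for autorun.inf at its root.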
I set the file options the way you said, DavidR.
Here's all the info you wanted, oldman, all attached files. ALSO, when I disabled the autoruns like you said, oldman… they still ran. Does that mean the CD/DVD drive is corrupted?
I've clicked on the properties of my CD/DVD drive and it says all the space is used up, and I've noticed, before this AutoPlay bit, that sometimes the eject option doesn't work when I have a disc in the drive.
More bad news?
I'm also sending out the massive autorun as an attachment, seeing as posting it was impossible and I now know about attached files.
Hi
Hmm… no malicious autoruns; not much of interest in your DSS log either.
Let's backtrack a little. You said you started getting these autoruns after avast detected a rootkit. What was the detection? And what did you do?
Do you happen to have a CD in the drive when this happens?
Elaborate on this please:
"the rundll32.exe stays in the manager and switched from my drive "RKJ" to "System" then vanishes as the pop-up vanishes."
The image you posted is AutoPlay. Plus it looks like it is searching for a file.
There's a couple of tools that can be used to try to repair the AutoPlay function of CD drives, but that's for later.
Let's start with these questions so we can get a better feel for what you are seeing.
Did you use the Norton removal tool? There is one autorun pointing at what looks like a Norton install.
The last attachment, was it also the one you said was unpasteable? It's related to HP, perhaps a network driver.
I had the AutoPlay before avast upgraded, but as soon as the upgrade happened is when the rootkit was identified. I let avast go into boot mode? and delete it like it prompted me to.
I never leave CDs in my drives after I turn a comp off and always remove them when I'm not using them. At the time the rootkit was ID'ed there was no disc in my drive, b/c it was right when I had just turned the comp on and avast prompted me for a new upgrade.
I have never used Norton for any form of repair or maintenance. I have not had Norton since 3 months after I bought the laptop and was able to get on the internet, which was when I replaced it with avast.
The last attachment is the one that was too large to paste; Microsoft Works says that particular autoplay file is 86 pages long. With all the language changes and odd symbols that are not used in any of the other smaller autoplay files, I figured it was an obvious problem. I would have posted it sooner, but it's obviously too big for posting, and again this was before I knew about attachment files.
Your move mate.
Sorry for the questions, but I'm trying to get a feel for what is happening.
Is this random? Not related to startup, or opening a certain folder? I'm going to look at DSS again.
Be back
If I just let the comp idle after signing in, the AutoPlay will play, yes.
I've noticed that for about the first couple hours of operation it's really bad, but after that I won't see it again, and then if I turn off the comp and come back in a couple or so hours, it will play a couple times but never be as bad as it was the first time I started up that day.
Come night time and the restart after 8+ hours, it will be back to spazzing though.
Ask all the questions you want. I don't mind; I just want this gone.
All right, let's give this a whirl.
Grab a copy of Process Explorer, http://ask-leo.com/d-procexp, and perhaps even add it to your startup group so it also starts automatically when you log in. It has tools that will allow you to see what program is creating that window. Or, alternately, you can wait until the window goes away, and procexp will highlight for a few seconds the name of the program that just closed.
I don't know how to set it up to start up automatically.
So basically I'm waiting for the AutoPlay to show up and see what it says on this?