PNSetupMgr

system · 2007-04-23T17:20:58.000Z

Hello,
Yesterday, when I was shutting down my computer, I got an end task window for a program called Wnd for PNSetupMgr. I was curious as to what this was so I turned my computer back on and did a google search for it. From what I can find with google, it appears to be related to pop not, a supposed anti-popup program which is possibly spyware or viral. I scanned my computer with avast, ad-aware, spybot, AVG antispyware, Windows Defender, and Norton’s online virus scanner and nothing has detected any spyware or viruses. I checked add/remove programs, nothing unusual there. I searched for pop not files and PnSetupMgr on my computer using the search feature, again nothing found. I also used task manager to find any processes by that name, nothing found. Anybody have any idea what this could be? I’m very security minded, and haven’t downloaded or installed anything remotely close to being related to this pop not program, so I really have no idea why my computer was trying to end a program by that name. I haven’t received that end program message again and I have shut down my computer 2-3 times since first receiving the message yesterday. Thanks in advance.

DavidR · 2007-04-23T18:19:14.000Z

It is more likely that it is a browser add-on, what is your browser ?

Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip HJT has now been sold to Trend Micro inc. but the 1.99.1 version should still be available here or at one of the download sites. - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

system · 2007-04-23T23:57:42.000Z

DavidR,
Thank you for your reply. I use Internet Explorer 7 and Firefox as my browsers. Both have McAfee Site Advisor installed and Firefox has Ad Blocker Plus installed. I did a Hijack This scan and here are the results:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\DOCUME~1\SfaraB\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

system · 2007-04-23T23:58:19.000Z

DavidR · 2007-04-24T00:22:01.000Z

First I suggest you read one of the tutorials as I’m sure it mentions you should create a folder for HJT and not install in a temporary location (which can be cleaned) as any back-ups for any changes made would also be lost meaning no effective back-up.

Once you have done that, run HTJ again and leave the header information in as this tells us a little about your system.

Then look at this link http://forums.spywareinfo.com/index.php?showtopic=81427# one of the more obvious ones.

system · 2007-04-24T01:13:19.000Z

Castle Cops has that one as a legitimate process

http://www.castlecops.com/o20-all.html

http://img260.imageshack.us/img260/4115/wxvaultuw6.png

DavidR · 2007-04-24T12:55:12.000Z

Strange I found that list but never saw the entry you posted the image for, but there were several other hits that were basically the same as the spywareinfo.com one. So WarHorseXJ would have to confirm if he ever installed or is aware of the Embassy Trust Suite.

He could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner this would at least confirm one way or another.

system · 2007-04-24T16:22:25.000Z

Not related to PNSetupMgr but you might want to get rid of this

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll

http://billpstudios.blogspot.com/2006/09/gateway-advertising-adult-sex.html

system · 2007-04-24T19:21:20.000Z

DavidR,
In response to the Embassy Trust Suite, I did not install it on my computer. It came preloaded with the laptop when I bought it last summer. It’s a Dell Latitude D620. I am a bit confused. Are you saying that O20 - AppInit_DLLs: wxvault.dll caused the PNSetupMgr window I received? Also, I moved the HiJackThis.exe file to a Program Files folder I created for it. Is this correct? I ran the scan again and here it is:

system · 2007-04-24T19:22:20.000Z

Logfile of HijackThis v1.99.1
Scan saved at 3:21:30 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\Labtec\LABTEC~1\Keyboard.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

system · 2007-04-24T19:22:48.000Z

DavidR · 2007-04-24T20:27:26.000Z

WarHorseXJ post:9:

DavidR,
In response to the Embassy Trust Suite, I did not install it on my computer. It came preloaded with the laptop when I bought it last summer. It’s a Dell Latitude D620. I am a bit confused. Are you saying that O20 - AppInit_DLLs: wxvault.dll caused the PNSetupMgr window I received? Also, I moved the HiJackThis.exe file to a Program Files folder I created for it. Is this correct? I ran the scan again and here it is:

If as you say it is a known installation of Embassy Trust Suite then no problem, if however you didn’t know about it then it could be very suspicious. I wasn’t saying the it was responsible for the PNSetupMgr window, just that it was suspicious and needed checked, which you have.

It doesn’t matter where you create the folder for HJT, so long as it isn’t in a temporary folder. When you ‘fix’ items HJT will make a back-up of these fixes so they can be restored if required. If HJT was in a temporary folder it could be possible that these would be deleted leaving you no recovery options.

I have to go off-line for a while I will try to get back on the HJT log, or you could one of the On-line analysis sites - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2.

Don’t take anything at face value look at any nasty, possibly nasty and unknown entries and google the file names associated with them and see if there is any information on it.

Announcements