Old 22nd August 2007, 11:31   #1
rahul_intlad
Senior - BHPian
Join Date: Aug 2006
Location: Pune
Posts: 1,579
Thanked: 4 Times
Help - Unknown File on desktop

I have tried all possible options to find help but have not found an answer so far, so finally I am posting this query on Team-BHP.

I have been using ZoneAlarm Security Suite as my firewall all along but was not happy with it hogging my system resources, and boot time was very high. I have 256 MB RAM and am running Windows XP Home Edition. So after hearing about Comodo Firewall I have shifted to Comodo recently. I am using NOD32 antivirus.

Now after shifting to the new firewall I am very happy with its performance and other things, but I find a file is present on my desktop which, even after deleting it, comes back when I surf the internet.

Details of the file:
Type of file -> Windows Script Host Settings File
Description [file name] -> HEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Location -> C:\Documents and Settings\Username\Desktop
Size -> 895 bytes

I don't know what this file is; is it malware? Here is my HJT log if it helps.

Quote:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:21:49 AM, on 8/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Wordflash\Wordflash\Wordflash2.5.exe
C:\Documents and Settings\username\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...es/ext360.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/in/securityadvisor...n/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1143404408410
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/in/securityadvisor...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload-v5.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{82E76076-B219-425A-A80B-0F0433A8515C}: NameServer = 59.144.127.16,59.144.127.17
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O18 - Protocol: vfsp - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - F:\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - F:\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6637 bytes
Any suggestions?

Last edited by rahul_intlad : 22nd August 2007 at 11:41.
Old 22nd August 2007, 13:38   #2
HKP
BHPian
Join Date: Jan 2007
Location: Hyderabad
Posts: 135
Thanked: 56 Times

Quote:
Description [file name] -> HEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
I couldn't get the filename correctly. What's that?

Also, try keeping HijackThis in some other location and then try again.


//hkp
Old 22nd August 2007, 20:20   #3
DriverR
BHPian
Join Date: Mar 2007
Location: Hyderabad
Posts: 414
Thanked: 526 Times

You can try deleting the Comodo firewall, then delete the file and see if it returns once you surf the net.
Normally, such recurring, non-deletable files are either part of some anti-virus/firewall software or (more likely) an adware or trojan file. I suggest you use an adware removal tool like Ad-Aware or Spybot. I also do another trick: I go to the Trend Micro online virus scan, as it has helped me many times in detecting and deleting trojans/viruses that Norton and McAfee did not detect. I personally find Kaspersky very effective, and it has been my resident AV, which has kept me safe ever since I installed it.

Lastly, just one piece of advice... please upgrade your RAM!!! I salute your patience for running XP with just 256 MB RAM!!! I would have torn my hair out by now with the slow processing speeds! Seriously, with just 256 MB RAM, XP eats into the hard disk space for cache memory once it uses up the RAM.
Old 22nd August 2007, 21:07   #4
filcord
BHPian
Join Date: Mar 2005
Location: goa
Posts: 996
Thanked: 67 Times

Sounds like a trojan.
Download Avast antivirus, free for 60 days; it has a search-and-destroy at boot-up which I found very effective.
Old 22nd August 2007, 21:22   #5
kamy450
BHPian
Join Date: May 2007
Location: Bangalore
Posts: 244
Thanked: 0 Times

It is malware belonging to the Ninja virus family, very little known and not harmful in nature; use AVG Free antivirus to remove it. AVG you should keep if you are looking for a free AV.
Old 23rd August 2007, 13:03   #6
rahul_intlad
Senior - BHPian
Join Date: Aug 2006
Location: Pune
Posts: 1,579
Thanked: 4 Times

Thank you guys for your help.

Tried scanning with AVG but it too did not detect anything; I have submitted the file to Microsoft for analysis and am awaiting their response.

In the initial analysis by Microsoft they have not been able to detect what it is, so they will analyse it further; for the time being I have disabled the Windows Scripting Host [VBE and VBS].

Quote:
I couldn't get the filename correctly. What's that?
Neither did I understand the file name, but it just says that.

Last edited by rahul_intlad : 23rd August 2007 at 13:04.
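As an added example (not from any poster in this thread), a PowerShell check of the two things discussed above: the Windows Script Host enable/disable state that the poster toggled, and the contents of a .wsh settings file like the one on the desktop. The file name `UNKNOWN.wsh` is a placeholder, since the real name was not readable in the thread; the parser assumes the INI-style layout that .wsh files use ([ScriptFile] Path=..., [Options] ...).

```powershell
# Added example: report Windows Script Host (WSH) state and inspect a .wsh settings file.
# WSH is disabled when the REG_DWORD "Enabled" under the Settings key is 0; a missing value means enabled.
function Get-WshState {
    $results = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $results += [pscustomobject]@{
            Hive  = $hive
            State = if ($null -eq $enabled) { 'default (enabled)' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
    $results
}

# A .wsh file is INI-style text: a [ScriptFile] section with Path=, and an [Options] section
# (Timeout, DisplayLogo, ...). Returns a hashtable of section -> hashtable of key -> value.
function Read-WshSettingsFile {
    param([Parameter(Mandatory)][string]$Path)
    $sections = @{}
    $current = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }              # skip blanks and comments
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -ne '' -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $sections
}

Get-WshState | Format-Table -AutoSize

# Placeholder path for the unknown desktop file (constructed; not the poster's actual file name).
$suspect = Join-Path ([Environment]::GetFolderPath('Desktop')) 'UNKNOWN.wsh'
if (Test-Path -LiteralPath $suspect) {
    $ini = Read-WshSettingsFile -Path $suspect
    $script = if ($ini.ContainsKey('ScriptFile')) { $ini['ScriptFile']['Path'] }
    "Script referenced by the .wsh file: $script"
    if ($script) { "Referenced script exists on disk: $(Test-Path -LiteralPath $script)" }
    # Sections other than ScriptFile/Options are not part of a normal WSH settings file; flag them for review.
    $ini.Keys | Where-Object { $_ -notin 'ScriptFile', 'Options' } | ForEach-Object { "Unexpected section: [$_]" }
}
```

Disabling WSH via the Enabled value only stops wscript/cscript from running scripts; the file association list and the script the .wsh file points at are what tell you whether the file is benign or not.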