TechSpot

HJT curious signature

By Dayus
Jul 22, 2012
Post New Reply
  1. Just a quick question regarding this piece of software (HiJackThis). What does this signature mean:
    " 04 - Startup: cardisabled "
    I've been using HJT for a few years now, but I've never seen a entry with such a limited description. I can tell it's a clearly a startup entity, but that's about it.

    Thanks.
     
  2. Cobalt006

    Cobalt006 TS Maniac Posts: 1,855   +184

    Have you disable a video card or network card lately to replace them? I have only seen this once when I disable my on board video. To replace it with a new card. Other then that I have no ideal. Hopefully someone else here will know something.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Interesting search on this one! Google kept insisting I wanted to search for "car disabled"!

    Here's what I found finally getting "cardisabled" to stick: It seems to be some kind of>
    Website Health Widget
    Title: FastCursor!>> entries related to this
    Description: tech news and more
    Primary Country: India
    IP-address: 199.85.212.15
    http://www.webstatsdomain.com/domains/www.fastcursor.com/

    Most of the sites with this term are not English speaking. This is red flag right up front. I did find these processes setup for removal in an OTL log:

    ----------------------------------
    Please note: the above is for information only- not action.
    The bottom line is that you have a process running from or by something unidentifiable. (your system is the only one on the internet to have this as an 04 Startup entry.)
    The entries are comparable to the HijackThis log.

    HijackThis alone is not enough to screen for malware. Consider starting a thread in the Virus and Malware Forum: If you decide to do that, please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ------------------------------------------
    Doing the above will save you time and have the information available for the helpers to assist you.
     
  4. Dayus

    Dayus TS Member Topic Starter Posts: 31

    Thank you for the replys. I managed to workout were and what cardisabled was (kind of). For anyone that has a slimier issue, It seems like it was created by Comodo Cleaning Essentials free scanner, if you exit a scan and don't allow a system reboot to continue to the boot/logon section of the scanning phase. I think the reason why the entry in HJT was so limited may have been because the cardisabled folder was a hidden file. Although I always thought that HJT showed the full path of any entry regardless of file type ?

    The cardisabled folder was created in (Windows 7) C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, was hidden + readonly, and was 0kb in size, with 0 entities inside.

    I couldn't replicate the creation of the cardisabled folder after deleting it, by doing another CCE sacn and then aborting. However I believe that CCE was probably the creator of the original file, as when I first checked the file properties of the cardisabled folder and looked at the previous versions tab, it had 2 previous versions showing. Then I went and did another CCE scan, but aborted before the reboot scan, then went back and checked the previous versions for the cardisabled folder again, and saw that another previous version had been added. Then I did the same thing again (CCE scan + abort before reboot scan) and sure enough when I checked the previous versions of the cardisabled folder again, yet another previous version had been added to the list. So most likely the cardisabled folder is a bug/byproduct of aborting a CCE boot/logon scan. Although I can't work out why I can't replicate this bug/byproduct again, after deleting the originla cardisabled folder. Maybe it was just a one off random bug. Anyway hope this helps anyone that comes across a similar issue.

    Dayus.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If this process is from Comodo, they sure don't give out any info about it! I put CCE+cardisabled in Google and the only thing I could come up with that sounds related was:
    I read this to mean there is an option in CCE to 'disable the card.' But to try and identify 'cardisabled' like this, you have to link it with Comodo in the search. The only setting I see is:
    IF you choose a setting that saves logs, they are here:
    Logs are saved in the folder <Folder containing CCE files>\Data\CCE\Logs:

    The only reference I see in reference to hidden entries is:
    So 'hidden entries' is user invoked.
    Source: http://help.comodo.com/topic-119-1-328-3616-The-Main-Interface.html

    I'd be tempted to email Comodo support and see if they will verify this process as theirs.
     
  6. Dayus

    Dayus TS Member Topic Starter Posts: 31

    My God! I think we've cracked it! I managed to reproduce the creation of the cardisabled entity. It wasn't due to the CCE scanner as I first thought, but was in fact down to the Autoruns tool.

    So heres the gist of it. If you fire up autoruns with "hide safe entries" already enabled > wait for it to finish analyzing > then go to view > un-check hide safe entries (making safe entries now visible) > then select an entry > then disable it > then re-enable it > then go to view again > click hide safe entries > then exit autoruns.

    You will now have created your very own cardisabled file, in the same folder location as whatever entry you disabled then re-enabled in autoruns. The creation of this cardisabled file seems to be a byproduct of conducting the exact series of events outlined above. Why does this happen ? I have no idea. Whether the creation of a hidden duplicate file called cardisabled, of an entry you disabled then re-enabled in autoruns is intended by comodo, I don't know.

    The fact is that although the CCE package is very powerful, considering it's free. It's one of those products that with one stray click, that you don't notice, you can easily mess up your system. A good example of this would be Autoruns itself.

    Here's the scenario, you fire up autoruns with hide safe entries already enabled. This means that now as soon as the program opens, it begins the process of analyzing all the entires it finds and removing them from view if it determines them to be safe. However during this process of analyzing and hiding safe entires, you can actually still select any entry in the list before it has been analyzed fully. This means that you can quite easily, with a single accidental click, disable an entry in the list before it's analyzed, then when it's analyzed, if it's found to be safe, it's removed from view.. and bam! You've just disabled what could be a vital auto executed part of windows or your drivers. That you can now no longer see in the list, because it's been hidden from view, because it was determined to be safe.

    Now if that doesn't sound like a big deal, consider how short a time frame all that can happen in. And also consider that the average user probably isn't going to notice that their single stray click has just disabled some random vital dll or exe, that the system actually needs in order to run properly.

    This however could be easily remedied by just adding a confirmation of disable entry prompt every on un-checking an entry, or better still, just make all the check boxes grayed out. So you can still see what entries are enabled, but if you want to disable one, you have to right-click and choose disable entry in a context menu.

    Anyway, the thanks goes to you bobbye, on this one. Your comment: "So 'hidden entries is user invoked." is what gave me the spark of an idea that autoruns + hide safe entries, might be connected in some way to the cardisabled file creation.

    p.s. Comodo - I charge $50 an hour for product quality testing... and I've spent the better part of over 4 hours on this one, so by that estimate, that'll be $200 please :D I accept cash, direct wire or cheques :D Oh yea, and bobbye gave up some of his time in order to do some valuable research. So I think he should be paid too :D :D And one last thing, what the heck does cardisabled even mean ??

    Dayus.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's call it even!!!

    And in answer to your last question> "what the heck does cardisabled even mean??"> My point exactly> legitimate processes can be identified, even if it takes a few different search combinations. You and I have done quite a few and the process is still mystery.

    Maybe I worked in the malware forum too long, but 'mysteries' are always suspicious!
     
  8. Dayus

    Dayus TS Member Topic Starter Posts: 31

    Indeed, a mystery it sure is. I can only assume that cardisabled, and I'm guessing here, could mean Comodo Auto Run Disabled, and the fact that a duplicate of the disabled entry is left behind in the same location, is a just a bug.

    Either way, I found it kind of funny that a tool desgined to help diagnose malware infections, actually creates a file that in itself is highly similar to something that malware would create. Even weirder still, is why using the CCE scanner & aborting before the boot scan, causes previous versions of the cardisabled file to be loged, when it was the autoruns tool that created it in the first pace. Thus is the nature of using pcs today. "Ignorance is bliss, but unsafe - but safety is a pain & hard work" :D

    Anyway, the CCE package is still a nifty little tool set to have, and it's FREE! Also the KillSwitch app has a nice little feature were it logs newly started services, whether they are safe or not. So if you want you can just leave it on in the background and it will notify you with a taskbar popup that a service started. Also you can hide safe processes in it's system processes tab, making it easier ot quickly spot suspicious processes.

    Dayus.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    "Autorun Analyzer - An advanced utility to view and handle services and programs that ...... Disable - If you select this option, CCE will not create any log files."

    If you want to count the process as from this, go ahead. I try not to assume anything when it comes to the internet.

    As for the KillSwitch app running in the background, I would not advise that for most users. I spent years 'unhiding' processes and trying to identify processes. I have always erred on the side of caution.
     
  10. Dayus

    Dayus TS Member Topic Starter Posts: 31

    "I have always erred on the side of caution" - sound advice. Also I should have mentioned that the cardisabled was a folder and not a process.

    Also out of interest, boboye what security solution(s) do you use ? I was reading a few reviews and kaspersky. seems to be abit more preferred than norton now.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I had one year of a pre-loaded 'suite' on a PC years ago. I got rid of it and went to all stand alone security programs- I prefer them over ALL the suites!

    Currently, I use the paid Eset Nod32 antivirus, Windows Firewall+router with hardware firewall, Spybot Search & Destroy, Spywareblaster, Cookies are reset not to accept 3rd party Cookies. It's important that any user accept that they are the first line of security. So no matter what programs are used, practicing 'safe surfing' is always recommended.
     
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.