TechSpot

Unknown File on desktop

By rahul_intlad
Aug 21, 2007
  1. Hi, my first post on this forum. I am sorry if I make a mistake here; I will try to acquaint myself with the forum slowly.

    I have been using ZoneAlarm Security Suite as my firewall all along but was not happy with it hogging my system resources, and boot time was very high. I have 256MB RAM and am running Windows XP Home Edition. So after reading about Comodo firewall here, I have shifted to Comodo recently. I am using NOD 32 antivirus.

    Now, after shifting to the firewall, I am very happy with its performance and other things, but after shifting I now find a file present on my desktop which, even after deleting, comes back when I surf the internet.

    Details of the file:
    Type of file-> Windows Script Host Settings File
    Description-> HEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    Location->C:\Documents and Settings\Username\Desktop
    Size->895 bytes

    I don't know what file this is; is it malware? Here is my HJT log if it helps.

    Could you guys please help.
     
  2. rahul_intlad

    rahul_intlad TS Rookie Topic Starter

    Force opened the file with an editor [Notepad] and this is what it reads:
    *****************************************************

    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::~CMyPostMix()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::InitPlugin()
    Entered: CMyPostMix::playerCreated()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::~CMyPostMix()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::InitPlugin()
    Entered: CMyPostMix::playerCreated()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::~CMyPostMix()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::InitPlugin()
    Entered: CMyPostMix::playerCreated()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::~CMyPostMix()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::InitPlugin()
    Entered: CMyPostMix::playerCreated()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::~CMyPostMix()
    Entered: CMyPostMix::CMyPostMix()
    Entered: CMyPostMix::InitPlugin()
    Entered: CMyPostMix::playerCreated()
    ********************************************************
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    See HERE for instructions on how to disable the Windows Scripting Host.

    Then, delete the file on your desktop.

    Can you tell me what this programme is?

    C:\Program Files\Wordflash\Wordflash\Wordflash2.5.exe

    Regards Howard :wave: :wave:
     
  4. rahul_intlad

    rahul_intlad TS Rookie Topic Starter

    As shown in the link, if I delete only VBS it does not make any difference; should I remove VBE as well?

    It is a GRE tutorial; I was running it while I did the HJT. It helps in learning new words [English].
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, try removing VBE as well and see if that helps.

    Regards Howard :)
     
  6. rahul_intlad

    rahul_intlad TS Rookie Topic Starter

    Thanks Howard, that seems to have solved the problem. I will post if the problem comes up again; for the moment I have deleted the file and it has not reappeared on reconnecting to the internet.

    However, are there any repercussions of deleting VBE and VBS that I need to be concerned/worried about?
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    As far as I'm aware, there won't be any problems. In fact it's quite a good idea to disable the Windows Scripting Host as it is often used to infect systems.

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
    O18 - Protocol: vfsp - (no CLSID) - (no file)

    Click on the fix checked button.

    Close HJT.

    Regards Howard :)
     
  8. rahul_intlad

    rahul_intlad TS Rookie Topic Starter

    Howard, just to update the thread: the file did come back to my desktop, the only difference being that now it was a Windows unrecognized file.

    I did a HJT again and this time I fixed:


    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ehicles/2008/corolla/key_features/ext360.html

    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/in/securityadvisor/pestscan/pestscan.cab

    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/in/securityadvisor/virusinfo/webscan.cab

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload-v5.streamload.com/Upload/XUpload.ocx

    So far the file has not come back again. I really feel this has to do with live365.com because I remember this problem started a while after I blocked live365 in my Internet Explorer.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks for the update.

    Hopefully, that'll be an end to your problems.

    Regards Howard :)

    This thread is for the use of rahul_intlad only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
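
The O16 (downloaded ActiveX controls) and O18 (protocol handler) entries fixed in this thread can be reviewed in bulk rather than by eye. The following is an added example, not part of the original thread and not HijackThis code: a small Python parser that assumes the line layout seen in the entries quoted above and notes controls installed over plain HTTP and protocol handlers with no CLSID or no backing file. The function name `review_hjt` is hypothetical.

```python
import re
from urllib.parse import urlparse

# Entries copied from the HijackThis output quoted in this thread
# (the third URL is truncated in the thread itself and is left that way).
SAMPLE_LOG = """\
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://upload-v5.streamload.com/Upload/XUpload.ocx
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ehicles/2008/corolla/key_features/ext360.html
O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - (no file)
O18 - Protocol: vfsp - (no CLSID) - (no file)
"""

# Assumed layout: "O16 - DPF: <id> (<name>) - <codebase URL>"; the name is optional.
O16 = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<name>.*)\))? - (?P<url>\S+)$")
# Assumed layout: "O18 - Protocol: <name> - <CLSID or (no CLSID)> - <file or (no file)>"
O18 = re.compile(r"^O18 - Protocol: (?P<proto>\S+) - "
                 r"(?P<clsid>\{[0-9A-Fa-f-]+\}|\(no CLSID\)) - (?P<file>.+)$")

def review_hjt(text):
    """Return one dict per O16/O18 line, with review notes attached."""
    results = []
    for raw in text.splitlines():
        line, notes = raw.strip(), []
        if m := O16.match(line):
            url = urlparse(m["url"])
            if url.scheme == "http":
                notes.append("installer fetched over plain HTTP")
            results.append({"section": "O16", "id": m["id"], "name": m["name"],
                            "host": url.hostname, "notes": notes})
        elif m := O18.match(line):
            if m["clsid"] == "(no CLSID)":
                notes.append("handler has no CLSID")
            if m["file"] == "(no file)":
                notes.append("handler file is missing (orphaned entry)")
            results.append({"section": "O18", "id": m["clsid"], "name": m["proto"],
                            "host": None, "notes": notes})
    return results

if __name__ == "__main__":
    for entry in review_hjt(SAMPLE_LOG):
        print(entry["section"], entry["name"], entry["host"] or "-",
              "; ".join(entry["notes"]) or "no notes")
```
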
