The folders/files on the installation disk are:
FOLDERS: DOCS, I386, SUPPORT, VALUEADD
FILES: AUTORUN.INF, README.HTM, SETUP.EXE, WIN51, WIN51IP
AND I KNOW THIS IS WRONG but I don't know what to do about it!!!
You know <what> is wrong? If you are referring to the content of the disc, it looks normal to me.
*When I start my computer, there are 36 processes running.*
Sounds normal to me.
I downloaded "OnlineArmor", but when I tried to run the setup I got a dialog box that said,
"The publisher could not be verified. Are you sure you want to
run this software?"
Name: OnlineArmorSetup.exe
Publisher: Unknown Publisher
Type: Application
From: C:\Documents and Settings\Dorothy\My Documents\Downloads
Run Cancel
(*When I click on the OnlineArmor file in my folder it says "Emsi Software GmbH"*)
This is normal; all programs downloaded from the internet will have a zone identifier, and when you try to run a program Windows looks for that identifier and, if present, will show the dialog. The reason the publisher field is empty (and technically there is no "verification" ever done anyway, so that dialog is misleading at best) is that the setup program doesn't have one; the program it runs probably does. Or, also possible, it's looking at another field.
Either way- this is not a concern.
SUPERAntiSpyware said "Set up failed"
"Error reading setup data"
*There are two files: SUPERAntiSpyware(1).exe and also SUPERAntiSpyware(1).exe.part*
It didn't finish downloading.
I next went to get the Essential Software Tools, but when I got them onto my computer and ready to install, I got the same "Unknown Publisher" message as above.
Every program you download from the internet is going to show you that dialog. (The reason the SAS setup didn't is that it didn't finish downloading, which is also why the .part file is still there and why it fails when it tries to run.)
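
As an added example (my code, not part of either post), this is how to see for yourself where the "publisher could not be verified" prompt comes from and who actually signed a downloaded installer. The path is the one quoted in the post; everything else is generic. It needs PowerShell 4 or later for Get-Content -Stream, Unblock-File and Get-FileHash; on the PowerShell 2 that ran on XP, the stream can be read with cmd /c more < "path\file.exe:Zone.Identifier" instead.

```powershell
# Added example (not from the thread): inspect a downloaded installer's
# mark-of-the-web and Authenticode signature. Path copied from the post.
$file = 'C:\Documents and Settings\Dorothy\My Documents\Downloads\OnlineArmorSetup.exe'

function Get-DownloadTrust([string]$Path) {
    # 1. The mark-of-the-web: an NTFS alternate data stream called Zone.Identifier
    #    written by the browser. ZoneId=3 means Internet; Attachment Manager shows
    #    the prompt for any such file whose signature it cannot validate.
    $zone   = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if ($zone) { ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', '' } else { $null }

    # 2. Authenticode. "Unknown Publisher" in the dialog means there is no valid
    #    signature on *this* file. A signed file reports Valid, and the dialog
    #    fills the Publisher field from the signer certificate's subject.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 3. The company name Explorer shows on the file's Properties page is the
    #    unsigned VERSIONINFO resource. Anyone can write "Emsi Software GmbH"
    #    there, so on its own it proves nothing about who built the binary.
    $ver = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        File               = $Path
        ZoneId             = $zoneId                        # 3 = Internet, 4 = Restricted sites
        SignatureStatus    = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer             = $sig.SignerCertificate.Subject
        VersionInfoCompany = $ver.CompanyName               # cosmetic only
        Sha256             = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Get-DownloadTrust $file | Format-List

# Only after the signature (or the SHA-256 against the value the vendor
# publishes) checks out, clear the mark so the prompt stops. This is exactly
# what the "Unblock" button on the file's Properties page does.
# Unblock-File -LiteralPath $file
```

The useful distinction for a reader of this thread: the Zone.Identifier stream is what causes the prompt, but it is the Authenticode check that decides whether the prompt says "Unknown Publisher" or shows a verified company name. A setup program whose vendor signs its releases should come back as Valid; if it does not, compare the hash with the vendor's download page before running it.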
[I'm starting with Registry Entries that I don't understand. Most of these showed up after I downloaded Microsoft Office Small Business 2007, which I have a valid product key for.]
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit
"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" /n /dde
*====> w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /n /dde <====*
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec
*====> [REM _DDE_Direct][FileOpen("%1")] <====*
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Application
*====> WinWord <====*
HKEY_CLASSES_ROOT\.htm\OpenWithList\WinWord.exe\shell\edit\ddeexec\Topic
*====> System <====*
w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 /e
w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /n /dde
w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 /e
w_1^VY!!!!!!!!!MKKSkPubPrimary>tW{~$4Q]c@?F@6kxaTO5 %1
and they're all followed by:
[REM _DDE_Direct][FileOpen("%1")]
w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q]c@jkO)AxaTO5 /NOSTARTUP "%1" %2 %3 %4 %5 %6 %7 %8 %9
[SetForeground][ShellOpenDatabase "%1"]
w_1^VY!!!!!!!!!MKKSkACCESSFiles>tW{~$4Q]c@jkO)AxaTO5 /RUNTIME "%1" %2 %3 %4 %5 %6 %7 %8 %9
*Then a few other odd-ball ones:*
(Default) C:\Program Files\Microsoft Office\Office12\REFEDIT.DLL
InprocServer32 w_1^VY!!!!!!!!!MKKSkProductNonBootFiles>Ulbm)HRGc?3.wd-@NBl$
(Default) C:\Program Files\Common Files\Microsoft Shared\INK\INKOBJ.DLL
InprocServer32 w_1^VY!!!!!!!!!MKKSkWISPHidden>+G9P$cp(j=d8+fTjNKNm
Threading Model Apartment
{168FA21B-D0BE-11D1-87C8-00AA00A71E2D},outlmime.dll
w_1^VY!!!!!!!!!MKKSkGimme_OnDemandData<OUTLOOKFiles
msosec,fileVersion="7.10.5077.0",version="7.0.5000.00",culture="neutral",publicKeyToken="B03F5F7F11D50A3A"
w_1^VY!!!!!!!!!MKKSkWhiteRabbitHidden>3w2x^IGfe?Cxl5heAvK.
These are internal values all used by MS Office 2003 and higher for things like DDE and OLE automation. I recall somebody else complaining about them because they looked funky, but they are normal and are present on all my machines that have Office 2003 or later installed; possibly even my ancient Pentium-1 machine (Office 2000), but I never checked.
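
An added note and example (mine, not part of either post): the strings beginning w_1^VY!!!!!!!!!MKKSk are Windows Installer "Darwin descriptors". Office's MSI setup writes them for advertised COM classes and shell verbs, as a REG_MULTI_SZ value named after the key (the InprocServer32 value shown above) or named "command" under a verb. The layout is a 20-character packed product code, the feature name, a ">" and a 20-character packed component code, then any command-line arguments; the packed fields are GUIDs encoded five symbols per 32-bit word in the 85-symbol alphabet Windows Installer uses, least significant symbol first. When such an entry is used, Windows Installer resolves the component to the installed file and repairs it on demand, which is why every entry carries the same product prefix. The decoder below reimplements that packing (the same thing the msi.dll MsiDecomposeDescriptor API does); run on the entries quoted above it yields the product code {91120000-0031-0000-0000-0000000FF1CE}, with the 0FF1CE suffix Office product codes end in, which you can then match against Microsoft's published Office 2007 product-code table.

```powershell
# Added example (not from the thread): decode Windows Installer Darwin descriptors.
# Alphabet and word layout are those of Windows Installer's packed GUIDs.
$MsiBase85 = '!$%&''()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~'

function ConvertFrom-MsiCompressedGuid([string]$Packed) {
    if ($Packed.Length -ne 20) { throw "packed GUID must be 20 characters: '$Packed'" }
    $bytes = New-Object byte[] 16
    for ($word = 0; $word -lt 4; $word++) {
        [uint64]$value  = 0
        [uint64]$weight = 1
        for ($i = 0; $i -lt 5; $i++) {
            $idx = $MsiBase85.IndexOf($Packed[$word * 5 + $i])
            if ($idx -lt 0) { throw "'$($Packed[$word * 5 + $i])' is not in the MSI base-85 alphabet" }
            $value  += [uint64]$idx * $weight
            $weight *= 85
        }
        # four little-endian 32-bit words, laid out exactly like a GUID struct in memory
        [BitConverter]::GetBytes([uint32]$value).CopyTo($bytes, $word * 4)
    }
    (New-Object Guid (,$bytes)).ToString('B').ToUpperInvariant()
}

function ConvertFrom-DarwinDescriptor([string]$Descriptor) {
    $product = ConvertFrom-MsiCompressedGuid $Descriptor.Substring(0, 20)
    $sep = $Descriptor.IndexOfAny([char[]]('>', '<'), 20)
    if ($sep -lt 0) { throw "no feature terminator in descriptor" }
    $feature = $Descriptor.Substring(20, $sep - 20)
    if ($Descriptor[$sep] -eq '>') {
        $component = ConvertFrom-MsiCompressedGuid $Descriptor.Substring($sep + 1, 20)
        $rest = $Descriptor.Substring($sep + 21)
    } else {
        # '<' form (the Outlook entry above): no component code follows; hand the rest back as-is
        $component = $null
        $rest = $Descriptor.Substring($sep + 1)
    }
    [pscustomobject]@{
        ProductCode   = $product
        Feature       = $feature
        ComponentCode = $component
        Arguments     = $rest.TrimStart()
    }
}

# Descriptors copied from the post
@(
    'w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /n /dde',
    'w_1^VY!!!!!!!!!MKKSkEXCELFiles>tW{~$4Q]c@II=l2xaTO5 /e',
    'w_1^VY!!!!!!!!!MKKSkProductNonBootFiles>Ulbm)HRGc?3.wd-@NBl$',
    'w_1^VY!!!!!!!!!MKKSkGimme_OnDemandData<OUTLOOKFiles'
) | ForEach-Object { ConvertFrom-DarwinDescriptor $_ } | Format-Table -AutoSize

# Cross-check that the product code belongs to an installed MSI product: every MSI
# product registers an Uninstall key named by its product code (32-bit products on
# 64-bit Windows sit under SOFTWARE\Wow6432Node\... instead).
$d = ConvertFrom-DarwinDescriptor 'w_1^VY!!!!!!!!!MKKSkWORDFiles>tW{~$4Q]c@5d1`,xaTO5 /n /dde'
Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$($d.ProductCode)"
```

The practical check is the last line: a descriptor whose product code does not correspond to any installed product, or whose component resolves to a file outside the product's install directory, is worth looking at; one that decodes to the Office product you installed is the normal self-repair plumbing.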
CD Recorder Drive \\?\Volume{2a801e90-92aa-11e0-b458-806d6172696f}\
This is normal as well. It states the Unicode ARC path to your CD-Burner for the burning facility of windows.
HKCU\Software\Microsoft\Windows\Explorer\User Assist (Two Folders--samples follow):
{5E6AB780-7743-11CF-A12B-00AA004AE837}
Count HRZR_HVGBBYONE (string of numbers)
{75048700-EF1F-11D0-9888-006097DEACF9}
Count HRZR_EHACNGU
HRZR_EHACNGU:P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr
HRZR_EHACNGU:P:\Cebtenz Svyrf\Urjyrgg-Cnpxneq\UC Qrfxwrg 9800 Frevrf\Gbbyobk\UCJDGOK.rkr
I cannot state with any certainty what these are, but unless they are referring to present files (on a P drive...) they don't do anything at all. Another question might be, how, in either case, you feel these are suspicious? Because you don't know why they are there? My guess would be they are used for Remote Assistance information. Again, all the computers running windows I have access to have these entries. This includes the Virtual Machines, which I've only used for testing my own applications and have never had access to the Internet.
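
An added example (mine, not part of either post) for the UserAssist entries quoted above. The value names under the UserAssist\{GUID}\Count keys are ROT13-obfuscated: HRZR_HVGBBYONE is UEME_UITOOLBAR, HRZR_EHACNGU is UEME_RUNPATH, and P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr is C:\Program Files\Safer Networking\FileAlyzer 2\FileAlyzer2.exe, i.e. a record that FileAlyzer was launched. The two GUID subkeys are the XP buckets: {5E6AB780-7743-11CF-A12B-00AA004AE837} for toolbar buttons and {75048700-EF1F-11D0-9888-006097DEACF9} for programs started through Explorer. The binary data holds a run counter and a last-run FILETIME, which is why this key is a standard stop in incident response: it lists what a user actually ran. The code assumes the real key path, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, and the documented 16-byte (XP) and 72-byte (Vista and later) value layouts.

```powershell
# Added example (not from the thread): decode UserAssist value names and data.
function ConvertFrom-Rot13([string]$Text) {
    $out = New-Object System.Text.StringBuilder
    foreach ($c in $Text.ToCharArray()) {
        if     ($c -cmatch '[A-Ma-m]') { [void]$out.Append([char]([int]$c + 13)) }
        elseif ($c -cmatch '[N-Zn-z]') { [void]$out.Append([char]([int]$c - 13)) }
        else                           { [void]$out.Append($c) }
    }
    $out.ToString()
}

# The two names copied from the post
@(
    'HRZR_HVGBBYONE',
    'HRZR_EHACNGU:P:\Cebtenz Svyrf\Fnsre Argjbexvat\SvyrNylmre 2\SvyrNylmre2.rkr'
) | ForEach-Object { ConvertFrom-Rot13 $_ }

function Get-UserAssist {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($bucket in Get-ChildItem -Path $root) {
        $countKey = Get-Item -Path (Join-Path $bucket.PSPath 'Count') -ErrorAction SilentlyContinue
        if (-not $countKey) { continue }
        foreach ($name in $countKey.GetValueNames()) {
            $data = $countKey.GetValue($name)
            $runs = $null; $last = $null; $ft = 0
            if ($data -is [byte[]]) {
                switch ($data.Length) {
                    16 { # XP/2003: session id, count (starts at 5), FILETIME
                        $runs = [BitConverter]::ToInt32($data, 4) - 5
                        $ft   = [BitConverter]::ToInt64($data, 8)
                    }
                    72 { # Vista and later: count at +4, FILETIME at +60
                        $runs = [BitConverter]::ToInt32($data, 4)
                        $ft   = [BitConverter]::ToInt64($data, 60)
                    }
                }
                if ($ft -gt 0) { $last = [DateTime]::FromFileTime($ft) }
            }
            [pscustomobject]@{
                Bucket  = $bucket.PSChildName
                Name    = ConvertFrom-Rot13 $name
                Runs    = $runs
                LastRun = $last
            }
        }
    }
}

# Most recent launches first; anything here you do not recognise deserves a look.
Get-UserAssist | Where-Object { $_.LastRun } | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Read this the way a responder would: the entries are not instructions to run anything, they are a history of what was run. The question to ask of each decoded path is simply whether you remember launching it.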
There are many, many of these: {00000000-0000-0000-0000-00000000000}
Empty/null CLSIDs are not surprising. They aren't valid, so they are probably being used to denote that there is nothing there or that the entry is a sentinel.
HKEY_USERS are:
.DEFAULT
S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-1801674531-220523388-725345543-1003
SPECIALACCOUNTS
UserList
HelpAssistant
IUSR_
IWAM_
NetShowServices
SQLAgentCmdExec
TsInternetUser
VUSR_
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
ProductSuite
ProductType WinNT
Those are all normal.
*Whenever I'm moving from one site to another the address bar says "about:blank"*
Also normal. I'm trying to figure out how that could even be construed as malicious activity.
*Whenever I try to open the sidebar in the Network Connection folders, I just get the
directory of stuff on the computer. There are no options available for the connections. If
I click on "Advanced" and "Optional Network Components" I get a dialog box that says:*
"Windows XP Setup"
Invalid program arguments were specified:
/i:<master_oc_inf>-(required) Specifies the name of the master.inf.
The installation source path is taken from here.
/u:<unattend_spec>-Specifies unattended operation parameters.
/r -Suppress reboot (when reboot is necessary).
/z -Indicates that args that follow are not OC args
and should be passed to components
/n -Forces the specified master inf to be treated as new.
/f -Indicates that all component installation states
should be initialized as if their installers had
never been run.
/c -Disallow cancel during final installation phase.
/x -Suppresses the 'initializing' banner.
/q -for use with /u. Runs the unattended installation
without UI.
/w -for use with /u. Runs If a reboot is required, prompt
the user instead of automatically rebooting.
/l -Multi-Language aware installation
and an "OK" button
This is interesting in that it is a common issue with pirated copies of Windows XP...
In CONTROL PANEL\SYSTEM\HARDWARE\DEVICEMANAGER\DISK DRIVES the properties lists my WDC WD5000AADS-0059B0 as Volume C: with a capacity of 131060 MB {{Sharing Tab: Share this folder. Share name: C$. Comment: Default share. User Limit: Maximum Allowed
Administrative shares. You can delete them at the command prompt using net share C$ /delete, but they are recreated on reboot. Before anybody can access the shares they need to be able to access the appropriate RPC ports (which are usually masked by a router) as well as have a valid account on the machine; all the accounts listed are part of the default setup from installing windows.
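
An added example (mine, not from the thread) that turns the point above into something you can check and, if you want, make stick. The C$ share is recreated by the Server service at every start unless the LanmanServer parameter AutoShareWks (workstation SKUs such as XP Professional) or AutoShareServer (server SKUs) is set to 0; net share C$ /delete alone only lasts until the next reboot. Reaching the share from outside requires SMB on TCP 445 or NetBIOS session on TCP 139 to be exposed, plus a valid account, so the audit below also reports those listeners. The registry path and value names are the real ones; the output parsing assumes the English net share and netstat formats.

```powershell
# Added example (not from the thread): audit and optionally disable default admin shares.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShareState {
    $p = Get-ItemProperty -Path $LanmanParams
    [pscustomobject]@{
        # Missing value = enabled (the default). 0 = do not recreate C$, D$, ADMIN$ on service start.
        AutoShareWks    = $p.AutoShareWks
        AutoShareServer = $p.AutoShareServer
        # Share names ending in $ are hidden from browsing but not from anyone who knows the name.
        AdminShares     = @((net share) -match '^\S+\$\s' | ForEach-Object { ($_ -split '\s+')[0] })
        # SMB listeners bound to all interfaces; a router/NAT in front is not a substitute for blocking these.
        SmbListeners    = @((netstat -an) -match ':(445|139)\s+0\.0\.0\.0:0\s+LISTENING')
    }
}

function Disable-AdminShares {
    # Stop the Server service from recreating the shares ...
    Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord
    Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord
    # ... and remove the current ones (IPC$ stays; it is not controlled by AutoShare*).
    foreach ($s in 'C$', 'ADMIN$') { net share $s /delete 2>$null }
}

Get-AdminShareState | Format-List
# Disable-AdminShares   # run as Administrator; breaks remote admin tools that depend on ADMIN$
```

Note the trade-off in the last comment: remote management (psexec-style tools, remote event log access, some backup agents) relies on ADMIN$, so on a home machine behind a firewall the shares are usually left alone and the exposed ports are blocked instead.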
I have: Volume (C:) | Partition Basic | File System NTFS | Status Healthy (System) |
Capacity 127.99 GB | Free Space 110.43 GB |88% Free | No Fault Tolerance | 0% Overhead
In the space below it shows Disk 0; Basic; 465.76 GB; Online
(C:) 127.99 GB NTFS Healthy (System) and then 337.77 GB Unallocated
I tried extend through DiskPart, but I got the message:
DiskPart failed to extend this volume.
Please make sure the volume is valid for extending.
The default size used by Windows XP to create a system partition is ~128GB or so. Also, without service packs XP setup can only see 128GB or so as well. diskpart can only extend data volumes, not system or boot volumes, as detailed here.
I really hope you can help.
Help with what? Trying to validate what appears to be paranoia? Everything you've detailed seems completely normal, and unless you feel this exact same hacker has taken over every single one of my PCs (including those which have never been connected to the internet, which would be quite a feat if you ask me), it has absolutely no basis in reality. Just because you don't know what a registry key or dll file or something does or is for doesn't automatically mean it's malicious.