Chris
regular
Reg'd: Thu
Posts: 684
Loc: Kent and the Pas-de-Calais
Hi, a friend of mine says that his computer has started to run very slowly and that something is changing all his Internet Explorer settings. He says that his antivirus program has identified a virus called MS.EXE but can't get rid of it. Please would a HijackThis expert have a look at his HijackThis log? In my own HijackThis log I have the same reference to "AcroIEHlprObj.....etc.". What is this for and is it necessary? I rarely use Acrobat Reader and wondered if that entry is using up memory that could be freed.

Logfile of HijackThis v1.99.0
Scan saved at 21:58:44, on 14/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
d:\Program Files\ewido\security suite\ewidoctrl.exe
d:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\progra~1\softwin\bitdef~1\bdswitch.exe
D:\progra~1\softwin\bitdef~1\bdnagent.exe
D:\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\SpywareGuard\sgmain.exe
D:\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\Program Files\Softwin\BitDefender9\vsserv.exe
d:\progra~1\softwin\bitdef~1\bdmcon.exe
D:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] D:\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "d:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [BDMCon] D:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "d:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKCU\..\Run: [PurgeIE] "D:\PURGEIE\PURGEIE.EXE" BOOT
O4 - Startup: ms.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122917590640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BitDefender Scan Server - Unknown - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: ewido security suite control - ewido networks - d:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - d:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: PurgeIE XP Service - Assistance & Resources for Computing, Inc. - D:\PurgeIE\PurgeIE_Service.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - D:\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield - SOFTWIN S.R.L. - D:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: BitDefender Communicator - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
bricat
HijackThis Helper
Reg'd: Wed
Posts: 32001
Loc: belfast
Welcome to the Webuser forum. 
Right click the running icon of SpywareGuard; it will open the program. Click Menu, File, Exit, and confirm the program closes. It can stop HJT from working properly.
Rerun HJT, and put a checkmark beside this:
O4 - Startup: ms.exe
Now close all windows and browsers and click FIX CHECKED.
Download WinPFind: http://www.bleepingcomputer.com/files/winpfind.php
Right Click the Zip Folder and Select "Extract All"
Don't use it yet!
Restart in SAFE MODE
From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"
This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while.
When you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!
Copy and paste the log back here.
P.S.
The entry
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
doesn't use any resources, but it is up to you if you want to remove it.
-------------------- IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.
When the only tool you own is a hammer, every problem begins to look like a nail.
Chris
regular
Reg'd: Thu
Posts: 684
Loc: Kent and the Pas-de-Calais
Hi Bricat, thanks for your reply. There are two problems: the first is that the computer with the problem is in Kent and I am in France at the moment. It belongs to a teacher who is very busy with nativity plays (and whinging parents) etc., so it will be a couple of days before I can send any feedback. Meanwhile, I downloaded WinPFind and installed it on my own computer so that I would be prepared for any questions from the teacher. When I ran it, it started off by saying that it was "Checking %SystemDrive% folder...." and at the bottom of the screen it said "Scanning file C:\hiberfil.sys" and there it stuck. It was still saying it 45 minutes later, and there was no activity from the HD LED, so I tried to close it. CTRL+ALT+DEL wouldn't close it down and neither would it close down the computer. Unplugged the computer from the mains and re-booted. I shut down all running programs (antivirus, firewall etc.) and tried again and the same thing happened. It still got stuck on hiberfil.sys. On checking for hiberfil.sys with "Start>Search" it isn't there. Hopefully, I don't need WinPFind, but if the teacher has a problem with it, what should he do?
bricat
HijackThis Helper
Reg'd: Wed
Posts: 32001
Loc: belfast
Post back here.
Chris
regular
Reg'd: Thu
Posts: 684
Loc: Kent and the Pas-de-Calais
Hi Bricat, here is the HijackThis log and also the WinPFind log:
Logfile of HijackThis v1.99.0
Scan saved at 13:06:23, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\progra~1\softwin\bitdef~1\bdswitch.exe
D:\progra~1\softwin\bitdef~1\bdmcon.exe
D:\progra~1\softwin\bitdef~1\bdnagent.exe
D:\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\SpywareGuard\sgmain.exe
D:\Program Files\Softwin\BitDefender9\vsserv.exe
D:\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] D:\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "D:\progra~1\softwin\bitdef~1\bdswitch.exe"
O4 - HKLM\..\Run: [BDMCon] D:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] "D:\progra~1\softwin\bitdef~1\bdnagent.exe"
O4 - HKCU\..\Run: [PurgeIE] "D:\PURGEIE\PURGEIE.EXE" BOOT
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122917590640
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: BitDefender Scan Server - Unknown - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: BitDefender Desktop Update Service - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: PurgeIE XP Service - Assistance & Resources for Computing, Inc. - D:\PurgeIE\PurgeIE_Service.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - D:\Sygate\SPF\smc.exe
O23 - Service: BitDefender Virus Shield - SOFTWIN S.R.L. - D:\Program Files\Softwin\BitDefender9\vsserv.exe
O23 - Service: BitDefender Communicator - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP
Current Build: Service Pack 2
Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
FSG! 15/12/2005 07:24:16 6529 C:\boot.inx
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 23/08/2001 12:00:00 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 12/07/2005 17:04:22 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 03/08/2004 23:56:38 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 03/08/2004 23:56:46 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 23/08/2001 12:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
19/12/2005 11:41:42 S 2048 C:\WINDOWS\bootstat.dat
19/12/2005 11:41:44 S 64 C:\WINDOWS\CSC\00000001
19/12/2005 11:41:44 S 64 C:\WINDOWS\CSC\00000002
17/12/2005 20:25:04 H 10820 C:\WINDOWS\Help\update.GID
19/12/2005 11:41:46 H 12288 C:\WINDOWS\system32\config\default.LOG
19/12/2005 11:41:54 H 1024 C:\WINDOWS\system32\config\SAM.LOG
19/12/2005 11:41:42 H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
19/12/2005 11:42:36 H 110592 C:\WINDOWS\system32\config\software.LOG
19/12/2005 11:41:50 H 835584 C:\WINDOWS\system32\config\system.LOG
19/12/2005 10:53:14 S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
19/12/2005 10:53:14 S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
19/12/2005 10:53:14 S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
19/12/2005 10:53:14 S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
19/12/2005 11:40:44 H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 03/08/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 26/02/2004 17:40:40 14225408 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 03/08/2004 23:56:58 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 03/08/2004 23:56:58 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 03/08/2004 23:56:58 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 03/08/2004 23:56:58 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 03/08/2004 23:56:58 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 03/08/2004 23:56:58 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 03/08/2004 23:56:58 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 03/08/2004 23:56:58 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 03/08/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 23/08/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 03/08/2004 23:56:58 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 23/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 03/08/2004 23:56:58 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 03/08/2004 23:56:58 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 03/08/2004 23:56:58 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 03/08/2004 23:56:58 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 03/08/2004 23:56:58 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 23/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 03/08/2004 23:56:58 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 03/08/2004 23:56:58 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 03/08/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 03/08/2004 23:56:58 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 03/08/2004 23:56:58 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 03/08/2004 23:56:58 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 03/08/2004 23:56:58 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 03/08/2004 23:56:58 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 03/08/2004 23:56:58 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 03/08/2004 23:56:58 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 23/08/2001 12:00:00 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 03/08/2004 23:56:58 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 23/08/2001 12:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 03/08/2004 23:56:58 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 03/08/2004 23:56:58 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 23/08/2001 12:00:00 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 03/08/2004 23:56:58 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 03/08/2004 23:56:58 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 03/08/2004 23:56:58 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 03/08/2004 23:56:58 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 23/08/2001 12:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 03/08/2004 23:56:58 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 03/08/2004 23:56:58 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26/05/2005 03:16:30 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
17/05/2005 22:51:44 HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
19/06/2005 17:38:26 836 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DSLMON.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
17/05/2005 23:42:52 HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
17/05/2005 22:51:44 HS 84 C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
17/05/2005 23:42:52 HS 62 C:\Documents and Settings\Administrator\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = d:\SpywareGuard\spywareguard.dll
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = D:\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = D:\Program Files\Softwin\BitDefender9\bdshelxt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu {AB77609F-2178-4E6F-9C4B-44AC179D937A} = D:\A2FREE~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8 {D653647D-D607-4DF6-A5B8-48D2BA195F7B} = D:\Program Files\Softwin\BitDefender9\bdshelxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = D:\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = D:\Program Files\Softwin\BitDefender9\bdshelxt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = D:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = D:\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627} = D:\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2} SpywareGuardDLBLOCK.CBrowserHelper = d:\SpywareGuard\dlprotect.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VTTimer VTTimer.exe
SoundMan SOUNDMAN.EXE
SmcService D:\Sygate\SPF\smc.exe -startgui
NWEReboot
type32 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
BDSwitchAgent "D:\progra~1\softwin\bitdef~1\bdswitch.exe"
BDMCon D:\progra~1\softwin\bitdef~1\bdmcon.exe
BDNewsAgent "D:\progra~1\softwin\bitdef~1\bdnagent.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\CTFMON.EXE
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup location Common Startup command D:\Adobe\ACROBA~1.0\Reader\READER~1.EXE item Adobe Reader Speed Launch backup C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup location Common Startup command D:\Adobe\ACROBA~1.0\Reader\READER~1.EXE item Adobe Reader Speed Launch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk backup C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup location Common Startup command D:\WinZip\WZQKPICK.EXE item WinZip Quick Pick backup C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup location Common Startup command D:\WinZip\WZQKPICK.EXE item WinZip Quick Pick
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe Photo Downloader key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item apdproxy hkey HKLM inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item apdproxy hkey HKLM inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rfagent key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item rfagent hkey HKLM command "D:\RFA\rfagent.exe" inimapping 0 key SOFTWARE\Microsoft\Windows\CurrentVersion\Run item rfagent hkey HKLM command "D:\RFA\rfagent.exe" inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state system.ini 0 win.ini 0 bootini 0 services 0 startup 2
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 19/12/2005 11:45:39
There was also a virus in BOOT.INX which the antivirus program (BitDefender) said it could not remove, but which Ewido said that it had removed.
Is there anything in the WinPFind log to suggest why chkdsk runs automatically at every boot up? I had that problem recently and found that it was something to do with the swap file. After I deleted it, rebooted and then re-instated the swap file, it booted normally. However, doing that on this machine hasn't worked.
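The helper's reading of the two logs above can be scripted. This is an added example, not code from the thread or from HijackThis: it parses coded HijackThis entries, applies two triage heuristics of its own to the O4 autostart lines (a bare file such as ms.exe dropped straight into a Startup folder, and a Run-key value with no path), and diffs the first log against the second to confirm what the FIX CHECKED step removed. The sample entries are constructed from the logs posted in this thread.

```python
"""Triage HijackThis O4 autostart entries and diff a before/after log pair."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: entries taken from the first log posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SmcService] D:\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PurgeIE] "D:\PURGEIE\PURGEIE.EXE" BOOT
O4 - Startup: ms.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - D:\Sygate\SPF\smc.exe
"""
# Constructed sample: the same entries as they appear in the second (post-fix) log.
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SmcService] D:\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [PurgeIE] "D:\PURGEIE\PURGEIE.EXE" BOOT
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - D:\Sygate\SPF\smc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")  # "O4 - <body>"

@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "O4"
    body: str  # text after "O4 - "

    @property
    def line(self) -> str:
        return f"{self.kind} - {self.body}"

def parse_log(text: str) -> list[Entry]:
    """Keep only the coded entries; header and 'Running processes' lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m["kind"], m["body"]))
    return out

def startup_target(entry: Entry) -> str | None:
    """Program an O4 entry launches: Run-key value (args stripped) or Startup-folder target."""
    if entry.kind != "O4":
        return None
    body = entry.body
    if "\\Run: [" in body:                      # O4 - HKLM\..\Run: [Name] "path" args
        command = body.split("] ", 1)[1]
        if command.startswith('"'):
            return command[1:].split('"', 1)[0]
        return command.split(" ", 1)[0]
    if body.startswith(("Startup: ", "Global Startup: ")):
        item = body.split(": ", 1)[1]           # "name.lnk = target" or a bare file name
        return item.split(" = ", 1)[1] if " = " in item else item
    return None

def suspicious_startup(entries: list[Entry]) -> list[tuple[str, str]]:
    """Heuristic triage of O4 entries (this example's own rules); returns (line, reason)."""
    findings = []
    for e in entries:
        target = startup_target(e)
        if target is None:
            continue
        in_folder = e.body.startswith(("Startup: ", "Global Startup: "))
        if in_folder and " = " not in e.body:
            findings.append((e.line, "file dropped directly into a Startup folder; "
                                     "installers normally place a .lnk there, not the program"))
        elif "\\" not in target:
            findings.append((e.line, "bare file name resolved through the search path; "
                                     "confirm it really lives in %SystemRoot%\\system32"))
    return findings

def diff_logs(before: str, after: str) -> tuple[set[str], set[str]]:
    """Entries that disappeared and entries that appeared between two logs."""
    old = {e.line for e in parse_log(before)}
    new = {e.line for e in parse_log(after)}
    return old - new, new - old

if __name__ == "__main__":
    for line, reason in suspicious_startup(parse_log(LOG_BEFORE)):
        print(f"REVIEW  {line}\n        {reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone after the fix:", *sorted(removed), sep="\n  ")
    print("New since the fix:", *sorted(added), sep="\n  ")
```

The diff is the useful check after any FIX CHECKED: it shows exactly which entries went away (here ms.exe and the ewido online-scan control that was no longer loaded), and whether anything new appeared that would point to the infection re-creating itself.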
bricat
HijackThis Helper
Reg'd: Wed
Posts: 32001
Loc: belfast
The WinPFind log looks clean. Has the MS problem been solved?
As for chkdsk, have a look HERE
Chris
regular
Reg'd: Thu
Posts: 684
Loc: Kent and the Pas-de-Calais
Hi Bricat, yes, the MS.EXE thing has gone. There was a reference to a virus in BOOT.INX earlier but that seems OK now. Thanks for your help.
bricat
HijackThis Helper
Reg'd: Wed
Posts: 32001
Loc: belfast
You're welcome.