
Registry Problem?


5 replies to this topic

#1 greatermeh

greatermeh

  • Members
  • 12 posts

Posted 24 December 2005 - 03:19 PM

Hello all, Merry X-Mas!!

I use Windows XP Home, and about a week ago I noticed that Ad-Watch had detected a registry error when I first started up my computer. (Intel Celeron)
Soon after, when I started up my comp, all the icons on the desktop had to be redirected, as well as all the programs and everything in the start menu and in My Computer, so everything now has to be redirected; some things don't even work when they are redirected.
I noticed that this might be a good thing (?) because now when I run Ad-Aware, I always get 0 new spyware detected. Could my registry problem mean that hackers and spyware can't properly get into my comp?
Anyway, even if that is the case, I can't open things in the Control Panel or in System Tools. Help would be much appreciated. TY.

Edited by greatermeh, 24 December 2005 - 05:22 PM.




#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA

Posted 24 December 2005 - 03:30 PM

I'm thinking the news ain't good.
Redirection of those applications, parts of the OS itself,
probably means you should post a HJT log to be analysed.
Click link below and read the various pinned topics to assist you in doing that.
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
More specific help for your situation will be forthcoming, please be patient, though.
patiently patrolling, plenty of persistent pests n' problems ...

#3 greatermeh

greatermeh
  • Topic Starter

  • Members
  • 12 posts

Posted 24 December 2005 - 05:07 PM

Ok, I just figured out that the only way to open files that I just downloaded (HijackThis) is to make a shortcut and then redirect the shortcut. Anyway, here's what HijackThis says:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jules\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [btqgeok] C:\WINDOWS\system32\mgttker.exe r
O4 - HKLM\..\Run: [pejuog] C:\WINDOWS\system32\xhealb.exe r
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [miqegwi] C:\WINDOWS\miqegwi.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FCEngine] "C:\Program Files\FCEngine\FCEngine.exe"
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1098277167703
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DCDA4A1-CC7E-4CE2-907A-B9C977CDD5F0}: NameServer = 206.47.244.12 207.47.244.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Also, I don't know if it means anything, but when I Control-Alt-Delete there's the 'System Idle Process' thing in Processes, which showed up once when my comp was filled with spyware and wouldn't even show any desktop items or the start menu (I ran Ad-Aware and my comp was fine though). But now I don't think it's a spyware problem, but what do I know...
Also, Ad-Watch doesn't start up either when I start my comp, nor do any of the programs that are supposed to show up on my toolbar; all I see on my toolbar is my internet and the volume control (which doesn't even work).
And it might be useful to know that when I first log in to Windows I see the message 'Windows cannot open this file because it doesn't know what created it' 'What would you like to do?' - Use the Web service to find the appropriate program or select the program from a list.
Another thing is that all the shortcuts and every single file that shows (the ones in the System Tools folder don't show up) are seen as EXE files.
Thanks for the help!

Edited by greatermeh, 24 December 2005 - 05:14 PM.


#4 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA

Posted 24 December 2005 - 05:25 PM

OK, viewing your log several things come to mind.

1. yes, probable malware is seen
2. you should run the HJT scan again, include everything (the top info is needed by us to do the job right)
3. you should post the new log where it belongs for best attention.
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
4. read the pinned topics before you post.
5. continue to attempt complete scans of Spybot & Ad-Aware. We expect that to be done in advance of analyzing HJT logs
6. FF is in use, did you open TOOLS>options at very top of any FF window and set the downloads to desktop?


More than anything, cleaning up a PC that has "fallen under" malware influence involves following advice, learning and communicating accurately. It takes some time, too.

You do the work, we help. I'm happy you're trying to solve problems.

Keep in mind that once you post in the HJT forum, doing a bunch of things additionally to the PC after that might slow things down.
Experiment a bit more, post when you've done all ya'can and then leave things as they are. OK?
patiently patrolling, plenty of persistent pests n' problems ...
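As an added illustration (not part of the thread and not a HijackThis feature), the script below applies the kind of heuristics an HJT log analyst uses to entries like the ones in the log above: random-looking Run value names, unrecognised binaries launched from the Windows directory, and a service with no publisher whose file is missing. The sample lines are constructed from the posted log, and the KNOWN_GOOD allowlist is an assumption you would extend for your own build.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [btqgeok] C:\\WINDOWS\\system32\\mgttker.exe r
O4 - HKLM\\..\\Run: [pejuog] C:\\WINDOWS\\system32\\xhealb.exe r
O4 - HKLM\\..\\Run: [miqegwi] C:\\WINDOWS\\miqegwi.EXE
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [pshower] C:\\WINDOWS\\system32\\pshwr.exe
O4 - HKCU\\..\\Run: [AWMON] "C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe"
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\\WINDOWS\\svcproc.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# Assumed allowlist of XP binaries that legitimately autostart from system32; extend for your build.
KNOWN_GOOD = {"ctfmon.exe"}
# Dropper habit visible in the log: Run value names that are a short all-lowercase blob.
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,9}$')

def exe_path(cmd: str) -> str:
    """Executable part of a Run command line, honouring a quoted path."""
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(' ', 1)[0]

def triage_hjt(log: str) -> Dict[str, List[str]]:
    """Map each HijackThis line that trips a heuristic to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            name, exe = m.group(2), exe_path(m.group(3))
            base = exe.rsplit('\\', 1)[-1].lower()
            if RANDOM_NAME_RE.match(name):
                reasons.append('random-looking Run value name')
            if exe.upper().startswith('C:\\WINDOWS\\') and base not in KNOWN_GOOD:
                reasons.append('unrecognised binary launched from the Windows directory')
        elif line.startswith('O23 - Service:'):
            if 'Unknown owner' in line:
                reasons.append('service with no publisher')
            if '(file missing)' in line:
                reasons.append('service binary is missing')
        if reasons:
            findings[line] = reasons
    return findings
```

Run it on the full log and the five entries the reply above calls "probable malware" are the only ones flagged; the known AVG, Ad-Watch and ctfmon entries pass cleanly.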

#5 greatermeh

greatermeh
  • Topic Starter

  • Members
  • 12 posts

Posted 24 December 2005 - 05:37 PM

Ok. I posted the HJT log where you said.

No, I didn't open TOOLS>Options.

#6 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • Location:Washington State, USA

Posted 24 December 2005 - 05:43 PM

I gotta go on with holiday arrangements soon.
You're making progress.

I've sometimes opened a notepad and typed in things I've done when tackling a problem. It helps sometimes to list stuff to keep it all in order in case you aren't sure if/when someone else asks.

Reading it later can help trigger some avenues to explore, too.
Good luck, be patient. :thumbsup:
patiently patrolling, plenty of persistent pests n' problems ...



