
Some Registry Problems


  • This topic is locked
4 replies to this topic

#1 .Prodigy.

.Prodigy.

  • Members
  • 155 posts
  • Location:New York

Posted 22 June 2006 - 11:34 AM

I've been having some assorted problems with my registry. Keys not being found or simply disappearing... stuff like that. I'm not sure if there's malware on my computer or not. I try to maintain my computer as much as I can, to keep it in top running order, so I'm almost sure there's nothing running that I don't know about, but I can never be sure.

I followed all the directions in the "Preparation Guide", scanning with Ad-Aware, Spybot, Trend Micro HouseCall and McAfee Stinger (as well as with my AV, NOD32). The only thing that came up on Adaware & Spybot are tracking cookies... no big deal.

This isn't a high-priority case, such as some other people I see on these forums with no access to their computers. All I'm asking for is a quick look at my HJT log to let me know if there's something obviously wrong or not.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:09 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\imapi.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
H:\PROGRA~1\Aston\aston.exe
C:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Rainlendar 0.22.1\Rainlendar.exe
H:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\TrayIt\trayit!.exe
C:\Program Files\Winamp\winamp.exe
H:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
H:\Workspace\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - H:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "H:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = H:\Program Files\Rainlendar 0.22.1\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = H:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\trayit!.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: Download All by FlashGet - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - H:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - H:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Some notes for whoever reads this:
I use Aston Shell, a Windows shell replacement. This is probably in the logfile somewhere, just in case it looks like a virus to somebody.

#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 June 2006 - 06:49 AM

Hi there and welcome to Bleeping Computer!
As you may have noticed already, the forums are very busy at the moment and I have noticed your log has gone unanswered so far!
We look at the oldest logs first, so if you still need help, please start by posting a new HijackThis log in this topic and I will then be able to take a look!

Thanks very much :thumbsup:
David

#3 .Prodigy.

.Prodigy.
  • Topic Starter

  • Members
  • 155 posts
  • Location:New York

Posted 30 June 2006 - 10:51 AM

Thanks for the reply, I suppose it's better late than never. Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:19 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
H:\PROGRA~1\Aston\aston.exe
H:\PROGRA~1\Aston\XP\internat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
H:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
H:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
H:\Program Files\Rainlendar 0.22.1\Rainlendar.exe
H:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\TrayIt\trayit!.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
H:\Program Files\HijackThis v1.99.01\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - H:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "H:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar.lnk = H:\Program Files\Rainlendar 0.22.1\Rainlendar.exe
O4 - Startup: Stardock ObjectDock.lnk = H:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\TrayIt\trayit!.exe
O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
O8 - Extra context menu item: Download All by FlashGet - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - H:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: acaptuser32.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - H:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 01 July 2006 - 03:39 AM

I notice aston.exe is a shell replacement for explorer, so it is normal to have this entry. However, svchost.exe may be a trojan. Can you check your computer for ALL copies of this filename? If one exists in the Windows folder (C:\Windows) please let me know. There should be a real svchost.exe; the real file exists in Windows\System32, and this is normal. If you find the file elsewhere, just paste the path names. I looked around on the net and got some information from the support centre at the Aston Shell website, and it seems that the F2 entry in your log is normal, but we had better make sure. One other thing that I noticed from HijackThis logs using the Aston Shell was this entry:

F0 - system.ini: Shell=C:\PROGRA~1\Aston\aston.exe ,svchost.exe

That seemed to be in every log with the Aston Shell. Does that mean anything to you? I'm sure the F2 entry is fine, but like I said, it is better to be safe than sorry. On the other hand, your HijackThis log is completely clean, with no visible malware. I want to do one more scan before I give you the all clear for malware troubles, and then we can address what may be causing your problems. Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.
Reboot your computer into Safe Mode.
Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient, as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

So please post back with the WinPFind log and also, please can you expand on the problems you are having? I need as much detail as possible for me to determine what the cause is.
David
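Added example, not part of this thread and not HijackThis code: a small Python triage script that automates the two checks in the reply above, listing what the Shell= entry launches and which Run images are given as bare file names, and flagging any svchost.exe found outside System32. It assumes constructed input: a few lines copied from the log above and a hypothetical list of svchost.exe locations standing in for the disk-wide search.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe ,svchost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "H:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed stand-in for a disk-wide search for svchost.exe (hypothetical
# paths; the real search is what the reply asks the poster to perform).
FOUND_SVCHOST = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
]

def _image(command):
    """Extract the executable from a Run value: quoted path or first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def shell_components(log_text):
    """Executables listed in the F0/F2 Shell= entry, e.g. explorer.exe and svchost.exe."""
    for line in log_text.splitlines():
        m = re.match(r"F[02] - .*Shell=(.*)$", line)
        if m:
            return [p.strip() for p in m.group(1).split(",") if p.strip()]
    return []

def unqualified_images(log_text):
    """Shell and O4 Run images given as a bare name, so Windows resolves them by search path."""
    bare = [("Shell", p) for p in shell_components(log_text)
            if str(PureWindowsPath(p).parent) == "."]
    for line in log_text.splitlines():
        m = re.match(r"O4 - HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$", line)
        if m and str(PureWindowsPath(_image(m.group(2))).parent) == ".":
            bare.append((m.group(1), _image(m.group(2))))
    return bare

def stray_svchost(paths, system_root=r"C:\WINDOWS"):
    """Copies of svchost.exe anywhere other than System32 under the Windows directory."""
    expected = PureWindowsPath(system_root, "system32", "svchost.exe")
    return [p for p in paths if PureWindowsPath(p) != expected]
```

Path comparison through PureWindowsPath is case-insensitive, so the System32 copy is accepted however the search tool happens to case it.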

#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 09 July 2006 - 07:39 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.
