New Startup Entry

9 replies to this topic

#1 marlajm

marlajm

  • Members
  • 60 posts

Posted 21 February 2007 - 03:12 PM

Here is the finding. I couldn't find anything in your start-up files.

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

I was told to check your forum on this.

The original Hijack entry has disappeared from my log without my fixing it.

Also, I have tried to uninstall my HP all-in-one as it caused me many problems after I got a new printer. It won't uninstall and still appears in the startup menu.


Thanks

Edited by marlajm, 21 February 2007 - 04:04 PM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,572 posts
  • Gender:Male
  • Location:USA

Posted 22 February 2007 - 12:46 PM

You should ask about your HP printer in the hardware section. I try to stay away from the questions so I do not give the wrong answer :thumbsup:

As for the SsiEfr.e entry, it is related to SpySweeper and, though legitimate, is not necessary to have. Are you still using SpySweeper?

#3 marlajm

Posted 22 February 2007 - 10:19 PM

I just started using Spy Sweeper again. I did find, on my own, Windir32.exe....command under Hkey_local_machine\SOFTWARE\microsoft....
It's in the startup....
I continued a search and found limewire there and maybe some other stuff I supposedly eliminated.
I also saw two ad addresses and about:blank fly by on the bottom address as my home page was loading when I signed on.

Bad?

#4 Grinler

Posted 23 February 2007 - 11:00 AM

If you are using SpySweeper then there is no harm keeping that entry in the Boot Execute key. As for the other malware, I suggest you either post a HijackThis log in the HJT forum or you can try the Am I infected forum which may give a quicker answer (but no logs are allowed there).

Windir32.exe is definitely not something you want on your system.

http://www.bleepingcomputer.com/startups/w....exe-11732.html

#5 marlajm

Posted 23 February 2007 - 01:23 PM

Many thanks for your kind attention.

Windir32.exe doesn't show up in the HJT, nor does the limewire I keep trying to remove. It is a command line item--
HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Windows DLL Services Configuration command Windir32.exe item windir32.exe

There is also messenger in the background, realplayer hide at boot time, quicktime hide at boot time. Somehow these don't seem like ok startup items. Am I paranoid?

Thanks. I have been trying to get help elsewhere also but items like these are not showing up on regular scans of most kinds.

Thanks for your help.

Edited by marlajm, 23 February 2007 - 01:32 PM.


#6 Grinler

Posted 26 February 2007 - 12:20 PM

No they wouldn't. Those are showing up there because at some point they were disabled using the Msconfig.exe utility.
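
The following is an added example, not part of the original thread or written by either poster: a read-only PowerShell check of the two registry locations discussed above, the `BootExecute` value and the key where Msconfig.exe parks startup items that were disabled. It assumes an elevated session on a Windows version that still uses the `MSConfig\startupreg` key, and it relies on the `command` value name quoted in post #5.

```powershell
# Added example: read-only audit of the two registry locations discussed in the thread.

# 1. BootExecute (REG_MULTI_SZ). The stock Windows value is the single entry below.
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$default = 'autocheck autochk *'
$sys32   = Join-Path $env:SystemRoot 'System32'

$boot = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
$bootReport = foreach ($entry in $boot) {
    if ([string]::IsNullOrWhiteSpace($entry) -or $entry -eq $default) { continue }
    # "autocheck" is a keyword; otherwise the first token names the native image,
    # which Session Manager loads from System32.
    $tokens = $entry.Trim() -split '\s+'
    $image  = if ($tokens[0] -eq 'autocheck' -and $tokens.Count -gt 1) { $tokens[1] } else { $tokens[0] }
    # Try the name as written and with ".exe" appended (autochk resolves to autochk.exe).
    $found = @($image, "$image.exe") |
        ForEach-Object { Join-Path $sys32 $_ } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
        Select-Object -First 1
    [pscustomobject]@{
        Source = 'BootExecute'
        Entry  = $entry
        File   = if ($found) { $found } else { '[file not found]' }
    }
}

# 2. Items unticked in Msconfig.exe are parked here, one subkey per item.
#    They are disabled, so they do not run and do not appear in a HijackThis log.
$parked = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$parkedReport = if (Test-Path -LiteralPath $parked) {
    Get-ChildItem -LiteralPath $parked | ForEach-Object {
        $v = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Source = 'MSConfig (disabled)'
            Entry  = $_.PSChildName
            File   = $v.command
        }
    }
}

# One table: non-default boot-time entries first, then the parked startup items.
@($bootReport) + @($parkedReport) | Format-Table -AutoSize -Wrap
```

A non-default `BootExecute` entry is a lead to investigate rather than a verdict; the SpySweeper entry in this thread is a legitimate one.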

#7 marlajm

Posted 17 March 2007 - 11:18 PM

Well, I finished with the original tech support group that was helping me and it seems as if all my antispyware and antivirus have been disabled, even though they look as though they might be working. I evidently have something new, involving a keylogger, and probably need to reinstall. I just checked a list of my startup entries against your lists and hit a run of unknowns. Thoughts?

#8 Grinler

Posted 18 March 2007 - 05:25 PM

At this point I would post a Hijackthis log using the instructions here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

One of our HJT team members will then help determine what is going on with your computer.

#9 marlajm

Posted 18 March 2007 - 06:45 PM

The Hijack Log doesn't show much, although the combo scan is a bit more revealing in that it shows some suspicious files. There are some telltale created files, although the folders are most often, but not always, empty.

I used IceSword and it showed a lot more in the startup, registry, and processes (?) than anything else I have used. I just don't know what to get rid of and how. I want to keep whatever it is from reinstalling. And actually, I would love to find out what it is. It seems to be changing most of my modified dates to June 5, 2005. Also, I fear I will reinstall my problems, even from disk. I need the best detective you have! : )

I have backed up files to CD but this thing is so bad I fear I will not be able to use any of it for fear of recontaminating my machine.

Thanks

#10 Grinler

Posted 18 March 2007 - 08:01 PM

This forum is really not the place for your problem. I see that you posted a log here:

http://www.techsupportforum.com/security-c...installing.html

I did not read through the whole log, but was it not cleaned to your satisfaction? I would continue with cleaning your infections as suggested in that log. If you are still having a problem please post a new log here with a link to this topic so people know your history.

