Windows Vista - Problem solving for the Windows Vista Operating System. Please remember to state which edition of Vista you are using - Home Basic, Home Premium, Business, Ultimate etc. and whether you are using the 32-bit or 64-bit version if you know.
#1
Have I got some sort of virus ?? - moved by Tom
Hi Folks,
I've just had a security alert in my toolbar; anyway, Windows Security Centre is telling me that my Windows Defender is turned off (it isn't) and also that I'm not running an anti-virus program (I am, AVG). Anyway, I'm a bit worried that I may have some sort of virus? Any help please would be greatly appreciated.
Regards, Ian
#2
Howdy The Hornmeister,
Let's take a look at things and see what is there. Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed, open HijackThis and select "Do a system scan and save logfile". Use copy/paste and post that log back here for review.

Also go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.
#3
My Hi jack log
Hi Tom,
Thanks for your help, here's my Hijack Log, Silent Runners to follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:47:41, on 13/09/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIBGE.EXE
C:\Program Files\Nero\Nero PhotoShow 4\data\Xtras\mssysmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EPSON Stylus D78 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\Users\Ian\AppData\Local\Temp\E_S18EF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus D78 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\Windows\TEMP\E_S9FD7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.google.co.uk
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...PUplden-gb.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://thehornmeister.spaces.live.co...PUplden-gb.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9791 bytes
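The HijackThis log above is a fixed line format ("section - detail"), so the triage a helper does by eye can be done by a small parser. The script below is an added example and is not code from Trend Micro, HijackThis or this forum; the sample lines are copied from Ian's log, the file as a whole and the finding labels ("orphaned-bho", "appinit-dll" and so on) are constructed for the example. It pulls out the O4 Run values and flags the entries a reviewer would want to confirm first: BHO registrations with no file on disk, Trusted Zone additions, a populated AppInit_DLLs value, and services whose binary is missing. A flag is a prompt to verify, not a verdict: the AppInit_DLLs entry here is the Google toolbar, which is exactly why the key is checked rather than assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of a HijackThis 2.0.2 log: one entry per
# line, "<section> - <detail>". The entries are copied from the log posted
# above; the file as a whole is assembled here for the example.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O15 - Trusted Zone: http://www.google.co.uk
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "O2" or "R1"
    detail: str   # everything after the " - " separator


# Numbered entry lines only; the header and the process list do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# O4 detail: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(HK.*?\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$")


def parse_log(text: str) -> List[Entry]:
    """Return the numbered entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def run_entries(entries: List[Entry]) -> Dict[str, str]:
    """Map each O4 Run value name to its command line, e.g. {"AVG7_CC": "..."}."""
    out = {}
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.detail)
        if m:
            out[m.group(2)] = m.group(3)
    return out


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """First-pass review: (label, detail) for entries worth confirming by hand.
    Labels are constructed for this example, not HijackThis terminology."""
    findings = []
    for e in entries:
        d = e.detail
        if e.section == "O2" and d.endswith("(no file)"):
            findings.append(("orphaned-bho", d))            # registered, no DLL on disk
        elif e.section == "O15":
            findings.append(("trusted-zone", d))            # site with relaxed IE security
        elif e.section == "O20" and d.startswith("AppInit_DLLs:") and d.split(":", 1)[1].strip():
            findings.append(("appinit-dll", d))             # DLL injected into GUI processes
        elif e.section == "O23" and d.endswith("(file missing)"):
            findings.append(("missing-service-binary", d))  # service points at a gone file
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("Run values:", sorted(run_entries(parsed)))
    for label, detail in triage(parsed):
        print(f"{label:24s} {detail}")
```

Feed it a whole saved logfile (read the file, pass the text to parse_log) and the output is the short list a helper would ask about; everything else in the log is left for the normal vendor-by-vendor read.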
#4
Silent Runners (part 1)
Hi Tom,
This is in 2 parts as it's so big:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"WindowsWelcomeCenter" = "rundll32.exe oobefldr.dll,ShowWelcomeCenter" [MS]
"DellSupport" = ""C:\Program Files\DellSupport\DSAgnt.exe" /startup" ["Gteko Ltd."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"EPSON Stylus D78 Series" = "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\Users\Ian\AppData\Local\Temp\E_S18EF.tmp" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]
"EPSON Stylus D78 Series (Copy 1)" = "C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\Windows\TEMP\E_S9FD7.tmp" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]
"Nero PhotoShow Media Manager" = "C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" ["Nero AG / Nero Inc."]
"MsgCenterExe" = ""C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"SunJavaUpdateSched" = ""c:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SigmatelSysTrayApp" = "sttray.exe" ["SigmaTel, Inc."]
"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"Corel Photo Downloader" = "C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe" [file not found]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]
"(Default)" = "(empty string)" [file not found]
"RoxWatchTray" = ""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"" ["Sonic Solutions"]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" ["Google"]
"ECenter" = "c:\dell\E-Center\EULALauncher.exe" [null data]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["Macrovision Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Ulead AutoDetector v2" = "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" ["Ulead Systems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"eBayToolbar" = "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" ["eBay Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "eBay Toolbar Helper"
     \InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll" ["eBay Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "c:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = "Browser Address Error Redirector"
  -> {HKLM...CLSID} = "CBrowserHelperObject Object"
     \InProcServer32\(Default) = "C:\Program Files\BAE\BAE.dll" ["Dell Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{E7DE9B1A-7533-4556-9484-B26FB486475E}" = (no title provided)
  -> {HKLM...CLSID} = "Network Map"
     \InProcServer32\(Default) = "C:\Windows\system32\shdocvw.dll" [MS]
"{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}" = "IGD Property Sheet Handler"
  -> {HKLM...CLSID} = "IGD Property Page"
     \InProcServer32\(Default) = "C:\Windows\System32\icsigd.dll" [MS]
"{8856f961-340a-11d0-a96b-00c04fd705a2}" = "Microsoft Web Browser"
  -> {HKLM...CLSID} = "Microsoft Web Browser"
     \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]
"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" = "MSHTML Document"
  -> {HKLM...CLSID} = "MHTML Document"
     \InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{25336920-03f9-11cf-8fd0-00aa00686f13}" = "HTML Document"
  -> {HKLM...CLSID} = "HTML Document"
     \InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{74246bfc-4c96-11d0-abef-0020af6b0b7a}" = "Device Manager"
  -> {HKLM...CLSID} = "Device Manager"
     \InProcServer32\(Default) = "C:\Windows\System32\devmgr.dll" [MS]
"{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}" = "MyDocuments menu and properties"
  -> {HKLM...CLSID} = "MyDocuments menu and properties"
     \InProcServer32\(Default) = "C:\Windows\system32\mydocs.dll" [MS]
"{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}" = "Common Places Folder"
  -> {HKLM...CLSID} = "Common Places FS Folder"
     \InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]
"{865e5e76-ad83-4dca-a109-50dc2113ce9a}" = "Programs Folder and Fast Items"
  -> {HKLM...CLSID} = "Programs Folder and Fast Items"
     \InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{21ec2020-3aea-1069-a2dd-08002b30309d}" = "Control Panel"
  -> {HKLM...CLSID} = "Control Panel"
     \InProcServer32\(Default) = "shell32.dll" [MS]
"{25585dc7-4da0-438d-ad04-e42c8d2d64b9}" = "Client application shell extension"
  -> {HKLM...CLSID} = "Client application shell extension"
     \InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{4d5c8c2a-d075-11d0-b416-00c04fb90376}" = "Microsoft CommBand"
  -> {HKLM...CLSID} = "Microsoft CommBand"
     \InProcServer32\(Default) = "C:\Windows\system32\browseui.dll" [MS]
"{92337A8C-E11D-11D0-BE48-00C04FC30DF6}" = "OlePrn.PrinterURL"
  -> {HKLM...CLSID} = "prturl Class"
     \InProcServer32\(Default) = "C:\Windows\system32\oleprn.dll" [MS]
"{16C2C29D-0E5F-45f3-A445-03E03F587B7D}" = "group_wab_auto_file"
  -> {HKLM...CLSID} = ".group shell context menu"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{CF67796C-F57F-45F8-92FB-AD698826C602}" = "contact_wab_auto_file"
  -> {HKLM...CLSID} = ".contact shell context menu"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{90b9bce2-b6db-4fd3-8451-35917ea1081b}" = "Search Execute Command"
  -> {HKLM...CLSID} = "CLSID_SearchExecute"
     \InProcServer32\(Default) = "ExplorerFrame.dll" [MS]
"{1a184871-359e-4f67-aad9-5b9905d62232}" = "Microsoft Windows Font File Context Menu Handler"
  -> {HKLM...CLSID} = "Microsoft Windows Font Context Menu Handler"
     \InProcServer32\(Default) = "fontext.dll" [MS]
"{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}" = "Microsoft Windows Font Previewer"
  -> {HKLM...CLSID} = "Microsoft Windows Font Preview Handler"
     \InProcServer32\(Default) = "fontext.dll" [MS]
"{BC65FB43-1958-4349-971A-210290480130}" = "Network Explorer Property Sheet Handler"
  -> {HKLM...CLSID} = "Ncd Property Page"
     \InProcServer32\(Default) = "C:\Windows\System32\NcdProp.dll" [MS]
"{0a4286ea-e355-44fb-8086-af3df7645bd9}" = "Windows Media Player"
  -> {HKLM...CLSID} = "&Windows Media Player"
     \InProcServer32\(Default) = "C:\PROGRA~1\WI4EB4~1\wmpband.dll" [MS]
"{BB6B2374-3D79-41DB-87F4-896C91846510}" = "EMDFileProperties"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "emdmgmt.dll" [MS]
"{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}" = "Sync Center Simple Conflict Presenter"
  -> {HKLM...CLSID} = "Simple Conflict Presenter"
     \InProcServer32\(Default) = "C:\Windows\System32\SyncCenter.dll" [MS]
"{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Anytime Upgrade"
     \InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]
"{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}" = "PhotoAcqDropTarget"
  -> {HKLM...CLSID} = "PhotoAcqDropTarget"
     \InProcServer32\(Default) = "C:\Program Files\Windows Photo Gallery\PhotoAcq.dll" [MS]
"{91ADC906-6722-4B05-A12B-471ADDCCE132}" = "Touch Band"
  -> {HKLM...CLSID} = "Touch Pointer"
     \InProcServer32\(Default) = "C:\Windows\System32\TouchX.dll" [MS]
"{7D4734E6-047E-41e2-AEAA-E763B4739DC4}" = "Windows Media Player Play as Playlist Context Menu Handler"
  -> {HKLM...CLSID} = "WMP Play Folder As Playlist Launcher"
     \InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}" = "GameUX.RichGameMediaThumbnail"
  -> {HKLM...CLSID} = "RichGameMediaThumbnail Class"
     \InProcServer32\(Default) = "C:\Windows\System32\gameux.dll" [MS]
"{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}" = "Tablet PC Input Panel"
  -> {HKLM...CLSID} = "Tablet PC Input Panel"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll" [MS]
"{6b9228da-9c15-419e-856c-19e768a13bdc}" = "Windows gadget DropTarget"
  -> {HKLM...CLSID} = "Windows gadget DropTarget"
     \InProcServer32\(Default) = "C:\Program Files\Windows Sidebar\sbdrop.dll" [MS]
"{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" = "Windows Media Player Shop Music Context Menu Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
     \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
  -> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM...CLSID} = "AVG7 Find Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = "eBay Toolbar"
  -> {HKLM...CLSID} = "eBay Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll" ["eBay Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL" ["Google"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
EPPShellEx\(Default) = "{509FE1AF-ADD5-49EC-BC55-7CF81FD16E78}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\EPSON\Creativity Suite\Easy Photo Print\EPPShell.dll" ["SEIKO EPSON CORPORATION"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) hex:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Conrol: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
#5
And the second part :
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Ian\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Startup items in "Ian" & "All Users" startup folders:
-----------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 22


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
     \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = (no title provided)
  -> {HKLM...CLSID} = "eBay Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll" ["eBay Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0"
     \InProcServer32\(Default) = "c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]


HOSTS file
----------

C:\Windows\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Resident Shield Service, AvgCoreSvc, "C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]
IP Helper, iphlpsvc, "C:\Windows\System32\svchost.exe -k NetSvcs" {(missing data)}
Network Store Interface Service, nsi, "C:\Windows\system32\svchost.exe -k LocalService" {(missing data)}
Roxio Hard Drive Watcher 9, RoxWatch9, ""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"" ["Sonic Solutions"]
RoxMediaDB9, RoxMediaDB9, ""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe"" ["Sonic Solutions"]
SigmaTel Audio Service, STacSV, "C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe" ["SigmaTel, Inc."]
TCP/IP NetBIOS Helper, lmhosts, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
UPnP Device Host, upnphost, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\System32\upnphost.dll" [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Event Log, Eventlog, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Epson Inbox Language Monitor\Driver = "EP0SLM00.DLL" ["SEIKO EPSON CORPORATION"]
EPSON Stylus D78 Series 32MonitorBE\Driver = "E_FLBBGE.DLL" ["SEIKO EPSON CORPORATION"]


----------
(launch time: 2007-09-13 20:03:13)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 52 seconds, including 12 seconds for message boxes)
#6
No infection showing here, so perhaps it is a need to tweak some Vista or application setting. I'll move this request to our Vista forum where others can provide input on this.
#7
Hi The Hornmeister. Try the below fix. It seems to have worked for others in your situation. Set a restore point first please. Open a command prompt. Go to Start Search and type cmd.exe. You will see the file appear at the top of the Menu. Right-click on it and choose "Run as administrator" and copy and paste the below commands after the prompt and hit Enter after each line.

net stop winmgmt
cd /d %windir%\system32\wbem
ren repository repository.old
net start winmgmt

It may take a minute or so to complete while the database is rebuilt. Once the commands have run, reboot and let us know if this helped.
#8
Firstly, Thanks Tom for your help, much appreciated.
Hi Ann Marie, I've saved a restore point; when I type in cmd.exe, it doesn't return any results... am I doing something wrong? If poss, could you talk me through it piece by piece as I'm not the most computer literate person in the world. Once I've saved a restore point, I've gone straight to "start" and "search" (open a command prompt? dunno if I've missed this out). Thanks for your help Ann Marie, Ian
#9
No problem Ian, I've changed my mind regarding those instructions anyway. I would like you to try something else first.
Go to Start > All Programs > Accessories and open the Command Prompt by right-clicking on it and choosing "Run as Administrator". Type or copy and paste the below command after the prompt and hit Enter.

winmgmt /verifyrepository

If your system returns a "WMI repository is not consistent" message, copy and paste the below command and hit Enter.

winmgmt /salvagerepository

You may have to run this command two or three times before it will succeed. Reboot afterwards and let us know if this helped.
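The two posts above (#7 and #9) describe one procedure: the Security Centre reads its status through WMI, so a corrupt WMI repository makes it report Defender and the anti-virus as off even though both are running, and the fix is to check the repository and salvage it rather than hunt for malware. The script below is an added example of that check-then-salvage loop and is not code from AnnMarie, this forum or Microsoft. It assumes `winmgmt /verifyrepository` and `winmgmt /salvagerepository` are the switches quoted in the post, that the "not consistent" wording quoted there is what an unhealthy repository prints and that the healthy reply contains "consistent" (an assumption), and that the prompt is elevated. `scripted_runner` is a constructed stand-in for the real command so the logic can be exercised on any machine.

```python
import os
import subprocess
from typing import Callable, List, Tuple


def run_winmgmt(switch: str) -> str:
    """Run winmgmt.exe with one switch (e.g. "/verifyrepository") and return its text.
    winmgmt needs an elevated prompt, exactly as the post above says."""
    proc = subprocess.run(["winmgmt", switch], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def repository_is_consistent(verify_output: str) -> bool:
    """Interpret what `winmgmt /verifyrepository` printed.
    "WMI repository is not consistent" is the message quoted in the post; the
    healthy reply containing "consistent" is an assumption of this example."""
    text = verify_output.lower()
    if "not consistent" in text or "inconsistent" in text:
        return False
    if "consistent" in text:
        return True
    raise ValueError("unrecognised winmgmt output: " + verify_output.strip())


def repair_repository(run: Callable[[str], str] = run_winmgmt,
                      max_attempts: int = 3) -> Tuple[bool, int]:
    """Verify first; only if the repository is inconsistent, salvage and re-verify,
    up to max_attempts times (the post says two or three runs may be needed).
    Returns (consistent_at_end, salvage_runs_used). Rebooting is left to the caller."""
    if repository_is_consistent(run("/verifyrepository")):
        return True, 0
    for attempt in range(1, max_attempts + 1):
        run("/salvagerepository")
        if repository_is_consistent(run("/verifyrepository")):
            return True, attempt
    return False, max_attempts


def scripted_runner(verify_outputs: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for run_winmgmt: replays the given /verifyrepository
    replies in order; a salvage call returns a constructed acknowledgement."""
    queue = list(verify_outputs)

    def run(switch: str) -> str:
        if switch == "/verifyrepository":
            return queue.pop(0)
        return "salvage requested (constructed output)"

    return run


if __name__ == "__main__":
    if os.name == "nt":
        ok, used = repair_repository()
        print(f"consistent={ok} after {used} salvage run(s); reboot if a salvage ran")
    else:
        # Dry run off Windows: one failed verify, one salvage, then healthy.
        print(repair_repository(run=scripted_runner([
            "WMI repository is not consistent",
            "WMI repository is consistent",
        ])))
```

Verifying before salvaging is what makes this safer than the rename-the-repository sequence in post #7: a healthy repository is never touched, and a salvage that does not succeed is reported rather than silently repeated forever.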
#10
Thanks :o)
Hi AnnMarie,
Thanks for your advice, I've done as you've said and it's all working fine now. Thanks again, much appreciated. Ian
#11
That's good news Ian and you are very welcome.