Task Manager Not Appearing [RESOLVED]


#16 Jack W-H (Topic Starter, Member, 86 posts)
[Edit] Ignore this post - accidentally posted twice, sorry.

Edited by Jack W-H, 03 February 2008 - 08:03 AM.

#17 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

P.S. You know I just kept default settings on that program? So it didn't scan drivers etc...

Yes, as the areas I was interested in were covered by default scans.

OK, that file is part of AutoPlay Media Studio and it runs so as to enable you to create autorun menus (have you installed this programme?)

But winpfind did not show me the registry keys associated with it

Plus it is not running now :)?


Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    • Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#18 Jack W-H (Topic Starter, Member, 86 posts)
OK - here is the log file.

I've copied and pasted it into this post but it's also attached.

~ Jack

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"msnmsgr" = ""C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]
"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]
"BOC-425" = "C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" ["COMODO"]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [file not found]
"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = "NCO 2.0 IE BHO"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll" [file not found]
{69A87B7D-DE56-4136-9655-716BA50C19C7}\(Default) = "Google Web Accelerator Helper"
-> {HKLM...CLSID} = "&Google Web Accelerator Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = "Symantec Intrusion Prevention"
-> {HKLM...CLSID} = "Symantec Intrusion Prevention"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {HKLM...CLSID} = "DisplayCplExt Class"
\InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {HKLM...CLSID} = "Desktop Manager"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKCU...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
-> {HKLM...CLSID} = "MCPShellInstantiator Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Stardock\MCPCore.dll" ["Stardock"]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> LMIinit\DLLName = "LMIinit.dll" ["LogMeIn, Inc."]
<<!>> MCPClient\DLLName = "C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll" ["Stardock"]
<<!>> WB\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll" ["Stardock"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
\InProcServer32\(Default) = "C:\PROGRA~1\TUGZip\TzShell.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
\InProcServer32\(Default) = "C:\PROGRA~1\TUGZip\TzShell.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_BINARY) hex:00 00 00 00 00 00 00 00
{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Jack" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Jack\Start Menu\Programs\Startup
"AntiCrash" -> shortcut to: "C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Run Google Web Accelerator" -> shortcut to: "C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Norton Internet Security - Run Full System Scan - Jack" -> launches: "C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" [file not found]
"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" ["Uniblue Software"]
"Uniblue SpeedUpMyPC" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" ["Uniblue Software"]
"Uniblue SpyEraser" -> launches: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -s" ["Uniblue Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
000000000005\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" = (no title provided)
-> {HKLM...CLSID} = "Google Web Accelerator"
\InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet"
-> {HKLM...CLSID} = "FlashGet"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{D0943516-5076-4020-A3B5-AEFAF26AB263}" = "Veoh Video Finder"
-> {HKLM...CLSID} = "Veoh Browser Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll" ["Veoh Networks Inc"]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "NCO Toolbar 2.0"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [file not found]
"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"
-> {HKLM...CLSID} = "BitDefender Toolbar"
\InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{46F69F1E-044B-4ED8-8CFB-DDE47078444E}\
"ButtonText" = "Add to Local Website Archive"
"Exec" = "C:\Program Files\Local Website Archive\wsarc_add.exe" [null data]

{79D7F15A-543C-4F40-ACA5-794107C84E0A}\
"ButtonText" = "Start Local Website Archive"
"Exec" = "C:\Program Files\Local Website Archive\wsarc.exe" [empty string]

{96F9491C-9E03-488E-9100-32AB2C87AECB}\
"ButtonText" = "Start Local Website Archive"
"Exec" = "C:\Program Files\Local Website Archive\wsarc.exe" [empty string]

{C0F7CFFD-04A8-494B-A63E-EF7047F04B5B}\
"ButtonText" = "Add to Local Website Archive"
"Exec" = "C:\Program Files\Local Website Archive\wsarc_add.exe" [null data]

{C5B9C6F9-9350-4C0F-A1C9-62F3C6AB22B6}\
"MenuText" = "Add to Local Website Archive"
"Exec" = "C:\Program Files\Local Website Archive\wsarc_add.exe" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{B205A35E-1FC4-4CE3-818B-899DBBB3388C}\
"ButtonText" = "Encarta Search Bar"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Belkin Wireless USB Network Adapter, Belkin Wireless USB Network Adapter Service, "C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe" [null data]
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["BitDefender"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender S.R.L."]
BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["BitDefender"]}
BitDefender Virus Shield, VSSERV, ""C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe" /service" ["BitDefender S.R.L."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
BOCore, BOCore, "C:\Program Files\Comodo\CBOClean\BOCORE.exe" ["COMODO"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
KService, KService, ""C:\Program Files\Kontiki\KService.exe"" ["Kontiki Inc."]
LogMeIn, LogMeIn, ""C:\Program Files\LogMeIn\x86\LogMeIn.exe"" ["LogMeIn, Inc."]
LogMeIn Maintenance Service, LMIMaint, ""C:\Program Files\LogMeIn\x86\RaMaint.exe"" ["LogMeIn, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\Windows Live\Messenger\usnsvc.exe"" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CutePDF Monitor\Driver = "cutemon2k.dll" [null data]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
LogMeIn Printer Port Monitor\Driver = "LMIport.dll" ["LogMeIn, Inc."]


---------- (launch time: 2008-02-03 15:47:47)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 634 seconds.
---------- (total run time: 737 seconds)



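Reading a Silent Runners log like the one above by hand is slow. The Python script below is added here as an example; it is not code from the thread or from silentrunners.org. It parses the key / "name" = "value" [tag] layout of the log and pulls out the entries a helper reads first: launch points marked <<!>>, files whose version info carries no company name ([null data] / [empty string]) and launch points whose file is missing from disk ([file not found]). The sample log embedded in it is constructed from a few lines of the log above.

```python
"""Triage helper for Silent Runners logs (added example, not the tool's code).
Parses the  key / "name" = "value" [tag]  layout and groups the lines a helper
reads first by the launch point they live under.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# A registry key (ends with "\", optionally followed by {++}, which marks a
# key whose default entries are listed too) or a startup-folder path.
KEY_RE = re.compile(r'^(HK[A-Z_]+\\.*\\|[A-Z]:\\[^=\[]*)(?:\s*\{\+\+\})?$')

# One launch-point line: optional <<!>> marker, a name, then "=" (registry
# values), "-> shortcut to:" (startup folders) or "-> launches:" (scheduled
# tasks), the value, and the trailing [tag] Silent Runners appends.
ENTRY_RE = re.compile(
    r'^(?P<flag><<!>>\s*)?'
    r'(?P<name>.+?)\s+(?:=|->\s+(?:shortcut to|launches):)\s+'
    r'(?P<value>.*?)\s+\[(?P<tag>[^\[\]]*)\]$'
)

# Tags Silent Runners derives from the file's version resource:
#   MS             Microsoft file        "Company"       CompanyName field
#   null data      no version info       empty string    CompanyName blank
#   file not found the launch point names a file that is not on disk
NO_COMPANY_TAGS = {"null data", "empty string"}
MISSING_TAG = "file not found"


@dataclass
class Entry:
    key: str       # registry key or folder the launch point lives under
    name: str      # value name, shortcut name or task name (quotes removed)
    value: str     # command line / DLL / path exactly as printed
    tag: str       # trailing [tag] without the brackets
    flagged: bool  # True when the line carried the <<!>> marker

    @property
    def company(self) -> str:
        """Vendor the tag names, or '' when the tag carries none."""
        if self.tag == "MS":
            return "Microsoft"
        return self.tag.strip('"') if self.tag.startswith('"') else ""


def parse_silent_runners(text: str) -> List[Entry]:
    """Return every launch point in the log together with its enclosing key."""
    entries: List[Entry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:                      # new key: following lines belong to it
            current_key = key_match.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:                              # "-> {HKLM...CLSID}" lines have no tag
            entries.append(Entry(          # and are skipped on purpose
                key=current_key,
                name=m.group("name").strip('"'),
                value=m.group("value"),
                tag=m.group("tag"),
                flagged=m.group("flag") is not None,
            ))
    return entries


def needs_review(entry: Entry) -> bool:
    """<<!>> launch points, unversioned files and missing files come first;
    Microsoft and vendor-named entries are left for a second pass."""
    return entry.flagged or entry.tag in NO_COMPANY_TAGS or entry.tag == MISSING_TAG


def triage(text: str) -> Dict[str, List[Entry]]:
    """Group the entries worth a closer look by the key they launch from."""
    grouped: Dict[str, List[Entry]] = {}
    for entry in parse_silent_runners(text):
        if needs_review(entry):
            grouped.setdefault(entry.key, []).append(entry)
    return grouped


# Constructed sample: a few lines copied from the log above, same layout.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> LMIinit\DLLName = "LMIinit.dll" ["LogMeIn, Inc."]
C:\Documents and Settings\Jack\Start Menu\Programs\Startup
"AntiCrash" -> shortcut to: "C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe" [null data]
"""
```

Call `triage(open("log.txt").read())` on a saved log to get the review list grouped by launch point; vendor-named entries such as the BitDefender ones drop out, the `[file not found]` and `<<!>>` lines stay.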

#19 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Me again :) Looking at all the analysis logs I have used so far, I can see no reason why the deletion of the other explorer should have caused the inability to start.

Bit of a pain I know, but I would now like to do a registry search to see where it is hidden, if at all. Could this have just been a coincidence?

1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
C:\Windows\system32\updater\explorer.exe


[Options]
Filter=KVDLUI



2. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.

Reference the hanging - you could try this clean up routine to see if it helps

Prefetch is clickable for more information

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Click start then all programmes, accessories, system tools to run disc clean up

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run
Tune Up 2007 Trial

Run Tune Up disc clean up

Run Tune Up registry clean up

Then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor

Edited by Essexboy, 03 February 2008 - 04:08 PM.


#20 Jack W-H (Topic Starter, Member, 86 posts)
OK... this is what Registry Search gave me:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 04/02/2008 16:59:56 for strings:
; 'c:\windows\system32\updater\explorer.exe'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...


Hmmmph.

I'll let you think about that whilst I try your cleanup routine.

[Edit] I've just noticed that in the Prefetch folder was a .pf file called EXPLORER.EXE then some funny numbers - does the genuine explorer normally show up in the Prefetch folder?

Edited by Jack W-H, 04 February 2008 - 11:07 AM.


#21 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Prefetch folder was a .pf file called EXPLORER.EXE then some funny numbers - does the genuine explorer normally show up in the Prefetch folder?

Yes it does. I appear to be running out of scans now, as the last one showed no evidence in the registry. Further research has shown the file to be non-malicious (I wish they would not use the same file name, in the same location, the same size as malware). If you could give me a synopsis of your current problems in your next post, I will see where to go from there.

#22 Jack W-H (Topic Starter, Member, 86 posts)
OK... so we're out of scans. Do we have any idea whatsoever as to what these two odd files might be, explorer and autorun?

Thankfully my Task Manager error has been sorted, so now I'm just left with the computing crashing error. However, this may have been fixed after I ran those scans you suggested with TuneUp Utilities. It's just a matter of time, waiting to see if it crashes again. If I go a couple of days without crashing (considering it normally crashes about once every couple of hours (but this time can definitely vary from 2 minute intervals to 5 hour intervals) and I use my computer between 3 and 5 hours per day), then I guess if it survives a couple of days we can call it mission successful.

So I suppose now it's just a matter of time to see if it crashes again. If it does, I'm popping straight back here with the info... :)

Many Thanks,

~ Jack

#23 Jack W-H (Topic Starter, Member, 86 posts)
OK. Bad news.

I thought everything was OK... but after using my computer for about 45 minutes it hung on me again.

I'm thinking maybe the PC hanging could be caused by this fake explorer/autorun? Perhaps they could be causing it to crash.

Another idea I had was using OTMoveIt to move just one file - first try autorun (move that by itself), reboot, see if it launches correctly. If so, then we know that it's the explorer.exe that's causing the non-reboot problem. Then deal with that one.

or vice versa, so if it refuses to start up then I restore the file in safe mode and try again with explorer removed. If that fails, then we know it's both of them, if you get what I mean?

This computer hanging is really an absolute pain. I need to do important work on this computer, made almost impossible when it just freezes often twice per hour.

~ Jack

P.S. Just had a look, this autorun fake file is also "created with AutoPlay Media Studio", which we think is legit...?

Edited by Jack W-H, 05 February 2008 - 11:46 AM.


#24 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi Jack, I would rather try with this file first, as I am fairly happy now that the explorer is a legit file, just in an unusual place.


  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

I would like to rule out all malware before I think about the hardware side.

Reboot and let me know the result. If you are prepared to keep trying to resolve this problem, dependent on the results of this I might use IceSword, a rootkit detector.

#25 Jack W-H (Topic Starter, Member, 86 posts)
OK:

C:\DOCUMENTS AND SETTINGS\Jack\LOCAL SETTINGS\Temp\ir_ext_temp_6\autorun.exe moved successfully.

OTMoveIt2 v1.0.17 log created on 02052008_192827


I'm now gonna restart.

Here goes... wish me luck!
#26 Jack W-H (Topic Starter, Member, 86 posts)
OK! Good news!

I managed to successfully reboot with no safe-mode issues, etc. so it looks like the fake autorun hasn't given us too much grief.

Should we try moving the fake explorer, just once more to see if it was a coincidence or a one-off or something?

I'm happy to do a rootkit scan, etc. Anything to fix this downright pain of a problem!

~ Jack

#27 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yes please, the original one appears to be a spooky coincidence :)

If that goes OK then we will go for IceSword - I will include the instructions.

Please download and unzip IceSword to its own folder.


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red colored service entry indicates that it’s rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings
Processes
Win32 Services
SSDT


#28 Jack W-H (Topic Starter, Member, 86 posts)
More good news!

I managed to successfully remove the fake explorer, and startup without getting any sort of error! Woohoo! Was it just some really weird freak coincidence, or do you think it might have been down to having both files moved at the same time or something?

There's still something called explorer.exe in the Task manager's running processes - I'm guessing that's the real one?

I will now go and download IceSword and run a scan. I'll post the results when it's finished.

Ta,

~ Jack

#29 Jack W-H (Topic Starter, Member, 86 posts)
OK, no red files were found under Processes and Win32 services.

However there were a few under SSDT:

1) \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys

Name: NtOpenProcess

2) \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (Yes, same as last one)

Name: NtOpenThread

3) \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys (Again)

Name: NtTerminateProcess


--

That was all it found. If you need any more info, just ask.

So what next? BitDefender is, I'm sure, legitimate...

#30 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Yes it is. Give me a few hours, as I feel now we may be looking at a hardware problem, motherboard or PSU, not sure yet.
