Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Regedit crashes among other things...

Started by Fianke , Dec 15 2004 05:14 AM

  • Please log in to reply

#1
Fianke
Posted 15 December 2004 - 05:14 AM

Fianke

    Member

  • Member
  • PipPip
  • 14 posts
I have a problem with my XP installation. I think there's something damaged in the registry. Here are a few of the sympthoms:

* Regedit closes during a search, no warning, no error it's just gone
* addaware crashes durings the scan
* Bazooka gives an error after hitting the scan button 'Unexpetected exeption. Error while enumerating a registry key using RegEnumKey. Entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. System error Message: The extended properties are inconsistent'
The system error message is translated from Dutch so this may not be the right wording.
* Cumulus Photo cataloging software will not install. It quit during the installation without warning or error
Windows SP2 will not install. I get some fatal exception. I do not have the details of this now.

All things mentioned above work when the computer is running in save mode.

Can anyone help here?
  • 0

Advertisements

#2
coachwife6
Posted 15 December 2004 - 05:26 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi Fianke. Welcome to GTG. :tazz:

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
Fianke
Posted 15 December 2004 - 05:33 AM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
here it is:

Logfile of HijackThis v1.98.2
Scan saved at 12:32:48, on 15-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\hijack this scanner\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A398BCD-6F18-4CF6-A443-94C46F68C44A} - C:\WINDOWS\System32\rcpie.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} -
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102969984430
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} -
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -
  • 0

#4
coachwife6
Posted 15 December 2004 - 09:24 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
It sounds as if you have a virus - not sure though. Needed to know what the error said. But try this in the meantime.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {5A398BCD-6F18-4CF6-A443-94C46F68C44A} - C:\WINDOWS\System32\rcpie.dll

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll

O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} -
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102969984430
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} -
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINDOWS\System32\rcpie.dl

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#5
Fianke
Posted 15 December 2004 - 01:25 PM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
The problem is still there. I have a feeling that there are loads of spyware active but cannot figure out how to remove it. I ran Adaware and spybot several times but it keeps coming back after rebooting. Anyway here's the new log file:

Logfile of HijackThis v1.98.2
Scan saved at 20:11:26, on 15-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\hijack this scanner\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {97686BD2-637A-4120-797C-939BDC65916E} - vxdman.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [install2] TorontoMail.exe
O4 - HKLM\..\Run: [zantu] panel_its.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [UserSp1] StatusCheck.exe
O4 - HKCU\..\Run: [Shaitan1678] MsNetHelper.exe
O4 - HKCU\..\Run: [TorontoMail] MsNetHelper.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} -
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} -
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -
O18 - Filter: text/html - {530BCE19-898D-4918-9CB0-0D3B2C28E69E} - C:\WINDOWS\System32\rcpie.dll
O18 - Filter: text/plain - {530BCE19-898D-4918-9CB0-0D3B2C28E69E} - C:\WINDOWS\System32\rcpie.dll

I have no idea were the WareOut stuff came from , it popped up after I rebooted. The housecall found 3 virusses and another 37 or so which are related to java and could not be removed. These were rated as not dangerous though.

I hope you can help, cause I get the feeling I'm in for a fresh install of my system.
  • 0

#6
coachwife6
Posted 15 December 2004 - 10:23 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {97686BD2-637A-4120-797C-939BDC65916E} - vxdman.dll (file missing)

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [install2] TorontoMail.exe--I could not find anything on these. Please delete if they are not something you want - this one and the zantu file.
O4 - HKLM\..\Run: [zantu] panel_its.exe

O4 - HKCU\..\Run: [UserSp1] StatusCheck.exe
O4 - HKCU\..\Run: [Shaitan1678] MsNetHelper.exe
O4 - HKCU\..\Run: [TorontoMail] MsNetHelper.exe

O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)\

O15 - Trusted Zone: http://*.63.219.181.7

O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} -
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} -
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} -
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B94B4225-E02E-4D3F-BADB-026F1E2F3AD7} -
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} -

O18 - Filter: text/html - {530BCE19-898D-4918-9CB0-0D3B2C28E69E} - C:\WINDOWS\System32\rcpie.dll
O18 - Filter: text/plain - {530BCE19-898D-4918-9CB0-0D3B2C28E69E} - C:\WINDOWS\System32\rcpie.dll


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):


go to C:\WINDOWS\System32 and delete

rcpie.dll
ptipbmf.dll
then go to C:\Program Files and delete

WareOut
TorontoMail
panel_its
StatusCheck
MsNetHelper

Please clean out your temp. files and run adaware according to the instructions laid out in my signature.
Run housecall again.


Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#7
Fianke
Posted 19 December 2004 - 01:11 PM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here's the new log:

Logfile of HijackThis v1.98.2
Scan saved at 20:06:30, on 19-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack this scanner\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O15 - Trusted Zone: http://*.63.219.181.7

Regedit still exits when searching as does the Cumulus during installation. Adaware freezes when searching the registry. It does work in safe mode. It freezes when searching HKEY_LOCAL_MACHINE\SOFTWARE/.. Anything more I can do?
  • 0

#8
coachwife6
Posted 19 December 2004 - 01:59 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Fianke:

I need you to download the latest version of Hijack This.
  • 0

#9
Fianke
Posted 20 December 2004 - 09:15 AM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thanks that helped to get rid of the trusted zone... The rest remains unchanged. The new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 16:12:23, on 20-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijack this scanner\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
  • 0

#10
admin
Posted 20 December 2004 - 09:49 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Download this file rem.zip from
http://forums.skads....hp?showtopic=80
unzip it to the system32 folder, system for win 98 and me
C:\windows\system32
Reboot into safe mode.
Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Run rem.bat, wait untill it closes.

Reboot back to normal, post the log.txt which will be at this location c:\log.txt
And a new Hijackthis log.
  • 0

#11
Fianke
Posted 20 December 2004 - 10:17 AM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Microsoft Windows XP [versie 5.1.2600]
C:\WINDOWS\system32
"Files found"
---------------------------------------------------------------------
clfmon.exe
dllhostxp.exe
rdshost32.exe
winsrv32.dll
d3dxov.dll
msacmx.dll
hdr.dll

Zipping files............
---------------------------------------------------------

deleting files........
---------------------------------------------------------

"Files Not Deleted"
---------------------------------------------------------------------

Checking for version 2 files..........
Files Found
------------------------------------------------------------
subsys.exe
sfcver.exe

Zipping files............
---------------------------------------------------------

deleting files........
---------------------------------------------------------

Files Not deleted
------------------------------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
"service.exe"=""
"msacmx.dll"=""
"d3dxov.dll"=""
"winsrv32.dll"=""
"ie4unit.exe"=""
"ipxroutex.exe"=""
"rdshost32.exe"=""
"rshe.exe"=""
"net2.exe"=""
"mqsvch.exe"=""
"dllhostxp.exe"=""
"extrac16.exe"=""
"mqbckup.exe"=""
"pxhping.exe"=""
"rdpnr.exe"=""
"slservc.exe"=""
"clfmon.exe"=""
"hdr.dll"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
"ie4unit.exe"=""
"ipxroutex.exe"=""
"service.exe"=""
"rdshost32.exe"=""
"rshe.exe"=""
"net2.exe"=""
"mqsvch.exe"=""
"dllhostxp.exe"=""
"extrac16.exe"=""
"mqbckup.exe"=""
"pxhping.exe"=""
"rdpnr.exe"=""
"slservc.exe"=""
"clfmon.exe"=""
The rem.bat log:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
"{98DBBF16-CA43-4c33-BE80-99E6694468A4}"=""
"{A5366673-E8CA-11D3-9CD9-0090271D075B}"=""
"Files"=""
"Ms4Hd"=""
"Processes"=""
"RegKeys"=""
"RegValues"=""
"Vendor"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
"clfmon.exe"=""
"dllhostxp.exe"=""
"pxhping.exe"=""
"service.exe"=""

-----------------------------------------------------------------

Done


The hijack this log:
Logfile of HijackThis v1.99.0
Scan saved at 17:14:04, on 20-12-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\hijack this scanner\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
  • 0

#12
admin
Posted 20 December 2004 - 11:42 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Almost there!

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe (NOT the legitimate ctfmon.exe)
O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\System32\clfmon.exe
C:\WINDOWS\System32\dllhostxp.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#13
Fianke
Posted 20 December 2004 - 01:59 PM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Well... :thumbsup: a very big thank you! :tazz: My computer now works normal again except the installation of Cumulus. Adaware, regedit etc. all work normal. I was able to install SP2 with any problems. Here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 20:55:34, on 20-12-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijack this scanner\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

Do you have any sugestions on the cumulus case? ;)
  • 0

#14
admin
Posted 20 December 2004 - 02:45 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Sorry to be so dense, what is cumulus?
  • 0

#15
Fianke
Posted 20 December 2004 - 04:46 PM

Fianke

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Cumulus is a photo archieve database. There was something wrong with the zipped file. It works now :woot: as does the rest of my system :cheers: .

:tazz: ;) Thanks for your excellent support :thumbsup: :cheers:
  • 0
Back to Windows XP, 2000, 2003, NT · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Retired Forums
  3. Windows XP, 2000, 2003, NT

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP