
Opened Window showing D:\Program Files whenever PC is started - With HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by jing13, Apr 23, 2004.

Thread Status:
Not open for further replies.
  1. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi Guys,

    Need some help down here.

    Right now I am a victim of the very new and as yet unpatched exploit described by Merijn ( http://www.spywareinfo.com/~merijn/index.html )

    But at the same time, I faced another problem, that is, whenever my PC is started, a window would be opened showing D:\Program Files

    Please help.

    I had installed HijackThis on WinXP Service Pack 1 but I got the following error :
    "An unexpected error had occured at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argurment."

    However, I was still able to get a copy of the log.

    I would really appreciate it if you have any suggestions.

    Thank you in advance
    jing


    HijackThis Log :

    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:22 PM, on 4/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\crypserv.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
    C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\ICQ\ICQ.exe
    D:\Qualcomm\Eudora Mail\Eudora.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\hijackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s /r
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then, close all browser and Outlook windows including this one and "fix checked"

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

    Which site were you taken to?
    Have you anything disabled with MSConfig?
     
  3. raybro

    raybro

    Joined:
    Apr 26, 2003
    Messages:
    5,836
    Check your Startup folder. In Win98SE it's located here:

    C:\Windows\Start Menu\Programs\StartUp

    Not sure of the path in XP, but should at least be similar.
     
  4. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi $teve and raybro,

    Thanks for your quick reply.

    Firstly, I have checked my StartUp folder with nothing funny down there.

    As for the F2 in the HijackThis log, is it safe to fix that? Pardon me for being a newbie, but I thought userinit.exe is a system file that loads different user profiles?

    Please advise,

    Thanks
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It can be left if there's nothing disabled with MSConfig.........I take it you have more than one profile?
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    If the 'd' drive problem is persisting you need to "clean boot" troubleshoot it. This is done easily by running msconfig

    Look under the Startup tab for all entries whose paths point to the 'd' drive. Uncheck them all at once and reboot. Does the problem still occur? Re-enable them one at a time, if not, and see which is the culprit.
     
  7. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi $teve and Rollin' Rog,

    Thanks for the advice,

    I managed to trace the root of the problem under msconfig.

    It seems to be due to a program that I installed - StartPage Guard v2.5.

    I had installed the program to prevent my page from being changed by the start.chm trojan.

    Have you guys got any update on that problem? I am still waiting anxiously to get rid of that fully.

    Thanks,
    jing
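    The clean-boot triage Rollin' Rog describes (find every autostart whose path points at the D: drive, then disable and re-enable them one by one) can be done against the posted HijackThis log itself. The script below is an added example, not code from the thread or from HijackThis: it parses O4 entries in the HijackThis 1.97 log format shown above (registry Run keys and Startup-folder shortcuts), splits each command line into image path and arguments, and lists the entries living on a given drive. The sample lines are copied from the log in this thread; the regexes are my own assumptions about the log format.

```python
import re

# Constructed sample in the format of the HijackThis 1.97 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
"""

# Registry Run/RunOnce autostarts: "O4 - HKLM\..\Run: [name] command line"  (format assumed from the log above)
RUN_RE = re.compile(r'^O4 - (?P<loc>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder shortcuts: "O4 - Global Startup: name.lnk = target"
STARTUP_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# A quoted image path, or an unquoted one that ends at the first executable extension
QUOTED_RE = re.compile(r'^"(?P<path>[^"]+)"\s*(?P<args>.*)$')
UNQUOTED_RE = re.compile(r'^(?P<path>.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s+(?P<args>.*))?$', re.IGNORECASE)

def split_command(cmd):
    """Split a Run-key value into (image path, arguments); unquoted paths containing spaces are handled."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    if not m:
        return cmd.strip(), ""      # unparseable value: keep the whole thing as the path
    return m.group("path"), (m.group("args") or "").strip()

def parse_autostarts(log_text):
    """Return one dict per O4 entry: where it is registered, its name, image path and arguments."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m is None:
            continue                # other sections (O2, O16, ...) are not autostart entries
        path, args = split_command(m.group("cmd"))
        entries.append({"location": m.group("loc"), "name": m.group("name"), "path": path, "args": args})
    return entries

def on_drive(entries, drive="D:"):
    """Clean-boot candidates: autostarts whose image lives on the given drive (case-insensitive)."""
    return [e for e in entries if e["path"].upper().startswith(drive.upper())]

if __name__ == "__main__":
    for e in on_drive(parse_autostarts(SAMPLE_LOG)):
        print(f'{e["location"]:>16}  [{e["name"]}]  {e["path"]}  {e["args"]}')
```

Against the sample it lists the Norton ADVCHK.EXE entry and the zSPGuard entry on d:\program files\pjw\spguard, the latter being the one jing13 identified through msconfig.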
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm not really familiar with the program and don't know why it is behaving badly. I'd try removing and reinstalling it, perhaps on the c: drive this time.

    As for the start.chm issue, did you try the "workaround"? I haven't seen anything more on the issue.

    http://www.securityfocus.com/bid/9658/solution/
     
  9. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    thanks Rollin' Rog for your reply,

    I had started to install in C drive with program, and that's why I moved it to D:\

    As for the start.chm issue, I had not tried the "workaround" as it would affect the rest of the Help files.

    I am now trying some other methods to keep it in check, like the StartPage Guard etc.

    This morning while running some checks on my registry, I encountered some entries running .exe files. I should have noted down the entries, but I forgot and fixed the problem.

    I will monitor and let you know,
    Thanks

    jing
     
  10. jing13

    jing13 Thread Starter

    Joined:
    Jan 1, 2004
    Messages:
    18
    Hi Rollin' Rog,

    Would like to ask you about "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe"

    Is it a safe entry?

    Thanks.
    Peter
     
  11. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I used to direct people to remove that thinking it might involve a hijack since I rarely saw it in scanlogs; then someone told me they had login problems after doing that. I'm sure it has valid uses. This is really all I know about it:

    http://www.liutilities.com/products/wintaskspro/processlibrary/userinit/

    You could test remove it and see; if problems result you can either do a System Restore or simply restore the individual entry from the HijackThis > Config > Backups folder
     
Short URL to this thread: https://techguy.org/223178