Opened Window showing D:\Program Files whenever PC is started - With HijackThis Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jing13

Thread Starter
Joined
Jan 1, 2004
Messages
18
Hi Guys,

Need some help down here.

Right now I am a victim of the very new and as yet unpatched exploit described by Merijn ( http://www.spywareinfo.com/~merijn/index.html )

But at the same time, I faced another problem, that is, whenever my PC is started, a window would be opened showing D:\Program Files

Please help.

I had installed HijackThis on WinXP Service Pack 1 but I got the following error:
"An unexpected error had occured at procedure : frmMain_LoadSettings() Error #5 - Invalid procedure call or argurment."

However, I was still able to get a copy of the log.

I would really appreciate it if you have any suggestions.

Thank you in advance
jing


HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 11:53:22 PM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIProviders\HPAlertWMI.exe
C:\Program Files\Hewlett-Packard\TopToolsWMI\WMIWDog.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\ICQ\ICQ.exe
D:\Qualcomm\Eudora Mail\Eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\hijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://127.0.0.1/CFIDE/classes/CFJava.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8C4A2492-3FED-41F2-BBAB-34E802844F8D} (IESettings Class) - http://schdnaweb.schooldna.com/schooldna/login/dnaClientIE.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37598.3783333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B9B4B22-D2C9-40D8-BF15-EA6F0A70D944}: NameServer = 165.21.83.88 165.21.100.88
 
Joined
Oct 9, 2001
Messages
9,396
Run HijackThis again and put a checkmark against these entries....double check
in case you miss anything....
.....then close all browser and Outlook windows, including this one, and "fix checked"

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

Which site were you taken to?
Have you anything disabled with MSConfig?
 
Joined
Apr 26, 2003
Messages
5,837
Check your Startup folder. In Win98SE it's located here:

C:\Windows\Start Menu\Programs\StartUp

Not sure of the path in XP, but should at least be similar.
 

jing13

Thread Starter
Joined
Jan 1, 2004
Messages
18
Hi $teve and roybro,

Thanks for your quick reply.

Firstly, I have checked my StartUp folder with nothing funny down there.

As for the F2 in HijackThis, is it safe to fix that? Pardon me for being a newbie, but I thought userinit.exe is a system file that loads different user profiles?

Please advise,

Thanks
 
Joined
Oct 9, 2001
Messages
9,396
It can be left if there's nothing disabled with MSConfig.........I take it you have more than one profile?
 
Joined
Dec 9, 2000
Messages
45,855
If the 'd' drive problem is persisting you need to "clean boot" troubleshoot it. This is done easily by running msconfig.

Look under the Startup tab for all entries whose paths point to the 'd' drive. Uncheck them all at once and reboot. Does the problem still occur? Re-enable them one at a time, if not, and see which is the culprit.
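The clean-boot advice above amounts to "find every autostart entry whose executable lives on D:". As an added example (not part of the thread), this Python script does the same triage offline on the O4 lines of a HijackThis log; the sample lines are a constructed excerpt copied from the log posted above, and the quoting/switch handling is my own reading of the HijackThis O4 format.

```python
import re

# Constructed excerpt: a few O4 (autostart) lines copied from the log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [zSPGuard] d:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\jing\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - <location>: [<name>] <command>"  or  "O4 - Global Startup: <file>.lnk = <command>"
O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>[^=]+) = )(?P<cmd>.*)$")
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)", re.IGNORECASE)

def extract_path(cmd):
    """Strip quotes and trailing switches (/s, -win, ...) from a Run-key command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd

def parse_o4(log_text):
    """Return one dict (location, name, path) per O4 line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        name = m.group("name") if m.group("name") is not None else m.group("lnk").strip()
        entries.append({"location": m.group("location"), "name": name,
                        "path": extract_path(m.group("cmd"))})
    return entries

def entries_on_drive(log_text, drive="D"):
    """Autostart entries whose executable lives on the given drive (case-insensitive)."""
    prefix = drive.upper() + ":\\"
    return [e for e in parse_o4(log_text) if e["path"].upper().startswith(prefix)]

if __name__ == "__main__":
    for e in entries_on_drive(SAMPLE_O4_LINES):
        print(f"{e['location']:16} [{e['name']}] -> {e['path']}")
```

Run against the full log, the two hits on D: are the Norton Advanced Tools check and zSPGuard, which matches what the thread starter later found in msconfig.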
 

jing13

Thread Starter
Joined
Jan 1, 2004
Messages
18
Hi $teve and Rollin' Rog,

Thanks for the advice,

I managed to trace the root of the problem under msconfig.

It seems to be due to a program that I installed - StartPage Guard v2.5.

I had installed the program to prevent my page from being changed by the start.chm trojan.

Have you guys got any update on that problem? I am still waiting anxiously to get rid of that fully.

Thanks,
jing
 

jing13

Thread Starter
Joined
Jan 1, 2004
Messages
18
Thanks, Rollin' Rog, for your reply,

I had started to install programs in the C drive, and that's why I moved it to D:\

As for the start.chm issue, I have not tried the "workaround" as it would affect the rest of the Help files.

I am now trying some other methods to keep it in check, like the StartPage Guard etc.

This morning while running some checks on my registry, I encountered some entries running .exe files. I should have noted down the entries, but I forgot and fixed the problem.

I will monitor and let you know,
Thanks

jing
 

jing13

Thread Starter
Joined
Jan 1, 2004
Messages
18
Hi Rollin' Rog,

Would like to ask you about "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe"

Is it a safe entry?

Thanks.
Peter
 
Joined
Dec 9, 2000
Messages
45,855
I used to direct people to remove that thinking it might involve a hijack since I rarely saw it in scanlogs; then someone told me they had login problems after doing that. I'm sure it has valid uses. This is really all I know about it:

http://www.liutilities.com/products/wintaskspro/processlibrary/userinit/

You could test remove it and see; if problems result you can either do a System Restore or simply restore the individual entry from the HijackThis > Config > Backups folder.
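Whether the F2 UserInit entry is safe comes down to its value, not its presence: the Windows XP default is the system userinit.exe followed by a trailing comma, exactly as in the log above, and the thing to check is whether anything else has been appended after that comma, since additional comma-separated executables there are launched at every logon. As an added example (not from the thread), this Python check parses the F2 line and reports extra items; the second sample line is constructed with an obviously placeholder filename to show the shape of a tampered value.

```python
import re

# Sample F2 lines: the first is copied from the log above, the second is a constructed
# tampered value using a placeholder name (EXAMPLE-EXTRA.exe), not a real program.
SAMPLE_F2_LINES = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\EXAMPLE-EXTRA.exe",
]

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)

def userinit_entries(line, windir=r"C:\WINDOWS"):
    """Return (has_system_userinit, extras) for an F2 UserInit line, or None if the
    line is not one. Empty items (the normal trailing comma) are ignored."""
    m = F2_RE.match(line)
    if not m:
        return None
    items = [i.strip() for i in m.group("value").split(",") if i.strip()]
    expected = (windir + r"\system32\userinit.exe").lower()
    has_system = any(i.lower() == expected for i in items)
    extras = [i for i in items if i.lower() != expected]
    return has_system, extras

def assess(line):
    """Human-readable verdict: 'default', 'extra entries: ...', or 'userinit.exe missing: ...'."""
    result = userinit_entries(line)
    if result is None:
        return "not an F2 UserInit line"
    has_system, extras = result
    if has_system and not extras:
        return "default"
    if has_system:
        return "extra entries: " + ", ".join(extras)
    return "userinit.exe missing: " + ", ".join(extras)

if __name__ == "__main__":
    for line in SAMPLE_F2_LINES:
        print(assess(line))
```

A "default" verdict means the entry should be left alone; removing a valid UserInit value is what causes the logon problems mentioned above.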
 