
ScanDisk can't scan to the end

Discussion in 'Virus & Other Malware Removal' started by Mapoleon1er, Sep 10, 2003.

Thread Status:
Not open for further replies.
  1. Mapoleon1er

    Mapoleon1er Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    21
    For a few days now I haven't been able to get ScanDisk to finish its work. It always starts the scan and then begins again and again, etc. I can't defrag the system either. As ScanDisk tells me there are other programs writing to the disk, I've run a few scans with the latest versions of Spybot and Ad-Aware, found a lot of spyware and deleted it. But my problem is not solved: ScanDisk still can't finish its work. I looked at the list of programs that have tried to connect to the internet in my ZoneAlarm firewall and I see some entries that I find strange: what are "C:\WINDOWS\LOADER.EXE", "C:\PROGRAM FILES\RSNET\RSEDNCLIENT.EXE" and "C:\PROGRAM FILES\DIVX\DIVX PRO CODEC\GAIN_TRICKLER_3202.EXE"?

    Here is the HijackThis log if it helps...

    Logfile of HijackThis v1.97.0
    Scan saved at 16:38:15, on 10.09.2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MYIE2\MYIE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    F2 - REG:system.ini: Shell=
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O7 "EPUSB1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Ouvrir l'image dans &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\OFFICE\1036\PHDINTL.DLL/phdContext.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Ajouter au tueur de pub - C:\PROGRAM FILES\MYIE2\config/blacklist.htm
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Organise-notes (HKLM)
    O9 - Extra button: Finagle (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/fr/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Environnement d'exécution Java 1.4.1_01) -
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37768.4173148148
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919ab8ef05/netzip/RdxIE601_fr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run HijackThis again and put a checkmark against these entries....
    .....then close all browser and Outlook windows and "Fix checked".

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919a...RdxIE601_fr.cab


    Other than these 2 your log is clean.......maybe this is better posted in our hardware forum?

    take care;)
     
  3. Mapoleon1er

    Mapoleon1er Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    21
    OK, thank you, I deleted these two entries. But ScanDisk still isn't able to finish its work. I don't know what to do next. No idea what this LOADER.EXE is? I don't think my problem is a hardware one because my hard drive is not that old or that full.
     
  4. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Hi Steve and Mapolean1er,

    Steve, what does the F2 entry refer to? I've got both Merijn's and Brendan's HJT tutorials here and they don't mention it, and Google doesn't seem to have anything about it. :confused:

    Cheers

    Liam
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Good spot Liam....I must admit I rushed by the item without noticing,
    and I haven't seen that one before.

    F0 - system.ini: Shell=
    is more like it.


    AHA!.............take a look at the H/T version number.
    Probably an updated scan engine....no doubt we will be informed
    of any changes.
     
  6. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Cheers Steve,

    V 1.97. We're going to have to find out soon. :) I'm halfway through a log in a different thread, also with an F2 entry, and there's enough going on without having to relearn HJT entries.. :D

    I'll go and see what I can find out, otherwise it's going to be a long night ahead.. :)

    Cheers

    Liam
     
  7. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    How about these two?

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    If that still doesn't work, try running ScanDisk in Safe Mode.

    How to start Windows 95/98/Me in Safe mode
     
  8. Mapoleon1er

    Mapoleon1er Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    21
    Should I delete them?
     
  9. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Hi Steve,

    Just been over to Spyware info, and Merijn has this to say...

    Load and Run keys from Registry in Windows NT/2k/XP are now listed as F2 and F3.

    So I guess we just treat F0 as F2 and F1 as F3.

    Cheers

    Liam
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396

    NO.............Spybot has set those restrictions for you.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    I did the same :D and also asked Rollin' Rog, who is going to take a look in here.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  13. Mapoleon1er

    Mapoleon1er Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    21
    I downloaded the free version of the AVG anti-virus program and installed it. Then I had to reboot and ARGGG: I got a red screen with "BackDoor.Jeem" virus found in msrexe.exe! I had to choose between Yes, No and Heal. I tried Heal and my computer crashed. I had to reboot again and again and every time it froze my computer. So I rebooted in Safe Mode and removed the antivirus. Then I was able to boot normally. The fact is, now I know I have a virus, but I can't install the antivirus because when I reboot it crashes, and on the Symantec website they just explain how to remove the virus with their antivirus...

    How should I remove it?

    Please Help !
     
  14. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Actually what might have been better would have been to run AVG in Safe Mode.

    When prompted, you can delete that file, it cannot be healed and it is not a system file.

    Otherwise, you can manually delete it: C:\WINDOWS\SYSTEM\MSREXE.EXE

    You will probably have to restart in Safe Mode to delete msrexe.exe in c:\windows\system

    And when you do first install AVG, make sure you do NOT have the option selected to scan on startup.
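As an added example (not code from this thread or from HijackThis itself), a small Python triage pass over lines in the HijackThis 1.97 log format that flags the kinds of entries the replies above picked out: the empty F2 Shell= value, the O2 BHO with no file on disk, the O16 ActiveX download from a bare IP address, and the O4 Run entry for msrexe.exe. The sample log lines and the allowlist are constructed, and the "unrecognised autostart in the Windows system directory" rule is an assumed analyst heuristic, not something the thread states.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in the HijackThis 1.97 log format, modelled on this thread's entries.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/217c1129a7919ab8ef05/netzip/RdxIE601_fr.cab
"""
ENTRY_RE = re.compile(r"^(?P<code>[FOR]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[[^\]]*\] (?P<target>.+)$")
EXE_RE = re.compile(r"(?i)^(?P<path>.+?\.exe)")
URL_RE = re.compile(r"https?://\S+")
# Assumed analyst allowlist for autostart binaries that live in the Windows system directory.
SYSTEM_DIR_ALLOWLIST = {"ssdpsrv.exe", "vsmon.exe", "hidserv.exe"}

def is_bare_ip(url):
    """True when the download URL's host is a raw IP address rather than a hostname."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (code, reason, line) for entries that deserve an analyst's attention."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("F0", "F2") and body.endswith("Shell="):
            findings.append((code, "empty system.ini Shell= value", raw.strip()))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "orphaned BHO, no file on disk", raw.strip()))
        elif code == "O4" and (run := RUN_RE.match(body)):
            exe = EXE_RE.match(run.group("target"))
            path = exe.group("path").lower() if exe else ""
            if "\\windows\\system\\" in path and path.rsplit("\\", 1)[-1] not in SYSTEM_DIR_ALLOWLIST:
                findings.append((code, "unrecognised autostart in Windows system directory", raw.strip()))
        elif code == "O16" and (url := URL_RE.search(body)) and is_bare_ip(url.group()):
            findings.append((code, "ActiveX download from a bare IP address", raw.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` returns four findings, one per flagged section code, while the Spybot BHO, the TaskMonitor entry, the allowlisted ssdpsrv.exe and the Apple-hosted QuickTime control pass through untouched.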
     
  15. Mapoleon1er

    Mapoleon1er Thread Starter

    Joined:
    Jul 12, 2003
    Messages:
    21
    Okay, I'll try that, thank you!
     