| Thread ID: 64499 | 2005-12-17 01:02:00 | Unknown pop-up during logging in | zahmad (8963) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 413330 | 2005-12-17 01:02:00 | Recently when I started signing in (all users), the usual programs would load to system tray etc, with them a sort of MS-DOS pop-up with the title C:Windows/System32/cmd.exe, and then in the window it says Internal File error every time and goes away. This is really annoying, and then sometimes because of this when I try doing anything, it says Run dll as a program has encountered an error and can't run... and asks me if I should send a report to Microsoft etc... What is this, and how can I fix this? |
zahmad (8963) | ||
| 413331 | 2005-12-17 02:27:00 | I would post a hijackthis (www.spywareinfo.com) log here. Whatever you have, it doesn't sound friendly. |
Speedy Gonzales (78) | ||
| 413332 | 2005-12-17 04:08:00 | I would post a hijackthis (www.spywareinfo.com) log here. Whatever you have, it doesn't sound friendly. Speedy..what's the chances that if they ran CrapCleaner that it'd remove that broken .dll?...just a thought. |
SurferJoe46 (51) | ||
| 413333 | 2005-12-17 07:18:00 | You could try that Surfer, but that command loading on bootup, I don't think it's normal. Sounds like something is making it load on startup, but what. A HJT log may show us what's doing it, if it's a virus/worm/trojan. |
Speedy Gonzales (78) | ||
| 413334 | 2005-12-18 04:46:00 | Here's the logfile:
Logfile of HijackThis v1.99.1
Scan saved at 5:42:51 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AGC\agc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Khalid\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [WB5Hack] HackIt.cmd
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: AGC.lnk = C:\Program Files\AGC\agc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F0EA395-CA14-473E-B0EA-B3327884F3A2}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\WINDOWS\system32\iprepair.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe |
zahmad (8963) | ||
| 413335 | 2005-12-18 04:53:00 | check it out for yourself here (www.hijackthis.de) | Prescott (11) | ||
| 413336 | 2005-12-18 06:07:00 | You may not have to boot into safe mode, or disable system restore. Tick these in HJT. And tick fix checked. And do another log. If these entries are still there, do the above.
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] C:\W - don't know what this is, some of this entry is missing.
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" Not nasty but not needed in startup
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE Not needed in startup
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU) - this is spyware/adware. Go here (securityresponse.symantec.com) for info.
O4 - HKLM\..\Run: [WB5Hack] HackIt.cmd - this may or may not be nasty. I wouldn't trust it. It looks like a hack for the new version of Windowblinds. But if you delete the above entry, it may kill Windowblinds. Or use Adaware, or Ewido (http://www.ewido.net) to see if this removes it. |
Speedy Gonzales (78) | ||
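The manual triage in the post above can be partly automated. The following Python sketch is an added example, not part of the original thread and not HijackThis's own logic: it parses HijackThis-style lines and flags autostart entries worth a manual look. The three heuristics (no absolute path, script extension, missing file extension) and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WB5Hack] HackIt.cmd
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - Global Startup: AGC.lnk = C:\Program Files\AGC\agc.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_KEY = re.compile(r"^\S+\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js")  # run through cmd.exe or the script host

def command_path(cmd):
    """Return the executable part of a Run value, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)^(.*?\.(?:exe|cmd|bat|com|vbs|js|dll))(?:\s|$)", cmd)
    return m.group(1) if m else cmd

def triage(log_text):
    """Yield (code, entry name, reasons) for autostart entries worth a manual look."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body, reasons = m["code"], m["body"], []
        if "(file missing)" in body:
            reasons.append("target file missing")
        run = RUN_KEY.match(body) if code == "O4" else None
        if run:
            path = command_path(run["cmd"])
            if not re.match(r"^[A-Za-z]:\\", path):
                reasons.append("no absolute path (resolved via search path)")
            if path.lower().endswith(SCRIPT_EXT):
                reasons.append("script launched at logon")
            if not re.search(r"\.\w{2,4}$", path):
                reasons.append("no file extension (entry looks truncated)")
        if reasons:
            yield code, run["name"] if run else body.split(" - ")[0], reasons

if __name__ == "__main__":
    for code, name, reasons in triage(SAMPLE_LOG):
        print(f"{code} {name}: {'; '.join(reasons)}")
```

A flag here only means the entry deserves inspection: `pctspk.exe` is flagged for its bare file name even though the log shows it running from `C:\WINDOWS\system32`.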
| 413337 | 2005-12-18 20:30:00 | Thanks, I'm pretty sure it was the Windowblinds hack, and I'll get rid of the adware as soon as possible, it seems like adaware missed those :). | zahmad (8963) | ||
| 413338 | 2005-12-18 23:50:00 | You've probably got a trojan horse, but you may not. For example, some PCs will use small batch or command files in the startup folder. Look in this folder: "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
If you try Start...Run...Msconfig, you'll see a list of programs flagged to start up.
Also if you use Start...Run...gpedit.msc, Local Computer Policy... Administrative Templates... System... Script
Run Startup script visible "enabled"
Run login script asynchronously "disabled" |
kingdragonfly (309) | ||