View Full Version : C:\ Opens At Windows Startup.



Jale
February 11th, 2005, 03:25
I checked everything... the startup folder... etc.
When I googled it, I came across a program called HijackThis to check what's going on. I don't know anything about this tool, so I made a log of the scan and posted it here:


Logfile of HijackThis v1.99.0
Scan saved at 10:16:51 p.m., on 10/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Java\jre1.5.0\bin\jusched.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\ICQLite\ICQLite.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\Archivos de programa\Shareaza\Shareaza.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
c:\archiv~1\intern~1\iexplore.exe
C:\Archivos de programa\Corel\Graphics9\Register\Remind32.exe
C:\Archivos de programa\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Javier\Escritorio\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Archivos de programa\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [start axis type the] C:\Documents and Settings\All Users\Datos de programa\teampilestartaxis\SizeEnc.exe
O4 - HKCU\..\Run: [Shareaza] "C:\Archivos de programa\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [Pollchic] C:\DOCUME~1\Javier\DATOSD~1\4WINRU~1\amenopen.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Archivos de programa\Corel\Graphics9\Register\Remind32.exe
O8 - Extra context menu item: Download with &Shareaza - res://C:\Archivos de programa\Shareaza\Plugins\RazaWebHook.dll/3000
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab33902.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Servicio del administrador de discos lógicos - Unknown - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Escritorio remoto compartido de NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
O23 - Service: DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: DSDM de DDE de red - Unknown - C:\WINDOWS\system32\netdde.exe
O23 - Service: Plug and Play - Unknown - C:\WINDOWS\system32\services.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto - Unknown - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Sistema de ayuda de tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Tarjeta inteligente - Unknown - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento - Unknown - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen - Unknown - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe

Which entries should I delete? :huh:

onewecallgod
February 11th, 2005, 04:13
just download spybot and adaware, update them, then boot in safe mode and scan there.

Fable
February 11th, 2005, 04:15
yep, try the microsoft beta too.

Robert
February 11th, 2005, 09:38
You got a whole heap of stuff there, unfortunately I don't have XP so cannot advise. Personally I would get rid of the stuff I haven't heard of which is most of it.

Jale
February 11th, 2005, 14:23
Problem solved! It was a Trojan :)

Zach
February 11th, 2005, 14:44
Bet you it came from a no-cd crack :glare:

Jale
February 11th, 2005, 14:54
Umm... no. It doesn't. It was in some strange program called MPEG... ugh... I can't remember. I told Fable...

Robert
February 12th, 2005, 04:44
First time I've seen you lost for words :D

Fable
February 12th, 2005, 07:36
lol brain dead.....

Jale
February 12th, 2005, 15:05
First time I've seen you lost for words :D
You must have seen me the first time I entered here... :biglaugh:

Robert
February 12th, 2005, 23:31
I did. I remember seeing about 50 threads updated, including some really old ones, all with your name on them, and I thought, wtf??, who is this person?

Jale
February 12th, 2005, 23:53
I didn't even know what I was doing, lol.

Fable
February 13th, 2005, 03:55
hehe, remember the JAPPspam bot avatar? that's basically what happened.

Jale
February 13th, 2005, 04:12
Yes, um... where did I put that avatar? :confused:

Fable
February 13th, 2005, 04:15
YAY!!!! You're Doomed!!!

Jale
February 13th, 2005, 04:16
Well. It's no use to keep this thread alive, now that I solved this f*****g problem. So stay away from it.

the_ghost
April 28th, 2005, 15:21
hijackthis is a great tool for identifying malicious programs
it starts up and scans your registry, focusing on your startup entries
and your running processes

use with caution, one wrong deletion and you could mess up your computer
and need to re-format

You could post your log at this forum
http://www.security-forums.com/
or this forum
http://www.bleepingcomputer.com/

they have experts who analyze and inspect hijackthis logs (for free) and tell you if you have a virus or trojan on your computer and guide you on how to safely
remove them

it's a great tool to have, trust me... It has saved my comp a couple of times
it's freeware
you can get it from >>>HERE<<< (http://www.spywareinfo.com/~merijn/downloads.html)
or
Direct download http://www.bleepingcomputer.com/files/Merijn/HijackThis.zip
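
An added example, not part of the original posts and not HijackThis's own code: a small parser for the O4 (autostart) lines of a HijackThis log like the one posted above, bucketing each entry by where its executable lives. The sample lines are constructed, the folder list covers only English and Spanish Windows XP names, and the "needs review" bucket is a triage heuristic for a human reviewer, not a verdict that an entry is malicious.

```python
import re

# Constructed sample lines in the O4 (autostart) format; names are made up.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -atboot
O4 - HKLM\..\Run: [ExampleTray] tray.exe
O4 - HKCU\..\Run: [ExampleAgent] C:\DOCUME~1\User\DATOSD~1\example\agent.exe
O4 - HKLM\..\Run: [ExampleSvc] C:\Archivos de programa\Example\svc.exe /minimize
O4 - Startup: Example.lnk = C:\WINDOWS\system32\example.exe
"""

O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.+)$")
O4_LNK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
# Quoted path, or an unquoted path ending at the first executable extension.
EXE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)
LOCATIONS = [  # English and Spanish XP folder names plus their 8.3 short forms
    ("windows", r"[a-z]:\\(windows|winnt)\\"),
    ("program-files", r"[a-z]:\\(program files|progra~\d|archivos de programa|archiv~\d)\\"),
    ("user-profile", r"[a-z]:\\(documents and settings|docume~\d)\\"),
]

def classify(path):
    p = path.lower()
    if "\\" not in p:
        return "bare-name"  # no directory: resolved through the search path
    for label, pattern in LOCATIONS:
        if re.match(pattern, p):
            return label
    return "other"

def parse_o4(log_text):
    """Return (source, name, exe_path, location) for every O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip()) or O4_LNK.match(line.strip())
        if m:
            source, name, command = m.groups()
            exe = EXE.match(command)
            path = (exe.group(1) or exe.group(2)) if exe else command
            entries.append((source, name, path, classify(path)))
    return entries

def needs_review(entries):
    """Autostarts outside the OS and program folders deserve a manual look."""
    return [e for e in entries if e[3] not in ("windows", "program-files")]

if __name__ == "__main__":
    print(*needs_review(parse_o4(SAMPLE_LOG)), sep="\n")
```
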

Jale
April 28th, 2005, 16:15
Thanks for the LATE info, lol :laugh:
The problem has been solved loooong ago.

the_ghost
April 29th, 2005, 09:36
I came across a program called HijackThis to check what's going on. I don't know anything about this tool, so I made a log of the scan and posted it here:

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
yeah i know
but i was just letting you know how to use it in case you need to do so in the
future

it really is a great tool to have
it finds all the stuff that adaware and spybot S&D don't find