dweb937

Windows Error - System32

Hello,

We have a software application that we use for accounting/manufacturing business operations.  It is loaded on the server.  One of the users can no longer access the application.  When she double clicks on the shortcut, the following message is displayed, "C:\windows\system32\autoexec.nt     The system file is not suitable for running MS-DOS and Microsoft Windows applications.  Choose 'Close' to terminate the application."

I have no clue what this means or how to resolve.  Any suggestions?

Thanks for your time!

-dweb937
ASKER CERTIFIED SOLUTION
SheharyaarSaahil

This solution is only available to members.

dweb937

ASKER

SheharyaarSaahil -

Thanks for your response.  I tried your suggestion about deleting out the 2 files from the System32 folder and copying back in the same files from the Repair Folder.  Unfortunately it didn't work.  Every time after I copied the Autoexec.NT file and restarted the PC, the Autoexec.NT file disappeared from the System32 folder.  I tried copying it back in several times.  Then I tried copying over the two files from my workstation via the network over to the user's System32 folder.  Same thing happened again.  And, I still keep getting the same error.

Any more suggestions?

-dweb937
means your system is infected with a worm, most likely the Worm Agobot one =\
please run Stinger in safe mode >> http://vil.nai.com/vil/stinger

If it comes up clean, then download HijackThis v1.98.2 from here, run it and save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
To fix, check the lines in the HijackThis scan and click on Fix Checked!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted. Better you first research each one on Google, and then when you have confirmed that they should be deleted, fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem, you can take advantage of the backups it creates of fixed items. And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down to where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)
dweb937

ASKER

SheharyaarSaahil -

I'll try this and let you know.  Thanks!

-dweb937
sure.... :)
dweb937

ASKER

SheharyaarSaahil -

Here's a copy of the log file from HijackThis.  I know I can delete the Web_Rebates folder but I'm unsure of the others.  Would you mind taking a look at it and letting me know what you think I can delete?  Also, once I delete whichever files I need to, then what do I do - recopy the Autoexec.NT and Config.NT files back into System32, restart and try to open the application again?

Thanks!

-dweb937



Entry
Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\hpnra.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\PVSW\Bin\W3dbsmgr.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Documents and Settings\ksherk.MIRACLE\Desktop\RepairWorm\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER-1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5ac0cf9540907f4021cb551458c4f f0e707f7104e1f5b20badc240ef32f8d5cba967ebda7eb52e8bf2798760543433259f12b0c6189cd e96e869b14b02:2cb11e4bee6030cd51943025b31084c7
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
O17 - HKLM\Software\..\Telephony: DomainName = Admin.MiracleCorp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com
dweb937

ASKER

Sorry - didn't copy the analysis part.

  Logfile of HijackThis v1.98.2  
Safe.   Shows the version of HijackThis an. The newest version is: v1.98.2!   This should be the newest version. (v1.98.2)
  Platform: Windows XP SP2 (WinNT 5.01.2600)          
  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)  
Safe.   Shows the version of your Internet Explorer. Newest Version is: 6.00.2800.1106!   This should be the newest version. (6.00.2900.2180)
  C:\WINDOWS\System32\smss.exe  
Safe.   running process. (smss.exe)
Systemprozess - Anwendung, die benutzt wird um Sitzungen zu starten, verwalten und löschen.    
  C:\WINDOWS\system32\winlogon.exe  
Safe.   running process. (winlogon.exe)
Systemprozess - Windows Login Routine    
  C:\WINDOWS\system32\services.exe  
Safe.   running process. (services.exe)
Systemprozess - Verwaltet die Systemdienste.    
  C:\WINDOWS\system32\lsass.exe  
Safe.   running process. (lsass.exe)
Systemprozess    
  C:\WINDOWS\system32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\System32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\system32\spoolsv.exe  
Safe.   running process. (spoolsv.exe)
Systemprozess    
  C:\Program Files\Intel\ASF Agent\ASFAgent.exe  
Unknown   running process. (ASFAgent.exe)
   This is a unknown process.
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe  
Safe.   running process. (DefWatch.exe)
   
  C:\Program Files\Dell\OpenManage\Client\Iap.exe  
Unknown   running process. (Iap.exe)
   This is a unknown process.
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe  
Safe.   running process. (Rtvscan.exe)
Symantec Corporate Edition    
  C:\WINDOWS\System32\svchost.exe  
Safe.   running process. (svchost.exe)
Systemprozess - Allgemeiner Hostprozessname für Dienste.    
  C:\WINDOWS\System32\DSentry.exe  
Safe.   running process. (DSentry.exe)
Application provided by Dell that is anti-spyware. The application blocks other applications that send vital information to other computers.    
  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe  
Safe.   running process. (DirectCD.exe)
   
  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe  
Safe.   running process. (atiptaxx.exe)
ATI Desktop Control Panel from ATI Technologies    
  C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe  
Safe.   running process. (vptray.exe)
   
  C:\WINDOWS\System32\hpnra.exe  
Safe.   running process. (hpnra.exe)
HP Network Registry Agent    
  C:\Program Files\QuickTime\qttask.exe  
Safe.   running process. (qttask.exe)
   
  C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe  
Safe.   running process. (hplamp.exe)
HP Scanner Utility that controls your scanner’s light bulb. Needed if its switched on. Also refer here for troubleshooting    
  C:\Program Files\Web_Rebates\WebRebates0.exe  
Nasty   running process. (WebRebates0.exe)
TrojanDownloader.Win32. Agent.y   This is a nasty process! You should fix it and try to delete it manually!
  C:\Program Files\Windows AdControl\WinAdCtl.exe  
Unknown   running process. (WinAdCtl.exe)
   This is a unknown process.
  C:\Program Files\Messenger\msmsgs.exe  
Safe.   running process. (msmsgs.exe)
MSN Messenger    
  C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  
Safe.   running process. (AcroTray.exe)
   
  C:\Program Files\Windows AdControl\WinAdAlt.exe  
Unknown   running process. (WinAdAlt.exe)
   This is a unknown process.
  C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE  
Unknown   running process. (ISATRAY.EXE)
   This is a unknown process.
  C:\PVSW\Bin\W3dbsmgr.exe  
Safe.   running process. (W3dbsmgr.exe)
PracticeWorks (Kodak)    
  C:\Program Files\Web_Rebates\WebRebates1.exe  
Nasty   running process. (WebRebates1.exe)
TrojanDownloader.Win32. Agent.y   This is a nasty process! You should fix it and try to delete it manually!
  C:\Program Files\Windows Media Player\wmplayer.exe  
Safe.   running process. (wmplayer.exe)
   
  C:\WINDOWS\explorer.exe  
Safe.   running process. (explorer.exe)
Systemprozess für Desktop und Taskleiste.    
  C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE  
Safe.   running process. (OUTLOOK.EXE)
E-Mail Client für Windows.    
  C:\Program Files\Microsoft Office\Office10\WINWORD.EXE  
Safe.   running process. (WINWORD.EXE)
Microsoft Word    
  C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe  
Safe.   running process. (Photoshop.exe)
Adobe Photoshop    
  C:\Documents and Settings\ksherk.MIRACLE\Desktop\RepairWorm\HijackThis.exe  
Safe.   running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben.   Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/   
Safe.   This page has been identified as safe.    
  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/   
Possibly nasty   This page could possibly be nasty.   If you do not know the entry 'http://smbusiness.dellnet.com/', delete it.
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER-1:8080  
Safe.   This entry has been identified as safe.    
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx  
Safe.   Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 99 %    
  O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)  
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([83DE62E0-5805-11D8-9B25-00E04C60FAF2] - Result: 83DE62E0-5805-11D8-9B25-00E04C60FAF2) has been checked. Hit rate: 99 %   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)  
Unnecessarily   Entries found in this registry zone are potentially nasty. This application ([96DA5BEE-4ACC-476C-B3EC-54C6730C4293] - Result: 96DA5BEE-4ACC-476C-B3EC-54C6730C4293) has been checked. Hit rate: 99 %   Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe  
Safe.   The entered application IgfxTray was identified: igfxtray. Hit rate: 82 % (result)   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe  
Safe.   The entered application HotKeysCmds was identified: HotKeysCmds. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe  
Safe.   The entered application DVDSentry was identified: DVDSentry. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"  
Safe.   The entered application AdaptecDirectCD was identified: AdaptecDirectCD. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe  
Safe.   The entered application ATIPTA was identified: AtiPTA or AtiPTAAA or atiptaxx. Hit rate: 39 % (result)    
  O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe  
Safe.   The entered application vptray was identified: vptray. Hit rate: 94 % (result)    
  O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINDOWS\System32\hpnra.exe  
Safe.   The entered application HP Network Registry Agent was identified: HP Network Registry Agent. Hit rate: 99 % (result)    
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime  
Safe.   The entered application QuickTime Task was identified: QuickTime Task. Hit rate: 99 % (result)   Not dangerous, but unnecessary.
  O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"  
Safe.   The entered application HP Lamp was identified: HpLamp. Hit rate: 42 % (result)    
  O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"  
Nasty   The entered application WebRebates0 was identified: WebRebates0. Hit rate: 99 % (result)   Must be fixed!
  O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe  
Unknown   The entered application Windows AdControl was identified: Windows Load. Hit rate: 46 % (result)   Unknown application.
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background  
Safe.   The entered application MSMSGS was identified: MSMSGS. Hit rate: 94 % (result)    
  O4 - Startup: PowerReg SchedulerV2.exe  
Safe.   The entered application 'PowerReg SchedulerV2.exe ()' was identified: 'PowerReg SchedulerV2 (PowerReg SchedulerV2.exe )'. Hit rate: 44 % (result)   Not dangerous, but unnecessary.
  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe  
Safe.   The entered application 'Acrobat Assistant.lnk (AcroTray.exe)' was identified: 'Acrobat Assistant (ACROTRAY.EXE )'. Hit rate: 55 % (result)    
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe  
Safe.   The entered application 'Adobe Gamma Loader.lnk (Adobe Gamma Loader.exe)' was identified: 'Adobe Gamma Loader (Adobe Gamma Loader.exe )'. Hit rate: 91 % (result)    
  O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE  
Safe.   The entered application 'Firewall Client Connectivity Monitor.LNK (ISATRAY.EXE)' was identified: 'MICROSOFT FIREWALL CLIENT (ISATRAY.EXE )'. Hit rate: 52 % (result)    
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE  
Safe.   The entered application 'Microsoft Office.lnk (OSA.EXE)' was identified: 'Microsoft Office or Microsoft Office Startup (Osa.exe Osa9.exe)'. Hit rate: 32 % (result)   Not dangerous, but unnecessary.
  O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3dbsmgr.exe  
Safe.   The entered application 'Pervasive.SQL Workgroup Engine.lnk (W3dbsmgr.exe)' was identified: 'Pervasive.SQL Workgroup Engine (W3dbsmgr.exe)'. Hit rate: 95 % (result)    
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000  
Safe.   The entry E&xport to Microsoft Excel has been identified as safe.   If the entry 'E&xport to Microsoft Excel ' is not needed anymore, it should be fixed.
  O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm  
Nasty   The entry Web Rebates has been identified as nasty.    
  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Safe.   The entry Messenger has been identified as safe.   If the entry 'Messenger ' is not needed anymore, it should be fixed.
  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe  
Safe.   The entry Windows Messenger has been identified as safe.   If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
  O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll  
Safe.   Most of the entries present in this registry area are safe. Only OnFlow adds an unwanted plugins can be found here. OnFlow-Plugins have the following extension *.ofb.    
  O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5ac0cf9540907f4021cb551458c4f f0e707f7104e1f5b20badc240ef32f8d5cba967ebda7eb52e8bf2798760543433259f12b0c6189cd e96e869b14b02:2cb11e4bee6030cd51943025b31084c7  
Nasty   This entry is possibly nasty.   Should be fixed.
  O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab   
Possibly nasty   Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!   Check if you know this site and fix it if you do not.
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\Software\..\Telephony: DomainName = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Admin.MiracleCorp.com  
Possibly nasty   If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.   Do you know the IP or Domain 'Admin.MiracleCorp.com'? If not, fix this entry.


This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
well the log doesn't show any sign of worm dweb, just two BHOs,

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)

So who is deleting the Autoexec.NT file from the System32 folder :-?
tell me, is the problem only with this particular user or system ??
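
The reply above picks the O2 (BHO) lines marked "(file missing)" out of the HijackThis log by eye. The same triage as an added Python example, not part of the original thread: the function names are hypothetical, and the sample is a few lines copied from the log posted earlier on this page.

```python
import re
from collections import Counter

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - Startup: PowerReg SchedulerV2.exe
"""

# A log entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
# Header lines and the running-process list carry no section code and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<path>.*)$"
)
# O4 registry body: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
MISSING = "(file missing)"


def parse_entries(log_text):
    """Return [{'section': 'O2', 'body': '...'}, ...] for every coded line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def section_counts(entries):
    """How many entries each section (R0, O2, O4, ...) contributed."""
    return Counter(e["section"] for e in entries)


def orphaned_bhos(entries):
    """BHO registrations whose DLL is gone: (clsid, dll path) pairs."""
    found = []
    for e in entries:
        m = BHO_RE.match(e["body"]) if e["section"] == "O2" else None
        if m and m.group("path").endswith(MISSING):
            path = m.group("path")[: -len(MISSING)].rstrip()
            found.append((m.group("clsid"), path))
    return found


def run_key_autostarts(entries):
    """Registry Run-key autostarts as (hive, value name, image path)."""
    out = []
    for e in entries:
        m = RUN_RE.match(e["body"]) if e["section"] == "O4" else None
        if not m:
            continue  # e.g. "Startup:" folder items are not Run-key values
        cmd = m.group("cmd")
        # A quoted command keeps only the quoted image path; arguments are dropped.
        image = cmd[1:].partition('"')[0] if cmd.startswith('"') else cmd
        out.append((m.group("hive"), m.group("name"), image))
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for clsid, dll in orphaned_bhos(parsed):
        print("orphaned BHO:", clsid, dll)
    for hive, name, image in run_key_autostarts(parsed):
        print("autostart:", hive, name, image)
```

An orphaned BHO entry is a leftover registration rather than running code, which matches the reply's reading of the log; the autostart list is the part to review entry by entry.
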
how about enabling auditing, and audit the file?
Hello,

I have a problem similar to yours. I followed SheharyaarSaahil's solution but WITHOUT RESTARTING THE PC, and it worked fine.

hope this will solve yours.
dweb937

ASKER

Hello,

Sorry I haven't responded earlier but I have been out of the office.  That's good to hear that it's not a worm.  What is a BHO?

This is only happening to my knowledge with this particular workstation/user.  She's not able to get into one of our software applications because of this.

How do you enable auditing?  And what would I do?

So, are there any entries in the log file that need to be fixed?

Thanks,

-dweb
>> What is a BHO?
BHO = Browser Helper Objects..... means those files which are attached to IE and help it to perform a certain action.... like Acrobat BHOs help IE to open pdf documents and Google BHOs support the Google toolbar, etc.!!

>> This is only happening to my knowledge with this particular workstation/user
can you try this,,,,, create another local user account on the system with Administrative rights and check there if the same problem..... because sometimes the problems are just profile related..... :-?
dweb937

ASKER

I tried doing what Affar suggested - following the steps for deleting the Autoexec.NT and Config.NT files out of the System32 folder and recopying in good ones.  However, this time I did not restart the computer before trying to open the application.  And it worked!  However, I'm wondering if the fix is just temporary until the computer is shut down or restarted?


-dweb937

try this, create a new user account from Control Panel > User Accounts and restart to log in with the new user
check there for the problem, if same error, then copy the two files and restart again to check if it's disappearing here also?
dweb937

ASKER

SheharyaarSaahil  -

I've tried creating a new user account on the PC - my own and I can get into the software application prior to Restarting and afterwards.  I don't get the System32 error.

Then when I logged back into the other user's account, I could still get into the software application.  I shut down the PC and tried again with success.  I don't believe that I've done anything permanent to fix the problem.

Thanks,

-dweb937
great news dweb :)

and now as the problem has been solved, you can close this question. As you can see, there is an Accept button in front of each comment which you got; you have to hit the button for the comment which solved your problem, and then assign a grade according to the quality of help you got,,, that's all :)
for more info on how to close a Question, please refer here >> https://www.experts-exchange.com/help.jsp#hs5
Thanks & Cheers ^_^
dweb937

ASKER

SheharyaarSaahil -

I'm not so sure that it has been resolved or I would have immediately accepted your response.   I didn't do anything to have resolved it.   I think it's going to be a wait and see over the next few days.  If it's still looking good, I'll be sure to accept and grade.

Thanks for all your help and not sure if this applies but if it does, Happy Holidays!

-dweb937
lol.... no problem at all.... that was just my general tip for closing the questions after a problem is solved.... hope you didn't mind :)

and yes, the Happy Holidays doesn't apply to me as I'm in the Middle East.... but yes I do celebrate the New Year and its holiday...... so Happy New Year in advance! ^_^