4 Contributors, 44 Replies, 45 Views, 8 Years Discussion Span, Last Post by hiberya
0

There is usually NO need to do anything to the registry. Using registry fixers is generally not advised. One wrong click in the registry and the operating system can be totally disabled. WHY do you want to do something to the registry?

0

I had issues with trojans, and I was told that my PC could be running slow now because the registry could have issues now that need to be fixed.

0

How did you remove these trojans? The BEST way is to use MBA-M to remove them, which also will take care of any registry entries created by them.
Do the following:
Please download ATF-Cleaner.exe by Atribune and save it to the desktop for easy access.
Click on ATF-Cleaner to run it.
-- Where it says Select Files To Delete, check the Select All option.
-- Click Empty Selected > OK.

If you use Firefox browser, do this also:

* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

If you use Opera browser, do this also:

* Click Opera at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.

Click Exit on the Main menu to close the program.

Next please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer
Finally download HiJackThis. Do a Full System scan with it and save the log.
Post back here and copy/paste the MBA-M log and the HJT log.

0

I have PC-cillin and had them remove the trojans, then went to Geek Squad, and they said that my computer could be running slow because of possible damage to the registry. They wanted to do their fixing, but it's just too much for me to pay, so I opted out and was going to reinstall, but I was hoping to fix it instead so it goes back to running faster again.

0

Just try the steps I have given you and let's see what shows, OK? I bet we can get this thing sped back up, but I need to see exactly what shows on these logs.

What was the name of the trojans removed? Do you have the Pc-cillin logs?

0

Also, my PC loads very slowly when I first turn it on; this is my main concern. Thank you.
______________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:16 PM, on 5/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\IOI\ButtonMonitor.exe
C:\Windows\CNYHKey.exe
C:\Windows\ModLEDKey.exe
C:\Program Files (x86)\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files (x86)\Internet Explorer\IEUser.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5678
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5678
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5678
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5678
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ButtonMonitor] C:\Program Files (x86)\IOI\ButtonMonitor.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [MoLed] ModLEDKey.exe
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.westathome.com
O15 - Trusted Zone: *.westathome.net
O15 - Trusted Zone: *.workathomeagent.net
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files (x86)\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files (x86)\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 9412 bytes
_________________________________________________

Malwarebytes' Anti-Malware 1.37
Database version: 2235
Windows 6.0.6001 Service Pack 1

6/5/2009 10:11:53 PM
mbam-log-2009-06-05 (22-11-20).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 250139
Time elapsed: 33 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
__________________________________________________

Malwarebytes' Anti-Malware 1.37
Database version: 2235
Windows 6.0.6001 Service Pack 1

6/5/2009 10:12:13 PM
mbam-log-2009-06-05 (22-12-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 250139
Time elapsed: 33 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

Geek Squad found a WMA downloader trojan, then when I called Trend Micro they found some things also. Where would I find the log files from PC-cillin if they are still on my computer?

0

I don't see PC-cillin running when this scan was done. BUT you are running Napster, a P2P program. Very dangerous. Napster is loading at startup.

This is a Vista 64bit system?

0

I don't have Napster. I removed LimeWire, and also my Trend Micro is set up to run at startup, because it does show on my taskbar when my PC loads. Yes, it is Vista that I'm running.

0

This shows Napster set to run at startup and place an icon in the system tray:
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray

Have you done a defrag and cleaned out temp files recently?
What was the name of the trojans removed? Do you have the Pc-cillin logs?

0

Sync Center is running on the taskbar for my Dash; is that what you might be seeing? I also have a webcam on the taskbar along with my Trend Micro. I clean out and do Disk Cleanup every day, sometimes more than once a day. I have not done a defrag in about a month. I do have a program called Defraggler that I was going to install and run; would that be OK?

0

Your HJT log also shows you have a Norton service auto-starting on there:
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE

Go in and uninstall this. The rule is ONE antivirus program on a computer. This is probably an old entry that wasn't removed when you installed PC-cillin. The Norton files need to go.
Look in Add/Remove first; if you don't find it there, then do a search on the computer for Norton and delete all you find. Then do a search for Symantec and delete all you find. Reboot.
If you have to, do this search in Safe Mode.

0

I uninstalled LiveUpdate and I am going to run Auslogics defrag. How do I see where you are seeing Napster? I don't see it in Program Files, and I have never installed Napster, but I have had LimeWire and removed it.

0

It may not still be ON the computer, but it is still listed under auto-starting programs, as indicated by this entry in the log:
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray

If it is NOT on the computer at all, then just looking for this auto-start would slow the startup somewhat. Do a file search for Napster.
Look in C:\Program Files first. If you don't see a Napster folder in there, then search the C: drive itself using Search. If you find any, then remove them.

0

I deleted all I found of Napster and Symantec and also did a defrag.

0

I still am very slow when it is starting up; it takes a long time to get to my desktop. It wasn't like this until about 2 months ago. It's fine as far as IE opening and getting to websites; it's just slow when it's booting up. It sticks on this one screen for a long time before my desktop finally shows up. How can I find out what is doing this?

0

Did you add anything new two months ago? Did you do any big updates two months ago? It is just going to take some detective work really, since you can pin down the time to two months ago.
From what I have found, this can be a problem on Vista 64-bit systems.

0

I do updates all the time; I really don't remember. Most of the time they are automatic updates.

0

Problem is, HJT doesn't really give a good readout of Vista 64-bit, so you cannot really tell for sure what is running at boot-up. I CAN tell you the following are not necessary and CAN slow the boot time:
SSBkgdUpdate>>>ScanSoft OmniPage auto updater
OpwareSE4>>>ScanSoft's OmniPage_Pro
QuickTime Task>>>System Tray access to Apple's "Quick Time" viewer
Adobe Reader Speed Launcher>>>supposedly speeds the time Adobe Reader needs to start. Doesn't do a thing really.
SunJavaUpdateSched>>>Sun Java update checker. Do it manually
RoxWatchTray>>>Roxio Easy CD Creator system tray icon, installed by Roxio Easy Media Creator 8, which allows you to configure your watched folders
Messenger (Yahoo!)>>>exactly what it says. Can be launched manually
WMPNSCFG>>>Windows Media Player. Can be launched manually
WindowsWelcomeCenter>>>exactly what it says it is.
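
The last several replies pull the same kinds of items out of the posted HijackThis log by eye: the orphaned Napster Run value, the leftover Symantec service, the BHO and toolbar entries that end in "(no file)", the Trusted Zone additions, and the long run of system32 services reported as "(file missing)". The script below is an added example, not part of this thread and not something HijackThis itself does, that buckets those lines mechanically; the bucket names, regular expressions and heuristics are mine, and the input is an excerpt copied from the log above. One caveat it encodes: HijackThis 2.0.2 is a 32-bit program, and under WOW64 on 64-bit Vista its file look-ups in C:\Windows\system32 are redirected to C:\Windows\SysWOW64, which is why lsass.exe, spoolsv.exe and the other core services show as "(file missing)" although they are plainly running. Those lines are put in their own bucket rather than treated as evidence of anything.

```python
import re

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files (x86)\Napster\napster.exe" /systray
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.net
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<body>.*?)(?P<missing> \(file missing\))?$")
# First token that ends in an executable extension, so unquoted paths with
# spaces ("C:\Program Files\...") are not cut at the first space.
IMAGE_RE = re.compile(r"(.*?\.(?:exe|dll|bat|cmd))(?:\s|$)", re.IGNORECASE)


def command_image(cmd):
    """Split an autostart command line into (image path, was it quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    m = IMAGE_RE.match(cmd)
    return (m.group(1) if m else cmd.split()[0]), False


def triage(log_text):
    """Bucket HijackThis lines into the findings a reviewer checks first."""
    findings = {
        "orphaned_clsid": [],   # O2/O3 BHO or toolbar whose DLL is gone
        "autostarts": [],       # every O4 (name, image), for manual review
        "path_lookup": [],      # O4 image is a bare file name, found via PATH
        "unquoted_space": [],   # O4 image unquoted with spaces: CreateProcess
                                # tries C:\Program.exe before the real target
        "trusted_zone": [],     # O15 hosts IE treats with reduced security
        "service_missing": [],  # O23 binary absent, outside system32
        "service_wow64": [],    # O23 "missing" under system32: a 32-bit scanner
                                # on x64 is redirected to SysWOW64, so this is
                                # normally an artifact, not a gap
    }
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith(" - (no file)"):
            findings["orphaned_clsid"].append(line.split(" - ")[-2])
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            image, quoted = command_image(m.group("cmd"))
            findings["autostarts"].append((m.group("name"), image))
            if "\\" not in image:
                findings["path_lookup"].append(m.group("name"))
            elif not quoted and " " in image:
                findings["unquoted_space"].append(m.group("name"))
        elif line.startswith("O15 - Trusted Zone: "):
            findings["trusted_zone"].append(line.split(": ", 1)[1])
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if not m or not m.group("missing"):
                continue
            path = m.group("body").rsplit(" - ", 1)[-1]
            bucket = ("service_wow64"
                      if path.lower().startswith("c:\\windows\\system32\\")
                      else "service_missing")
            findings[bucket].append(path)
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run it against a full log by reading the file into `triage()`. On the excerpt it flags the two dead CLSIDs, the bare `CNYHKey.exe` (resolved by a PATH search at logon, so a same-named file earlier on the PATH would win), the unquoted WMPNSCFG path, the four work-at-home Trusted Zone hosts, and puts both "(file missing)" services in the WOW64 bucket; the LiveUpdate service is present and so is not a finding here, although it is the Symantec leftover discussed above.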

0

When I do msconfig, the only thing checked in Startup is Trend Micro. I'm not sure where you are saying I should look for these things that are not needed to be running.

0

F2 - REG:system.ini: UserInit=userinit.exe
This entry appears wrong to me. The now-defunct system.ini Userinit entry was to point the system to the userinit files to use; this is now done by registry keys, not an ini file.
That entry points to a particular key's value [name, if you like], Userinit. The relevant part of the key is [should be, in this case]:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
If HijackThis displayed the correct values instead of ignoring them if not abnormal, the log entry would look like this:
F2 - REG:system.ini: UserInit=userinit,
What I mean is the system is getting userinit.exe when it should receive C:\Windows\system32\userinit.exe. The path variable should take the system to the correct file immediately... but I don't know if paths are loaded at this stage. :(
Perhaps export and post the key. This will do it:
==Please copy the text in the box to Notepad [Format > Word Wrap unchecked] and save it as showkey.bat to your desktop; double-click it to run, then post the file showkey.txt.

rem Dump the Winlogon Userinit value to a text file next to this batch file
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Userinit" >>showkey.txt
rem Open the result in the default text editor
start showkey.txt
rem Keep the console window open so any error message can be read
pause

I may be so far up the wrong tree, but it's all fun.

0

It's not allowing me to save anything; it just flashes on the screen and that's it. BTW, I cannot double-click the mouse; I have not ever been able to since I got this PC. I think something is wrong with the settings on the mouse.

0

Hmm. The cmd.exe window should remain open... that is the purpose of the pause command. And showkey.txt should pop up on your desktop. Is it not in C:\desktop? Find it there with Explorer and open it.
You can save that batch file anywhere, e.g. the C: root; I just put it on your desktop for the sake of ease. You could instead try this:
=save this as C:\showkey.bat

rem Same query, but with absolute paths so the output lands in C:\ regardless of where the batch file runs
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /V "Userinit" >>C:\showkey.txt
start C:\showkey.txt
pause
0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\Windows\system32\userinit.exe,
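
The value posted above is the stock one, and the earlier reply explains why it matters: Winlogon starts every program listed in Userinit at each interactive logon, so a hijacked value is a persistence point that survives cleaning the Run keys. Below is an added example, not from this thread, of turning that reg query output into a check. The script, its function names and the hijacked sample are mine; the hijacked sample is constructed for illustration and names no real malware, and the script assumes the system root is C:\Windows (on a live host read %SystemRoot% instead).

```python
import re

# The reg query output posted in this thread (the stock, healthy value).
POSTED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\Windows\system32\userinit.exe,
"""

# Constructed sample, not from this thread: a second program appended after
# the comma is started by Winlogon at every interactive logon.
CONSTRUCTED_HIJACK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe
"""

VALUE_RE = re.compile(r"^\s*Userinit\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*?)\s*$", re.M)
SYSTEM_ROOT = r"C:\Windows"   # assumption; use %SystemRoot% on a live host


def parse_userinit(reg_query_output):
    """Pull the Userinit data out of `reg query ... /V Userinit` text."""
    m = VALUE_RE.search(reg_query_output)
    if not m:
        raise ValueError("no Userinit value found in reg query output")
    return m.group("data")


def check_userinit(data, system_root=SYSTEM_ROOT):
    """Return findings for a Userinit value; an empty list means stock."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    # The value is a comma-separated list; the stock value is one entry
    # followed by a trailing comma.
    entries = [e.strip() for e in data.split(",") if e.strip()]
    findings = []
    if not entries:
        return ["empty Userinit value: interactive logon would fail"]
    for entry in entries:
        # Accept the %SystemRoot% spelling as well as the literal path.
        norm = entry.lower().replace("%systemroot%", system_root.lower())
        if norm != expected:
            findings.append("unexpected logon program: " + entry)
    if len(entries) > 1:
        findings.append("%d programs listed; the stock value has one" % len(entries))
    if not data.rstrip().endswith(","):
        findings.append("no trailing comma; the stock value has one")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("constructed", CONSTRUCTED_HIJACK)):
        print(label, check_userinit(parse_userinit(text)) or ["stock value"])
```

Pipe the output of the showkey.bat query into `parse_userinit()` and the result into `check_userinit()`. A bare `userinit.exe` (what the F2 line in the HJT log suggested) is reported too, because it is not the stock full path and would be resolved by a search rather than a fixed location; the posted value passes clean.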

0

Well, there ya go, just as it should be. I don't know why HijackThis picked it up.... perhaps a Vista 64 compatibility issue. I'll butt out now, but first I shall insult you by asking if you have played with mouse settings in Control Panel?
Back to you, Judy.

0

No... I haven't really messed with the mouse lately. I did try to get it to work when I had a wireless one, but now I have a wired mouse, and I guess I have gotten used to not being able to left double-click, lol. I'll take a look and get right back to you.
