
HJT Log And C:\WINDOWS\shell.exe Error On Startup

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them. Download SDFix and save it to your Desktop. Double click SDFix.exe and it will

REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}

Navigate to c:\startdreck and double-click on Startdreck.exe

4. Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).

Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

What to do: If

#9 Raiedon, Member, Full Member, 4 posts, posted 11 December 2007 - 03:29 PM: Thanks for the help nasdaq!



Here are the other logs you requested:

ComboFix 07-12-19.2 - Matt Hammer 2007-12-18 21:27:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT -5:00]
Running from: C:\Documents and Settings\Matt Hammer\Desktop\ComboFix.exe
Command

  1. Oldsod.
  2. I have Pop-up Hitman, and MS SP2 which, I thought has a pop-up killer, but they seem to have been quieted down in their protection activities.
  3. Completion time: 2007-12-18 20:46:50 - machine was rebooted . 2007-12-14 12:46:47 --- E O F --- ____________________________________________________________ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:54:34 PM, on 12/18/2007 Platform:
  4. Hijackthis log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:25:26 AM, on 7/17/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes:
  5. A Notepad window will open with the contents of this log.
  6. My problem appears solved, thank you very much.
  7. #7 Raiedon, Member, Full Member, 4 posts, posted 10 December 2007 - 09:43 PM: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:42:02
  8. Also deleted Sdfix and Combofix.
  9. nasdaq Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ] [ Housecall online virus scan ] [ Bitdefender online virus scan ] [ AVG antivirus ]

C:\WINDOWS\system32\drivers\Wkkl41.sys 185344 bytes executable
C:\WINDOWS\system32\drivers\symavc32.sys 185344 bytes executable
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 3

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common

MS MVP 2009-20010 and ASAP Member since 2005

#12 TheJoker, Forum Deity, Boot Camp Mod, 14,362 posts, posted 12 December 2007 - 11:05 AM: Since the issue

In the Toolbar List, 'X' means spyware and 'L' means safe. I didn't see one in your HijackThis log (the XP SP2 firewall isn't sufficient protection, it only checks incoming data).

Only remove files that you know are malware related. Please perform the instructions in the order listed. One or more of the items you need to remove is a backdoor application that can allow attackers to access your computer, stealing passwords and

C:\System Volume Information\ is protected by Windows itself, thus stopping these antivirus actions.

I'm carrying on with the rest of your instructions now.

Treat with care.

O23 - NT Services

What it looks like: O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

What to do: This is the listing of non-Microsoft services.

#8 Grinler, Lawrence Abrams, Admin, 42,748 posts, posted 20 May 2005 - 03:58 PM: Ignore those instructions They were meant

Then click on Edit and then click on Copy. Create a reply to this post here, and right click in message area and select paste to paste the log into the post. Someone Open My Computer. Several trojan hijackers use a homemade service in addition to other startups to reinstall themselves. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting

For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.

O18 - Extra protocols and protocol hijackers

What

Press any Key and it will restart the PC.

Pop-ups, Startup item, viruses. Started by jupiter, May 13 2005 05:53 PM

So now I have just one new Restore Point. Please post the HJT log as soon as possible. Next create a new system restore point as the previous restore points are all gone and you will need to start creating new restore points to replace the removed points. REG.EXE VERSION 3.0

NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit


I have restarted the pc at least 6 times since and no sign of any problems. Open the extracted SDFix folder and double click RunThis.bat to start the script. Read the Requirements and Privacy statement, then select "Accept". 2.

Follow the instructions there as well as running their uninstall tool and then try to reinstall. http://service1.symantec.com/SUPPORT/nav.n...nav&svy=&csm=no

I have a few Thinkpad t60/t61s that about every 10 Logins nothing happens ... http://www.beyondlogic.org/consulting/proc...processutil.htm

Microsoft MVP - Consumer Security 2007-2010

12-18-2007, 04:26 PM #3 mphamma9, Registered Member, Join Date: Dec 2005, Posts: 19, OS: Win XP: ok here are the

Now the system restore is back in place and only the clean files are saved.

MS MVP 2009-20010 and ASAP Member since 2005

#8 Large, Member, Full Member, 7 posts, posted 27 November 2007 - 02:10 AM: Hi and thanks again Joker, AFAIK,

Treat with extreme care.

O22 - SharedTaskScheduler

What it looks like: O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll

What to do: This is an undocumented autorun for Windows NT/2000/XP only, which is check some important areas of your system and produce a report for your analyst to review. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

I'm running WindowsXP Home ed. Open the Command (Start > Run, type in 'cmd' and press [Enter] key and do not use the quotation marks for the 'cmd') Type in regsvr32 /u Efoketa.dll and do not Then fix the items identified in the HijackThis log below. It says in the log: Description Anti-virus attempted but failed to repair a virus or viruses Date / Time 2009-02-24 10:11:44-7:00 Type On-access scan Virus name Backdoor,Win32.Small.hny Backdoor seems to be

BackDoor runs in the background on your computer and allows a remote user to connect to and have complete access to your computer.