You should try cleaning out your Temp Folder. Go to RUN and type in %TEMP% and click OK. Click on Edit in the TEMP Folder window and choose Select All and hit your Delete key. Shut the Temp Folder Window. Go to RUN and Type in MSCONFIG and click on OK. Click on Startup and remove any unwanted applets from loading at Startup. Click on Apply and OK. System will need to be restarted. Check off the box where it says "Don't show this message or launch the System Configuration Utility when Windows Starts". Now go to Start/Programs/Accessories/System Tools and run Disk Cleanup. Now go to RUN and type in SFC /SCANNOW (there is a space between SFC and /) and click on OK to run System File Checker. Now Right click on My Computer and choose Open. Right click on Local Disk (C:) and choose Properties/Tools. Run Error-Checking and then run Defragmentation.
my guess is that the problem is being caused by the dell support utility.. you could try closing that in task manager and then uninstalling it from add/remove, but if it was me i would reformat the harddrive. that will straighten out any software issues, and clean out unnecessary programs that may have been installed at the factory. all necessary programs can be restored from the backup cd's that came with your computer (however, you may find undated drivers in dell support/downloads).. there are instructions in dell support/solutions/reinstall guide.. the problem may be related to the roxio software:
http://www.aumha.org/win5/a/shtdwnxp.htm
if you do reformat, the chipset drivers should be installed first, after installing win xp, and i would turn the computer off and let it sit for a minute after installing them.
Thanks for the help. One additional question. Under MSCONFIG the Startup I have one line that is checked that is blank under Startup Item and blank under Command but has the following under Location - HKLM\SOFTWARE\Microsoft\Windows\Current Ver. Could this be the problem?
If those links don't help, try this:-
LICHE1908
313 Posts
0
January 10th, 2004 20:00
Resources to Help Troubleshoot Shutdown Problems in Windows XP
http://support.microsoft.com/?kbid=308029
JRosenfeld
2 Intern
•
4.4K Posts
0
January 10th, 2004 20:00
As far as msconfig is concerned, after you have unchecked some item(s) in the startup tab and restart, you do indeed get a notice when you restart, telling you that you are in a selective mode (i.e. it just reminds you that some of the item(s) (the ones you unchecked) did not start). On that notice there is a box you can check. If you are happy that henceforth the items you unchecked will not be loaded, just check that box, click OK. Close msconfig. Next time you restart it won't come up.
To see what the items in the startup list of msconfig are and what they do, see
http://www.sysinfo.org/startuplist.php
type in the name as it appears in startup or scroll down to find it. You can then decide whether you need it (for example your Antivirus autoprotect).
You could systematically remove the items one at a time, see if the shutdown problem is resolved, if not restart, put a check back in the startup tab, uncheck the next one, etc. That way you would find out which one (if any) is causing the problem.
However, the problem could lie elsewhere. For more information on shutdown problems and how to troubleshoot, see
http://support.microsoft.com/default.aspx?scid=kb;en-us;308029&Product=winxp
The other things that might help are to run disk clean up and defrag.
redwolfe_98
2 Intern
•
1.3K Posts
0
January 10th, 2004 20:00
Message Edited by redwolfe_98 on 01-10-2004 05:56 PM
dfamily
13 Posts
0
January 10th, 2004 22:00
pskelley
933 Posts
0
January 10th, 2004 23:00
Located this information if this is the case. Make sure you read it all because of the need to shut off System Restore before using the removal tool. Good luck
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
Windows Xp Professional
5.1.2600 Service Pack Build 2600
Dimension 4550 X-86 based PC
Bios A03, 11/12/2002
Pentium 4 2.0Ghz
256MB RAM
IE 6.0
pskelley
933 Posts
0
January 10th, 2004 23:00
I ran a quick Google search and came up with this information:
http://www.quickheal.com/opserv.htm
redwolfe_98
2 Intern
•
1.3K Posts
0
January 10th, 2004 23:00
yes, that could be the problem.. it could be a trojan or some other scumware, autostarting..
ChrisRLG
3.9K Posts
0
January 11th, 2004 12:00
-------------------
Use these to remove Malware (Spyware and Adware).
1) SpyBot Search and Destroy
After installing SpyBot Search & Destroy, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all the items it marks in red.
2) Get Ad-Aware
After installing Ad-Aware, and before running the program, first press "check for updates now".
Click "Connect" and install all updated components available. Click 'Finish'.
Press "Scan Now", then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Check all found items, and click 'next' once more.
It will ask you whether you'd like to remove all checked items. Click OK.
Always reboot the computer between each program - both of these may find things that they need to have a reboot of the machine to clear - please reboot and let them finish.
Failing those solving your problems a post of a hijackthis log for the experts to advise.
HijackThis From Here
Download, run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis Knowledge will have a go at giving advice. Please note the list of experts' names below, very few forum regulars here have had this training.
DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.
Known Spyware HijackThis fighters in DellTalk - If you are, and are not on the list please PM Me.
TomCoyote (of http://tomcoyote.org/forums/index.php fame)
YoKenny (Accredited Expert at TomCoyotes)
baskar1234 (Spyware Classroom Teaching Assistant at TomCoyotes)
ChrisRLG (Spyware Classroom Teaching Assistant at TomCoyotes)
Yellowhammer (In Training at TomCoyotes)
therock247uk (In Training at TomCoyotes)
irelynmisses (In Training at TomCoyotes)
You could also go to one of the more specialist forums where more experts will be able to help.
http://tomcoyote.org/forums/index.php
http://forums.spywareinfo.com/index.php
http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi (Home of Spybot S&D)
http://boards.cexx.org/index.php
Do read the site's FAQ before posting, and advise your problem and what steps you have already done to try to cure your problem.
I, and the other hijack experts mentioned above, are in all those sites (and more) with the same login names. You might get one of us at those sites also to answer your log, but other experts will also be available.
dfamily
13 Posts
0
January 11th, 2004 17:00
Logfile of HijackThis v1.97.7
Scan saved at 1:44:09 PM, on 1/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1033&EXENAME=workflow.exe&BRAND=WINDOWS
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [workflo(1)] F:\install\workflow.exe
O4 - HKLM\..\Run: [workflo] E:\install\workflow.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.us.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,73/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
Thanks for the help!!
ChrisRLG
3.9K Posts
0
January 11th, 2004 20:00
Hi, you have a very new version of malware in your system.
We need you to zip a copy of the file, you can do it with winXP's, and send to submissions@spywareinfo.com as an attachment for them to analyse before we lose this copy of it. Send with this data :-
----------------
Log File Line : - O4 - Startup: PowerReg Scheduler V3.exe
Log file location :- http://forums.us.dell.com/supportforums/board/message?board.id=sw_winxp&message.id=101565
----------------
The file we need is called :- 'PowerReg Scheduler V3.exe' and you will need to search your c: drive to find it.
The previous version was at this location :- profilepath+\start menu\programs\startup\powerreg schedulerv2.exe
Where 'profilepath+' in your case would be 'C:\Documents and Settings\Mike\'
so you will probably file it as:-
C:\Documents and Settings\Mike\start menu\programs\startup\powerreg scheduler v3.exe
although it may be in the 'all users' area instead of 'mike'
I am working on a fix for you - but do this first.
ChrisRLG
3.9K Posts
0
January 11th, 2004 21:00
Note for any other hijackthis experts who are reading.
I have made a post, to the classroom for an expert to confirm the instructions I am suggesting for here, please read and advise with any alterations at the tomcoyote classroom
ChrisRLG
3.9K Posts
0
January 11th, 2004 23:00
Experts have checked my suggested post, and with corrections here it is.
---------------------------
In hijackthis tick these items, AND WITH ALL OTHER WINDOWS CLOSED, fix ticked
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
Then reboot and delete the files/folders of those O4 items that we have removed in hijackthis.
This folder C:\Program Files\RSNet\
And then the problem one:-
Please zip copies of all of them (if found) before doing so. Store in a safe place in case the experts need them when they have tested that first file.
-----------------------------
Remove these files (if present) with Windows Explorer:
profilepath+\start menu\programs\startup\hotsync manager.lnk
profilepath+\start menu\programs\startup\powerreg scheduler.exe
profilepath+\start menu\programs\startup\powerreg scheduler v3.exe
and folder > programfilesdir+\powerreg
-----------------------------
Please now reboot your computer and post a fresh log to see if it has all worked.
Please run http://www.safer-networking.net/index.php?lang=en&page=tools/filealyzer on that workflow.exe
and copy the report to clipboard, paste it in a reply for me please.
Could be anything, might be BellSouth connection manager, for instance.
O4 - HKLM\..\Run: [workflo] F:\install\workflow.exe
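An added example, not part of any post in this thread and not the forum experts' method: a small Python triage pass over O4 (autostart) and O16 (downloaded ActiveX) lines in the HijackThis format of the log posted above. The three heuristics and the assumption that C: is the system drive are choices made for this example; the sample lines are copied from the posted log, and a finding means "review this line", not "fix it".

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [workflo(1)] F:\install\workflow.exe
O4 - HKLM\..\Run: [workflo] E:\install\workflow.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.us.dell.com/systemprofiler/SysPro.CAB
"""

# O4 registry autostart: "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 Startup folder item: "O4 - Startup: name.lnk = target" or a bare file name
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<item>.*)$")
# O16 downloaded program file: "O16 - DPF: {CLSID} (optional name) - url"
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# Drive letter at the start of a command line, with or without a leading quote
DRIVE_RE = re.compile(r'^"?([A-Za-z]):\\')

EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat")


def host_is_ip_literal(url):
    """True when the URL's host is a raw IP address rather than a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text, system_drive="C"):
    """Return (reason, line) pairs for lines worth a closer look.

    Heuristics (assumptions of this example):
      - a Run entry whose program sits on a drive other than the system drive
      - an executable placed directly in a Startup folder instead of a shortcut
      - an ActiveX control whose download URL uses a raw IP address
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            drive = DRIVE_RE.match(m["cmd"])
            if drive and drive.group(1).upper() != system_drive.upper():
                findings.append(("run-entry-off-system-drive", line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            item, sep, _target = m["item"].partition(" = ")
            if not sep and item.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(("executable-in-startup-folder", line))
            continue
        m = DPF_RE.match(line)
        if m and host_is_ip_literal(m["url"]):
            findings.append(("activex-from-ip-literal", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Entries that these rules do not catch, such as the Red Swoosh lines, still need someone who knows the product names, which is why the log goes to a trained reader.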
dfamily
13 Posts
0
January 12th, 2004 00:00
ChrisRLG
3.9K Posts
0
January 12th, 2004 07:00
Sorry it was late for me last night (2am) and I was not thinking right, should have given more instructions, I stayed up to post when the experts had gone over my suggestions, unfortunately only a few experts are registered here to be able to post direct.
With winXp, find the file in windows explorer, right click, choose send to, compressed folder, and it will create a file/folder with the same name but with a zip extension. Attach the file/folder to your email.
Thanks and sorry for not giving fuller instructions at the time.
BTW we have now seen this one in the wild a couple of times, and we think that this, although bad, is not your main problem, but that the two redswoosh lines are, they are a known problem though.
dfamily
13 Posts
0
January 13th, 2004 02:00