Problems, Episode II: Attack of the Crash

[Imperial]

((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv4"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 10:19]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 11:06]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-19 14:57]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-23 14:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\22a71def.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
BacsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1147121811\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc   usnsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a24a335b-6d11-11db-a66d-001217a32aff}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d52f7fee-311f-11db-a65a-000f1f9c5bc5}]
AutoRun\command- E:\JDLightning\Windows\JDLightning.exe
   
*Newly Created Service* -GTNDIS5

Contents of the 'Scheduled Tasks' folder
2007-05-24 15:13:01  C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-26 21:34:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
[HKEY_LOCAL_MACHINE\system\Services\SharedAccess]
"File"="C:\Program Files\Kodak\Kodak EasyShare software\bin\KDCImagePath.esx"

Completion time: 2007-05-26 21:39:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-26 21:38

   --- E O F ---

I'll go upgrade Java and things now.

If I remember properly, I gave this system a good dust a couple weeks ago when I placed the stick in it.  Also, the tower feels around room-temperature. Would this give information on if my fans are working properly?

I'll be sure to make HJT it's own special folder

[soybean]

I left out one important step...
You need to move HijackThis off of your desktop and into its own folder.  Create a special folder for HijackThis and move it there.  And if it created a backup folder, move that also.

CB, what's the reason for this?

[soybean]

Also, the tower feels around room-temperature. Would this give information on if my fans are working properly?

That's a good sign.  But, if you want to get some actual temperature data, download and install SpeedFan. 

[Imperial]

I have that running, but what exactly do I do with it?

[patio]

I left out one important step...
You need to move HijackThis off of your desktop and into its own folder.  Create a special folder for HijackThis and move it there.  And if it created a backup folder, move that also.

CB, what's the reason for this?

Because certain malware out there is programmed to look for HJT in the obvious places and cancel out an effective scan...

Yes they are that insidious !

[CBMatt]

I can't help you with SpeedFan, as I've only used it once, so I'm not too familiar with it.  I prefer PC Wizard.  I think it's a bit easier to use/understand.  Look for the Voltage, Temperatures, and Fans button.

Have you been sharing your flash drive or borrowing someone else's?  Download Flash Disinfector and run it in Safe Mode with your flash drive connected (if you have more than one, repeat this with each one).  Then, enable hidden files and folders and use the Windows Search tool to search for RavMonE.  Delete any instances of it found on your computer.  Use Pocket KillBox if you have to.  Go ahead and restart back into Normal Mode.  Note: this is an infection that travels via flash drive, so you might want to walk someone through this process if you have shared a flash drive with them.

While in normal mode, open up the search and look for 22a71def.exe.  If you find its location, upload the file to VirusTotal and post the results here.

I left out one important step...
You need to move HijackThis off of your desktop and into its own folder.  Create a special folder for HijackThis and move it there.  And if it created a backup folder, move that also.

CB, what's the reason for this?

You mean, what's the reason for the backup folder?  HijackThis creates backups of everything you fix/remove with it.  It's a powerful little tool and it can do some damage if misused.  So, it creates these backups so you can restore things you've fixed/removed, just in case it was something important that needs to be restored.

[soybean]

I left out one important step...
You need to move HijackThis off of your desktop and into its own folder.  Create a special folder for HijackThis and move it there.  And if it created a backup folder, move that also.

CB, what's the reason for this?

Because certain malware out there is programmed to look for HJT in the obvious places and cancel out an effective scan...

Yes they are that insidious !

Gotcha.  Thanks.

[soybean]

I have that running, but what exactly do I do with it?

Ummm, well, look at it to see the temps, voltages, etc.  What else?   

[Imperial]

I left out one important step...
You need to move HijackThis off of your desktop and into its own folder.  Create a special folder for HijackThis and move it there.  And if it created a backup folder, move that also.

CB, what's the reason for this?

Because certain malware out there is programmed to look for HJT in the obvious places and cancel out an effective scan...

Yes they are that insidious !

Gotcha.  Thanks.

Likewise.

But, uh, would this file not need to be named "HJT"?

And, Soybean, what good is it to know the temperature, volts, etc., if I don't know what they mean and what I should do to modify something incase I know that one of the temps, volts, etc. is too high or low.

Thanks a bunch for all of the help guys.

[CBMatt]

But, uh, would this file not need to be named "HJT"?

And, Soybean, what good is it to know the temperature, volts, etc., if I don't know what they mean and what I should do to modify something incase I know that one of the temps, volts, etc. is too high or low.

Actually, it is a good idea to rename HijackThis.exe to HJT.exe, or better yet, give it a completely random name, as this will help make it less likely to be detected by certain infections.

As for your temperatures, you can post them here and we can let you know if they're normal or not.

[Imperial]

Um, well, i have an icon on my taskbar that says HD0: 36C

would that be it?

It has gone up since last night, it was 33 before I went to bed.

I'm looking for the 22a71def.exe file right now.

[soybean]

HD0 indicates a hard drive temperature.  What other temps is it reporting?  You really need to identify the CPU temp.  SpeedFan's default labeling of various temps is often not clear as to what component it represents.  Most likely the highest temp SpeedFan shows will be the CPU temp.

SpeedFan's generic labels can be changed to something more meaningful.  If you are not sure what the various temps represent, you might access your BIOS and see whether it shows any temps; matching that to what SpeedFan reports would be a way of identifying the temps.  Or, you could download EVEREST Free Edition 2.20 and run it once to help identify SpeedFan temps. 

[TrapperX]

Try SIW System information for windows. It's free and has a lot of information
http://www.majorgeeks.com/download4387.html
I am pretty sure it has temp sensors included if you MB supports it.

[soybean]

Well, we've mentioned three programs now for the purpose of getting temperature readings.  I'm not sure this is helpful.  If his primary objective is to get temperature readings and perhaps monitor temperatures, not just take a snap shot at a particular moment, then SpeedFan is a very good tool.  It's designed to control fan speed, in systems that will allow it, and provide temperature info.  And, it can provide continuous monitoring of temperatures; it gives a temperature reading in the system tray and can provide a continuous reading there.  That's nice if you want to observe your system temps under different workloads.

PC WIZARD that CBMatt mentioned looked like a very good tool for obtaining system information but it goes far beyond temperature info; it's really more comparable to Everest Free, Belarc advisor, and such system information tools.  So, if you want a more comprehensive system information tool, it looks like a good choice.

SIW (System Info) has 83,934 downloads from majorgeeks.com vs. 485,682 for SpeedFan.  And, the description at http://www.majorgeeks.com/download4387.html makes no mention of temperatures. 

[TrapperX]

Well, we've mentioned three programs now for the purpose of getting temperature readings.  I'm not sure this is helpful.  If his primary objective is to get temperature readings and perhaps monitor temperatures, not just take a snap shot at a particular moment, then SpeedFan is a very good tool.  It's designed to control fan speed, in systems that will allow it, and provide temperature info.  And, it can provide continuous monitoring of temperatures; it gives a temperature reading in the system tray and can provide a continuous reading there.  That's nice if you want to observe your system temps under different workloads.

PC WIZARD that CBMatt mentioned looked like a very good tool for obtaining system information but it goes far beyond temperature info; it's really more comparable to Everest Free, Belarc advisor, and such system information tools.  So, if you want a more comprehensive system information tool, it looks like a good choice.

SIW (System Info) has 83,934 downloads from majorgeeks.com vs. 485,682 for SpeedFan.  And, the description at http://www.majorgeeks.com/download4387.html makes no mention of temperatures. 

I am not in an competition on who's product was better or what it does better.
I saw he wasn't finding the cpu temp and I have used this program before with little effort or learning cure, it is a easy to use app and good for beginners because it doesn't have to be installed and can even be run from a USB.
And as far as downloads go, numbers can easily be fudged and just because more people download something IMO doesn't make it better.
I was thinking of the person trying to fix his computer not who has or who does what. I am here to help individuals as I believe we are all trying to do.
I don't know everything nor does anyone individual, so we are all here to learn from each other, at least I am  
TrapperX

PS I just download both programs.
Speed Fan has a big learning curve right out of the box, and looks like it is designed towards over clockers in mind .
PC Wizard is about the same as SIW with a nicer look and more features, I will probably use PC Wizard now.   
Thank you CBMatt!!!
This is what I am talking about learning from others