Please help me with my HijackThis Log Analysis



#1 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 01:24 PM

Hello, below is the problem I encountered (which was wrongly posted in the CCleaner Discussion Subforum):

Today, I started my computer and Windows Explorer popped up (showing the contents of C:/Program Files/Intel/), which I didn't expect it to do. I checked my hard drive for viruses and adware and none were found. I would like to know what happened and, if possible, to stop the process from being run at startup. I have looked into the Startup folder and the relevant sections of regedit and msconfig but unfortunately could not find a clue.

Here is the HijackThis log my computer generated:

Logfile of HijackThis v1.99.1
Scan saved at 21:18:57, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Documents and Settings\miaou\桌面\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI\sttray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HKJC Applet - https://bet.hongkong.../ib/ch/HKJC.cab
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/SKey/...ab/EWinSKey.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/.../HKJCSecKey.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1153043676687
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Norton AntiVirus 自動防護服務 (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

#2 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 01:31 PM

Hi again.

Would you first please try the following for me:

Go to Start > Run > msconfig

In MSconfig, go to the Startup tab.

You'll find a startup item called "SigmatelSysTrayApp" pointing to C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI\sttray.exe

Uncheck that item, then press OK, and close Msconfig.

You'll be asked whether you want to restart your computer. Do that and tell us whether you still get that Program Files\Intel folder at boot.

#3 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 01:49 PM

TonyKlein, on Sep 10 2006, 09:31 PM, said:

Hi again.

Would you first please try the following for me:

Go to Start > Run > msconfig

In MSconfig, go to the Startup tab.

You'll find a startup item called "SigmatelSysTrayApp" pointing to C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI\sttray.exe

Uncheck that item, then press OK, and close Msconfig.

You'll be asked whether you want to restart your computer. Do that and tell us whether you still get that Program Files\Intel folder at boot.

Hi Tony,
I followed your instructions and, well, it worked. Thank you. The Program Files\Intel folder didn't show up at boot again. However, I wonder what happened... sttray.exe has long existed in msconfig's Startup tab and was always checked (meaning it was always loaded at startup before I disabled it).

#4 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 02:07 PM

NB1700, on Sep 10 2006, 03:49 PM, said:

However, I wonder what happened... sttray.exe has long existed in msconfig's Startup tab and was always checked (meaning it was always loaded at startup before I disabled it).

Either the registry value in question has for some reason become corrupted, or the file is no longer present in that exact location.

Have a look: is the C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI folder still present, and do you have that sttray.exe file in there?

#5 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 02:19 PM

TonyKlein, on Sep 10 2006, 10:07 PM, said:

Either the registry value in question has for some reason become corrupted, or the file is no longer present in that exact location.

Have a look: is the C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI folder still present, and do you have that sttray.exe file in there?

Hi Tony,
The file still exists in the named folder.

#6 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 02:23 PM

First, browse to that sttray.exe file, right-click it, and choose 'Properties'.

Copy exactly what it says under 'Location' and paste that in your reply.

Next, go to Start > Run, and paste the following into the box, then click OK:

regedit /e C:\run.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


That will export the contents of the HKEY_LOCAL_MACHINE Run key to a C:\Run.txt file.

Do a copy and paste of the contents of the Run.txt file here as well.

#7 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 02:37 PM

TonyKlein, on Sep 10 2006, 10:23 PM, said:

First, browse to that sttray.exe file, right-click it, and choose 'Properties'.

Copy exactly what it says under 'Location' and paste that in your reply.

Next, go to Start > Run, and paste the following into the box, then click OK:

regedit /e C:\run.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
That will export the contents of the HKEY_LOCAL_MACHINE Run key to a C:\Run.txt file.

Do a copy and paste of the contents of the Run.txt file here as well.

Location of sttray.exe on my hard drive:
C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI

Content of run.txt:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#8 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 02:58 PM

Alrighty.

Copy the text inside the 'Quote' box to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')

Double-click Fix.reg, and answer Yes when prompted to add its contents to the Registry. Restart your computer, and tell us what happens.

Ideally sttray.exe should launch, but you shouldn't get that popup any longer.

Quote

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SigmatelSysTrayApp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="\"C:\\Program Files\\Intel Desktop Boards\\Audio\\DISK1\\STACGUI\\sttray.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


#9 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 03:12 PM

You mean to copy the below in bold to fix.reg, Tony?

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


And do I have to export my registry first? And how does your method work? Sorry if I ask too much, but I feel a bit nervous about adding something to the registry. Thanks.

And I asked "how does your method work" because I realised that the bolded words are already part of the registry. Am I correct? :unsure:

#10 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 03:16 PM

NB1700, on Sep 10 2006, 05:09 PM, said:

You mean to copy the below in bold to fix.reg, Tony?

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


You forgot to include the first line (the header)

This is what will constitute the regfile:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SigmatelSysTrayApp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SigmatelSysTrayApp"="\"C:\\Program Files\\Intel Desktop Boards\\Audio\\DISK1\\STACGUI\\sttray.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Quote

And do I have to export my registry first? And how does your method work? Sorry if I ask too much, but I feel a bit nervous about adding something to the registry. Thanks.

You don't need to export the registry or even the key in question. In fact, you already did.

What we're doing is deleting the registry key in question, but immediately replacing it with itself, the only addition being a value that should add the correct startup information for sttray.exe.

This is by far the safest way, as we're using the export from your OWN registry to rebuild the Run key.

There is no risk at all.

If it will reassure you, you can create a System Restore point before proceeding. That will back up the entire Registry.
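
An added example (not TonyKlein's or the poster's code) that does in Python what the last few posts do by hand: parse a regedit /e export of the Run key, look at each value's command the way the shell's first resolution step would, and emit a fix.reg of the same shape as the one above (delete the Run key, delete msconfig's parked startupreg copy of the item, replay the export with the missing value appended). The sample export (abridged), the known-file list standing in for os.path.exists, and the sttray.exe value are constructed from this thread; a real export is UTF-16 text, so decode it before parsing. The unquoted-path check is a general hazard with Run values that contain spaces, not something this thread established as the cause of the Explorer window.

```python
import re
from typing import Callable, Dict, List, Tuple
HEADER = "Windows Registry Editor Version 5.00"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUPREG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg"

# Constructed sample: the run.txt pasted earlier in this thread (regedit /e output), abridged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
'''
# Constructed stand-in for os.path.exists on the poster's XP box; pass os.path.exists on a real audit.
KNOWN_FILES = {p.lower() for p in (
    r"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE",
    r"C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE",
    r"C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe",
    r"C:\WINDOWS\system32\igfxtray.exe",
    r"C:\WINDOWS\system32\hkcmd.exe",
    r"C:\WINDOWS\system32\igfxpers.exe",
    r"C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI\sttray.exe",
)}
fake_exists = lambda path: path.lower() in KNOWN_FILES

_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
reg_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)      # .reg text: \\ -> \ and \" -> "
reg_escape = lambda s: re.sub(r'([\\"])', r"\\\1", s)

def parse_export(text: str) -> List[Tuple[str, List[str]]]:
    """Split a regedit /e export into (key, [raw value lines]) in file order."""
    sections: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        if not line.strip() or line == HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def string_values(sections, key: str) -> Dict[str, str]:
    """REG_SZ values of one key, unescaped; other value types stay raw lines."""
    for name, lines in sections:
        if name.lower() == key.lower():
            pairs = (m.groups() for m in map(_STRING_VALUE.match, lines) if m)
            return {reg_unescape(n): reg_unescape(v) for n, v in pairs}
    return {}

def split_command(cmd: str) -> Tuple[str, bool]:
    """(executable, quoted): a quoted head is taken whole, an unquoted one ends at the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    return cmd.split(" ", 1)[0], False

def audit_run_values(values: Dict[str, str], exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Flag Run values whose head is ambiguous (unquoted, spaces, no .exe) or whose target is missing."""
    findings: Dict[str, List[str]] = {}
    for name, cmd in values.items():
        exe, quoted = split_command(cmd)
        problems = []
        if not quoted and " " in cmd and not exe.lower().endswith(".exe"):
            problems.append("unquoted path with spaces, head resolves to %r" % exe)
        if not exists(exe):
            problems.append("target not found: %s" % exe)
        if problems:
            findings[name] = problems
    return findings

def build_fix_reg(sections, add_to_run: Dict[str, str]) -> str:
    """Same shape as the fix.reg in this thread: delete the Run key (subkeys too) and msconfig's
    parked copy of each re-added item, then replay the export with the new value(s) appended."""
    out = [HEADER, "", "[-%s]" % RUN_KEY, ""]
    for name in add_to_run:
        out += ["[-%s\\%s]" % (STARTUPREG, name), ""]
    for key, lines in sections:
        out.append("[%s]" % key)
        out.extend(lines)
        if key.lower() == RUN_KEY.lower():
            out.extend('"%s"="%s"' % (reg_escape(n), reg_escape(c)) for n, c in add_to_run.items())
        out.append("")
    return "\r\n".join(out)  # regedit expects CRLF and a trailing blank line

def demo() -> str:
    sections = parse_export(SAMPLE_EXPORT)
    assert not audit_run_values(string_values(sections, RUN_KEY), fake_exists)  # sample is clean
    sttray = {"SigmatelSysTrayApp": r'"C:\Program Files\Intel Desktop Boards\Audio\DISK1\STACGUI\sttray.exe"'}
    return build_fix_reg(sections, sttray)
```

demo() returns the text to save as Fix.reg; on the machine being audited, read the real export with codecs (UTF-16) and pass os.path.exists so "target not found" reflects the disk rather than the constructed list. Because the [-key] line removes subkeys as well, the export must be replayed whole, which is why OptionalComponents comes back in the rebuilt file exactly as exported.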

#11 NB1700 (Newbie, Members, 8 posts)

Posted 10 September 2006 - 03:31 PM

Great. I looked into Msconfig's Startup tab and found out that the sttray.exe process box was checked and now the Intel folder doesn't show up again at boot.

Thank you, Tony. You explained every step in detail and were very, very helpful. :D

#12 TonyKlein (Power Member, Spyware Moderators, 606 posts, Netherlands)

Posted 10 September 2006 - 03:36 PM

You're very welcome. Glad to hear that did the trick.

Happy surfing! :)