Stephen,
AVG & user32.dll, shell32.dll and ntoskrnl.exe: ignore it. Some Windows
Critical Updates install new versions of these files; that's why you see
Change. This is normal.
As far as changes to wsock32.dll, partition table and boot sector C: I
honestly don't know.
With your Registry Editor at startup deal, regedit.exe is the Microsoft file
called Registry Editor. Malware can call a file anything, and the more
official-sounding the name is, the better hidden the malware can be.
The legitimate regedit.exe file is normally in
C:\WINDOWS
with a backup copy in
C:\WINDOWS\system32\dllcache
<quote>
regedit.exe
This is an undesirable program.
This file has been identified as a program that is undesirable to have
running on your computer. This consists of programs that are misleading,
harmful, or undesirable.
If the description states that it is a piece of malware, you should
immediately run an antivirus and antispyware program.
Added by the BRID.A WORM! Note - resides in C:\Windows\System (Win9x/Me),
C:\Winnt\System32 (WinNT/2K), or C:\Windows\System32 (WinXP). The valid
"regedit.exe" resides in C:\Windows (Win9x/Me/XP) or C:\Winnt (WinNT/2K)
<quote>
http://www.bleepingcomputer.com/startups/regedit.exe-4453.html
Do a Search in C:\Windows\System32 for regedit.exe; there should NOT be one
there.
If you find a regedit.exe there, delete it.
HOW TO: Search For Hidden Or System Files In Windows XP
http://support.microsoft.com/kb/302347
<quote>
If a process named regedit.exe is running on your computer, you may have
been infected with a strain of the Brid.A worm.
regedit.exe is considered to be a security risk, not only because antivirus
programs flag Brid.A Worm as a virus, but also because a number of users
have complained about its performance.
Brid.A Worm is likely a virus and as such, presents a serious vulnerability
which should be fixed immediately! Delaying the removal of regedit.exe may
cause serious harm to your system and will likely cause a number of
problems, such as slow performance, loss of data or leaking private
information to websites.
<quote>
http://www.auditmypc.com/process/regedit.asp
Details of W32.Brid.A@mm
http://www.symantec.com/security_response/writeup.jsp?docid=2002-110417-1631-99
BTW, msconfig does not list all of the startup locations that there are in
Windows XP.
I would recommend getting StartMan and/or Startup Control Panel. They are
both free and pretty easy to use, to get rid of whatever startups that you
do not want or need.
[[StartMan is an extended 'msconfig' Startup Manager, designed to take
control of all those pesky programs and background services that load and
run at logon - most of which you probably don't need. As well as providing
the usual trouble-shooting options to enable or disable startups, StartMan
also permits the removal of startups.
Duplicate Detection and Removal, a unique feature of StartMan, can be
configured to remove all duplicates automatically, with or without
prompting.
Orphan Detection and Removal. As above, for orphaned startups.
Executable Detection and Removal. As above, for executables.
Includes a full range of sorting options to make it easier to locate a
specific startup - by name, by filename - even by command line parameter! ]]
StartMan v1.3.96
http://www.pt.lu/comnet/desc/startman.html
StartMan v1.3.96 Direct download
http://www.pt.lu/comnet/files/utils/startman10396.exe
-----
Startup Control Panel is another pretty good application.
[[Startup Control Panel is a nifty control panel applet that allows you to
easily configure which programs run when your computer starts. It's simple
to use and, like all my programs, is very small and won't burden your
system. A valuable tool for system administrators!]]
Download the EXE Version and just extract the executable wherever you want.
Startup Control Panel
http://www.mlin.net/StartupCPL.shtml
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
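
The check described in the post above, as an added PowerShell example that is not part of the original post: it lists Run/RunOnce startup entries that launch a file named regedit.exe and reports whether the path matches the two legitimate locations the post gives, then looks for a regedit.exe directly in System32. The function names and the `$expected` list are assumptions of this example, and only the four Run/RunOnce keys are covered, not every startup location.

```powershell
# Added example, not from the original post. Read-only: it reports and changes nothing.
# Expected locations are the two the post gives (Windows XP layout).
$expected = @(
    (Join-Path $env:SystemRoot 'regedit.exe'),
    (Join-Path $env:SystemRoot 'system32\dllcache\regedit.exe')
)

function Get-CommandImagePath {
    # Extract the executable path from a startup command line (quoted or unquoted).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-RegeditVerdict {
    # Classify a path whose file name is regedit.exe; other file names return $null.
    param([string]$ImagePath, [string[]]$Expected)
    if ([IO.Path]::GetFileName($ImagePath) -ne 'regedit.exe') { return $null }
    if (-not [IO.Path]::IsPathRooted($ImagePath)) { return 'no path given, check by hand' }
    if ($Expected -contains $ImagePath) { return 'expected location' }
    return 'UNEXPECTED location'
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# 1. Startup entries that launch something called regedit.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path    = Get-CommandImagePath ([string]$item.GetValue($name))
        $verdict = Get-RegeditVerdict $path $expected
        if ($verdict) { "{0}\{1} -> {2} [{3}]" -f $key, $name, $path, $verdict }
    }
}

# 2. The file check from the post: regedit.exe directly in System32 (hidden/system files included).
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 -Filter 'regedit.exe' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "File present: {0} ({1} bytes, modified {2})" -f $_.FullName, $_.Length, $_.LastWriteTime }
```

On 64-bit Windows a legitimate copy of regedit.exe also lives in SysWOW64, so extend `$expected` before relying on the verdict there.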
In