Can't open any .exe

January 14, 2006 at 17:18:21
Specs: Win2K, AMD 64 3000/512 DDR400

I can't open any .exe file by clicking on it. The icons are gone from the desktop and replaced with the Windows flag icon. I went to a post from 2002 that sounded exactly like what I needed, but Housecall loaded the page with errors and it wouldn't scan my computer. Anything I download downloads, but I can't open it or set it up. I ran SystemSuite, Norton, AVG, Ad-Aware, CounterSpy and Spyware Doctor, which were all running in the background when whatever this is happened. I hate to reformat. Can you please help?




#1
January 14, 2006 at 17:27:28

Go to this link http://dougknox.com/xp/file_assoc.htm and run these file association fixes:

EXE File Association Fix

ZIP Folder Association Fix

VBS File Association Fix

If possible, please post a HijackThis log so that the files associated with the virus/spyware/hijacker can be identified. You can download HijackThis at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made without cluttering your desktop or other folders, and so the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.



#2
January 14, 2006 at 17:35:28

Well, I downloaded all of the above, but I can't get anything to open when I click on it. If I right-click on it, "Open" or "Open With" isn't even there. Once in a while I get the box from Windows asking what program I want to use to open the file. I don't know which program to use.


#3
January 14, 2006 at 17:46:43

Don't download them; just click "Open" and try that, but do .zip first.



#4
January 14, 2006 at 17:48:28

Logfile of HijackThis v1.99.1
Scan saved at 7:46:19 PM, on 1/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\VCOM\SYSTEM~1\SSuite.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Rhonda Bully\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINNT\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Corel Print House Registration.lnk = C:\Program Files\Corel\Print House 2000\Register\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Family and Friends Reminders.LNK = C:\Corel\Print House Magic\cffrem.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131683511968
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SystemSuite Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe


My son managed to get HijackThis to work.



#5
January 14, 2006 at 17:56:39

Tried opening from the location and I get the box asking what program I want to use to open this file. What program should I use?


#6
January 14, 2006 at 18:06:04

You should only run one antivirus. They can conflict, causing major problems.

The only problem file I see is WeatherBug. To remove it, run HT again, close all windows and browsers except HT, then place a check to the left of the following items and press "Fix checked":

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

Then set up the computer to view hidden files by going to Start > Control Panel > Folder Options > View tab > tick the circle beside "Show hidden files and folders" and untick the boxes beside "Hide extensions for known file types" and "Hide protected operating system files" > Apply > OK.

Navigate to and delete this file:

C:\Program Files\AWS

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Reboot into Safe Mode and run Ewido.

When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.

Please reboot into normal mode and post the Ewido log.



#7
January 14, 2006 at 19:40:58

Here's the Ewido log. Nothing has changed pertaining to my problems so far. Will probably call it a day in about an hour.


ewido anti-malware - Scan report


+ Created on: 9:32:39 PM, 1/14/2006
+ Report-Checksum: 34F41316

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9527D42F-D666-11D3-B8DD-00600838CD5F} -> Spyware.GhostSurf : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\NPROTECT\00084473.003 -> Spyware.Chitika : Cleaned with backup
C:\RECYCLER\NPROTECT\00084819 -> Spyware.Cookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00084833 -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00084847 -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\00084861 -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00084875 -> Spyware.Cookie.Com : Cleaned with backup
C:\RECYCLER\NPROTECT\00084889 -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00084903 -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00084917 -> Spyware.Cookie.Tribalfusion : Cleaned with backup


::Report End



#8
January 14, 2006 at 20:04:48

Go to the file association fix link and double-click the zip file association fix > click Save > in the file name box type zipfolder_fix.reg > save to the desktop. Open it and click Merge.

Do the same for .vbs and .exe. After that you may be able to just run the files from the link by clicking "Open". Run them all except "directory".

When you click on each file association fix, inside the "File Download" box to the right of "Name" is the file name for each fix.




#9
January 14, 2006 at 20:26:08

Thanks, I'll try this in the morning and let you know how it goes.


#10
January 15, 2006 at 07:47:15

Well, I tried this and it doesn't work. When I download to the desktop and click to open, it asks what program I want to use to open it. There is no Merge option. Are these XP fixes going to work on Win2k? Also, now I can't use my computer to reply to you. It tells me to log in, which I already was, and when I try to log in again it just keeps telling me to log in again.


#11
January 15, 2006 at 10:03:25

I don't think I was clear on that. When you click Save to download the file, a "Save As" box pops up. At the bottom of that box, in the "File name" space, rename the file from

xp_exe_fix.zip

to

xp_exe_fix.reg

then click save.

Then open the file and click Merge.




#12
January 15, 2006 at 16:19:04

Sorry it took so long to get back to you. I had a login issue. I did the above but I still can't open it. When I click on the file, I get the popup box that asks me what program I want to use to open it. What program should I use? If I don't pick the right program, it won't open the file, so I can't merge anything until I can figure out how to open the file.


#13
January 15, 2006 at 16:33:06

Chipper, try the following and hope that whatever messed up your file associations didn't mess up the .inf file association.
Go to the link below and download and run the Fixswen.inf file. If you can't access the Internet with the problem computer, use another computer to download the Fixswen.inf file onto a floppy disk or CD. Transfer the floppy disk or CD to the problem computer, then save the Fixswen.inf file to your local hard disk, right-click on the file and choose Install.

Fixswen Tool

Tufenuf



#14
January 15, 2006 at 17:49:04

I did that. Don't know if it worked or not. What am I supposed to do after I clicked on Install for Fixswen?


#15
January 15, 2006 at 18:10:36

Once you download the file to the desktop > right-click > click Install.


#16
January 15, 2006 at 18:20:40

Misread your post. Try opening some .exe files and see if you can open the file association fixes.



#17
January 15, 2006 at 18:27:30

No .exe files open. Some I can open in a roundabout way with the "choose a program" box. I still can't get any of the fixes to open. I'd have to find a program to open them with. I tried searching for the program and choosing that same program to open itself, but it didn't work. It works on some programs, though.


#18
January 15, 2006 at 18:31:11

Open the .zip program and see if it will work. Just click zip asso. fix > Run > Yes.


#19
January 15, 2006 at 19:12:52

The zip folder fix comes as a .reg file, not a .zip file. I can't get the files to open. What zip program do you prefer? I just use ZipIt.


#20
January 15, 2006 at 19:43:09

ZipIt should be just fine. Go to this link http://www.mvps.org/PracticallyNerded/SoftFixes.htm then click on FixEXE.com, click Run, click Run again and see if that file association will work.


#21
January 15, 2006 at 19:52:25

The program seems to be designed only for Win95/98, and it couldn't find the files it needed in Win2000.


#22
January 16, 2006 at 06:33:19

Chipper, try the following: locate a zip file that you just downloaded from the dougknox site, right-click it and choose "Open With", then locate "ZipIt" and click it to highlight it, put a checkmark in the "Always use this program..." box and click OK. This should reassociate your .zip files with "ZipIt"; then try opening a zip file. Post back with the results, and if this worked we'll try a different route to get the unzipped .reg files merged into your registry.

Tufenuf



#23
January 16, 2006 at 11:17:04

I can get them unzipped to a .reg file but that's it. Still can't open the .reg. Might have problems responding. I think my laptop died, too. When it rains, it pours.


#24
January 16, 2006 at 17:30:24

I think I fixed some of it by sheer luck. I was looking around in Control Panel and clicked on Folder Options. I noticed that the EXE file type was missing. So I added it and associated it with applications. Now the icons for some things on the desktop are right. But my shortcuts are still messed up, and I don't know what the extension should be or what to associate it with. I added REG to the file types because it was missing, too. But I don't know what to associate it with either. It permanently killed AVG antivirus. I don't know what else got permanently ruined yet. Can you tell me what to do for the REG and shortcuts, please?


#25
January 16, 2006 at 19:25:36

Chipper, I'm running Windows XP, which is different from Windows 2000. On my XP machine the file that opens .reg files is regedit.exe, but on Windows 2000 it may be something different. As far as the shortcuts, they could be several extensions (.lnk, .url). Once you get the .reg file association corrected, you could then use the File Association Fixes from the dougknox site to fix the shortcuts. Keep us posted and good luck.

Tufenuf


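The repair the posts above arrive at by hand (re-adding the EXE, REG and LNK types under Folder Options, one at a time, and then having to do it again) can be done from a command prompt in one go. The script below is an added example for this thread; it is not from the original posts, nor from the dougknox or Fixswen tools. It assumes Windows 2000 and that you can reach a prompt at all: "Safe Mode with Command Prompt" on the F8 menu starts cmd.exe directly, so it works even when Explorer can no longer launch .exe files. The file name fixassoc.cmd and the log path are assumptions of the example. It relies on cmd.exe's built-in assoc and ftype commands, which write HKEY_CLASSES_ROOT directly and need neither the .reg nor the .exe association to be intact, and it uses regedit /s only for the shortcut class, which has no open command to set and instead needs the shell's ShellLink handler, CLSID {00021401-0000-0000-C000-000000000046}.

```batch
@echo off
rem fixassoc.cmd -- restore the .exe, .reg, .bat and .lnk associations on
rem Windows 2000. Added example for this thread, not code from the posts.
rem Run it from a prompt you can still reach (Safe Mode with Command Prompt
rem works: winlogon starts cmd.exe itself instead of going through the
rem exefile association that is broken).

setlocal
set LOG=%SystemDrive%\fixassoc-before.txt

rem 1. Record the associations before touching them. A hijacked exefile
rem    command usually names the loader that wraps every program launch, so
rem    this log is evidence of what was running. Errors here are expected
rem    when a type is missing entirely.
echo Associations before repair > "%LOG%"
for %%E in (.exe .reg .lnk .bat .com) do assoc %%E >> "%LOG%" 2>&1
for %%T in (exefile regfile lnkfile batfile comfile) do ftype %%T >> "%LOG%" 2>&1

rem 2. assoc/ftype are cmd.exe built-ins. They write HKCR\.ext and
rem    HKCR\<type>\shell\open\command directly, so the broken .reg and .exe
rem    associations do not get in the way. %%1 and %%* become %1 and %*
rem    once the batch file is parsed.
assoc .exe=exefile
ftype exefile="%%1" %%*

assoc .reg=regfile
ftype regfile=regedit.exe "%%1"

assoc .bat=batfile
ftype batfile="%%1" %%*

rem 3. Shortcuts: the lnkfile class has no open command; it works through
rem    shell extensions keyed on the ShellLink CLSID. Write those entries to
rem    a .reg file and merge it silently with regedit /s. cmd launches
rem    regedit with CreateProcess, so the regfile association is not needed.
set REG=%TEMP%\fixlnk.reg
> "%REG%" echo Windows Registry Editor Version 5.00
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\.lnk]
>>"%REG%" echo @="lnkfile"
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\lnkfile]
>>"%REG%" echo @="Shortcut"
>>"%REG%" echo "EditFlags"=dword:00000001
>>"%REG%" echo "IsShortcut"=""
>>"%REG%" echo "NeverShowExt"=""
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\lnkfile\CLSID]
>>"%REG%" echo @="{00021401-0000-0000-C000-000000000046}"
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
>>"%REG%" echo @="{00021401-0000-0000-C000-000000000046}"
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
>>"%REG%" echo @="{00021401-0000-0000-C000-000000000046}"
>>"%REG%" echo.
>>"%REG%" echo [HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]
>>"%REG%" echo.
regedit /s "%REG%"
del "%REG%"

rem 4. Show the result so it can be compared with the log from step 1.
echo.
echo Associations after repair:
assoc .exe
ftype exefile
assoc .reg
ftype regfile
assoc .lnk
echo.
echo The values recorded before the repair are in %LOG%
endlocal
```

On a healthy Windows 2000 machine the last block prints the exefile line as `exefile="%1" %*` and the regfile line as `regfile=regedit.exe "%1"`. If the exefile line shows anything else, or the values revert after a reboot as they do in the later posts, something still running is rewriting the keys, and the "before" log is the place to start: the command it had installed usually points straight at the file to look for in the HijackThis O4 entries. Two caveats for this thread's setup: the ZIP folder fix from an XP fix set targets the Compressed Folders feature, which Windows 2000 does not ship, so on Win2K the association that matters is the one for the third-party zip tool; and none of this removes whatever broke the associations, so it should be followed by the scans suggested further down, not treated as the end of the job.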

#26
January 22, 2006 at 09:57:14

Well, I had everything working again: got .LNK associated with shortcuts, .REG associated with Registry Editor and .EXE associated with applications. But now whatever did it the first time is doing it again. I had to go back in this AM and redo all the file extensions in Folder Options. Something is making my .exe stop working, and the file extension keeps disappearing in Folder Options. What else is weird is that when Spyware Doctor runs, I see BonziBuddy, eZula, trojan downloaders, keyloggers and a bunch of other stuff listed in the registry that all of my programs keep skipping over. Why? There's something in my computer that keeps doing this, but no program can find it.


#27
January 22, 2006 at 12:10:35

Hello Chipper. Depending on the location of those spyware items you mention, they could be legit, as different spyware tools use their names to block the culprits.

We never had a chance to look into your system because of the file association problem, and I don't know what anti-spyware programs or online virus scanners you have run.

These searches get lengthy sometimes. Here are three good tools to start with for spyware, but an online virus scan needs to be done as well, even though you have a good antivirus.

Try running this rootkit tool to see what it finds. Please download BlackLight by F-Secure from this link http://www.f-secure.com/blacklight/

The log should be on your desktop or root directory (C:\). This is the format for the log file name:
fsbl-<date-and-time>.log

If you have any trouble finding it, do a search for fsbl*.log.

Next, run this to help search by pattern. Download http://www.bleepingcomputer.com/files/winpfind.php

Extract WinPFind.zip to your c:\ folder.
Please print these instructions as you will be going into safe mode.
Reboot your computer into Safe Mode by following the following steps:

Reboot.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient, as this scan may take a while. When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt

Download this to check for invisible programs running in the background: http://www.silentrunners.org/Silent%20Runners.zip

Run the SilentRunners.vbs file.

You will receive a prompt: "Do you want to skip supplementary searches?" - click NO

If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
This script is not malicious so please allow it.

A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)

Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.



#28
January 22, 2006 at 19:31:43

I ran BlackLight and it didn't find anything. Here's the log from WinPFind. I'll do Silent Runners next and get back to you.

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 5.00.3700.1000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
FSG! 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
PEC2 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
PECompact2 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
Umonitor 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
qoologic 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
aspack 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
PTech 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
_rtneg3 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
SAHAgent 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
buddy.exe 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
ZepMon 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
aurora.exe 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
KavSvc 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
abetterinternet.com 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
testpopup 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
web-nex 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
winsync 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP
WinShutDown 1/16/2006 6:56:42 PM 536399872 C:\WINNT\MEMORY.DMP

Checking %System% folder...
PTech 11/4/2005 4:27:24 PM 534280 C:\WINNT\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 9:41:02 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
aspack 1/4/2006 9:41:02 PM 2827616 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 6/20/2003 6:00:00 AM 529168 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 6/20/2003 6:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 12/6/2005 9:41:32 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 12/6/2005 9:41:32 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 12/6/2005 9:41:32 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 12/6/2005 9:41:32 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/14/2006 4:34:50 PM H 271 C:\WINNT\desktop.ini
1/14/2006 4:34:50 PM H 21692 C:\WINNT\folder.htt
1/22/2006 10:29:00 AM H 54156 C:\WINNT\QTFont.qfn
1/20/2006 5:04:28 PM H 1373030 C:\WINNT\ShellIconCache
1/22/2006 3:15:34 PM S 64 C:\WINNT\CSC\00000001
1/16/2006 6:55:24 PM S 64 C:\WINNT\CSC\00000002
1/14/2006 4:44:16 PM S 64 C:\WINNT\CSC\csc1.tmp
1/14/2006 4:34:48 PM H 65 C:\WINNT\Downloaded Program Files\desktop.ini
1/14/2006 4:35:40 PM HS 67 C:\WINNT\Fonts\desktop.ini
1/2/2006 9:20:32 AM H 10820 C:\WINNT\Help\nocontnt.GID
1/14/2006 4:34:48 PM H 65 C:\WINNT\Offline Web Pages\desktop.ini
1/14/2006 4:37:26 PM H 155648 C:\WINNT\repair\ntuser.dat
1/14/2006 4:34:50 PM H 271 C:\WINNT\system32\desktop.ini
1/14/2006 4:34:50 PM H 21692 C:\WINNT\system32\folder.htt
1/22/2006 11:32:48 AM H 1024 C:\WINNT\system32\config\default.LOG
1/14/2006 9:37:42 AM H 0 C:\WINNT\system32\config\default.tmp.LOG
1/22/2006 3:19:04 PM H 1024 C:\WINNT\system32\config\SAM.LOG
1/22/2006 3:17:16 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
1/22/2006 3:31:24 PM H 1024 C:\WINNT\system32\config\software.LOG
1/14/2006 9:37:42 AM H 0 C:\WINNT\system32\config\software.tmp.LOG
1/14/2006 9:37:44 AM H 1024 C:\WINNT\system32\config\system.LOG
1/14/2006 9:37:42 AM H 0 C:\WINNT\system32\config\system.tmp.LOG
1/14/2006 9:37:44 AM H 1024 C:\WINNT\system32\config\userdiff.LOG
1/14/2006 4:37:34 PM H 1024 C:\WINNT\system32\config\userdifr.LOG
1/22/2006 3:15:36 PM H 6 C:\WINNT\Tasks\SA.DAT
1/14/2006 4:34:52 PM H 842 C:\WINNT\Web\bullet.gif
1/14/2006 4:34:50 PM H 90056 C:\WINNT\Web\classic.bmp
1/14/2006 4:34:50 PM H 634 C:\WINNT\Web\classic.htt
1/14/2006 4:34:50 PM H 4659 C:\WINNT\Web\controlp.htt
1/14/2006 4:34:50 PM H 5296 C:\WINNT\Web\default.htt
1/14/2006 4:34:50 PM H 830 C:\WINNT\Web\deskmovr.htt
1/14/2006 4:34:50 PM H 8898 C:\WINNT\Web\dialup.htt
1/14/2006 4:34:52 PM H 2642 C:\WINNT\Web\exclam.gif
1/14/2006 4:34:50 PM H 31080 C:\WINNT\Web\folder.bmp
1/14/2006 4:34:50 PM H 3210 C:\WINNT\Web\folder.htt
1/14/2006 4:34:52 PM H 19355 C:\WINNT\Web\fsresult.htt
1/14/2006 4:34:52 PM H 11009 C:\WINNT\Web\ftp.htt
1/14/2006 4:34:50 PM H 16981 C:\WINNT\Web\imgview.htt
1/14/2006 4:34:52 PM H 56 C:\WINNT\Web\mincold.gif
1/14/2006 4:34:52 PM H 77 C:\WINNT\Web\minhot.gif
1/14/2006 4:34:50 PM H 13280 C:\WINNT\Web\nethood.htt
1/14/2006 4:34:52 PM H 59 C:\WINNT\Web\pluscold.gif
1/14/2006 4:34:52 PM H 80 C:\WINNT\Web\plushot.gif
1/14/2006 4:34:50 PM H 31080 C:\WINNT\Web\preview.bmp
1/14/2006 4:34:50 PM H 13798 C:\WINNT\Web\printers.htt
1/14/2006 4:34:50 PM H 11149 C:\WINNT\Web\recycle.htt
1/14/2006 4:34:52 PM H 2913 C:\WINNT\Web\safemode.htt
1/14/2006 4:34:50 PM H 6489 C:\WINNT\Web\schedule.htt
1/14/2006 4:34:52 PM H 28565 C:\WINNT\Web\standard.htt
1/14/2006 4:34:50 PM H 31080 C:\WINNT\Web\starter.bmp
1/14/2006 4:34:50 PM H 1024 C:\WINNT\Web\starter.htt
1/14/2006 4:34:50 PM H 1316 C:\WINNT\Web\webview.css
1/14/2006 4:34:52 PM H 31438 C:\WINNT\Web\webview.js
1/14/2006 4:34:50 PM H 8248 C:\WINNT\Web\wvleft.bmp
1/14/2006 4:34:50 PM H 54 C:\WINNT\Web\wvline.gif
1/14/2006 4:34:50 PM H 14865 C:\WINNT\Web\wvlogo.gif
1/14/2006 4:34:52 PM H 12403 C:\WINNT\Web\wvnet.gif

Checking for CPL files...
Microsoft Corporation 6/20/2003 6:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 3/24/2005 9:10:48 PM 17899520 C:\WINNT\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 6/20/2003 6:00:00 AM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
FotoNation inc. 3/26/1998 2:01:34 PM 27136 C:\WINNT\SYSTEM32\camcpl.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 237328 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 257296 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2/20/2001 1:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/20/2003 6:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Nero AG 10/18/2005 3:31:40 PM 81920 C:\WINNT\SYSTEM32\NeroBurnRights.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Sun Microsystems 11/30/2005 10:11:16 AM 45175 C:\WINNT\SYSTEM32\plugincpl131_17.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:44 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 125712 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 6/20/2003 6:00:00 AM 54272 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/7/2005 11:16:22 PM 780 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
1/7/2006 3:34:52 PM 1584 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
1/20/2006 2:54:04 PM 1458 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Corel Family and Friends Reminders.LNK
11/7/2005 10:23:34 PM 638 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
11/7/2005 11:04:12 PM 632 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GhostSurf.lnk
11/13/2005 11:16:32 AM 1696 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
11/13/2005 11:23:50 AM 1807 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
11/8/2005 5:56:58 PM 1581 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
11/8/2005 5:52:24 PM 850 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
1/17/2006 6:22:22 PM 718 C:\Documents and Settings\Rhonda Bully\Start Menu\Programs\Startup\Corel Print House Registration.lnk

Checking files in %USERPROFILE%\Application Data folder...
12/26/2005 8:29:50 AM 154784 C:\Documents and Settings\Rhonda Bully\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Fix-It Menu
{A50302A0-8E15-11d2-887B-006008C1C087} = C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\system32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\system32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINNT\system32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Microsoft SearchBand = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
SunServer C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
SymTray - Norton SystemWorks C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Spyware Doctor "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/22/2006 9:16:40 PM



#29
January 22, 2006 at 19:37:33

Here's silent runner results.

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
----

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SunServer" = "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" ["Sunbelt Software"]
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PhotoDeluxe HE 3.0\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{a5780613-492e-4a2a-a7fd-549610edf6cc}" = "***t>*a**************" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL" [empty string]
INFECTION WARNING! "{076394AD-7FDD-44EF-A075-32C68DBAB99B}" = "***U**a****" (unwritable string)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" ["Sunbelt Software"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * SsiEfr.e" [file not found], [MS], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Fix-It Menu\(Default) = "{A50302A0-8E15-11d2-887B-006008C1C087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll" ["V Communications, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Fix-It Menu\(Default) = "{A50302A0-8E15-11d2-887B-006008C1C087}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\VCOM\SystemSuite\mxctxmnu.dll" ["V Communications, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:


Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShareWallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssstars.scr" [MS]


Startup items in "Rhonda Bully" & "All Users" startup folders:
----

C:\Documents and Settings\Rhonda Bully\Start Menu\Programs\Startup
"Corel Print House Registration" -> shortcut to: "C:\Program Files\Corel\Print House 2000\Register\Remind32.exe" ["IntelliQuest Communications, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Corel Family and Friends Reminders" -> shortcut to: "C:\Corel\Print House Magic\cffrem.exe" ["Corel Coporation"]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]
"GhostSurf" -> shortcut to: "C:\Program Files\GhostSurf\GhostSurf.exe" ["Tenebril Incorporated"]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -hx" [null data]
"KODAK Software Updater" -> shortcut to: "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Rhonda Bully" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Scheduled Checkpoint" -> launches: "C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -SNAP" ["imagine LAN, Inc."]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"wrSpySweeperTrialSweep" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /ScheduleSweep=wrSpySweeperTrialSweep" ["Webroot Software, Inc."]


Winsock2 Service Provider DLLs:
--

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\VCOM\SystemSuite\MxAVLsp.dll ["V Communications, Inc."], 01 - 11, 17
%SystemRoot%\system32\msafd.dll [MS], 12 - 14, 18 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 15 - 16


Toolbars, Explorer Bars, Extensions:
-------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{AF6CABAB-61F9-4F12-A198-B7D41EF1CB52}\
"ButtonText" = "WeatherBug"
"CLSIDExtension" = "{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}"
"Exec" = "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" ["AWS Convergence Technologies, Inc."]


Miscellaneous IE Hijack Points
-

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
--------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE" ["Symantec Corporation"]
PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
SAVScan, SAVScan, "C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SystemSuite Task Manager, SystemSuite Task Manager, "C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe -Service" ["V Communications, Inc."]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON Printer Port\Driver = "Eplpmx02.DLL" ["MK Systems CO.,LTD."]
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 59 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 87 seconds)



#30
January 23, 2006 at 20:05:09

Nothing jumps out at me, Chipper.

Run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.

Then download and run ccleaner to clean out all your temp files. Make sure there is not anything in the recycle bin that you need as ccleaner will delete recycle bin items unless checked not to do so.



#31
January 24, 2006 at 18:04:12

Panda found things and couldn't complete the scan. Here's the report as far as it got.
Incident Status Location

Spyware:spyware/clearsearch Not disinfected C:\WINNT\SYSTEM32\IETie.dll
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@as-us.falkag[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[]
Virus:Trj/Mitglieder.GB Disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Thunderbird\Profiles\rlx901mo.default\Mail\Local Folders\Inbox[123.exe]
Virus:Trj/Mitglieder.GB Disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Thunderbird\Profiles\rlx901mo.default\Mail\Local Folders\Junk[123.exe]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@as-us.falkag[1].txt



#32
January 24, 2006 at 19:28:51

Reboot into safe mode.

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Navigate to and delete this file:

C:\WINNT\SYSTEM32\IETie.dll

If you have trouble deleting it, download Killbox from this link: Killbox
Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste the following:

C:\WINNT\SYSTEM32\IETie.dll


Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.

Run the panda scan again.



#33
January 25, 2006 at 04:25:26

I ran Panda again. It gets so far and stops, says it found malicious software. Here's the most recent report. The files hide themselves even in safe mode. I have to run a search for them, because they're not listed where they're supposed to be. Probably because it keeps losing the file associations.
Incident Status Location

Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@as-us.falkag[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rhonda Bully\Application Data\Mozilla\Firefox\Profiles\b2mlevqp.default\cookies.txt[]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rhonda Bully\Cookies\rhonda bully@as-us.falkag[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-796845957-1303643608-725345543-1000\Dc9.txt[]

I can't find these cookies. I've searched for them and still can't find them. I'm pretty sure the falkag cookie is the one that started all of this. Ad-aware had found it a couple weeks ago and said it had 658 hits to my computer.



#34
January 25, 2006 at 18:08:34

I might have made a big mistake. I downloaded the trial version of Panda and installed it. It asked me to reboot the computer. Since then I haven't been able to reboot. At least I think I can't. I reboot and it gets to the loading personal settings screen and just sits there. Could it possibly be doing a scan? The Panda logo is in the bottom right corner of the screen. It's been like this for approx. 30 minutes. I don't think it's frozen. Do you know of anyone who's had this problem before? Right now I have to use my son's computer.


#35
January 25, 2006 at 19:35:05

See if you can restart the computer in safe mode. Shut the computer down, wait 30 seconds, press the start button and press F8 at about 1 second intervals as it boots.

You should get an option screen, choose safe mode from the list with the arrow keys, then press enter.

If you are able to get into safe mode go to start>control panel>add/remove programs>scroll down the list to the Panda free trial and uninstall it.



#36
January 25, 2006 at 19:54:27

And while you are at it (in add/remove programs) uninstall WeatherBug and navigate to and delete this folder:

C:\Program Files\AWS



#37
January 26, 2006 at 11:37:02

I'm having the same problem, after attempting to install Norton Internet Security '06. NIS reported a fatal error, and since then, all of my desktop shortcuts are shown as the generic Windows shortcut (except IE), and I can't open any programs; no Control Panel, Mgmt Console, msconfig, no System Restore... Based on other articles, I looked at my Registry (I was able to open regedit.exe, by luck, by booting to Safe Mode with Command Prompt and typing regedit.exe. No other programs open this way) and noticed that the HKEY_CLASSES_ROOT key had an empty .exe and was missing exefile. I tried downloading the xp_exe_fix, but can't run the program. I tried to manually change the HKEY_CLASSES_ROOT key, but wasn't able to. I then opened up permissions to "Everyone". As soon as I did this, the .exe key was populated. The exefile key also appeared and was populated. Now I can run SOME .exes, but still no System Restore. I was able to reboot and run sfc /scannow. Some files were missing and replaced.

That's where I'm at now, still trying to figure out what's wrong. I am 99.9% sure that this is caused by a virus, since it occurred while trying to install NIS '06. I also believe this because I cannot browse to any security-related sites. No Symantec, no McAfee, TrendMicro, Kaspersky...but I can browse to regular sites (msn, for example).
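The registry state described in the post above (an empty HKEY_CLASSES_ROOT\.exe and a missing exefile key) can be checked without touching anything. The following is an added example, not code from this thread; it assumes a Windows version that ships PowerShell (XP SP2 or later, which the original poster's Windows 2000 does not have) and compares both keys against the stock Windows values.

```powershell
# Added example, not code from the thread. Read-only audit of the .exe
# file association that post #37 found emptied: reports whether HKCR\.exe
# and HKCR\exefile still carry the stock Windows values. Changes nothing.
function Test-ExeAssociation {
    # Stock values: .exe must map to the exefile class, and exefile's open
    # command must launch the file itself with its arguments, nothing else.
    $expected = [ordered]@{
        'Registry::HKEY_CLASSES_ROOT\.exe'                      = 'exefile'
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    }
    $findings = @()
    foreach ($path in $expected.Keys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $key) {
            $findings += "MISSING  $path"          # post #37: exefile key gone
            continue
        }
        $actual = [string]$key.GetValue('')        # the (Default) value
        if ([string]::IsNullOrEmpty($actual)) {
            $findings += "EMPTY    $path"          # post #37: .exe present but empty
        } elseif ($actual -ne $expected[$path]) {
            # Anything other than the stock value means every .exe launch is
            # routed through some other program first: a hijacked association.
            $findings += "CHANGED  $path = $actual"
        } else {
            $findings += "OK       $path = $actual"
        }
    }
    return $findings
}

Test-ExeAssociation
```

Because powershell.exe is itself an .exe, in the fully broken state of post #37 it has to be started the same way regedit.exe was there, from Safe Mode with Command Prompt, since cmd.exe launches programs directly rather than through the file association.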



#38
January 26, 2006 at 18:32:31

Hi, Jabuck. My computer is back. I went to safe mode and deleted Panda. I also ran spyware doctor while in safe mode and it found a trojan. I wonder if it came from Panda? Remember when I said that counterspy and spyware doctor listed things that I thought shouldn't be there that it would skip over? You wanted to know where they were located. They show up while it's scanning the registry. I don't know if my problem is fixed or not yet. Time will tell. Curious to know if my file extensions will disappear again. What virus program do you prefer? I have Norton 2004 installed and V-Com System Suite. AVG had issues with the problem I was having and had to be uninstalled. You said I should only have one anti-virus. I just don't know which one to use. Also, is there a way to stop V-Com from running at startup? I can't find a way to stop it and there's no way to shut it down without using task manager or system tools in Counterspy.


#39
January 26, 2006 at 20:19:15

I doubt that the virus came from Panda, but it may have reacted to it. The value of running those scans in safe mode is that many files are not active and can be removed in this state.

I am not familiar with V-Com, but whichever AV is "up to date" will work; having two AVs causes conflicts which can allow a virus to slip through the AVs.

You should also do a google search for spywareblaster and install it. You will find it highly recommended in the spyware help forums.



#40
January 28, 2006 at 08:04:41

I downloaded spywareblaster and I almost had a heart attack when I saw the active X things it wanted to protect in internet explorer. There are over 1500 dialers, over 150 keen value (what's this?), plus a ton of other dialers and trojan horses and trojan downloaders and VX2's and a ton of other nasty stuff. How do I delete these things manually? I assume they're in the registry. How do I edit the registry where it will show me what the stuff is, not just the numbers? I tried to download registry mechanic from major geeks, but can't.


#41
January 28, 2006 at 13:31:37

There is no removal or edits to be made with spywareblaster.

Just click "internet explorer" then check the two boxes just beneath "configure spywareblaster's internet explorer protection" and all the active x items will be checked.

Then click "restricted sites" and check the box beneath "configure spywareblaster's restricted sites protection" and all those sites will be checked.

Then check for updates. The last one was 1/18/06, bringing the total number of protected items to 5440. Once the update completes, click "enable all protection".



#42
January 28, 2006 at 15:37:30

Is there anywhere on the computer or any program to use to edit the registry, that will tell me more than just the number?


#43
January 28, 2006 at 16:19:19

There are programs to edit the registry and you can do it manually, but from what I am reading out of your post is that you think that something in spywareblaster is showing you something in your computer that is bad. It is not. It is showing you spyware that it blocks. You check the boxes to do that, then you are protected.

Editing the registry can crash the computer quicker than just about anything. Unless you know exactly what you are doing it should not be attempted.



#44
January 31, 2006 at 20:11:43

Well, the computer seems to be behaving for the moment. The reason I wanted to check the registry is because of the stuff Spyware Doctor skips over in the registry. Like those trojan downloaders and BonziBuddy and Ezula. I'm having a few issues with Norton. I've uninstalled and reinstalled twice now. I also can't get quicktime to work on the internet. There are some sites I can't view because quicktime won't load the pic or whatever it's trying to load. Check back with me in a few days and see if I've replied that the problem is back.


#45
February 4, 2006 at 16:51:17

Well, I thought the computer was behaving, but I guess not. Every time there's a problem, I find something pertaining to falkag. I had totally blocked them with Ghostsurf. Then last night someone accessed one of my credit cards. Thank God that the credit card company called me. I look in Ghostsurf and falkag has disappeared. Every time I found anything with falkag and I'd try to delete it, it would like become invisible. Since there is no program out there that can find all this stuff, I guess I'm going to have to reformat. Unless, you want to give it one more try.
