Operation Temporarily Freezes (Often)


Jim M
February 8th, 2004, 12:13 PM
>:(

I hope someone can help me with this problem. I tried searching first, but couldn't find a post on this problem (doesn't mean it's not there!). If I'm at the wrong place in Wilders Forum, please feel free to forward me on.

My problem -- when I'm working online or even offline, I'm experiencing frequent temporary "freezes" where everything comes to a quick halt of maybe 5 seconds, and then starts again suddenly. This can happen when I'm working on Quicken offline (and even when using the Start Menu), or can happen when I'm surfing the net. In typing this message, it has already occurred on at least 10 occasions. In typing this message, if I keep on typing during a freeze the letters typed will show up once the freeze is over. I also notice that my mouse pointer will freeze on the screen, and after the freeze then reappear suddenly no doubt in the place where my hand had moved it to during the freeze itself. There doesn't seem to be any rhythm to the occurrence. It can happen at 3 second intervals or at 10 second intervals (or in this most recent case at a very long 45 second interval). The freeze never seems to last more than 3 or 5 seconds.

Last night I ran Spy Bot and Ad-aware and they picked up a dialer (Spy Bot) and a BHO (Ad-aware). They both were removed. Browser Hijack Blaster also picked up an attempted Browser Hijack. All of these were corrected through those programs.

Right now my daughter has a lot of downloaded music and picture files in the hard drive. If I run DriveSpace on my computer, my 2.0 GB capacity is 586 MB free, 1.43 GB used. This is much higher used space than we usually run -- could this be part of the problem?

Any help or thoughts would be appreciated.

Thanks!

Jim M.
February 8th, 2004, 01:53 PM
In reviewing my post, I realized I had failed to provide some basic information:

I run Windows 98 SE and IE 6.0

The trouble seemed to start a couple of days ago. Everything up till then seemed fine. Neither my daughter nor I can think of any one strange event that would have set it off.

Also, it causes delays in the loading of web pages, etc. Same type of freezes going on, I guess.

Thanks.

Dan Perez
February 8th, 2004, 03:38 PM
This is sometimes due to hardware degrading (usually with PS2 keyboard/mouse ports on the motherboard) but might also be software.

Perhaps if you were to follow the steps outlined here

http://www.wilderssecurity.com/showthread.php?t=15913

we might find something in your hijackthis log. Since you have already run the Spybot and AdAware scans just follow the steps for Hijackthis.

Jim M.
February 8th, 2004, 10:22 PM
Dan, thanks for taking a look at this logfile. Hope you find something suspicious, but it sounds like the hardware degrading may be a possibility. I appreciate your help regardless of the outcome.

Thanks a lot!



Logfile of HijackThis v1.97.7
Scan saved at 8:14:43 AM, on 2/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SVCHOST32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ZIPITFAST\ZIPITFAST.EXE
C:\PROGRAM FILES\HIJACKTHIS204.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O19 - User stylesheet: (file missing)

Pieter_Arntz
February 9th, 2004, 02:42 AM
Hi Jim,

Bad news I'm afraid.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe

O19 - User stylesheet: (file missing)

Then boot into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
and replace C:\EXPLORER.EXE
with C:\WINDOWS\EXPLORER.EXE
and delete: C:\WINDOWS\svchost32.exe

Then boot normally and post a new log please.

Regards,

Pieter

Jim M.
February 9th, 2004, 11:36 AM
Pieter, I should have told you and Dan up front that I'm not too computer literate. So....what follows will be a request you don't get too often.

When you say "replace C:\EXPLORER.EXE" with "C:\WINDOWS\EXPLORER.EXE" and then delete "C:\WINDOWS\svchost32.exe", where do I access these files to take the recommended action? I see them shown on the HijackThis logfile, and also find them in the Windows Explorer window when I run FIND from the START menu. I want to ask before I (as an elderly neighbor from my childhood used to say) "Mess up the plan of salvation!" I find that easy to do with computers. Can you walk me through the steps?

I've already had HijackThis "fix" the first two items in your message. I'll follow your instructions when received and then post another HijackThis logfile as requested.

Thanks Pieter! I appreciate your patience more than you'll ever know.

Jim

Pieter_Arntz
February 10th, 2004, 03:48 AM
Hi Jim,

No problem.

I hope you noticed that the words safe mode in my previous post were a link to a site, where you can find how to boot into safe mode.

Once you are there, doubleclick "My Computer", Doubleclick the C: drive, doubleclick the Windows folder and find explorer.exe.
Rightclick that file and choose copy.

Then open a new explorer window by doubleclicking "My Computer", doubleclicking C: drive, then rightclick in an empty space on the righthand-side and choose "Paste"
You will be prompted that there already is a file with that name and if you want to replace it. Choose "Yes"

Now in the explorer window where you copied explorer.exe (the one that is open in the Windows folder) find svchost32.exe, rightclick it and choose "Delete"

After that is done you can reboot normally and you should be fine.

Regards,

Pieter

Jim M.
February 11th, 2004, 07:31 AM
Pieter,

Thanks for the additional help! No problem with getting into safe mode, and your instructions were very clear.

However, when I go to paste "explorer.exe" into the new explorer window, I get the following alert:

Error Copying File

Cannot create or replace EXPLORER. The specified file is being used by Windows.

Hope this makes sense to you. Any way around this?

Jim

Pieter_Arntz
February 11th, 2004, 07:45 AM
Hi Jim,

That would mean that file is even being used in safe mode.
That was even after you removed svchost32.exe?
This is going to be tricky.
Boot into safe mode once more.
Open a Command Prompt window and leave it open.
(You can find the command prompt under Start > Programs > Accessories)
Close all open programs.

You now need to close EXPLORER.EXE. The proper way to shut down Explorer is to raise the "Shut Down Windows" dialog (select "Shut Down..." from the start menu), hold down CTRL+SHIFT+ALT and press the CANCEL button. Explorer will exit cleanly.

Note: The <CTRL+ALT+DEL> at the 'Shut Down Windows' dialog method of closing Explorer is built into Explorer. (It was specifically designed so that developers writing Shell Extensions could get Explorer to release their Shell Extension DLLs while debugging them).

Go back to the Command Prompt window and change to the directory where the undeletable file is located. At the command prompt type DEL EXPLORER.EXE and make sure you are in the C: (see attachment)

Go back to Task Manager, click File, New Task and enter C:\WINDOWS\EXPLORER.EXE to restart the GUI shell.

Close Task Manager.

Then copy explorer.exe to C:. We have to do this since I have no idea why it is started from that directory, so can't change it either.
Now we have accomplished that it will be starting the original, clean file.

Regards,

Pieter

Jim M.
February 13th, 2004, 09:22 AM
:)
Pieter,

The problem seems to be corrected. Both my daughter and I have used the computer extensively over the past few days, and we haven't had any further problems with it. Incidentally, I was able to delete svchost32.exe while in safe mode, although I got a little shaky when I started to close explorer. I decided to stop for a long cup of coffee, and (thankfully) my daughter told me the problem seemed to have been corrected before I resumed.
As such, I haven't tackled the other procedures recommended in your last post. Should I be concerned with any of the other things you were trying to correct (for example: explorer.exe)?

I guess the question is: how long will it last? I'll probably be contacting you again, I have a feeling.

Pieter, thanks for the help!

Best wishes,

Jim

Pieter_Arntz
February 13th, 2004, 09:35 AM
Hi Jim,

I would feel a lot better if it would show in your log that the normal explorer.exe was running.
Or if you could mail me a copy of your C:\EXPLORER.EXE
Maybe I can check if there are any differences compared to the original and if so which ones.
Use the address in my profile to send the file to, please.

I can imagine you needed something stronger before tackling that procedure. I'm not sure if I would have made it all dry. :)

Regards,

Pieter

Jim M.
February 16th, 2004, 06:00 PM
Pieter,

I'll be happy to send you a copy of C:\EXPLORER.EXE (and appreciative for the extra help). However, when you say e-mail you a copy, how exactly do I do that? Bear with me, but some more of those very simple step by step directions would be helpful. Sorry you have to explain so much.

Incidentally, I don't know if I told you, but my system is Windows 98 SE.

Thanks. I'll look forward to your response.

Jim

Pieter_Arntz
February 17th, 2004, 04:35 AM
Hi Jim,

This site explains it pretty well:
How to mail attachments (http://www.freeserve.com/help/beginnerguides/emailmadeeasy/emailattachfile.htm)

Regards,

Pieter

Jim M
February 29th, 2004, 05:16 PM
Pieter,

Sorry, I know you think I have forgotten about forwarding the copy of C:\EXPLORER.EXE. However, I have been away on a rather extended business trip and only now am getting around to so many neglected details.

I did try to e-mail you a copy of the above file. However, when I tried to attach it I got a box labeled "Mailbox" and saying "One or more of the files you selected cannot be opened. They may be in use by another application."

This sounds like we're back at step 2 or 3. Any suggestions?

Thanks!

Jim M

???

Pieter_Arntz
March 1st, 2004, 08:40 AM
Let's see if it really is running first.

Please post a new HijackThis log.

Regards,

Pieter

Jim M.
March 3rd, 2004, 07:00 PM
Pieter,

Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 6:48:42 PM, on 3/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab



Thank you!

Jim M.

:)
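
Reading the two HijackThis logs above for the things Pieter looks at (a shell running from the wrong directory, a lookalike autorun entry) and confirming what a follow-up log cleared can be automated. The Python below is an added example, not part of the original thread or of HijackThis; the log excerpts are copied from the posts above, and the `EXPECTED_DIR` and `IMITATED_STEMS` tables and all function names are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption for this example: the directory each baseline binary belongs in.
# The thread only states this for explorer.exe (C:\WINDOWS).
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}
# Assumption: well-known system names that a lookalike extends with extra characters.
IMITATED_STEMS = ("svchost", "explorer")

O4_RUN = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")
IMAGE = re.compile(r'^"([^"]+)"|^(\S+)')

# Excerpt of the log posted on February 8th (scan dated 2/9/04).
FIRST_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SVCHOST32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Excerpt of the follow-up log posted on March 3rd.
SECOND_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""


def parse_log(text):
    """Return (running process paths, O4 registry Run commands) from a HijackThis log."""
    processes, run_commands, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line ends the process list
        else:
            m = O4_RUN.match(line)
            if m:  # "O4 - Startup:" shortcut entries have no [name] and are skipped
                run_commands.append(m.group(3))
    return processes, run_commands


def image_of(command):
    """Strip arguments from a Run command, honouring a quoted image path."""
    m = IMAGE.match(command.strip())
    return m.group(1) or m.group(2)


def reasons_for(path):
    """Return the reasons an image path deserves a closer look (empty list if none)."""
    p = PureWindowsPath(path.lower())
    reasons = []
    expected = EXPECTED_DIR.get(p.name)
    # Bare names such as "SysTray.Exe" carry no directory to compare, so skip them.
    if expected and p.anchor and str(p.parent) != expected:
        reasons.append("unexpected-location")
    if any(p.stem != s and p.stem.startswith(s) for s in IMITATED_STEMS):
        reasons.append("lookalike-name")
    return reasons


def findings(text):
    """Return a set of (source, lowercased image path, reason) for one log."""
    processes, run_commands = parse_log(text)
    candidates = [("process", p) for p in processes]
    candidates += [("autorun", image_of(c)) for c in run_commands]
    return {(src, path.lower(), why)
            for src, path in candidates for why in reasons_for(path)}


def compare(before, after):
    """Show which findings a follow-up log cleared and which are still present."""
    old, new = findings(before), findings(after)
    return {"cleared": old - new, "remaining": old & new, "new": new - old}


if __name__ == "__main__":
    for status, items in compare(FIRST_LOG, SECOND_LOG).items():
        for source, path, reason in sorted(items):
            print(f"{status:9} {source:8} {reason:20} {path}")
```

On these excerpts the svchost32.exe process and Run entry come back as cleared, while C:\EXPLORER.EXE is still reported as running from outside C:\WINDOWS.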

Pieter_Arntz
March 4th, 2004, 03:59 AM
Hi Jim M,

Please surf to http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Copy and paste this in the dialog box: explorer.exe

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

Regards,

Pieter

Jim M.
March 7th, 2004, 02:53 PM
Pieter,

Here's the result of running the registry search tool:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "explorer.exe" 3/7/04 2:42:33 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\International]
"explorer.exe"="6.0.2600.0-6.0.9999.9999"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo\Clients]
"c:\\windows\\Explorer.EXE"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\MostRecentApplication]
"Name"="EXPLORER.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication]
"Name"="EXPLORER.EXE"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\shell\find\command]
@="c:\\windows\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
@="explorer.exe,0"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\find\command]
@="c:\\windows\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\DefaultIcon]
@="C:\\WINDOWS\\explorer.exe,-103"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\AllSpecialItems\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\AllSpecialItems\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Drive\shell\find\command]
@="c:\\windows\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Folder\shell\open\command]
@="c:\\windows\\Explorer.exe /idlist,%I,%L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Folder\shell\explore\command]
@="c:\\windows\\Explorer.exe /e,/idlist,%I,%L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Directory\shell\find\command]
@="c:\\windows\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\fndfile\shell\open\command]
@="c:\\windows\\Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Publishing Folder\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,%L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Publishing Folder\shell\open\command]
@="Explorer.exe /idlist,%I,%L"

[HKEY_LOCAL_MACHINE\Software\CLASSES\Briefcase\shell\open\command]
@="explorer.exe %1"

[HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile\shell\open\command]
@="explorer.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\ZIP_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\smi_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\5;sz=468x60;ord=979066952_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\tmp_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\pps_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\dbb_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\mim_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\CLASSES\QB1_auto_file\shell\open\command]
@="c:\\windows\\Explorer.exe \"%1\""

[HKEY_LOCAL_MACHINE\Software\Symantec\Norton CleanSweep Deluxe]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Greatis\Regrun2\Save\Winini]
"Shell"="Explorer.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

Thanks! :)

Pieter_Arntz
March 8th, 2004, 03:59 AM
Stranger and stranger. ???

Can you find the file win.ini, open it in notepad and post the content please?

Regards,

Pieter

Jim M.
March 8th, 2004, 07:15 PM
Pieter,

Found the file "win.ini" in C:\WINDOWS. Here's the post.

[windows]
NullPort=None
device=Canon i250,CJPDRV50,USBPRN01
noload=ptsnoop.exe
;Rem TShoot: norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
load=
run=

[Desktop]
Wallpaper=C:\WINDOWS\CLOUDS.BMP
TileWallpaper=0
WallpaperStyle=2
Pattern=(None)

[intl]
iCountry=1
ICurrDigits=2
iCurrency=0
iDate=0
iDigits=2
iLZero=1
iMeasure=1
iNegCurr=0
iTime=0
iTLZero=0
s1159=AM
s2359=PM
sCountry=United States
sCurrency=$
sDate=/
sDecimal=.
sLanguage=enu
sList=,
sLongDate=dddd, MMMM dd, yyyy
sShortDate=M/d/yy
sThousand=,
sTime=:

[Fonts]

[FontSubstitutes]
Helv=MS Sans Serif
Tms Rmn=MS Serif
Times=Times New Roman
Helvetica=Arial
MS Shell Dlg=MS Sans Serif
MS Shell Dlg 2=MS Sans Serif

[Compatibility]
_3DPC=0x00400000
_BNOTES=0x224000
_LNOTES=0x00100000
ACAD=0x8000
ACT!=0x400004
ACROBAT=0x04000000
AD=0x10000000
ADW30=0x10000000
ALARMMGR=0x0040000
ALDSETUP=0x00400000
AMIPRINT=0x04000000
AMIPRO=0x04000010
APORIA=0x0100
APPROACH=0x0004
BALER=0x08000000
BMAPP=0x0004
CASMONEY=0x00200000
CAVOIDE=0x00200000
CCMAIL=0x00200000
CCMCWFY=0x80
CHARISMA=0x2000
CONFIG=0x00400000
CORELDRW=0x48000
CORELPNT=0x08000000
COSTAR=0x0004
CP=0x0040
CROSSTIE=0x00000400
DARCH=0x80
DESIGNER=0x00002000
DIRECTOR=0x00800000
DPLANNER=0x00200000
DRAW=0x2000
DS40=0x8000
DTWIN20=0x00000400
EAP=0x0004
ED=0x00010000
EXCEL=0x1000
EXPASTRO=0x04000000
EXTYPWND=0x00200000
FAXVIEW=0x04000000
FAXWORKS=0x00000400
FH4=0x00E08000
FLW2=0x8000
FMPRO=0x00200000
FREEHAND=0x8000
FULLTEXT=0x20000000
GIFTMAKE=0x20000000
GUIDE=0x1000
HDW=0x04800000
HGW=0x8000
HGW2EXE=0x8000
HGW3EXE=0x8000
HJDRAW=0x00400000
IDAPICFG=0x00400000
IDRAW=0x04008000
ILLUSTRATOR=0x8000
IMPROV2=0x00000000
INFOCENT=0x04000000
INSIGHT=0x00000400
INSTAL1=0x00400000
INSTALL=0x00400000
INTERMIS=0x10000000
IS20INST=0x00000000
IVIHEALT=0x00400000
JEOPARDY=0x00200000
JW=0x00000000
KALOAD2=0x00400000
KEYCAD=0x8000
LE_ADMIN=0x00400000
LUI=0x20000000
MAILSPL=0x10000000
MAKER=0x00200000
MAPS1=0x04008022
MATH=0x00000001
MAVIS=0x00200000
MCOURIER=0x0800
MFWIN20=0x02000000
MILESV3=0x1000
MILESV40=0x4
MOZART=0x40000000
MSARTIST=0x00100000
MSBHUMAN=0x4
MSREMIND=0x10000000
MVIEWER2=0x40200000
MYINV=0x00200000
MYST=0x08000000
NAFTA1=0x4008022
NBAMW4V4=0x04000000
NETSET2=0x0100
NOTES=0x200000
NOTSHELL=0x0001
OPERATOR=0x02000000
OUTPOST=0x00000000
OWLAPP=0x00400000
PACKRAT=0x0800
PAINTER=0x00000000
PAWC8DC3=0x00400000
PAWIN=0x4
PEACHW=0x04800004
PIXIE=0x0040
PLANIT=0x0004
PLANNER=0x2000
PLUS=0x1000
PM4=0xA000
PM5APP=0x8000
PP4=0x00000000
PR2=0x2000
PRINTHLP=0x0004
QAPLUSW=0x0004
QLIIFAX=0x00400000
QUAKE=0x80
QW=0x08000000
RELAY=0x20000000
REM=0x8022
RR2CD=0x00200000
RX=0x00000400
RXL=0x00000400
SETUP=0x00000000
SIDEKICK=0x0004
SLEEPER=0x10000000
SOL=0x00400000
SPCB=0x04008000
SPORTJEP=0x00200000
SPWIN20=0x00400000
ST2=0x4008022
STRAUSS=0x40000000
STRAV=0x40000000
SCHUBERT=0x40000000
SSBWIN=0x00200000
SWCWIN=0x00800004
TCVWIN=0x00200000
TCW=0x00400000
TCWIN=0x0004
TERRAIN=0x00400000
TISETUP=0x00200000
TL6=0x08000000
TME=0x0100
TMSWIN=0x20000000
TMTWIN=0x00200000
TMTWINCD=0x00200000
TOUCHUP=0x00400000
TURBOTAX=0x00080000
VB=0x0200
VEWINFIL=0x00400000
VISIO=0x00000004
VISIOHM=0x00000004
VISION=0x0040
W4GL=0x4000
W4GLR=0x4000
WGW=0x00440000
WIN2WRS=0x1210
WINCIM=0x4
WINLINK=0x20000000
WINPHONE=0x0004
WINSIM=0x2000
WINTACH=0x00200000
WORDSCAN=0x02200000
WPWINFIL=0x00000006
WPWIN60=0x00000400
WPWIN61=0x02000400
WSETUP=0x00200000
XPRESS=0x00000008
ZETA01=0x00400000
ZIFFBOOK=0x00200000
NOTIFIER=0x400000

[Compatibility32]
CLWORKS=0x00A00000
MCAD=0x00600000
PHOTOSHP=0x00208000
PODW=0x00200000
SPSSWIN=0x00200000
TYPSTRY2=0x00200000
V32VM20=0x02000000
VISIO=0x00000000
VISIOHM=0x00000000
WINPHONE=0x00000004
WRDART32=0x00400000
SHELL=0x80000000
USTATION=0x80000000

[Compatibility95]
CHAOS OV=0x80000000
CONF=0x00000002
MSDEV=0x00000002
IMAGE32=0x80000000
INST32=0x80000000
AGENTSVR=0x00000002

[ModuleCompatibility]
ACEROOBE=0x0004
AIRNFM=0x0002
ALDNCD=0x0002
AMRES=0x0002
ATM=0x0002
ARCHANGEL=0x0002
CSNOV=0x0002
DEFDEMO=0x0002
DIBWND=0x0002
DIB=0x0002
DS=0x0001
EMLIB=0x0002
EMSAVE=0x0002
FH4=0x0002
GEDIT=0x0002
GEORGE=0x0002
GVBSETUP=0x0002
HRWCD=0x0002
ISLFAXPR=0x0002
KIDDESK=0x0002
KIDSTYPE=0x0000
KNPS=0x0002
LIONKING=0x0002
MAUI_DRV=0x0002
MGXWMF=0x0002
MEMMAP=0x0002
MSARTIST=0x0002
MSCRWRTR=0x0002
MSCUISTF=0x0001
MVIEWER2=0x0002
MWAVSCAN=0x0002
MYINV=0x0002
OLESVR=0x0002
PDOXWIN=0x0002
PLANIT=0x0002
PP3=0x0002
PP4=0x0002
PPPP=0x0002
PXDSRV2=0x0002
REVIEWRT=0x0002
ROULETTE=0x0002
RRIRJ=0x0002
RR1=0x0002
RR2CD=0x0002
STL_DLG=0x0002
TECO=0x0001
TER=0x0002
TLW0LOC=0x0002
TMSWIN=0x0002
USA=0x0002
VOICE=0x0002
WFXVIEW=0x0004
WINFORM=0x0002
WPWIN61=0x0002

[TrueType]
FontSmoothing=1

[mci extensions]
mid=Sequencer
rmi=Sequencer
wav=waveaudio
avi=AVIVideo
cda=CDAudio
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=Sequencer
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2

[MCICompatibility]
QTWVideo=0x0001
MCIXSND=0x0001
GDAnim=0x0001

[mciavi]

[Desktop_Shell]
Current=Win

[Pscript.Drv]
ATMWorkaround=1

[Ports]
LPT1:=
LPT2:=
LPT3:=
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
FILE:=

[embedding]
Package=Package,Package,packager.exe,picture
midfile=MIDI Sequence,MIDI Sequence,c:\windows\mplayer.exe /mid,picture
SoundRec=Wave Sound,Wave Sound,c:\windows\sndrec32.exe,picture
mplayer=Media Clip,Media Clip,c:\windows\mplayer.exe,picture
PBrush=Paintbrush Picture,Paintbrush Picture,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Paint.Picture=Bitmap Image,Bitmap Image,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Wordpad.Document.1=WordPad Document,WordPad Document,C:\PROGRA~1\ACCESS~1\WORDPAD.EXE,picture
ComicChat.Room.2=Microsoft Chat Room,Microsoft Chat Room,C:\PROGRA~1\Chat\CChat.exe,picture
Imaging.Document=Image Document,Image Document,C:\WINDOWS\KODAKIMG.EXE,picture
WangImage.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
avifile=Video Clip,Video Clip,c:\windows\mplayer.exe /avi,picture

[Extensions]
mov=C:\WINDOWS\PLAY32.EXE ^.mov
pic=C:\WINDOWS\VIEW32.EXE ^.pic

[Mail]
MAPI=1
MAPIX=1

[Devices]
Canon i250=CJPDRV50,USBPRN01

[PrinterPorts]
Canon i250=CJPDRV50,USBPRN01,15,45

[Sounds]
SystemDefault=,

[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=MPEGVideo
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2

[PCDRWIN]
szCurrentCustomTest=C:\Program Files\PC-Doctor for Windows\DEFUSER.PCB
iShowStartupScreen=1
iVerticalButtonBar=1
iSaveWindowLayout=0
CurrentLanguage=0
16BitResourceStrings=
DWX=110
DWY=110
DWSZX=690
DWSZY=490

[WCS2000]
SharedPath=C:\WINDOWS\CSSHARE

[Lexmark 1000 - Status Monitor]
Mono LeftBidi Align=9
Mono RightBidi Align=-9
Col LeftBidi Align=9
Col RightBidi Align=-9
NON BIDI MODE=1
Current cartridge type=3
Pending new cartridge=0
Starboard cartridge type=1
JobUCT:LPT1:=1061757512
Yellow Dot Count=4208434
Magenta Dot Count=3599730
Cyan Dot Count=2972887
Min CMY Lev=7
Black Pigment Ink Level=7
Cyan Ink Level=7
Magenta Ink Level=7
Yellow Ink Level=7
Alignments Valid=1
Colour Bidi Align=15

[Indigo Rose]
C:\WINDOWS\iun3405.exe=1

[Twain]
Default Source=C:\WINDOWS\Twain_32\drvpower.ds

[DrawDib]
pnpdrvr.drv 800x600x32(0)=37,5,5,5

[MSCharMap]
Font=Symbol

[O/i PRIMAX Power TWAIN]
PixelType=2
Units=0
Autobright=0
Brightness=127
Brightnest=0
Contrast=0
Contrasu=0
Highlight=255
Highlighu=0
Shadow=0
Shadox=0
Xres=72
Xret=0
Yres=72
Yret=0
Xzoom=1
Xzoon=0
Yzoom=1
Yzoon=0
Pixel Flavor=0
Page Size Left=-3360
Page Size Lefu=73
Page Size Right=7982
Page Size Righu=30917
Page Size Top=-10358
Page Size Toq=73
Page Size Bottom=-10358
Page Size Botton=73

Thanks!

Jim

:)

Pieter_Arntz
March 10th, 2004, 03:19 AM
Hi Jim,

Make a copy of this win.ini and save it to another directory.
Then edit the one in the WINDOWS directory like this:

Remove this part entirely:
;Rem TShoot: norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe

And change
[Desktop_Shell]
Current=Win

to

[Desktop_Shell]
Current=c:\windows\Explorer.exe

Then reboot and post a new HijackThis log please.

Regards,

Pieter

Jim M.
March 10th, 2004, 07:14 AM
Pieter,

Good morning! :)

Will do tonight after work. Just to be safe, can you link me to a site describing how to edit windows as you describe? It's probably something very simple that I already do in some way or another, but better safe than sorry.

Again. . . . .THANKS for all the help, Pieter!

Jim M.

Pieter_Arntz
March 10th, 2004, 07:19 AM
Hi Jim,

These are easy to edit. Open the file in Notepad. Change what you need to change and then save the file.

That's all there is to it. :)

Regards,

Pieter

Jim M.
March 10th, 2004, 06:59 PM
:)

Logfile of HijackThis v1.97.7
Scan saved at 6:56:37 PM, on 3/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab


Thanks!

Jim

Pieter_Arntz
March 11th, 2004, 03:09 AM
Hi Jim,

A few things I would like you to do.
Download WhatsHappening (http://www.turboware.com/WhatsHappening.htm).
Run the program and select explorer.exe
Then click Edit > Copy branch to clipboard.
Then paste the result into your next post.

When you double-click c:\windows\Explorer.exe
What happens?
If it runs, can you EndTask C:\Explorer.exe ?

Regards,

Pieter
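
The HijackThis log above lists C:\EXPLORER.EXE among the running processes, while the Windows 98 shell normally runs from C:\WINDOWS. The following added example (not part of the original thread) automates that check over the "Running processes" section; the expected-directory table and the abridged sample log are assumptions constructed for illustration.

```python
import ntpath

# Assumption for this example: usual Windows 98 SE locations of these binaries.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "taskmon.exe": r"c:\windows",
    "systray.exe": r"c:\windows\system",
    "kernel32.dll": r"c:\windows\system",
    "msgsrv32.exe": r"c:\windows\system",
}

# Constructed sample, abridged from the log format posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths

def misplaced_system_files(paths, expected=EXPECTED_DIRS):
    """Flag known system binaries running from a directory other than the expected one."""
    findings = []
    for path in paths:
        folder, name = ntpath.split(path)
        want = expected.get(name.lower())
        if want and ntpath.normcase(folder.rstrip("\\")) != want:
            findings.append((path, want))
    return findings

if __name__ == "__main__":
    for path, want in misplaced_system_files(running_processes(SAMPLE_LOG)):
        print(f"{path}: expected under {want}")
```

A flagged entry is only a lead: the file's version information and loaded modules still need to be inspected before anything is deleted.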

Jim M.
March 11th, 2004, 06:16 PM
EXPLORER.EXE (C:)<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-4.72.3110.1>
RRSHELL.DLL (C:\PROGRAM FILES\GREATIS\REGRUNSUITE)
<Greatis Software, LLC-RRShell Module-1, 0, 0, 1>
SPYWAREGUARD.DLL (C:\PROGRAM FILES\SPYWAREGUARD)
<>
IEPEERS.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
MSCORLD.DLL (C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322)
<Microsoft Corporation-Microsoft .NET Framework-1.1.4322.573>
MSCORIE.DLL (C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322)
<Microsoft Corporation-Microsoft .NET Framework-1.1.4322.573>
MSVCR71.DLL (C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322)
<Microsoft Corporation-Microsoft® Visual Studio .NET-7.10.3052.4>
MSCOREE.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft .NET Framework-1.1.4322.573>
SWSUPPORT.DLL (C:\WINDOWS\SYSTEM\MACROMED\COMMON)
<Macromedia, Inc.-Shockwave-8.5.1>
VBSCRIPT.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft (r) VBScript-5.6.0.8515>
MFC42.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft (R) Visual C++-6.0.400>
ACTXPRXY.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
MONIDLE.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.129.0>
MSHTMLED.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
FLASH.OCX (C:\WINDOWS\SYSTEM\MACROMED\FLASH)
<Macromedia, Inc.-Shockwave Flash-6,0,79,0>
DLPROTECT.DLL (C:\PROGRAM FILES\SPYWAREGUARD)
<>
MSVBVM60.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Visual Basic-6.00.9237>
EAUTHMGR.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.133.0>
RICHED20.DLL (C:\WINDOWS\SYSTEM)
<>
AUTHMGR.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.133.0>
MSVCP70.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Visual Studio .NET-7.00.9466.0>
EVENTLOG.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.133.0>
LOCATION.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.133.0>
ZLIB.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<>
WIN.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.25.0>
MSVFW32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
WOW32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
DCIMAN32.DLL (C:\WINDOWS\SYSTEM)
<Intel(R) Corp., Microsoft Corp.-Microsoft Windows-4.03.1998>
ECRYPT.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.129.0>
E60CMMON.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.25.0>
UTILS.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.25.0>
MFC70.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Visual Studio .NET-7.00.9466.0>
OLEACC.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft Active Accessibility-4.2.2209.0>
MSVCR70.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Visual Studio .NET-7.00.9466.0>
TAPI32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.2222>
MSONSEXT.DLL (C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS)
<Microsoft Corporation-Microsoft Office-9.0.2612>
PNEL.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.3.0>
PNEL_UI.DLL (C:\PROGRAM FILES\EARTHLINK TOTALACCESS)
<EarthLink, Inc.-EarthLink TotalAccess-2004.0.3.0>
IDLEMON.DLL (C:\PROGRAM FILES\EARTHLINKIM)
<America Online, Inc.-AOL Instant Messenger (SM)-4.7.2480>
SOFTPUB.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.131.1877.9>
RSABASE.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.00.1877.7>
RSAENH.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.00.1877.8>
SCHANNEL.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.00.1878.13>
HHCTRL.OCX (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-HTML Help-5.2.3735.0>
MSLS31.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Line Services-3.10>
IMM32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
MSHTML.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
WINTRUST.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.131.1877.5>
DDRAWEX.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® DirectX for Windows® 95 and 98-4.87.00.0700>
DDRAW.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® DirectX for Windows®-4.09.00.0900>
JSCRIPT.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft (r) JScript-5.6.0.8515>
RNR20.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.2222>
MSAFD.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
MLANG.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
MSRATING.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
MSRATELC.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
SHDOCLC.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
ACROIEHELPER.DLL (C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX)
<Adobe Systems Incorporated-AcroIEHelper Library-6, 0, 0, 0>
SDHELPER.DLL (C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY)
<>
OLEPRO32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft Corporation-2.40>
CRTDLL.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows NT(TM) Operating System-3.50>
WSOCK32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
MSWSOCK.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.2222>
WS2_32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.2222>
WS2HELP.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
SDIEINT.DLL (C:\PROGRAM FILES\STAR DOWNLOADER)
<>
URLMON.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
WINMM.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft Windows-4.03.1998>
BROWSELC.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
SHFOLDER.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
WININET.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
CRYPT32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.131.1878.12>
MSOSS.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.131.1877.3>
LINKINFO.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
MSI.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Windows Installer-2.0.2600.2>
SETUPAPI.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-5.00.1671.1>
RPCRT4.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(TM) Operating System-4.71.2900>
MPR.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
CFGMGR32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
WINSPOOL.DRV (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
VERSION.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
COMDLG32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-4.72.3510.2300>
LZ32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
NTDLL.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.10.1998>
WEBCHECK.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1106>
OLEAUT32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft Corporation-2.40.4518>
MYDOCS.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-4.72.3510.2300>
SHD401LC.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows (R) 2000 Operating System-5.50.4914.1400>
BROWSEUI.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
SHDOC401.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows (R) 2000 Operating System-5.50.4914.1400>
OLE32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(TM) Operating System-4.71.2900>
SHDOCVW.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
SHELL32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows NT(R) Operating System-4.72.3812.600>
COMCTL32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows (R) 2000 Operating System-5.50.4916.400>
SHLWAPI.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft® Windows® Operating System-6.00.2800.1400>
MSVCRT.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft (R) Visual C++-6.00.8797.0>
ADVAPI32.DLL (C:\WINDOWS\SYSTEM)
<Microsoft Corporation-Microsoft(R) Windows(R) Operating System-4.80.1675>


Thanks Pieter!

Jim M.
March 11th, 2004, 06:36 PM
Pieter,

You're gonna love this. Following your directions in Part 2 of your last post, I double-clicked on
c:\windows\Explorer.exe and it opened up the (C:) directory (yes, the one that contains the Windows folder along with Program Files, etc.). Both directory windows remain on the screen. And I can close both through EndTask.
Were you expecting this? I wasn't, but then I didn't know what to expect. . .

Jim

:o