Operation Temporarily Freezes (Often)

Discussion in 'other software & services' started by Jim M, Feb 8, 2004.

  1. Jim M

    Jim M Guest

    :mad:

    I hope someone can help me with this problem. I tried searching first, but couldn't find a post on this problem (doesn't mean it's not there!). If I'm at the wrong place in Wilders Forum, please feel free to forward me on.

    My problem -- when I'm working online or even offline, I'm experiencing frequent temporary "freezes" where everything comes to a quick halt of maybe 5 seconds, and then starts again suddenly. This can happen when I'm working on Quicken offline (and even when using the Start Menu), or can happen when I'm surfing the net. In typing this message, it has already occurred on at least 10 occasions. In typing this message, if I keep on typing during a freeze the letters typed will show up once the freeze is over. I also notice that my mouse pointer will freeze on the screen, and after the freeze then reappear suddenly no doubt in the place where my hand had moved it to during the freeze itself. There doesn't seem to be any rhythm to the occurrence. It can happen at 3 second intervals or at 10 second intervals (or in this most recent case at a very long 45 second interval). The freeze never seems to last more than 3 or 5 seconds.

    Last night I ran Spy Bot and Ad-aware and they picked up a dialer (Spy Bot) and a BHO (Ad-aware). They both were removed. Browser Hijack Blaster also picked up an attempted Browser Hijack. All of these were corrected through those programs.

    Right now my daughter has a lot of downloaded music and picture files in the hard drive. If I run DriveSpace on my computer, my 2.0 GB capacity is 586 MB free, 1.43 GB used. This is much higher used space than we usually run -- could this be part of the problem?

    Any help or thoughts would be appreciated.

    Thanks!
     
  2. Jim M.

    Jim M. Guest

    In reviewing my post, I realized I had failed to provide some basic information:

    I run Windows 98 SE and IE 6.0

    The trouble seemed to start a couple of days ago. Everything up till then seemed fine. Neither my daughter nor I can think of any one strange event that would have set it off.

    Also, it causes delays in the loading of web pages, etc. Same type of freezes going on, I guess.

    Thanks.
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    This is sometimes due to hardware degrading (usually with PS2 keyboard/mouse ports on the motherboard) but might also be software.

    Perhaps if you were to follow the steps outlined here

    https://www.wilderssecurity.com/showthread.php?t=15913

    we might find something in your hijackthis log. Since you have already run the Spybot and AdAware scans just follow the steps for Hijackthis.
     
  4. Jim M.

    Jim M. Guest

    Dan, thanks for taking a look at this logfile. Hope you find something suspicious, but it sounds like the hardware degrading may be a possibility. I appreciate your help regardless of the outcome.

    Thanks a lot!



    Logfile of HijackThis v1.97.7
    Scan saved at 8:14:43 AM, on 2/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SVCHOST32.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\ZIPITFAST\ZIPITFAST.EXE
    C:\PROGRAM FILES\HIJACKTHIS204.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O19 - User stylesheet: (file missing)
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jim,

    Bad news I'm afraid.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe

    O19 - User stylesheet: (file missing)

    Then boot into safe mode
    and replace C:\EXPLORER.EXE
    with C:\WINDOWS\EXPLORER.EXE
    and delete: C:\WINDOWS\svchost32.exe

    Then boot normally and post a new log please.

    Regards,

    Pieter
     
  6. Jim M.

    Jim M. Guest

    Pieter, I should have told you and Dan up front that I'm not too computer literate. So....what follows will be a request you don't get too often.

    When you say "replace C:\EXPLORER.EXE" with "C:\WINDOWS\EXPLORER.EXE" and then delete
    "C:\WINDOWS\svchost32.exe", where do I access these files to take the recommended action? I see them shown on the HijackThis logfile, and also find them in the Windows Explorer window when I run FIND from the START menu. I want to ask before I (as an elderly neighbor from my childhood used to say) "Mess up the plan of salvation!" I find that easy to do with computers. Can you walk me through the steps?

    I've already had HijackThis "fix" the first two items in your message. I'll follow your instructions when received and then post another HijackThis logfile as requested.

    Thanks Pieter! I appreciate your patience more than you'll ever know.

    Jim
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim,

    No problem.

    I hope you noticed that the words safe mode in my previous post were a link to a site, where you can find how to boot into safe mode.

    Once you are there, doubleclick "My Computer", Doubleclick the C: drive, doubleclick the Windows folder and find explorer.exe.
    Rightclick that file and choose copy.

    Then open a new explorer window by doubleclicking "My Computer", doubleclicking C: drive, then rightclick in an empty space on the righthand-side and choose "Paste"
    You will be prompted that there already is a file with that name and if you want to replace it. Choose "Yes"

    Now in the explorer window where you copied explorer.exe (the one that is open in the Windows folder) find svchost32.exe, rightclick it and choose "Delete"

    After that is done you can reboot normally and you should be fine.

    Regards,

    Pieter
     
  8. Jim M.

    Jim M. Guest

    Pieter,

    Thanks for the additional help! No problem with getting into safe mode, and your instructions were very clear.

    However, when I go to paste "explorer.exe" into the new explorer window, I get the following alert:

    Error Copying File

    Cannot create or replace EXPLORER. The specified file is being used by Windows.

    Hope this makes sense to you. Any way around this?

    Jim
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim,

    That would mean that file is even being used in safe mode.
    That was even after you removed svchost32.exe?
    This is going to be tricky.
    Boot into safe mode once more.
    Open a Command Prompt window and leave it open.
    (You can find the command prompt under Start > Programs > Accessories)
    Close all open programs.

    You now need to close EXPLORER.EXE. The proper way to shutdown Explorer is to raise the "Shut Down Windows" dialog (select "Shut Down..." from the start menu), hold down CTRL+SHIFT+ALT and press the CANCEL button. Explorer will exit cleanly.

    Note: The <CTRL+ALT+DEL> at the 'Shut Down Windows' dialog method of closing Explorer is built into Explorer. (It was specifically designed so that developers writing Shell Extensions could get Explorer to release their Shell Extension DLLs while debugging them).

    Go back to the Command Prompt window and change to the directory where the undeletable file is located. At the command prompt type DEL EXPLORER.EXE and make sure you are in the C: (see attachment)

    Go back to Task Manager, click File, New Task and enter C:\WINDOWS\EXPLORER.EXE to restart the GUI shell.

    Close Task Manager.

    Then copy explorer.exe to C:. We have to do this since I have no idea why it is started from that directory, so can't change it either.
    Now we have accomplished that it will be starting the original, clean file.

    Regards,

    Pieter
     


  10. Jim M.

    Jim M. Guest

    :)
    Pieter,

    The problem seems to be corrected. Both my daughter and I have used the computer extensively over the past few days, and we haven't had any further problems with it. Incidentally, I was able to delete svchost32.exe while in safe mode, although I got a little shaky when I started to close explorer. I decided to stop for a long cup of coffee, and (thankfully) my daughter told me the problem seemed to have been corrected before I resumed.
    As such, I haven't tackled the other procedures recommended in your last post. Should I be concerned with any of the other things you were trying to correct (for example: explorer.exe)?

    I guess the question is: how long will it last? I'll probably be contacting you again, I have a feeling.

    Pieter, thanks for the help!

    Best wishes,

    Jim
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim,

    I would feel a lot better if it would show in your log that the normal explorer.exe was running.
    Or if you could mail me a copy of your C:\EXPLORER.EXE
    Maybe I can check if there are any differences compared to the original and if so which ones.
    Use the address in my profile to send the file to, please.

    I can imagine you needed something stronger before tackling that procedure. I'm not sure if I would have made it all dry. :)

    Regards,

    Pieter
     
  12. Jim M.

    Jim M. Guest

    Pieter,

    I'll be happy to send you a copy of C:\EXPLORER.EXE (and appreciative for the extra help). However, when you say e-mail you a copy, how exactly do I do that? Bear with me, but some more of those very simple step by step directions would be helpful. Sorry you have to explain so much.

    Incidentally, I don't know if I told you, but my system is Windows 98 SE.

    Thanks. I'll look forward to your response.

    Jim
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

  14. Jim M

    Jim M Guest

    Pieter,

    Sorry, I know you think I have forgotten about forwarding the copy of C:\EXPLORER.EXE. However, I have been away on a rather extended business trip and only now am getting around to so many neglected details.

    I did try to e-mail you a copy of the above file. However, when I tried to attach it I got a box labeled "Mailbox" and saying "One or more of the files you selected cannot be opened. They may be in use by another application."

    This sounds like we're back at step 2 or 3. Any suggestions?

    Thanks!

    Jim M

    o_O
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Let's see if it really is running first.

    Please post a new HijackThis log.

    Regards,

    Pieter
     
  16. Jim M.

    Jim M. Guest

    Pieter,

    Here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:48:42 PM, on 3/3/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab



    Thank you!

    Jim M.

    :)
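
Added example (not part of the thread, and not HijackThis's own code): a short Python check that does by script what Pieter does by eye in posts 11 and 15, reading a follow-up HijackThis log to see which flagged items are still present and whether the shell is running from the folder he names as the original's. The function names are made up for this example, and the two logs are trimmed excerpts of the ones posted above.

```python
import re
from ntpath import basename, dirname  # Windows path rules, works on any OS

# Trimmed excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:14:43 AM, on 2/9/04

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SVCHOST32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe
O19 - User stylesheet: (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:48:42 PM, on 3/3/04

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

# Entries the helper asked to have fixed, and the file he asked to delete (post 5).
FIX_ENTRIES = [
    r"O4 - HKLM\..\Run: [SvcHost32] C:\WINDOWS\svchost32.exe",
    r"O19 - User stylesheet: (file missing)",
]
REMOVE_PROCS = [r"C:\WINDOWS\svchost32.exe"]
# Folder the helper names as the location of the original shell (post 5).
EXPECTED_DIR = {"EXPLORER.EXE": r"C:\WINDOWS"}

# Log entries look like "O4 - ..." or "R1 - ...": a letter, a number, " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the process list ends where the entries begin
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def still_present(log_text, fix_entries, remove_procs):
    """Flagged entries and processes that the given log still shows."""
    procs, entries = parse_log(log_text)
    # Windows paths and registry names are case-insensitive, so compare upper-cased.
    live_entries = {f"{code} - {detail}".upper() for code, detail in entries}
    live_procs = {p.upper() for p in procs}
    left = [e for e in fix_entries if e.upper() in live_entries]
    left += [p for p in remove_procs if p.upper() in live_procs]
    return left


def misplaced(processes, expected_dir):
    """Processes whose file name is in expected_dir but that run from another folder."""
    found = []
    for p in processes:
        want = expected_dir.get(basename(p).upper())
        if want and dirname(p).upper().rstrip("\\") != want.upper().rstrip("\\"):
            found.append(p)
    return found


def review_followup(log_text):
    """Summarise a follow-up log against the helper's instructions."""
    procs, _ = parse_log(log_text)
    return {
        "still_present": still_present(log_text, FIX_ENTRIES, REMOVE_PROCS),
        # A log shows only the path, not the file's content, so a hit here
        # means the file still has to be compared with the original.
        "misplaced": misplaced(procs, EXPECTED_DIR),
    }


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, review_followup(log))
```

On the second log the flagged entries and svchost32.exe are gone, but the shell is still listed as C:\EXPLORER.EXE, which is why the file itself still has to be examined.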
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim M,

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Copy and paste this in the dialog box: explorer.exe

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Regards,

    Pieter
     
  18. Jim M.

    Jim M. Guest

    Pieter,

    Here's the result of running the registry search tool:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "explorer.exe" 3/7/04 2:42:33 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "Icon"="explorer.exe#0100"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\International]
    "explorer.exe"="6.0.2600.0-6.0.9999.9999"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSInfo\Clients]
    "c:\\windows\\Explorer.EXE"=""

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Direct3D\MostRecentApplication]
    "Name"="EXPLORER.EXE"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\MostRecentApplication]
    "Name"="EXPLORER.EXE"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\shell\find\command]
    @="c:\\windows\\Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
    @="explorer.exe,0"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\find\command]
    @="c:\\windows\\Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\DefaultIcon]
    @="C:\\WINDOWS\\explorer.exe,-103"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\AllSpecialItems\shell\explore\command]
    @="Explorer.exe /e,/idlist,%I,/L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\AllSpecialItems\shell\open\command]
    @="Explorer.Exe /idlist,%I,/L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Drive\shell\find\command]
    @="c:\\windows\\Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Folder\shell\open\command]
    @="c:\\windows\\Explorer.exe /idlist,%I,%L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Folder\shell\explore\command]
    @="c:\\windows\\Explorer.exe /e,/idlist,%I,%L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Directory\shell\find\command]
    @="c:\\windows\\Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\fndfile\shell\open\command]
    @="c:\\windows\\Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Publishing Folder\shell\explore\command]
    @="Explorer.exe /e,/idlist,%I,%L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Publishing Folder\shell\open\command]
    @="Explorer.exe /idlist,%I,%L"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\Briefcase\shell\open\command]
    @="explorer.exe %1"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\SHCmdFile\shell\open\command]
    @="explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\ZIP_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\smi_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\5;sz=468x60;ord=979066952_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\tmp_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\pps_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\dbb_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\mim_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\CLASSES\QB1_auto_file\shell\open\command]
    @="c:\\windows\\Explorer.exe \"%1\""

    [HKEY_LOCAL_MACHINE\Software\Symantec\Norton CleanSweep Deluxe]
    "Shell"="Explorer.exe"

    [HKEY_LOCAL_MACHINE\Software\Greatis\Regrun2\Save\Winini]
    "Shell"="Explorer.exe"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "Icon"="explorer.exe#0100"

    Thanks! :)
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Stranger and stranger. o_O

    Can you find the file win.ini, open it in notepad and post the content please?

    Regards,

    Pieter
     
  20. Jim M.

    Jim M. Guest

    Pieter,

    Found the file "win.ini" in C:\WINDOWS. Here's the post.

    [windows]
    NullPort=None
    device=Canon i250,CJPDRV50,USBPRN01
    noload=ptsnoop.exe
    ;Rem TShoot: norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
    norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
    load=
    run=

    [Desktop]
    Wallpaper=C:\WINDOWS\CLOUDS.BMP
    TileWallpaper=0
    WallpaperStyle=2
    Pattern=(None)

    [intl]
    iCountry=1
    ICurrDigits=2
    iCurrency=0
    iDate=0
    iDigits=2
    iLZero=1
    iMeasure=1
    iNegCurr=0
    iTime=0
    iTLZero=0
    s1159=AM
    s2359=PM
    sCountry=United States
    sCurrency=$
    sDate=/
    sDecimal=.
    sLanguage=enu
    sList=,
    sLongDate=dddd, MMMM dd, yyyy
    sShortDate=M/d/yy
    sThousand=,
    sTime=:

    [Fonts]

    [FontSubstitutes]
    Helv=MS Sans Serif
    Tms Rmn=MS Serif
    Times=Times New Roman
    Helvetica=Arial
    MS Shell Dlg=MS Sans Serif
    MS Shell Dlg 2=MS Sans Serif

    [Compatibility]
    _3DPC=0x00400000
    _BNOTES=0x224000
    _LNOTES=0x00100000
    ACAD=0x8000
    ACT!=0x400004
    ACROBAT=0x04000000
    AD=0x10000000
    ADW30=0x10000000
    ALARMMGR=0x0040000
    ALDSETUP=0x00400000
    AMIPRINT=0x04000000
    AMIPRO=0x04000010
    APORIA=0x0100
    APPROACH=0x0004
    BALER=0x08000000
    BMAPP=0x0004
    CASMONEY=0x00200000
    CAVOIDE=0x00200000
    CCMAIL=0x00200000
    CCMCWFY=0x80
    CHARISMA=0x2000
    CONFIG=0x00400000
    CORELDRW=0x48000
    CORELPNT=0x08000000
    COSTAR=0x0004
    CP=0x0040
    CROSSTIE=0x00000400
    DARCH=0x80
    DESIGNER=0x00002000
    DIRECTOR=0x00800000
    DPLANNER=0x00200000
    DRAW=0x2000
    DS40=0x8000
    DTWIN20=0x00000400
    EAP=0x0004
    ED=0x00010000
    EXCEL=0x1000
    EXPASTRO=0x04000000
    EXTYPWND=0x00200000
    FAXVIEW=0x04000000
    FAXWORKS=0x00000400
    FH4=0x00E08000
    FLW2=0x8000
    FMPRO=0x00200000
    FREEHAND=0x8000
    FULLTEXT=0x20000000
    GIFTMAKE=0x20000000
    GUIDE=0x1000
    HDW=0x04800000
    HGW=0x8000
    HGW2EXE=0x8000
    HGW3EXE=0x8000
    HJDRAW=0x00400000
    IDAPICFG=0x00400000
    IDRAW=0x04008000
    ILLUSTRATOR=0x8000
    IMPROV2=0x00000000
    INFOCENT=0x04000000
    INSIGHT=0x00000400
    INSTAL1=0x00400000
    INSTALL=0x00400000
    INTERMIS=0x10000000
    IS20INST=0x00000000
    IVIHEALT=0x00400000
    JEOPARDY=0x00200000
    JW=0x00000000
    KALOAD2=0x00400000
    KEYCAD=0x8000
    LE_ADMIN=0x00400000
    LUI=0x20000000
    MAILSPL=0x10000000
    MAKER=0x00200000
    MAPS1=0x04008022
    MATH=0x00000001
    MAVIS=0x00200000
    MCOURIER=0x0800
    MFWIN20=0x02000000
    MILESV3=0x1000
    MILESV40=0x4
    MOZART=0x40000000
    MSARTIST=0x00100000
    MSBHUMAN=0x4
    MSREMIND=0x10000000
    MVIEWER2=0x40200000
    MYINV=0x00200000
    MYST=0x08000000
    NAFTA1=0x4008022
    NBAMW4V4=0x04000000
    NETSET2=0x0100
    NOTES=0x200000
    NOTSHELL=0x0001
    OPERATOR=0x02000000
    OUTPOST=0x00000000
    OWLAPP=0x00400000
    PACKRAT=0x0800
    PAINTER=0x00000000
    PAWC8DC3=0x00400000
    PAWIN=0x4
    PEACHW=0x04800004
    PIXIE=0x0040
    PLANIT=0x0004
    PLANNER=0x2000
    PLUS=0x1000
    PM4=0xA000
    PM5APP=0x8000
    PP4=0x00000000
    PR2=0x2000
    PRINTHLP=0x0004
    QAPLUSW=0x0004
    QLIIFAX=0x00400000
    QUAKE=0x80
    QW=0x08000000
    RELAY=0x20000000
    REM=0x8022
    RR2CD=0x00200000
    RX=0x00000400
    RXL=0x00000400
    SETUP=0x00000000
    SIDEKICK=0x0004
    SLEEPER=0x10000000
    SOL=0x00400000
    SPCB=0x04008000
    SPORTJEP=0x00200000
    SPWIN20=0x00400000
    ST2=0x4008022
    STRAUSS=0x40000000
    STRAV=0x40000000
    SCHUBERT=0x40000000
    SSBWIN=0x00200000
    SWCWIN=0x00800004
    TCVWIN=0x00200000
    TCW=0x00400000
    TCWIN=0x0004
    TERRAIN=0x00400000
    TISETUP=0x00200000
    TL6=0x08000000
    TME=0x0100
    TMSWIN=0x20000000
    TMTWIN=0x00200000
    TMTWINCD=0x00200000
    TOUCHUP=0x00400000
    TURBOTAX=0x00080000
    VB=0x0200
    VEWINFIL=0x00400000
    VISIO=0x00000004
    VISIOHM=0x00000004
    VISION=0x0040
    W4GL=0x4000
    W4GLR=0x4000
    WGW=0x00440000
    WIN2WRS=0x1210
    WINCIM=0x4
    WINLINK=0x20000000
    WINPHONE=0x0004
    WINSIM=0x2000
    WINTACH=0x00200000
    WORDSCAN=0x02200000
    WPWINFIL=0x00000006
    WPWIN60=0x00000400
    WPWIN61=0x02000400
    WSETUP=0x00200000
    XPRESS=0x00000008
    ZETA01=0x00400000
    ZIFFBOOK=0x00200000
    NOTIFIER=0x400000

    [Compatibility32]
    CLWORKS=0x00A00000
    MCAD=0x00600000
    PHOTOSHP=0x00208000
    PODW=0x00200000
    SPSSWIN=0x00200000
    TYPSTRY2=0x00200000
    V32VM20=0x02000000
    VISIO=0x00000000
    VISIOHM=0x00000000
    WINPHONE=0x00000004
    WRDART32=0x00400000
    SHELL=0x80000000
    USTATION=0x80000000

    [Compatibility95]
    CHAOS OV=0x80000000
    CONF=0x00000002
    MSDEV=0x00000002
    IMAGE32=0x80000000
    INST32=0x80000000
    AGENTSVR=0x00000002

    [ModuleCompatibility]
    ACEROOBE=0x0004
    AIRNFM=0x0002
    ALDNCD=0x0002
    AMRES=0x0002
    ATM=0x0002
    ARCHANGEL=0x0002
    CSNOV=0x0002
    DEFDEMO=0x0002
    DIBWND=0x0002
    DIB=0x0002
    DS=0x0001
    EMLIB=0x0002
    EMSAVE=0x0002
    FH4=0x0002
    GEDIT=0x0002
    GEORGE=0x0002
    GVBSETUP=0x0002
    HRWCD=0x0002
    ISLFAXPR=0x0002
    KIDDESK=0x0002
    KIDSTYPE=0x0000
    KNPS=0x0002
    LIONKING=0x0002
    MAUI_DRV=0x0002
    MGXWMF=0x0002
    MEMMAP=0x0002
    MSARTIST=0x0002
    MSCRWRTR=0x0002
    MSCUISTF=0x0001
    MVIEWER2=0x0002
    MWAVSCAN=0x0002
    MYINV=0x0002
    OLESVR=0x0002
    PDOXWIN=0x0002
    PLANIT=0x0002
    PP3=0x0002
    PP4=0x0002
    PPPP=0x0002
    PXDSRV2=0x0002
    REVIEWRT=0x0002
    ROULETTE=0x0002
    RRIRJ=0x0002
    RR1=0x0002
    RR2CD=0x0002
    STL_DLG=0x0002
    TECO=0x0001
    TER=0x0002
    TLW0LOC=0x0002
    TMSWIN=0x0002
    USA=0x0002
    VOICE=0x0002
    WFXVIEW=0x0004
    WINFORM=0x0002
    WPWIN61=0x0002

    [TrueType]
    FontSmoothing=1

    [mci extensions]
    mid=Sequencer
    rmi=Sequencer
    wav=waveaudio
    avi=AVIVideo
    cda=CDAudio
    aif=MPEGVideo
    aifc=MPEGVideo
    aiff=MPEGVideo
    au=MPEGVideo
    m1v=MPEGVideo
    m3u=MPEGVideo
    midi=Sequencer
    mov=MPEGVideo
    mp2=MPEGVideo
    mp3=MPEGVideo
    mpa=MPEGVideo
    mpe=MPEGVideo
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=MPEGVideo
    qt=MPEGVideo
    snd=MPEGVideo
    asf=MPEGVideo2
    asx=MPEGVideo2
    ivf=MPEGVideo2
    lsf=MPEGVideo2
    lsx=MPEGVideo2
    mp2v=MPEGVideo
    wax=MPEGVideo2
    wvx=MPEGVideo2
    wm=MPEGVideo2
    wma=MPEGVideo2
    wmv=MPEGVideo2

    [MCICompatibility]
    QTWVideo=0x0001
    MCIXSND=0x0001
    GDAnim=0x0001

    [mciavi]

    [Desktop_Shell]
    Current=Win

    [Pscript.Drv]
    ATMWorkaround=1

    [Ports]
    LPT1:=
    LPT2:=
    LPT3:=
    COM1:=9600,n,8,1,x
    COM2:=9600,n,8,1,x
    COM3:=9600,n,8,1,x
    COM4:=9600,n,8,1,x
    FILE:=

    [embedding]
    Package=Package,Package,packager.exe,picture
    midfile=MIDI Sequence,MIDI Sequence,c:\windows\mplayer.exe /mid,picture
    SoundRec=Wave Sound,Wave Sound,c:\windows\sndrec32.exe,picture
    mplayer=Media Clip,Media Clip,c:\windows\mplayer.exe,picture
    PBrush=Paintbrush Picture,Paintbrush Picture,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
    Paint.Picture=Bitmap Image,Bitmap Image,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
    Wordpad.Document.1=WordPad Document,WordPad Document,C:\PROGRA~1\ACCESS~1\WORDPAD.EXE,picture
    ComicChat.Room.2=Microsoft Chat Room,Microsoft Chat Room,C:\PROGRA~1\Chat\CChat.exe,picture
    Imaging.Document=Image Document,Image Document,C:\WINDOWS\KODAKIMG.EXE,picture
    WangImage.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
    avifile=Video Clip,Video Clip,c:\windows\mplayer.exe /avi,picture

    [Extensions]
    mov=C:\WINDOWS\PLAY32.EXE ^.mov
    pic=C:\WINDOWS\VIEW32.EXE ^.pic

    [Mail]
    MAPI=1
    MAPIX=1

    [Devices]
    Canon i250=CJPDRV50,USBPRN01

    [PrinterPorts]
    Canon i250=CJPDRV50,USBPRN01,15,45

    [Sounds]
    SystemDefault=,

    [MCI Extensions.BAK]
    aif=MPEGVideo
    aifc=MPEGVideo
    aiff=MPEGVideo
    au=MPEGVideo
    m1v=MPEGVideo
    m3u=MPEGVideo
    midi=MPEGVideo
    mov=MPEGVideo
    mp2=MPEGVideo
    mp3=MPEGVideo
    mpa=MPEGVideo
    mpe=MPEGVideo
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=MPEGVideo
    qt=MPEGVideo
    snd=MPEGVideo
    asf=MPEGVideo2
    asx=MPEGVideo2
    ivf=MPEGVideo2
    lsf=MPEGVideo2
    lsx=MPEGVideo2
    mp2v=MPEGVideo
    wax=MPEGVideo2
    wvx=MPEGVideo2
    wm=MPEGVideo2
    wma=MPEGVideo2
    wmv=MPEGVideo2

    [PCDRWIN]
    szCurrentCustomTest=C:\Program Files\PC-Doctor for Windows\DEFUSER.PCB
    iShowStartupScreen=1
    iVerticalButtonBar=1
    iSaveWindowLayout=0
    CurrentLanguage=0
    16BitResourceStrings=
    DWX=110
    DWY=110
    DWSZX=690
    DWSZY=490

    [WCS2000]
    SharedPath=C:\WINDOWS\CSSHARE

    [Lexmark 1000 - Status Monitor]
    Mono LeftBidi Align=9
    Mono RightBidi Align=-9
    Col LeftBidi Align=9
    Col RightBidi Align=-9
    NON BIDI MODE=1
    Current cartridge type=3
    Pending new cartridge=0
    Starboard cartridge type=1
    JobUCT:LPT1:=1061757512
    Yellow Dot Count=4208434
    Magenta Dot Count=3599730
    Cyan Dot Count=2972887
    Min CMY Lev=7
    Black Pigment Ink Level=7
    Cyan Ink Level=7
    Magenta Ink Level=7
    Yellow Ink Level=7
    Alignments Valid=1
    Colour Bidi Align=15

    [Indigo Rose]
    C:\WINDOWS\iun3405.exe=1

    [Twain]
    Default Source=C:\WINDOWS\Twain_32\drvpower.ds

    [DrawDib]
    pnpdrvr.drv 800x600x32(0)=37,5,5,5

    [MSCharMap]
    Font=Symbol

    [O/i PRIMAX Power TWAIN]
    PixelType=2
    Units=0
    Autobright=0
    Brightness=127
    Brightnest=0
    Contrast=0
    Contrasu=0
    Highlight=255
    Highlighu=0
    Shadow=0
    Shadox=0
    Xres=72
    Xret=0
    Yres=72
    Yret=0
    Xzoom=1
    Xzoon=0
    Yzoom=1
    Yzoon=0
    Pixel Flavor=0
    Page Size Left=-3360
    Page Size Lefu=73
    Page Size Right=7982
    Page Size Righu=30917
    Page Size Top=-10358
    Page Size Toq=73
    Page Size Bottom=-10358
    Page Size Botton=73

    Thanks!

    Jim

    :)
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jim,

    Make a copy of this win.ini and save it to another directory.
    Then edit the one in the WINDOWS directory like this:

    Remove this part entirely:
    ;Rem TShoot: norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
    norun=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe

    And change
    [Desktop_Shell]
    Current=Win

    to

    [Desktop_Shell]
    Current=c:\windows\Explorer.exe

    Then reboot and post a new HijackThis log please.

    Regards,

    Pieter
     
  22. Jim M.

    Jim M. Guest

    Pieter,

    Good morning! :)

    Will do tonight after work. Just to be safe, can you link me to a site describing how to edit windows as you describe? It's probably something very simple that I already do in some way or another, but better safe than sorry.

    Again. . . . .THANKS for all the help, Pieter!

    Jim M.
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim,

    These are easy to edit. Open the file in Notepad. Change what you need to change and then save the file.

    That's all there is to it. :)

    Regards,

    Pieter
     
  24. Jim M.

    Jim M. Guest

    :)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:56:37 PM, on 3/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - c:\Program Files\EarthLink TotalAccess\PnEL.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O9 - Extra button: Instant Messenger (SM) (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.6917824074
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: DigiChat Applet - http://host7.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab


    Thanks!

    Jim
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi Jim,

    A few things I would like you to do.
    Download WhatsHappening.
    Run the program and select explorer.exe
    Then click Edit > Copy branch to clipboard.
    Then paste the result into your next post.

    When you double-click c:\windows\Explorer.exe, what happens?
    If it runs, can you EndTask C:\Explorer.exe ?

    Regards,

    Pieter
     