
Windows XP cannot open anything


  • This topic is locked
39 replies to this topic

#1 Johnnyspam


Posted 09 March 2010 - 04:48 PM

Have a friend's laptop. "Windows cannot open this file" is displayed for everything. All icons on the desktop are changed. EXEs will not open. Any help would be much appreciated.

#2 Budapest


Posted 09 March 2010 - 04:50 PM

Probably a virus. Have you tried running an anti-virus scan in Safe Mode?

How to start Windows in Safe Mode
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Johnnyspam


Posted 09 March 2010 - 05:07 PM

Yes. No different. Everything I try to open says "filename.INK" Windows cannot open this file.

#4 Budapest


Posted 09 March 2010 - 05:17 PM

Try running the "EXE File Association Fix" given here: http://www.dougknox.com/xp/file_assoc.htm

#5 Johnnyspam


Posted 10 March 2010 - 04:20 AM

Thanks, I'll give it a try.

#6 Johnnyspam


Posted 13 March 2010 - 07:53 AM

To Budapest, I downloaded the XP EXE fix file but can't open it. I'm not familiar with the procedure if I have to go in and manually enter into the registry. Any suggestions on how to do it would be appreciated very much. Thanks for your help.

#7 Elise


Posted 13 March 2010 - 08:32 AM

Hello,

Please download FixExe.reg

Once it's downloaded, double click on it to run it.

Let me know if that fixes the issue.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#8 Johnnyspam


Posted 14 March 2010 - 07:32 AM

Tried FixExe.reg. Can't open it. Asked for program. Tried regedit, regeditor. Nothing.

#9 Elise


Posted 14 March 2010 - 08:23 AM

Hi again,

Do you know if this computer was infected somehow?

We can attempt to fix this from a PE environment. However, that will require you to download/burn a 270 MB file. Let me know if you wish to try that.

regards, Elise




#10 Johnnyspam


Posted 14 March 2010 - 10:44 AM

Elise025, I'm sure this machine was infected. I was going to try virus scans, HijackThis, etc., but can't open anything. I'm interested in trying your ideas but don't know much about what you're suggesting. I appreciate your help big time. Thanks

#11 ArmyofOne


Posted 14 March 2010 - 11:03 AM

Could be jumping the gun here... but would a hard drive reformat fix this? It would restore Windows to its factory state (however, all data would be lost).
KILL WINDOWS VISTA!!!
2010 ASUStek K50I-RBBGR05 Notebook-Win 7, 4gb Ram (upgraded), Intel Pentium T4400 @2.2ghz
2007 Gateway MT3707 Notebook-Vista SP2, 1gb Ram, Intel Pentium D/C T2060 @ 1.60ghz, CONSTANT problems.
2005 Toshiba Satellite A105-WinXP Home, 1gb Ram (upgraded), Intel Celeron M @1.60ghz, Not a problem yet.

#12 Elise


Posted 14 March 2010 - 11:41 AM

Hi Johnnyspam, see instructions below. I am moving this topic to the correct forum.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292 MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise




#13 Johnnyspam


Posted 14 March 2010 - 04:26 PM

Hey Elise025, thanks, here's the log.

OTL logfile created on: 3/14/2010 6:04:11 PM - Run
OTLPE by OldTimer - Version 3.1.35.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 303.00 Mb Available Physical Memory | 60.00% Memory free
454.00 Mb Paging File | 332.00 Mb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.88 Gb Total Space | 28.19 Gb Free Space | 50.44% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet001

========== Win32 Services (SafeList) ==========

SRV - [2009/11/25 16:42:18 | 000,583,640 | ---- | M] (PC Tools) [Auto] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2007/10/02 17:27:12 | 001,415,496 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\swdsvc.exe -- (sdCoreService)
SRV - [2007/10/02 17:27:06 | 000,742,216 | ---- | M] (PC Tools) [On_Demand] -- C:\Program Files\Spyware Doctor\svcntaux.exe -- (sdAuxService)
SRV - [2007/07/25 19:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/07/25 19:32:34 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/07/25 19:29:38 | 000,987,136 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/07/25 19:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/11/11 17:43:04 | 000,548,864 | ---- | M] (McAfee Corporation) [Auto] -- C:\Program Files\McAfee.com\Personal Firewall\MpfService.exe -- (MpfService)
SRV - [2005/10/13 20:56:16 | 000,126,976 | ---- | M] (McAfee, Inc) [Auto] -- c:\Program Files\McAfee.com\Agent\Mcdetect.exe -- (McDetect.exe)
SRV - [2005/08/24 19:01:04 | 000,122,368 | ---- | M] (McAfee, Inc) [Auto] -- c:\Program Files\McAfee.com\Agent\McTskshd.exe -- (McTskshd.exe)
SRV - [2005/08/10 14:22:02 | 000,221,184 | ---- | M] (McAfee Inc.) [Auto] -- c:\Program Files\McAfee.com\VSO\McShield.exe -- (McShield)
SRV - [2005/07/12 21:10:18 | 000,963,072 | ---- | M] (McAfee Inc.) [Auto] -- C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe -- (MskService)
SRV - [2005/07/01 22:22:50 | 000,245,760 | ---- | M] (McAfee, Inc) [On_Demand] -- C:\Program Files\McAfee.com\Agent\mcupdmgr.exe -- (mcupdmgr.exe)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (UIUSys)
DRV - File not found [Kernel | On_Demand] -- -- (PNDIS5)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/10/04 18:10:58 | 000,079,688 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iksyssec.sys -- (IKSysSec)
DRV - [2007/10/04 18:10:54 | 000,062,280 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iksysflt.sys -- (IKSysFlt)
DRV - [2007/10/04 18:10:52 | 000,041,288 | ---- | M] (PCTools Research Pty Ltd.) [File_System | On_Demand] -- C:\WINDOWS\system32\drivers\ikfilesec.sys -- (IKFileSec)
DRV - [2007/08/08 11:17:54 | 002,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/05/29 18:29:30 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/03/31 00:34:14 | 005,704,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/11/21 07:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 03:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 22:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 20:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/03/24 20:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/12/01 04:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 04:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 04:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/11/11 17:43:52 | 000,080,640 | ---- | M] (McAfee) [Kernel | System] -- C:\WINDOWS\system32\drivers\MpFirewall.sys -- (MPFIREWL)
DRV - [2005/08/10 14:22:10 | 000,114,464 | ---- | M] (McAfee Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\naiavf5x.sys -- (NaiAvFilter1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Tarabear_ON_C\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Tarabear_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Tarabear_ON_C\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\Tarabear_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\Tarabear_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Tarabear_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Tarabear_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/09/09 20:01:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/27 17:57:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/27 17:57:23 | 000,000,000 | ---D | M]

[2010/02/16 00:44:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/09/09 20:01:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com
[2009/07/09 17:07:35 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2009/07/09 17:07:01 | 000,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2009/07/09 17:07:01 | 000,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2009/07/09 17:07:01 | 000,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2009/07/09 17:07:07 | 000,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2009/07/09 17:07:08 | 000,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2004/08/10 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McBrwHelper Class) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\Program Files\McAfee.com\MPS\McBrHlpr.dll (McAfee, Inc.)
O2 - BHO: (McAfee Privacy Service Popup Blocker) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\Program Files\McAfee.com\MPS\PopupKiller.dll (McAfee, Inc.)
O2 - BHO: (McAfee AntiPhishing Filter) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Browser Helper Object) - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\_lib.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (McAfee VirusScan) - {BA52B914-B692-46c4-B683-905236F6F655} - c:\Program Files\McAfee.com\VSO\mcvsshl.dll (McAfee, Inc.)
O3 - HKU\Tarabear_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MCAgentExe] c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc)
O4 - HKLM..\Run: [MCUpdateExe] c:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc)
O4 - HKLM..\Run: [MPFExe] C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe (McAfee Security)
O4 - HKLM..\Run: [MPSExe] c:\Program Files\McAfee.com\MPS\mscifapp.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKAGENTEXE] c:\Program Files\McAfee\SpamKiller\MSKAgent.exe (McAfee Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe (McAfee, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe File not found
O4 - HKLM..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe (McAfee, Inc.)
O4 - HKLM..\Run: [VSOCheckTask] C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe (McAfee, Inc.)
O4 - HKU\Tarabear_ON_C..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKU\Tarabear_ON_C..\Run: [AWMON] C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe (Lavasoft Sweden)
O4 - HKU\Tarabear_ON_C..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Tarabear_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\Program Files\McAfee\SpamKiller\McApfBHO.dll (McAfee, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\WINDOWS\System32\mclsp.dll (McAfee, Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.com/books/_Players/MathPlayer.cab (Pearson MathXL Player)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.37.23 205.152.144.23
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/06 23:00:18 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/13 09:18:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tarabear\My Documents\xp_exe_fix
[2010/03/09 17:09:07 | 003,558,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/07 13:23:18 | 095,829,360 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Tarabear\My Documents\avg_free_stf_all_90_787a2721.exe
[2010/03/07 13:10:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tarabear\Local Settings\Application Data\Temp
[2010/02/16 00:15:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2005/05/11 23:36:48 | 000,012,288 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\Fonts\RandFont.dll
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/14 18:04:31 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/03/14 16:54:41 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/03/14 16:54:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/14 16:54:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/14 16:54:32 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Tarabear\NTUSER.DAT
[2010/03/14 16:54:32 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Tarabear\ntuser.ini
[2010/03/14 16:53:35 | 000,138,976 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2010/03/14 16:51:48 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/14 08:42:15 | 001,608,404 | -H-- | M] () -- C:\Documents and Settings\Tarabear\Local Settings\Application Data\IconCache.db
[2010/03/14 08:15:38 | 000,445,002 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 08:15:38 | 000,384,698 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 08:15:38 | 000,054,528 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/13 09:58:30 | 000,000,335 | ---- | M] () -- C:\Documents and Settings\Tarabear\My Documents\FixExe.reg
[2010/03/13 08:24:44 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/12 05:14:46 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/09 20:29:50 | 000,000,745 | ---- | M] () -- C:\Documents and Settings\Tarabear\My Documents\xp_exe_fix.zip
[2010/03/09 17:28:04 | 000,002,146 | ---- | M] () -- C:\Documents and Settings\Tarabear\My Documents\xp_fileassoc.zip
[2010/03/09 17:26:34 | 000,010,752 | ---- | M] () -- C:\exefix_xp.com
[2010/03/07 13:25:21 | 095,829,360 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Tarabear\My Documents\avg_free_stf_all_90_787a2721.exe
[2010/03/07 10:14:46 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Tarabear\Desktop\My Computer.lnk
[2010/02/26 15:05:03 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/24 00:35:01 | 000,000,356 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (TARA-Tarabear).job
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/14 08:22:11 | 000,000,335 | ---- | C] () -- C:\Documents and Settings\Tarabear\My Documents\FixExe.reg
[2010/03/13 10:05:29 | 000,010,752 | ---- | C] () -- C:\exefix_xp.com
[2010/03/13 08:38:21 | 000,000,745 | ---- | C] () -- C:\Documents and Settings\Tarabear\My Documents\xp_exe_fix.zip
[2010/03/13 08:35:17 | 000,002,146 | ---- | C] () -- C:\Documents and Settings\Tarabear\My Documents\xp_fileassoc.zip
[2010/03/09 20:34:05 | 000,002,600 | ---- | C] () -- C:\xp_exe_fix.reg
[2010/03/07 10:14:46 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Tarabear\Desktop\My Computer.lnk
[2008/08/03 22:19:16 | 000,000,214 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/03/26 14:23:22 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\Tarabear\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/10/30 13:10:05 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/10/18 19:41:25 | 000,000,167 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2007/10/18 19:40:35 | 000,000,686 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2007/09/09 17:35:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/07 00:36:21 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2007/09/07 00:35:40 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2007/09/07 00:07:30 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Tarabear\Local Settings\Application Data\fusioncache.dat
[2005/08/05 17:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/08/10 07:00:00 | 000,020,580 | ---- | C] () -- C:\WINDOWS\batmeter16.dll
[2004/08/10 07:00:00 | 000,000,325 | ---- | C] () -- C:\WINDOWS\System32\ntnet.drv
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2007/10/30 14:16:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarabear\Application Data\acccore
[2007/09/18 18:06:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarabear\Application Data\HorizonWimba
[2008/06/29 16:53:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarabear\Application Data\LimeWire
[2007/10/30 21:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tarabear\Application Data\Viewpoint

========== Purity Check ==========


< End of report >


#14 Elise


Posted 15 March 2010 - 01:07 PM

Well, it seems the whole exe file extension has disappeared from the registry.

Please re-run OTLPE and copy the text in the codebox below into the "custom scan/fix" field. Click "run fix".
CODE
:reg
[HKEY_CLASSES_ROOT\.exe]
""="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
""="{098f2470-bae0-11cd-b579-08002b30bfeb}"
[HKEY_CLASSES_ROOT\exefile]
""="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
""="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
""="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
""="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shellex]
[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
""="{86C86720-42A0-1069-A2E8-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
""="{09A63660-16F9-11d0-B1DF-004F56001CA7}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
""="{86F19A00-42A0-1069-A2E9-08002B30309D}"
[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
""="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

Note, make sure you copied ALL text in the codebox!

Afterwards, let me know if the issue is fixed or not.

Edited by elise025, 17 March 2010 - 02:24 AM.
fixed the script

regards, Elise


Malware analyst @ Emsisoft
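A check for the association chain that the fix above restores, added here as an example and not the thread's or OTL's own code: it parses the .reg-style text OTL's :reg section uses and reports a missing HKEY_CLASSES_ROOT\.exe key, as on this laptop, and also the case where exefile\shell\open\command no longer launches "%1" itself, which goes beyond what this thread shows. The function names, the sample registry text and the placeholder path are mine.

```python
"""Audit the Windows .exe file-association chain from .reg-style text.

Added example for this thread, not part of the thread or of OTL. All sample
registry text below is constructed for the demonstration.
"""
import re

# Healthy values for the association chain (Windows XP defaults).
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", ""): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", ""): '"%1" %*',
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')


def _unquote(raw: str) -> str:
    """Decode a .reg string literal ("..." with \\" and \\\\ escapes); other types stay raw."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text: str) -> dict:
    """Parse .reg-style text into {key_path: {value_name: value}}.

    A key's default value is stored under the empty name "": OTL scripts
    write it as ""=..., Regedit exports write it as @=...
    """
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(":") or line.upper() == "CODE":
            continue  # blank line, OTL section marker, or forum codebox label
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # value line before any key header: malformed, skip it
        val_match = _VAL_RE.match(line)
        if val_match:
            keys[current][val_match.group("name")] = _unquote(val_match.group("value"))
        elif line.startswith("@="):
            keys[current][""] = _unquote(line[2:])
    return keys


def audit_exe_association(reg: dict) -> list:
    """Return findings for the .exe chain; an empty list means it is intact.

    A missing key reproduces the situation in this thread. A command other
    than "%1" %* means something else runs for every executable the user
    opens, which is the other common way this chain breaks.
    """
    findings = []
    for (key, name), want in EXPECTED.items():
        values = reg.get(key)
        if values is None:
            findings.append(f"missing key: {key}")
        elif name not in values:
            findings.append(f"missing default value under {key}")
        elif values[name] != want:
            findings.append(f"unexpected value under {key}: {values[name]!r} (expected {want!r})")
    return findings


# Constructed sample 1: the relevant part of a healthy chain, in OTL :reg format.
HEALTHY_REG = r'''
:reg
[HKEY_CLASSES_ROOT\.exe]
""="exefile"
[HKEY_CLASSES_ROOT\exefile]
""="Application"
"EditFlags"=hex:38,07,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
""="\"%1\" %*"
'''

# Constructed sample 2: the .exe key is gone entirely, as on the laptop in this thread.
MISSING_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
""="\"%1\" %*"
'''

# Constructed sample 3: Regedit-export style, open command pointing at another
# program first. The path is a placeholder, not a real sample.
REDIRECTED_REG = r'''
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\other.exe\" \"%1\" %*"
'''


def main() -> None:
    for label, text in (("healthy", HEALTHY_REG), ("missing", MISSING_REG),
                        ("redirected", REDIRECTED_REG)):
        findings = audit_exe_association(parse_reg(text))
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")


if __name__ == "__main__":
    main()
```

To audit a live machine instead of pasted text, export HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile with Regedit (or read them from the offline hive under OTLPE) and feed the export to parse_reg.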


#15 Johnnyspam


Posted 15 March 2010 - 06:09 PM

Is there an easy way to copy and save so I don't miss anything? It won't let me save it. File type? Or is it all entered manually?



