adware and infected file problems, files keep propagating themselves, no DOS ??


niteowl

Hi all,

got called to a friend's house who has win2k SP4 installed and was having
trouble with adware and virus infections. When I first got there I
used McAfee's Stinger file for a quick check of major/common infections;
none were found. I even tried "fprotdos" run in safe mode, but it found
nothing either. (I wasn't sure it would even run since it's a DOS
program, but it "appeared" to run, but didn't find anything.) I then
updated and ran Spybot Search and Destroy, Adaware 6 and Norton 2004,
with latest updates, and finally I installed Trojan Hunter 3.8 with
latest defs.

All those programs found several hundred "at risk" files.

Some of the files resided in the "RECYCLER" folder, and while most could
be manually deleted (in Windows Explorer), a few couldn't, one was
named: S-1-5-21-220523388-152049171-854245398-1001

the other files that Norton lists that refer back to that file are:

Dc11.exe Adware Ezula
Dc12.exe Adware Incredifind
Dc13.exe Adware StatBlaster
Dc14.exe Adware StatBlaster
Dc15.exe Adware StatBlaster

C:\WINNT\SYSTEM32\Gay1ZPSb.exe (I was able to manually delete this one
in Windows Explorer)


Ran another Norton scan of the system32 folder and came up with several
different files showing as "at risk", Norton deleted all but 2 this time,

RtaWJ.exe and SczOOJ3.exe were the ones left and couldn't be deleted.

Is there no DOS in Win2000??????? How do I manually remove these
without starting windows???? She is using NTFS. There is a 31M
partition (?) that is FAT or FAT32, though I only see it when
defragging, I don't know how to 'use' it. ???

When Norton showed me the infected or at risk files, I deleted them,
then the ones it couldn't remove I chose to "skip" instead of "Exclude"
them at the final window..
I assume "excluding" them means they would be ignored on the next scan.
I rescanned immediately and the

3rd time found 5 new 'infected' files, deleted most, but still left the
SczOOJ3.exe file.

4th time: found 9 new files, left Vbcv2.exe behind. ??

5th time: found 9 new files, left 2: MuwqK7ev.exe and Usd13Q.exe

Help!!! these scans were run one right after the other, so these files
are propagating faster than I can remove them. ???

Is there another program that will clean these? or some way to access
them without having them "run" when booting up to windows? I've always
been able to get the HD clean before using the above combination of
programs in win98, but this one is baffling me as I'm not that versed in
win2000.

ANY ideas of what I can do now would be greatly appreciated. I spent 7
hours messing with these last night and just couldn't get past this.

thanks,
niteowl
 
Some things to try;

1.) You'll need to first stop the process that loads them. Natively you can;
Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP

2.) The recycle bin may contain a corrupt, or otherwise incorrect
information file. If format is FAT, then from a command prompt change to the
recycler directory, then do a dir to see what files you might find and
delete any files found, then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file.

If format is NTFS then change to the recycler directory then change to the
hidden directory named for your SID (this can be found from within Explorer,
(by expanding the recycler folder). Then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file

Then the next time you move files to the recycle bin another hidden info
file will be created.

Another option is to delete only the info or info2 file (in the recycler
dir) and then restart the pc, then a new and correct information file will
be created in the recycler directory.

3.) From a command prompt try;

del \\.\Drive:\directory\filename
(Note: the period between \\ and \)

Also

dir /x
and try deleting them using their 8.3 short names.

4.) Try deleting them from the recovery console. First you'll need to
Control Panel|Admin Tools|Local Security Policy Recovery console:"Allow
floppy copy and access to all drives/folders" set to enabled


To start the Recovery Console, start the computer from the Windows 2000
Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
floppy disks and your computer cannot start from the Windows 2000 Setup CD,
use another Windows 2000-based computer to create the Setup floppy disks.
Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
2000 installation, and then press C to use the Recovery Console. The
Recovery Console then prompts you for the administrator password. If you do
not have the correct password, Recovery Console does not allow access to the
computer. If an incorrect password is entered three times, the Recovery
Console quits and restarts the computer. Once the password has been
validated, you have full access to the Recovery Console, but limited access
to the hard disk. You can only access the following folders on your
computer: %systemroot% and %windir%

Then from the recovery console command line;
SET allowallpaths = TRUE

to gain access to all folders and try deleting from here.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


:
|
| Hi all,
|
| got called to a friend's house who has win2k SP4 installed and was having
| trouble with adware and virus infections. When I first got there I
| used McAfee's Stinger file for a quick check of major/common infections;
| none were found. I even tried "fprotdos" run in safe mode, but it found
| nothing either. (I wasn't sure it would even run since it's a DOS
| program, but it "appeared" to run, but didn't find anything.) I then
| updated and ran Spybot Search and Destroy, Adaware 6 and Norton 2004,
| with latest updates, and finally I installed Trojan Hunter 3.8 with
| latest defs.
|
| All those programs found several hundred "at risk" files.
|
| Some of the files resided in the "RECYCLER" folder, and while most could
| be manually deleted (in Windows Explorer), a few couldn't, one was
| named: S-1-5-21-220523388-152049171-854245398-1001
|
| the other files that Norton lists that refer back to that file are:
|
| Dc11.exe Adware Ezula
| Dc12.exe Adware Incredifind
| Dc13.exe Adware StatBlaster
| Dc14.exe Adware StatBlaster
| Dc15.exe Adware StatBlaster
|
| C:\WINNT\SYSTEM32\Gay1ZPSb.exe (I was able to manually delete this one
| in Windows Explorer)
|
|
| Ran another Norton scan of the system32 folder and came up with several
| different files showing as "at risk", Norton deleted all but 2 this time,
|
| RtaWJ.exe and SczOOJ3.exe were the ones left and couldn't be deleted.
|
| Is there no DOS in Win2000??????? How do I manually remove these
| without starting windows???? She is using NTFS. There is a 31M
| partition (?) that is FAT or FAT32, though I only see it when
| defragging, I don't know how to 'use' it. ???
|
| When Norton showed me the infected or at risk files, I deleted them,
| then the ones it couldn't remove I chose to "skip" instead of "Exclude"
| them at the final window..
| I assume "excluding" them means they would be ignored on the next scan.
| I rescanned immediately and the
|
| 3rd time found 5 new 'infected' files, deleted most, but still left the
| SczOOJ3.exe file.
|
| 4th time: found 9 new files, left Vbcv2.exe behind. ??
|
| 5th time: found 9 new files, left 2: MuwqK7ev.exe and Usd13Q.exe
|
| Help!!! these scans were run one right after the other, so these files
| are propagating faster than I can remove them. ???
|
| Is there another program that will clean these? or some way to access
| them without having them "run" when booting up to windows? I've always
| been able to get the HD clean before using the above combination of
| programs in win98, but this one is baffling me as I'm not that versed in
| win2000.
|
| ANY ideas of what I can do now would be greatly appreciated. I spent 7
| hours messing with these last night and just couldn't get past this.
|
| thanks,
| niteowl
|
 
Thanks Dave... I'll give it a go.. I'm going back over there shortly..

I have some questions between the paragraphs:::

On 5/1/04 9:56 AM Dave Patrick shared with me these great words of wisdom...
Some things to try;

1.) You'll need to first stop the process that loads them. Natively you can;
Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

What is the minimum that has to be left running for win2k to operate? I
know in win98 I only have to leave explorer and systray on.
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP

XP?? this a windows 2000 SP4 machine... is that a typo??
2.) The recycle bin may contain a corrupt, or otherwise incorrect
information file. If format is FAT, then from a command prompt change to the
recycler directory, then do a dir to see what files you might find and
delete any files found, then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file.

If format is NTFS then change to the recycler directory then change to the
hidden directory named for your SID (this can be found from within Explorer,
(by expanding the recycler folder).

what's an SID? and how do I "expand" the folder???? Why is there a
"RECYCLER" and a "Recycle Bin" folder??
Then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file

Then the next time you move files to the recycle bin another hidden info
file will be created.

Another option is to delete only the info or info2 file (in the recycler
dir) and then restart the pc, then a new and correct information file will
be created in the recycler directory.

3.) From a command prompt try;

del \\.\Drive:\directory\filename
(Note: the period between \\ and \)

Also

dir /x
and try deleting them using their 8.3 short names.

4.) Try deleting them from the recovery console. First you'll need to
Control Panel|Admin Tools|Local Security Policy Recovery console:"Allow
floppy copy and access to all drives/folders" set to enabled


To start the Recovery Console, start the computer from the Windows 2000
Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
floppy disks and your computer cannot start from the Windows 2000 Setup CD,
use another Windows 2000-based computer to create the Setup floppy disks.
Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
2000 installation, and then press C to use the Recovery Console. The
Recovery Console then prompts you for the administrator password. If you do
not have the correct password, Recovery Console does not allow access to the
computer. If an incorrect password is entered three times, the Recovery
Console quits and restarts the computer. Once the password has been
validated, you have full access to the Recovery Console, but limited access
to the hard disk. You can only access the following folders on your
computer: %systemroot% and %windir%

Then from the recovery console command line;
SET allowallpaths = TRUE

to gain access to all folders and try deleting from here.


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
 
:
| Thanks Dave... I'll give it a go.. I'm going back over there shortly..
|
| I have some questions between the paragraphs:::
|
| What is the minimum that has to be left running for win2k to operate? I
| know in win98 I only have to leave explorer and systray on.
* Probably almost all of these 'Startup' and 'Run' key entries are not
necessary for the core operating system. The idea here was to look for those
that are of a suspicious nature and stop them from loading at startup which
in turn would allow you to delete the 'inuse' files.


| what's an SID? and how do I "expand" the folder???? Why is there a
| "RECYCLER" and a "Recycle Bin" folder??
* 1.) An SID would be something along the line of
S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler' highlighted
in the left pane the hidden system folder with a user SID for name should be
displayed. If you don't see it then Explorer|Tools|Folder Options|View, then
radio button for "Show hidden files and folders", then uncheck the box for
"Hide protected operating system files"
2.) The additional folder may be a result of Norton SystemWorks (or some
variant) taking control of the recycle bin.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Partial quick answer in case Dave doesn't see this for a while:
Thanks Dave... I'll give it a go.. I'm going back over there shortly..

I have some questions between the paragraphs:::


XP?? this a windows 2000 SP4 machine... is that a typo??

msconfig is not included in W2k, but is distributed with XP and works
with W2k just fine. Get msconfig from a copy of XP, or from the web,
where it's downloadable from several sites. It's a user-friendly tool
for manipulating the startup list.
 
Missed one.

No, not a typo. XP's msconfig will work fine on Windows 2000.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


:
| > or copy msconfig from Windows XP
|
| XP?? this a windows 2000 SP4 machine... is that a typo??
 
okay, great!

thanks Dave and Dan for the info, am heading over there now to try these
out.

I'll do a google on the XP msconfig and hopefully be able to download it
when I get over there...

one step at a time.. huh? ;-)

thanks again,
niteowl (gary)


On 5/1/04 11:52 AM Dave Patrick shared with me these great words of
wisdom...
Missed one.

No, not a typo. XP's msconfig will work fine on Windows 2000.


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
 
--
Photographic Images
Tel. 941-475-5148
www.heidemariephoto.com
Fax. 941-475-2128
Dave Patrick said:
:
| Thanks Dave... I'll give it a go.. I'm going back over there shortly..
|
| I have some questions between the paragraphs:::
|
| What is the minimum that has to be left running for win2k to operate? I
| know in win98 I only have to leave explorer and systray on.
* Probably almost all of these 'Startup' and 'Run' key entries are not
necessary for the core operating system. The idea here was to look for those
that are of a suspicious nature and stop them from loading at startup which
in turn would allow you to delete the 'inuse' files.

I unchecked several that looked suspicious, but on reboot they showed up
checked again. ????
| what's an SID? and how do I "expand" the folder???? Why is there a
| "RECYCLER" and a "Recycle Bin" folder??
* 1.) An SID would be something along the line of
S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler' highlighted
in the left pane the hidden system folder with a user SID for name should be
displayed. If you don't see it then Explorer|Tools|Folder Options|View, then
radio button for "Show hidden files and folders", then uncheck the box for
"Hide protected operating system files"
2.) The additional folder may be a result of Norton SystemWorks (or some
variant) taking control of the recycle bin.


Okay, this was already set this way, I could see that "folder", the icon is
a trash can, but can't delete it, and can't "see" anything about it. I can't
find a way to get a command prompt, and I don't see any "info*" file unless
that SID is the file you are referring to. ??




--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
:
| I unchecked several that looked suspicious, but on reboot they showed up
| checked again. ????
* What were the file names of the executables?

|
| Okay, this was already set this way, I could see that "folder", the icon
| is a trash can, but can't delete it, and can't "see" anything about it. I
| can't find a way to get a command prompt, and I don't see any "info*" file
| unless that SID is the file you are referring to. ??

* Start|Run|cmd.exe
then as an example
cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Dave and Dan,

I was finally (after 11 hours) able to get this system clean. (whew!!)

your help was what made it possible, THANK YOU!!

it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
am now running Trojan Hunter.

Here is a list made from the startup list: anything look hinkey to you? I
put a "*" in front of the ones I don't know about.

thanks.
niteowl

System Information report written at: 05/01/2004 06:49:01 PM
[Startup Programs]

Program | Command | User Name | Location
ClipMate5 | d:\progra~1\clipma~1\clipmt51.exe | BURKE\Burke1 | Startup
ctfmon.exe | ctfmon.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PopUpStopperFreeEdition | "d:\progra~1\panicw~1\pop-up~1\psfree.exe" | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*Brct | c:\documents and settings\burke1\application data\oeet.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LDM | \program\backweb-8876480.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Gamma Loader.exe | c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe | All Users | Common Startup
*EM_EXEC | c:\progra~1\logitech\mousew~1\system\em_exec.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dimension4 | d:\program files\d4\d4.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tb2initPath | "d:\program files\timbuktu pro\tb2init.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tweak UI | rundll32.exe tweakui.cpl,tweakmeup | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp | "c:\program files\common files\symantec shared\ccapp.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C84 Series | c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84 series" /o5 "lpt1:" /m "stylus c84" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
THGuard | "d:\program files\trojanhunter 3.8\thguard.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager | mobsync.exe /logon | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe | "c:\program files\common files\real\update_ob\realsched.exe" -osboot | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*TCASUTIEXE | tcaudiag -off | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task | "c:\program files\quicktime\qttask.exe" -atboottime | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mirabilis ICQ | d:\program files\icq\icqnet.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DataCaching | c:\progra~1\dataca~1\flashksk.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CreateCD50 | "c:\program files\common files\adaptec shared\createcd\createcd50.exe" -r | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD | "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
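As an added illustration (not code from anyone in this thread), here is a Python script that parses the text export of the System Information "Startup Programs" list shown above and flags entries worth looking up, along the lines Dave suggests: commands with no absolute path, programs launched from a user profile directory or the Recycler, and random-looking file names like the ones Norton kept reporting. The tab-separated column layout is an assumption about the export, and the sample rows are constructed from the report above (the "Svc" row is invented to carry one of the reported file names).

```python
"""Triage the [Startup Programs] section of a Windows 2000 System Information
text report. Added example; assumes the export separates columns with tabs."""
import re
from typing import Dict, List, NamedTuple


class StartupEntry(NamedTuple):
    program: str
    command: str
    user: str
    location: str


# Constructed sample built from the report in the thread (layout assumed).
USER_RUN = r"HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REPORT = "\n".join([
    "System Information report written at: 05/01/2004 06:49:01 PM",
    "[Startup Programs]",
    "",
    "Program\tCommand\tUser Name\tLocation",
    "ClipMate5\td:\\progra~1\\clipma~1\\clipmt51.exe\tBURKE\\Burke1\tStartup",
    "ctfmon.exe\tctfmon.exe\tBURKE\\Burke1\t" + USER_RUN,
    "Brct\tc:\\documents and settings\\burke1\\application data\\oeet.exe\tBURKE\\Burke1\t" + USER_RUN,
    "LDM\t\\program\\backweb-8876480.exe\tBURKE\\Burke1\t" + USER_RUN,
    "Tweak UI\trundll32.exe tweakui.cpl,tweakmeup\tAll Users\t" + HKLM_RUN,
    'ccApp\t"c:\\program files\\common files\\symantec shared\\ccapp.exe"\tAll Users\t' + HKLM_RUN,
    "TCASUTIEXE\ttcaudiag -off\tAll Users\t" + HKLM_RUN,
    # invented row that reuses a file name Norton reported in the thread
    "Svc\tc:\\winnt\\system32\\MuwqK7ev.exe\tAll Users\t" + HKLM_RUN,
])

_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|pif|cpl|dll))', re.IGNORECASE)
_ABS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# mixed upper/lower letters plus digits, 5-10 chars: the shape of the names
# Norton kept finding (Gay1ZPSb, SczOOJ3, MuwqK7ev, Usd13Q)
_RANDOM_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])(?=.*[a-z])[A-Za-z0-9]{5,10}$")


def parse_startup_report(text: str) -> List[StartupEntry]:
    """Return the rows of the [Startup Programs] section as entries."""
    entries: List[StartupEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.startswith("["):            # any "[Section]" header
            in_section = line.strip().lower() == "[startup programs]"
            continue
        if not in_section or not line.strip():
            continue
        cols = line.split("\t")
        if cols[0] == "Program" or len(cols) < 4:
            continue                        # column header or stray line
        entries.append(StartupEntry(*(c.strip() for c in cols[:4])))
    return entries


def executable_of(command: str) -> str:
    """Pull the launched file out of a Run-key command line. Handles quoted
    and unquoted paths with spaces; falls back to the first token."""
    command = command.strip()
    m = _EXE_RE.match(command)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def triage(entry: StartupEntry) -> List[str]:
    """Reasons this entry deserves a look; an empty list means nothing odd.
    A hit is a prompt to look the file up, not proof of infection."""
    exe = executable_of(entry.command)
    low = exe.lower()
    reasons: List[str] = []
    if not _ABS_RE.match(exe):
        reasons.append("no absolute path: resolved via PATH or the current drive")
    if "\\documents and settings\\" in low:
        reasons.append("runs from a user profile directory")
    if "\\recycler\\" in low or "\\temp\\" in low:
        reasons.append("runs from a temp or Recycler directory")
    stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if _RANDOM_RE.match(stem):
        reasons.append("random-looking file name")
    return reasons


def triage_report(text: str) -> Dict[str, List[str]]:
    """Map program name -> reasons, for every entry that earned at least one."""
    return {e.program: triage(e) for e in parse_startup_report(text) if triage(e)}


if __name__ == "__main__":
    for name, why in triage_report(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(why)}")
```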
 
Nothing there jumps out at me but try quoting the file name of the EXE (with
extension) and search them out here.
http://www.google.com/

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


:
| Dave and Dan,
|
| I was finally (after 11 hours) able to get this system clean. (whew!!)
|
| your help was what made it possible, THANK YOU!!
|
| it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
| am now running Trojan Hunter.
|
| Here is a list made from the startup list: anything look hinkey to you? I
| put a "*" in front of the ones I don't know about.
|
| thanks.
| niteowl
|
| System Information report written at: 05/01/2004 06:49:01 PM
| [Startup Programs]
|
| Program | Command | User Name | Location
| ClipMate5 | d:\progra~1\clipma~1\clipmt51.exe | BURKE\Burke1 | Startup
| ctfmon.exe | ctfmon.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| PopUpStopperFreeEdition | "d:\progra~1\panicw~1\pop-up~1\psfree.exe" | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| *Brct | c:\documents and settings\burke1\application data\oeet.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| LDM | \program\backweb-8876480.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Adobe Gamma Loader.exe | c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe | All Users | Common Startup
| *EM_EXEC | c:\progra~1\logitech\mousew~1\system\em_exec.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Dimension4 | d:\program files\d4\d4.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Tb2initPath | "d:\program files\timbuktu pro\tb2init.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Tweak UI | rundll32.exe tweakui.cpl,tweakmeup | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| ccApp | "c:\program files\common files\symantec shared\ccapp.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| EPSON Stylus C84 Series | c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84 series" /o5 "lpt1:" /m "stylus c84" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| THGuard | "d:\program files\trojanhunter 3.8\thguard.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Synchronization Manager | mobsync.exe /logon | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| TkBellExe | "c:\program files\common files\real\update_ob\realsched.exe" -osboot | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| *TCASUTIEXE | tcaudiag -off | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| QuickTime Task | "c:\program files\quicktime\qttask.exe" -atboottime | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Mirabilis ICQ | d:\program files\icq\icqnet.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| DataCaching | c:\progra~1\dataca~1\flashksk.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| CreateCD50 | "c:\program files\common files\adaptec shared\createcd\createcd50.exe" -r | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| AdaptecDirectCD | "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
|
 
Dave Patrick said:
| Okay, this was already set this way, I could see that "folder", the icon
| is a trash can, but can't delete it, and can't "see" anything about it. I
| can't find a way to get a command prompt, and I don't see any "info*" file
| unless that SID is the file you are referring to. ??
* Start|Run|cmd.exe
then as an example
cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500

It's far easier and cleaner to delete the entire Recycle Bin and let
Windows start over. After opening the command prompt, type

RD /s \Recycler
 
Instead of ploughing through the Registry looking for stuff run/initiated at
bootup, you might want to get a little freeware program called
StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
you easily see and control all sources of boot-time program invocation.

Do a Google search to find a download location.

 
Jay,

Startup Manager v1.1 (1.1.3.3) (598 Kbyte)
Startup Manager v1.5 (1.5.2.25) (614 Kbyte)

were the two links I could find on google, but it also says the author
and his related pages are now defunct.

I downloaded them but have not tried them yet. Are you familiar with
either of these versions? Do you have any other more current links?

thanks,
niteowl

On 5/2/04 8:39 AM Jay Somerset shared with me these great words of wisdom...
Instead of ploughing through the Registry looking for stuff run/initiated at
bootup, you might want to get a little freeware program called
StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
you easily see and control all sources of boot-time program invocation.

Do a Google search to find a download location.



--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
 
Gary,
RD /s \Recycler

what is this command actually doing? I assume RD is "remove directory",
but what's the "/s \Recycler" doing?

thanks,
niteowl

| Okay, this was already set this way, I could see that "folder", the icon
| is a trash can, but can't delete it, and can't "see" anything about it. I
| can't find a way to get a command prompt, and I don't see any "info*" file
| unless that SID is the file you are referring to. ??
* Start|Run|cmd.exe
then as an example
cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500

It's far easier and cleaner to delete the entire Recycle Bin and let
Windows start over. After opening the command prompt, type

RD /s \Recycler


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
 
what is this command actually doing? I assume RD is "remove directory",
but what's the "/s \Recycler" doing?

Yes, RD is Remove Directory. The /s option tells it to remove the
specified folder and all of its contents. \Recycler is the actual name of
the folder that Win2K uses for Recycle Bin operations. It's typically
hidden, so you won't see it in Explorer unless you've set the option to
display hidden files and folders (which I recommend doing).

Deleting that folder clears all Recycle Bin information on the current
drive for all users. Windows will create a brand new folder when it's
next needed.
 