adware and infected file problems, files keep propagating ..

Archived from groups: microsoft.public.win2000.setup (More info?)

Hi all,

got called to a friend's house who has win2k SP4 installed and was having
trouble with adware, and virus infections. When I first got there I
used McAfee's Stinger file for a quick check of major/common infections,
None were found. I even tried "fprotdos" run in safe mode, but it found
nothing either. (I wasn't sure it would even run since it's a DOS
program, but it "appeared" to run, but didn't find anything) I then
updated and ran Spybot Search and Destroy, and Adaware 6, Norton 2004,
with latest updates, and finally I installed Trojan Hunter 3.8 with
latest defs.

All those programs found several hundred "at risk" files.

Some of the files resided in the "RECYCLER" folder, and while most could
be manually deleted (in Windows Explorer), a few couldn't, one was
named: S-1-5-21-220523388-152049171-854245398-1001

the other files that Norton lists that refer back to that file are:

Dc11.exe Adware Ezula
Dc12.exe Adware Incredifind
Dc13.exe Adware StatBlaster
Dc14.exe Adware StatBlaster
Dc15.exe Adware StatBlaster

C:\WINNT\SYSTEM32\Gay1ZPSb.exe (I was able to manually delete this one
in Windows Explorer)


Ran another Norton scan of the system32 folder and came up with several
different files showing as "at risk", Norton deleted all but 2 this time,

RtaWJ.exe and SczOOJ3.exe were the ones left and couldn't be deleted.

Is there no DOS in Win2000??????? How do I manually remove these
without starting windows???? She is using NTFS. There is a 31M
partition (?) that is FAT or FAT32, though I only see it when
defragging, I don't know how to 'use' it. ???

When Norton showed me the infected or at risk files, I deleted them,
then the ones it couldn't remove I chose to "skip" instead of "Exclude"
them at the final window..
I assume "excluding" them means they would be ignored on the next scan.
I rescanned immediately and the

3rd time found 5 new 'infected' files, deleted most, but still left the
SczOOJ3.exe file.

4th time: found 9 new files, left Vbcv2.exe behind. ??

5th time: found 9 new files, left 2: MuwqK7ev.exe and Usd13Q.exe

Help!!! these scans were run one right after the other, so these files
are propagating faster than I can remove them. ???

Is there another program that will clean these? or some way to access
them without having them "run" when booting up to windows? I've always
been able to get the HD clean before using the above combination of
programs in win98, but this one is baffling me as I'm not that versed in
win2000.

ANY ideas of what I can do now would be greatly appreciated. I spent 7
hours messing with these last night and just couldn't get past this.

thanks,
niteowl
  1. Archived from groups: microsoft.public.win2000.setup (More info?)

    Some things to try;

    1.) You'll need to first stop the process that loads them. Natively you can;
    Start\Settings\Control Panel\Administrative Tools\Computer
    Management(Local)\System Information\Software Environment\Startup
    Programs|View|Advanced, then in the "Location" column, you'll find the path
    to the "Startup" location either in the "Startup" directories or from the
    registry's "Run" keys.

    %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    %USERPROFILE%\Start Menu\Programs\Startup

    You can delete the shortcuts that you no longer want to run.


    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    You can delete the string value for the program you no longer want to run.

    or copy msconfig from Windows XP

    2.) The recycle bin may contain a corrupt, or otherwise incorrect
    information file. If format is FAT, then from a command prompt change to the
    recycler directory, then do a dir to see what files you might find and
    delete any files found, then
    attrib -h info*
    this should unhide the info* file that stores the information about the
    original location of deleted files in the recycle bin. Delete this file.

    If format is NTFS then change to the recycler directory then change to the
    hidden directory named for your SID (this can be found from within Explorer
    by expanding the recycler folder). Then
    attrib -h info*
    this should unhide the info* file that stores the information about the
    original location of deleted files in the recycle bin. Delete this file

    Then the next time you move files to the recycle bin another hidden info
    file will be created.

    Another option is to delete only the info or info2 file (in the recycler
    dir) and then restart the pc, then a new and correct information file will
    be created in the recycler directory.

    3.) From a command prompt try;

    del \\.\Drive:\directory\filename
    (Note: the period between \\ and \)

    Also

    dir /x
    and try deleting them using their 8.3 short names.

    4.) Try deleting them from the recovery console. First you'll need to go to
    Control Panel|Admin Tools|Local Security Policy and set Recovery console:
    "Allow floppy copy and access to all drives/folders" to enabled.


    To start the Recovery Console, start the computer from the Windows 2000
    Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
    floppy disks and your computer cannot start from the Windows 2000 Setup CD,
    use another Windows 2000-based computer to create the Setup floppy disks.
    Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
    2000 installation, and then press C to use the Recovery Console. The
    Recovery Console then prompts you for the administrator password. If you do
    not have the correct password, Recovery Console does not allow access to the
    computer. If an incorrect password is entered three times, the Recovery
    Console quits and restarts the computer. Once the password has been
    validated, you have full access to the Recovery Console, but limited access
    to the hard disk. You can only access the following folders on your
    computer: %systemroot% and %windir%

    Then from the recovery console command line;
    SET allowallpaths = TRUE

    to gain access to all folders and try deleting from here.

    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect
  2. Archived from groups: microsoft.public.win2000.setup (More info?)

    Thanks Dave... I'll give it a go.. I'm going back over there shortly..

    I have some questions between the paragraphs:::

    On 5/1/04 9:56 AM Dave Patrick shared with me these great words of wisdom...

    > Some things to try;
    >
    > 1.) You'll need to first stop the process that loads them. Natively you can;
    > Start\Settings\Control Panel\Administrative Tools\Computer
    > Management(Local)\System Information\Software Environment\Startup
    > Programs|View|Advanced, then in the "Location" column, you'll find the path
    > to the "Startup" location either in the "Startup" directories or from the
    > registry's "Run" keys.

    What is the minimum that has to be left running for win2k to operate? I
    know in win98 I only have to leave explorer and systray on.

    >
    > %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    > %USERPROFILE%\Start Menu\Programs\Startup
    >
    > You can delete the shortcuts that you no longer want to run.
    >
    >
    > HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    > HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    >
    > You can delete the string value for the program you no longer want to run.
    >
    > or copy msconfig from Windows XP

    XP?? this is a windows 2000 SP4 machine... is that a typo??

    >
    > 2.) The recycle bin may contain a corrupt, or otherwise incorrect
    > information file. If format is FAT, then from a command prompt change to the
    > recycler directory, then do a dir to see what files you might find and
    > delete any files found, then
    > attrib -h info*
    > this should unhide the info* file that stores the information about the
    > original location of deleted files in the recycle bin. Delete this file.
    >
    > If format is NTFS then change to the recycler directory then change to the
    > hidden directory named for your SID (this can be found from within Explorer,
    > (by expanding the recycler folder).

    what's an SID? and how do I "expand" the folder???? Why is there a
    "RECYCLER" and a "Recycle Bin" folder??

    >Then
    > attrib -h info*
    > this should unhide the info* file that stores the information about the
    > original location of deleted files in the recycle bin. Delete this file
    >
    > Then the next time you move files to the recycle bin another hidden info
    > file will be created.
    >
    > Another option is to delete only the info or info2 file (in the recycler
    > dir) and then restart the pc, then a new and correct information file will
    > be created in the recycler directory.
    >
    > 3.) From a command prompt try;
    >
    > del \\.\Drive:\directory\filename
    > (Note: the period between \\ and \)
    >
    > Also
    >
    > dir /x
    > and try deleting them using their 8.3 short names.
    >
    > 4.) Try deleting them from the recovery console. First you'll need to
    > Control Panel|Admin Tools|Local Security Policy Recovery console:"Allow
    > floppy copy and access to all drives/folders" set to enabled
    >
    >
    > To start the Recovery Console, start the computer from the Windows 2000
    > Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
    > floppy disks and your computer cannot start from the Windows 2000 Setup CD,
    > use another Windows 2000-based computer to create the Setup floppy disks.
    > Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
    > 2000 installation, and then press C to use the Recovery Console. The
    > Recovery Console then prompts you for the administrator password. If you do
    > not have the correct password, Recovery Console does not allow access to the
    > computer. If an incorrect password is entered three times, the Recovery
    > Console quits and restarts the computer. Once the password has been
    > validated, you have full access to the Recovery Console, but limited access
    > to the hard disk. You can only access the following folders on your
    > computer: %systemroot% and %windir%
    >
    > Then from the recovery console command line;
    > SET allowallpaths = TRUE
    >
    > to gain access to all folders and try deleting from here.
    >


    --

    "You can't change the surf,
    but you can learn to ride the waves!"

    % %
    (@)(@)
    () V ()
    ((( )))
    (((( ))))
    ((( )))
    --#---#--
    NITEOWL
  3. Archived from groups: microsoft.public.win2000.setup (More info?)

    "niteowl" wrote:
    | Thanks Dave... I'll give it a go.. I'm going back over there shortly..
    |
    | I have some questions between the paragraphs:::
    |
    | What is the minimum that has to be left running for win2k to operate? I
    | know in win98 I only have to leave explorer and systray on.
    * Probably almost all of these 'Startup' and 'Run' key entries are not
    necessary for the core operating system. The idea here was to look for those
    that are of a suspicious nature and stop them from loading at startup which
    in turn would allow you to delete the 'inuse' files.


    | what's an SID? and how do I "expand" the folder???? Why is there a
    | "RECYCLER" and a "Recycle Bin" folder??
    * 1.) An SID would be something along the line of
    S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler' highlighted
    in the left pane the hidden system folder with a user SID for name should be
    displayed. If you don't see it then Explorer|Tools|Folder Options|View, then
    radio button for "Show hidden files and folders", then uncheck the box for
    "Hide protected operating system files"
    2.) The additional folder may be a result of norton system works (or some
    variant) taking control of the recycle bin.


    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect
  4. Archived from groups: microsoft.public.win2000.setup (More info?)

    Missed one.

    No, not a typo. XP's msconfig will work fine on Windows 2000.

    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect


    "niteowl" wrote:
    | > or copy msconfig from Windows XP
    |
    | XP?? this is a windows 2000 SP4 machine... is that a typo??
  5. Archived from groups: microsoft.public.win2000.setup (More info?)

    Partial quick answer in case Dave doesn't see this for a while:

    niteowl wrote:

    > Thanks Dave... I'll give it a go.. I'm going back over there shortly..
    >
    > I have some questions between the paragraphs:::

    >> or copy msconfig from Windows XP
    >
    >
    > XP?? this is a windows 2000 SP4 machine... is that a typo??
    >

    msconfig is not included in W2k, but is distributed with XP and works
    with W2k just fine. Get msconfig from a copy of XP, or from the web,
    where it's downloadable from several sites. It's a user-friendly tool
    for manipulating the startup list.
  6. Archived from groups: microsoft.public.win2000.setup (More info?)

    okay, great!

    thanks Dave and Dan for the info, am heading over there now to try these
    out.

    I'll do a google on the XP msconfig and hopefully be able to download it
    when I get over there...

    one step at a time.. huh? ;-)

    thanks again,
    niteowl (gary)


    On 5/1/04 11:52 AM Dave Patrick shared with me these great words of
    wisdom...

    > Missed one.
    >
    > No, not a typo. XP's msconfig will work fine on Windows 2000.
    >


    --

    "You can't change the surf,
    but you can learn to ride the waves!"

    % %
    (@)(@)
    () V ()
    ((( )))
    (((( ))))
    ((( )))
    --#---#--
    NITEOWL
  7. Archived from groups: microsoft.public.win2000.setup (More info?)

    --
    Photographic Images
    Tel. 941-475-5148
    Heidemarie@heidemariephoto.com
    www.heidemariephoto.com
    Fax. 941-475-2128
    "Dave Patrick" <mail@NoSpam.DSPatrick.com> wrote in message
    news:eYZnFG5LEHA.556@TK2MSFTNGP10.phx.gbl...
    > "niteowl" wrote:
    > | Thanks Dave... I'll give it a go.. I'm going back over there shortly..
    > |
    > | I have some questions between the paragraphs:::
    > |
    > | What is the minimum that has to be left running for win2k to operate? I
    > | know in win98 I only have to leave explorer and systray on.
    > * Probably almost all of these 'Startup' and 'Run' key entries are not
    > necessary for the core operating system. The idea here was to look for those
    > that are of a suspicious nature and stop them from loading at startup which
    > in turn would allow you to delete the 'inuse' files.

    I unchecked several that looked suspicious, but on reboot they showed up
    checked again. ????

    > | what's an SID? and how do I "expand" the folder???? Why is there a
    > | "RECYCLER" and a "Recycle Bin" folder??
    > * 1.) An SID would be something along the line of
    > S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler' highlighted
    > in the left pane the hidden system folder with a user SID for name should be
    > displayed. If you don't see it then Explorer|Tools|Folder Options|View, then
    > radio button for "Show hidden files and folders", then uncheck the box for
    > "Hide protected operating system files"
    > 2.) The additional folder may be a result of norton system works (or some
    > variant) taking control of the recycle bin.


    Okay, this was already set this way, I could see that "folder", the icon is
    a trash can, but can't delete it, and can't "see" anything about it. I can't
    find a way to get a command prompt, and I don't see any "info*" file unless
    that SID is the file you are referring to. ??


    >
    >
    > --
    > Regards,
    >
    > Dave Patrick ....Please no email replies - reply in newsgroup.
    > Microsoft Certified Professional
    > Microsoft MVP [Windows]
    > http://www.microsoft.com/protect
    >
    >
    >
  8. Archived from groups: microsoft.public.win2000.setup (More info?)

    "heidemarie" wrote:
    | I unchecked several that looked suspicious, but on reboot they showed up
    | checked again. ????
    * What were the file names of the executables?

    |
    | Okay, this was already set this way, I could see that "folder", the icon is
    | a trash can, but can't delete it, and can't "see" anything about it. I can't
    | find a way to get a command prompt, and I don't see any "info*" file unless
    | that SID is the file you are referring to. ??

    * Start|Run|cmd.exe
    then as an example
    cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500


    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect
  9. Archived from groups: microsoft.public.win2000.setup (More info?)

    Dave and Dan,

    I was finally (after 11 hours) able to get this system clean. (whew!!)

    your help was what made it possible, THANK YOU!!

    it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
    am now running Trojan Hunter.

    Here is a list made from the startup list: anything look hinkey to you? I
    put a "*" in front of the ones I don't know about.

    thanks.
    niteowl

    System Information report written at: 05/01/2004 06:49:01 PM
    [Startup Programs]

    Program | Command | User Name | Location
    ClipMate5 | d:\progra~1\clipma~1\clipmt51.exe | BURKE\Burke1 | Startup
    ctfmon.exe | ctfmon.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PopUpStopperFreeEdition | "d:\progra~1\panicw~1\pop-up~1\psfree.exe" | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    *Brct | c:\documents and settings\burke1\application data\oeet.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    LDM | \program\backweb-8876480.exe | BURKE\Burke1 | HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Gamma Loader.exe | c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe | All Users | Common Startup
    *EM_EXEC | c:\progra~1\logitech\mousew~1\system\em_exec.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Dimension4 | d:\program files\d4\d4.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Tb2initPath | "d:\program files\timbuktu pro\tb2init.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Tweak UI | rundll32.exe tweakui.cpl,tweakmeup | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp | "c:\program files\common files\symantec shared\ccapp.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    EPSON Stylus C84 Series | c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84 series" /o5 "lpt1:" /m "stylus c84" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    THGuard | "d:\program files\trojanhunter 3.8\thguard.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager | mobsync.exe /logon | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    TkBellExe | "c:\program files\common files\real\update_ob\realsched.exe" -osboot | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    *TCASUTIEXE | tcaudiag -off | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    QuickTime Task | "c:\program files\quicktime\qttask.exe" -atboottime | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Mirabilis ICQ | d:\program files\icq\icqnet.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DataCaching | c:\progra~1\dataca~1\flashksk.exe | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    CreateCD50 | "c:\program files\common files\adaptec shared\createcd\createcd50.exe" -r | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AdaptecDirectCD | "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe" | All Users | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
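
A triage pass over a "Startup Programs" report like the one posted above, added here as an example and not written by anyone in the thread. It assumes the report was saved with tab-separated columns; the function names and the review notes are this example's own, and a note marks an entry to look up, not a verdict that it is malicious.

```python
import ntpath
import re

# Constructed sample: seven rows taken from the report in the post, with the
# wrapped lines re-joined and the four columns separated by tabs (assumed layout).
SID = "S-1-5-21-220523388-152049171-854245398-1001"
HKU_RUN = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
ROWS = [
    ("ClipMate5", r"d:\progra~1\clipma~1\clipmt51.exe", r"BURKE\Burke1", "Startup"),
    ("ctfmon.exe", "ctfmon.exe", r"BURKE\Burke1", HKU_RUN),
    ("*Brct", r"c:\documents and settings\burke1\application data\oeet.exe",
     r"BURKE\Burke1", HKU_RUN),
    ("LDM", r"\program\backweb-8876480.exe", r"BURKE\Burke1", HKU_RUN),
    ("ccApp", r'"c:\program files\common files\symantec shared\ccapp.exe"',
     "All Users", HKLM_RUN),
    ("EPSON Stylus C84 Series",
     r'c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 '
     r'"epson stylus c84 series" /o5 "lpt1:" /m "stylus c84"',
     "All Users", HKLM_RUN),
    ("*TCASUTIEXE", "tcaudiag -off", "All Users", HKLM_RUN),
]
SAMPLE_REPORT = ("[Startup Programs]\n\nProgram\tCommand\tUser Name\tLocation\n"
                 + "\n".join("\t".join(row) for row in ROWS))

# Review notes (this example's own heuristics).
NO_DIR = "no directory given; which file runs depends on the search path"
NO_DRIVE = "path has no drive letter"
PROFILE = "runs from a user profile directory"
PER_USER = "per-user Run value"

# Unquoted commands may contain spaces in the path, so cut at the first
# executable extension instead of at the first space.
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


def parse_startup_report(text):
    """Return the rows of the [Startup Programs] section as dicts."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.strip() == "[Startup Programs]":
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        if line.startswith("["):          # next report section begins
            break
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 4 or fields[0] == "Program":
            continue                      # header row or malformed line
        entries.append(dict(zip(("program", "command", "user", "location"), fields)))
    return entries


def extract_executable(command):
    """Separate the program path from its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = EXE_RE.match(command)
    if match:
        return match.group(1)
    return command.split()[0] if command else ""


def review_notes(entry):
    """List the reasons an entry deserves a closer look (possibly none)."""
    exe = extract_executable(entry["command"])
    drive, _ = ntpath.splitdrive(exe)
    notes = []
    if not ntpath.dirname(exe):
        notes.append(NO_DIR)
    elif not drive:
        notes.append(NO_DRIVE)
    if "\\documents and settings\\" in exe.lower():
        notes.append(PROFILE)
    if entry["location"].upper().startswith(("HKU\\", "HKCU\\")):
        notes.append(PER_USER)
    return notes


def triage(text):
    """Map program name -> review notes, for entries that have any."""
    flagged = {}
    for entry in parse_startup_report(text):
        notes = review_notes(entry)
        if notes:
            flagged[entry["program"]] = notes
    return flagged


if __name__ == "__main__":
    for program, notes in triage(SAMPLE_REPORT).items():
        print(program + ": " + "; ".join(notes))
```
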
  10. Archived from groups: microsoft.public.win2000.setup (More info?)

    Nothing there jumps out at me but try quoting the file name of the EXE (with
    extension) and search them out here.
    http://www.google.com/

    --
    Regards,

    Dave Patrick ....Please no email replies - reply in newsgroup.
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    http://www.microsoft.com/protect
  11. Archived from groups: microsoft.public.win2000.setup (More info?)

    Dave Patrick <mail@nospam.dspatrick.com> wrote:
    > | Okay, this was already set this way, I could see that "folder", the icon is
    > | a trash can, but can't delete it, and can't "see" anything about it. I can't
    > | find a way to get a command prompt, and I don't see any "info*" file unless
    > | that SID is the file you are referring to. ??

    > * Start|Run|cmd.exe
    > then as an example
    > cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500

    It's far easier and cleaner to delete the entire Recycle Bin and let
    Windows start over. After opening the command prompt, type

    RD /s \Recycler

    --
    Gary L. Smith gls432@yahoo.com
    Columbus, Ohio
  12. Archived from groups: microsoft.public.win2000.setup (More info?)

    Instead of ploughing through the Registry looking for stuff run/initiated at
    bootup, you might want to get a little freeware program called
    StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
    you easily see and control all sources of boot-time program invocation.

    Do a Google search to find a download location.

    On Sat, 1 May 2004 18:53:17 -0400, "heidemarie"
    <heidemarie@heidemariephoto.com> wrote:

    > Dave and Dan,
    >
    > I was finally (after 11 hours) able to get this system clean. (whew!!)
    >
    > your help was what made it possible, THANK YOU!!
    >
    > it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
    > am now running Trojan Hunter.
    >
    > Here is a list made from the startup list: anything look hinkey to you? I
    > put a "*" in front of the ones I don't know about.
    >
    > thanks.
    > niteowl
  13. Archived from groups: microsoft.public.win2000.setup

    Jay,

    Startup Manager v1.1 (1.1.3.3) (598 Kbyte)
    Startup Manager v1.5 (1.5.2.25) (614 Kbyte)

    were the two links I could find on google, but it also says the author
    and his related pages are now defunct.

    I downloaded them but have not tried them yet. Are you familiar with
    either of these versions? Do you have any other more current links?

    thanks,
    niteowl

    On 5/2/04 8:39 AM Jay Somerset shared with me these great words of wisdom...

    > Instead of ploughing through the Registry looking for stuff run/initiated at
    > bootup, you might want to get a little freeware program called
    > StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
    > you easily see and control all sources of boot-time program invocation.
    >
    > Do a Google search to find a download location.
    >
    > On Sat, 1 May 2004 18:53:17 -0400, "heidemarie"
    > <heidemarie@heidemariephoto.com> wrote:
    >
    >> Dave and Dan,
    >>
    >> I was finally (after 11 hours) able to get this system clean. (whew!!)
    >>
    >> your help was what made it possible, THANK YOU!!
    >>
    >> it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
    >> am now running Trojan Hunter.
    >>
    >> Here is a list made from the startup list: anything look hinkey to you? I
    >> put a "*" in front of the ones I don't know about.
    >>
    >> thanks.
    >> niteowl
    >>
    >> System Information report written at: 05/01/2004 06:49:01 PM
    >> [Startup Programs]
    >>
    >> Program  Command  User Name  Location
    >> ClipMate5  d:\progra~1\clipma~1\clipmt51.exe  BURKE\Burke1  Startup
    >> ctfmon.exe  ctfmon.exe  BURKE\Burke1  HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> PopUpStopperFreeEdition  "d:\progra~1\panicw~1\pop-up~1\psfree.exe"  BURKE\Burke1  HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> *Brct  c:\documents and settings\burke1\application data\oeet.exe  BURKE\Burke1  HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> LDM  \program\backweb-8876480.exe  BURKE\Burke1  HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Adobe Gamma Loader.exe  c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe  All Users  Common Startup
    >> *EM_EXEC  c:\progra~1\logitech\mousew~1\system\em_exec.exe  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Dimension4  d:\program files\d4\d4.exe  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Tb2initPath  "d:\program files\timbuktu pro\tb2init.exe"  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Tweak UI  rundll32.exe tweakui.cpl,tweakmeup  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> ccApp  "c:\program files\common files\symantec shared\ccapp.exe"  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> EPSON Stylus C84 Series  c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84 series" /o5 "lpt1:" /m "stylus c84"  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> THGuard  "d:\program files\trojanhunter 3.8\thguard.exe"  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Synchronization Manager  mobsync.exe /logon  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> TkBellExe  "c:\program files\common files\real\update_ob\realsched.exe" -osboot  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> *TCASUTIEXE  tcaudiag -off  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> QuickTime Task  "c:\program files\quicktime\qttask.exe" -atboottime  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> Mirabilis ICQ  d:\program files\icq\icqnet.exe  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> DataCaching  c:\progra~1\dataca~1\flashksk.exe  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> CreateCD50  "c:\program files\common files\adaptec shared\createcd\createcd50.exe" -r  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >> AdaptecDirectCD  "c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"  All Users  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >>
    >>
    >


    --

    "You can't change the surf,
    but you can learn to ride the waves!"

    % %
    (@)(@)
    () V ()
    ((( )))
    (((( ))))
    ((( )))
    --#---#--
    NITEOWL
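
A triage pass over the startup list quoted in this thread, as an added example that is not part of any poster's message: it parses a tab-separated copy of the report and flags entries by where the executable lives. The tab layout, the six constructed sample rows, and all function names are assumptions; a flag means "look closer", not that the file is malicious.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "program command user location")
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKU_RUN = "HKU\\S-1-5-21-220523388-152049171-854245398-1001" + RUN
U = r"BURKE\Burke1"
# Constructed input: six rows taken from the list quoted in the thread (the
# poster's "*" marks dropped), tab-separated as assumed for the text export.
ROWS = [
    ("Program", "Command", "User Name", "Location"),
    ("ClipMate5", r"d:\progra~1\clipma~1\clipmt51.exe", U, "Startup"),
    ("ctfmon.exe", "ctfmon.exe", U, HKU_RUN),
    ("Brct", r"c:\documents and settings\burke1\application data\oeet.exe", U, HKU_RUN),
    ("LDM", r"\program\backweb-8876480.exe", U, HKU_RUN),
    ("ccApp", r'"c:\program files\common files\symantec shared\ccapp.exe"', "All Users", "HKLM" + RUN),
    ("TkBellExe", r'"c:\program files\common files\real\update_ob\realsched.exe" -osboot',
     "All Users", "HKLM" + RUN),
]
REPORT = "\n".join("\t".join(r) for r in ROWS)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

def parse_report(text):
    """Split the tab-separated report into Entry rows, skipping the header."""
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    return [Entry(*(f.strip() for f in r)) for r in rows[1:] if len(r) == 4]

def exe_path(command):
    """Return the program part of a Run command, without quotes or arguments."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)|(\S+)', command, re.I)
    return next(g for g in m.groups() if g).lower() if m else ""

def triage(entry):
    """Return reasons an entry deserves a manual look (heuristics, not verdicts)."""
    path, reasons = exe_path(entry.command), []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("runs from a user-writable profile folder")
    if "\\" not in path:
        reasons.append("bare name: resolved through the search path")
    elif not re.match(r"[a-z]:\\|\\\\", path):
        reasons.append("no drive letter: path depends on the current drive")
    return reasons

def review(text):
    """Map program name -> reasons, for entries with at least one reason."""
    return {e.program: r for e in parse_report(text) if (r := triage(e))}
```
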
  14. Archived from groups: microsoft.public.win2000.setup

    Gary,

    > RD /s \Recycler

    what is this command actually doing? I assume RD is "remove directory",
    but what's the "/s \Recycler" doing?

    thanks,
    niteowl

    On 5/1/04 11:37 PM Gary Smith shared with me these great words of wisdom...

    > Dave Patrick <mail@nospam.dspatrick.com> wrote:
    >> | Okay, this was already set this way, I could see that "folder", the icon is
    >> | a trash can, but can't delete it, and can't "see" anything about it. I can't
    >> | find a way to get a command prompt, and I don't see any "info*" file unless
    >> | that SID is the file you are referring to. ??
    >
    >> * Start|Run|cmd.exe
    >> then as an example
    >> cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500
    >
    > It's far easier and cleaner to delete the entire Recycle Bin and let
    > Windows start over. After opening the command prompt, type
    >
    > RD /s \Recycler
    >


  15. Archived from groups: microsoft.public.win2000.setup

    niteowl <niteowl@niteowlproductions.com> wrote:

    > > RD /s \Recycler

    > what is this command actually doing? I assume RD is "remove directory",
    > but what's the "/s \Recycler" doing?

    Yes, RD is Remove Directory. The /s option tells it to remove the
    specified folder and all of its contents. \Recycler is the actual name of
    the folder that Win2K uses for Recycle Bin operations. It's typically
    hidden, so you won't see it in Explorer unless you've set the option to
    display hidden files and folders (which I recommend doing).

    Deleting that folder clears all Recycle Bin information on the current
    drive for all users. Windows will create a brand new folder when it's
    next needed.

    --
    Gary L. Smith gls432@yahoo.com
    Columbus, Ohio