Sign in with
Sign up | Sign in
Your question

adware and infected file problems, files keep propagating ..

Tags:
Last response: in Windows 2000/NT
Share
Anonymous
May 1, 2004 11:06:05 AM

Archived from groups: microsoft.public.win2000.setup (More info?)

Hi all,

got called to a friends house who has win2k SP4 installed and was having
trouble with adware, and virus infections. When I first got there I
used McAfee's Stinger file for a quick check of major/common infections,
None were found. I even tried "fprotdos" run in safe mode, but it found
nothing either. (I wasn't sure it would even run since it's a DOS
program, but it "appeared" to run, but didn't find anything) I then
updated and ran Spybot Search and Destroy, and Adaware 6, Norton 2004,
with latest updates, and finally I installed Trojan Hunter 3.8 with
latest defs.

All those programs found several hundred "at risk" files.

Some of the files resided in the "RECYCLER" folder, and while most could
be manually deleted (in Windows Explorer), a few couldn't, one was
named: S-1-5-21-220523388-152049171-854245398-1001

the other files that Norton lists that refer back to that file are:

Dc11.exe Adware Ezula
Dc12.exe Adware Incredifind
Dc13.exe Adware StatBlaster
Dc14.exe Adware StatBlaster
Dc15.exe Adware StatBlaster

C:\WINNT\SYSTEM32\Gay1ZPSb.exe (I was able to manually delete this one
in Windows Explorer)


Ran another Norton scan of the system32 folder and came up with several
different files showing as "at risk", Norton deleted all but 2 this time,

RtaWJ.exe and SczOOJ3.exe were the ones left and couldn't be deleted.

Is there no DOS in Win2000??????? How do I manually remove these
without starting windows???? She is using NTFS. There is a 31M
partition (?) that is FAT or FAT32, though I only see it when
defragging, I don't know how to 'use' it. ???

When Norton showed me the infected or at risk files, I deleted them,
then the ones it couldn't remove I chose to "skip" instead of "Exclude"
them at the final window..
I assume "excluding" them means they would be ignored on the next scan.
I rescanned immediately and the

3rd time found 5 new 'infected' files, deleted most, but still left the
SczOOJ3.exe file.

4th time: found 9 new files, left Vbcv2.exe behind. ??

5th time: found 9 new files, left 2: MuwqK7ev.exe and Usd13Q.exe

Help!!! these scans were run one right after the other, so these files
are propagating faster than I can remove them. ???

Is there another program that will clean these? or some way to access
them without having them "run" when booting up to windows? I've always
been able to get the HD clean before using the above combination of
programs in win98, but this one is baffling me as I'm not that versed in
win2000.

ANY ideas of what I can do now would be greatly appreciated. I spent 7
hours messing with these last night and just couldn't get past this.

thanks,
niteowl

More about : adware infected file problems files propagating

Anonymous
May 1, 2004 11:56:56 AM

Archived from groups: microsoft.public.win2000.setup (More info?)

Some things to try;

1.) You'll need to first stop the process that loads them. Natively you can;
Start\Settings\Control Panel\Administrative Tools\Computer
Management(Local)\System Information\Software Environment\Startup
Programs|View|Advanced, then in the "Location" column, you'll find the path
to the "Startup" location either in the "Startup" directories or from the
registry's "Run" keys.

%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup

You can delete the shortcuts that you no longer want to run.


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

You can delete the string value for the program you no longer want to run.

or copy msconfig from Windows XP

2.) The recycle bin may contain a corrupt, or otherwise incorrect
information file. If format is FAT, then from a command prompt change to the
recycler directory, then do a dir to see what files you might find and
delete any files found, then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file.

If format is NTFS then change to the recycler directory then change to the
hidden directory named for your SID (this can be found from within Explorer,
(by expanding the recycler folder). Then
attrib -h info*
this should unhide the info* file that stores the information about the
original location of deleted files in the recycle bin. Delete this file

Then the next time you move files to the recycle bin another hidden info
file will be created.

Another option is to delete only the info or info2 file (in the recycler
dir) and then restart the pc, then a new and correct information file will
be created in the recycler directory.

3.) From a command prompt try;

del \\.\Drive:\directory\filename
(Note: the period between \\ and \)

Also

dir /x
and try deleting them using their 8.3 short names.

4.) Try deleting them from the recovery console. First you'll need to
Control Panel|Admin Tools|Local Security Policy Recovery console:"Allow
floppy copy and access to all drives/folders" set to enabled


To start the Recovery Console, start the computer from the Windows 2000
Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
floppy disks and your computer cannot start from the Windows 2000 Setup CD,
use another Windows 2000-based computer to create the Setup floppy disks.
Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
2000 installation, and then press C to use the Recovery Console. The
Recovery Console then prompts you for the administrator password. If you do
not have the correct password, Recovery Console does not allow access to the
computer. If an incorrect password is entered three times, the Recovery
Console quits and restarts the computer. Once the password has been
validated, you have full access to the Recovery Console, but limited access
to the hard disk. You can only access the following folders on your
computer: %systemroot% and %windir%

Then from the recovery console command line;
SET allowallpaths = TRUE

to gain access to all folders and try deleting from here.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"niteowl" wrote:
|
| Hi all,
|
| got called to a friends house who has win2k SP4 installed and was having
| trouble with adware, and virus infections. When I first got there I
| used McAfee's Stinger file for a quick check of major/common infections,
| None were found. I even tried "fprotdos" run in safe mode, but it found
| nothing either. (I wasn't sure it would even run since it's a DOS
| program, but it "appeared" to run, but didn't find anything) I then
| updated and ran Spybot Search and Destroy, and Adaware 6, Norton 2004,
| with latest updates, and finally I installed Trojan Hunter 3.8 with
| latest defs.
|
| All those programs found several hundred "at risk" files.
|
| Some of the files resided in the "RECYCLER" folder, and while most could
| be manually deleted (in Windows Explorer), a few couldn't, one was
| named: S-1-5-21-220523388-152049171-854245398-1001
|
| the other files that Norton lists that refer back to that file are:
|
| Dc11.exe Adware Ezula
| Dc12.exe Adware Incredifind
| Dc13.exe Adware StatBlaster
| Dc14.exe Adware StatBlaster
| Dc15.exe Adware StatBlaster
|
| C:\WINNT\SYSTEM32\Gay1ZPSb.exe (I was able to manually delete this one
| in Windows Explorer)
|
|
| Ran another Norton scan of the system32 folder and came up with several
| different files showing as "at risk", Norton deleted all but 2 this time,
|
| RtaWJ.exe and SczOOJ3.exe were the ones left and couldn't be deleted.
|
| Is there no DOS in Win2000??????? How do I manually remove these
| without starting windows???? She is using NTFS. There is a 31M
| partition (?) that is FAT or FAT32, though I only see it when
| defragging, I don't know how to 'use' it. ???
|
| When Norton showed me the infected or at risk files, I deleted them,
| then the ones it couldn't remove I chose to "skip" instead of "Exclude"
| them at the final window..
| I assume "excluding" them means they would be ignored on the next scan.
| I rescanned immediately and the
|
| 3rd time found 5 new 'infected' files, deleted most, but still left the
| SczOOJ3.exe file.
|
| 4th time: found 9 new files, left Vbcv2.exe behind. ??
|
| 5th time: found 9 new files, left 2: MuwqK7ev.exe and Usd13Q.exe
|
| Help!!! these scans were run one right after the other, so these files
| are propagating faster than I can remove them. ???
|
| Is there another program that will clean these? or some way to access
| them without having them "run" when booting up to windows? I've always
| been able to get the HD clean before using the above combination of
| programs in win98, but this one is baffling me as I'm not that versed in
| win2000.
|
| ANY ideas of what I can do now would be greatly appreciated. I spent 7
| hours messing with these last night and just couldn't get past this.
|
| thanks,
| niteowl
|
Anonymous
May 1, 2004 3:05:20 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Thanks Dave... I'll give it a go.. I'm going back over there shortly..

I have some questions between the paragraphs:::

On 5/1/04 9:56 AM Dave Patrick shared with me these great words of wisdom...

> Some things to try;
>
> 1.) You'll need to first stop the process that loads them. Natively you can;
> Start\Settings\Control Panel\Administrative Tools\Computer
> Management(Local)\System Information\Software Environment\Startup
> Programs|View|Advanced, then in the "Location" column, you'll find the path
> to the "Startup" location either in the "Startup" directories or from the
> registry's "Run" keys.

What is the minimum that has to be left running for win2k to operate? I
know in win98 I only have to leave explorer and systray on.

>
> %ALLUSERSPROFILE%\Start Menu\Programs\Startup
> %USERPROFILE%\Start Menu\Programs\Startup
>
> You can delete the shortcuts that you no longer want to run.
>
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>
> You can delete the string value for the program you no longer want to run.
>
> or copy msconfig from Windows XP

XP?? this a windows 2000 SP4 machine... is that a typo??

>
> 2.) The recycle bin may contain a corrupt, or otherwise incorrect
> information file. If format is FAT, then from a command prompt change to the
> recycler directory, then do a dir to see what files you might find and
> delete any files found, then
> attrib -h info*
> this should unhide the info* file that stores the information about the
> original location of deleted files in the recycle bin. Delete this file.
>
> If format is NTFS then change to the recycler directory then change to the
> hidden directory named for your SID (this can be found from within Explorer,
> (by expanding the recycler folder).

what's an SID? and how do I "expand" the folder???? Why is there a
"RECYCLER" and a "Recycle Bin" folder??

>Then
> attrib -h info*
> this should unhide the info* file that stores the information about the
> original location of deleted files in the recycle bin. Delete this file
>
> Then the next time you move files to the recycle bin another hidden info
> file will be created.
>
> Another option is to delete only the info or info2 file (in the recycler
> dir) and then restart the pc, then a new and correct information file will
> be created in the recycler directory.
>
> 3.) From a command prompt try;
>
> del \\.\Drive:\directory\filename
> (Note: the period between \\ and \)
>
> Also
>
> dir /x
> and try deleting them using their 8.3 short names.
>
> 4.) Try deleting them from the recovery console. First you'll need to
> Control Panel|Admin Tools|Local Security Policy Recovery console:"Allow
> floppy copy and access to all drives/folders" set to enabled
>
>
> To start the Recovery Console, start the computer from the Windows 2000
> Setup CD or the Windows 2000 Setup floppy disks. If you do not have Setup
> floppy disks and your computer cannot start from the Windows 2000 Setup CD,
> use another Windows 2000-based computer to create the Setup floppy disks.
> Press ENTER at the "Setup Notification" screen. Press R to repair a Windows
> 2000 installation, and then press C to use the Recovery Console. The
> Recovery Console then prompts you for the administrator password. If you do
> not have the correct password, Recovery Console does not allow access to the
> computer. If an incorrect password is entered three times, the Recovery
> Console quits and restarts the computer. Once the password has been
> validated, you have full access to the Recovery Console, but limited access
> to the hard disk. You can only access the following folders on your
> computer: %systemroot% and %windir%
>
> Then from the recovery console command line;
> SET allowallpaths = TRUE
>
> to gain access to all folders and try deleting from here.
>


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
Related resources
Anonymous
May 1, 2004 3:05:21 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

"niteowl" wrote:
| Thanks Dave... I'll give it a go.. I'm going back over there shortly..
|
| I have some questions between the paragraphs:::
|
| What is the minimum that has to be left running for win2k to operate? I
| know in win98 I only have to leave explorer and systray on.
* Probably almost all of these 'Startup' and 'Run' key entries are not
necessary for the core operating system. The idea here was to look for those
that are of a suspicious nature and stop them from loading at startup which
in turn would allow you to delete the 'inuse' files.


| what's an SID? and how do I "expand" the folder???? Why is there a
| "RECYCLER" and a "Recycle Bin" folder??
* 1.) An SID would be something along the line of
S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler' highlighted
in the left pane the hidden system folder with a user SID for name should be
displayed. If you don't see it then Explorer|Tools|Folder Options|View, then
radio button for "Show hidden files and folders", then uncheck the box for
"Hide protected operating system files"
2.) The additional folder may be a result of norton system works (or some
variant) taking control of the recycle bin.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
Anonymous
May 1, 2004 3:05:21 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Missed one.

No not a typo XP's msconfig will work fine on Windows 2000

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"niteowl" wrote:
| > or copy msconfig from Windows XP
|
| XP?? this a windows 2000 SP4 machine... is that a typo??
Anonymous
May 1, 2004 3:40:01 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Partial quick answer in case Dave doesn't see this for a while:

niteowl wrote:

> Thanks Dave... I'll give it a go.. I'm going back over there shortly..
>
> I have some questions between the paragraphs:::

>> or copy msconfig from Windows XP
>
>
> XP?? this a windows 2000 SP4 machine... is that a typo??
>

msconfig is not included in W2k, but is distributed with XP and works
with W2k just fine. Get msconfig from a copy of XP, or from the web,
where it's downloadable from several sites. It's a user-friendly tool
for manipulating the startup list.
Anonymous
May 1, 2004 5:06:02 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

okay, great!

thanks Dave and Dan for the info, am heading over there now to try these
out.

I'll do a google on the XP msconfig and hopefully be able to download it
when I get over there...

one step at a time.. huh? ;-)

thanks again,
niteowl (gary)


On 5/1/04 11:52 AM Dave Patrick shared with me these great words of
wisdom...

> Missed one.
>
> No not a typo XP's msconfig will work fine on Windows 2000
>


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
Anonymous
May 1, 2004 7:36:18 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

--
Photographic Images
Tel. 941-475-5148
Heidemarie@heidemariephoto.com
www.heidemariephoto.com
Fax. 941-475-2128
"Dave Patrick" <mail@NoSpam.DSPatrick.com> wrote in message
news:eYZnFG5LEHA.556@TK2MSFTNGP10.phx.gbl...
> "niteowl" wrote:
> | Thanks Dave... I'll give it a go.. I'm going back over there shortly..
> |
> | I have some questions between the paragraphs:::
> |
> | What is the minimum that has to be left running for win2k to operate? I
> | know in win98 I only have to leave explorer and systray on.
> * Probably almost all of these 'Startup' and 'Run' key entries are not
> necessary for the core operating system. The idea here was to look for
those
> that are of a suspicious nature and stop them from loading at startup
which
> in turn would allow you to delete the 'inuse' files.

I undchecked several that looked suspicious, but on reboot they showed up
checked again. ????

> | what's an SID? and how do I "expand" the folder???? Why is there a
> | "RECYCLER" and a "Recycle Bin" folder??
> * 1.) An SID would be something along the line of
> S-1-5-21-234630671-1917268844-666385194-500. With the 'Recycler'
highlighted
> in the left pane the hidden system folder with a user SID for name should
be
> displayed. If you don't see it then Explorer|Tools|Folder Options|View,
then
> radio button for "Show hidden files and folders", then uncheck the box for
> "Hide protected operating system files"
> 2.) The additional folder may be a result of norton system works (or some
> variant) taking control of the recycle bin.


Okay, this was already set this way, I could see that "folder", the icon is
a trash can, but can't delete it, and can't "see" anything about it. I can't
find a way to get a command prompt, and I don't see any "info*" file unless
that SID is the file you are referring to. ??





>
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
>
>
Anonymous
May 1, 2004 7:36:19 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

"heidemarie" wrote:
| I undchecked several that looked suspicious, but on reboot they showed up
| checked again. ????
* What were the file names of the executables?

|
| Okay, this was already set this way, I could see that "folder", the icon
is
| a trash can, but can't delete it, and can't "see" anything about it. I
can't
| find a way to get a command prompt, and I don't see any "info*" file
unless
| that SID is the file you are referring to. ??

* Start|Run|cmd.exe
then as an example
cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
Anonymous
May 1, 2004 10:53:17 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Dave and Dan,

I was finally (after 11 hours) able to get this system clean. (whew!!)

your help was what made it possible, THANK YOU!!

it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
am now running Trojan Hunter.

Here is a list made from the startup list: anything look hinkey to you? I
put a "*" in front of the ones I don't know about.

thanks.
niteowl

System Information report written at: 05/01/2004 06:49:01 PM
[Startup Programs]

Program Command User Name Location
ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
ctfmon.exe ctfmon.exe BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
PopUpStopperFreeEdition "d:\progra~1\panicw~1\pop-up~1\psfree.exe"
BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
*Brct c:\documents and settings\burke1\application data\oeet.exe
BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
LDM \program\backweb-8876480.exe BURKE\Burke1
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
urrentVersion\Run
Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All
Users Common Startup
*EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dimension4 d:\program files\d4\d4.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApp "c:\program files\common files\symantec shared\ccapp.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C84 Series
c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84
series" /o5 "lpt1:" /m "stylus c84" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
THGuard "d:\program files\trojanhunter 3.8\thguard.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Synchronization Manager mobsync.exe /logon All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe "c:\program files\common
files\real\update_ob\realsched.exe" -osboot All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*TCASUTIEXE tcaudiag -off All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mirabilis ICQ d:\program files\icq\icqnet.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CreateCD50 "c:\program files\common files\adaptec
shared\createcd\createcd50.exe" -r All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD "c:\program files\roxio\easy cd creator
5\directcd\directcd.exe" All Users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Anonymous
May 1, 2004 10:53:18 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Nothing there jumps out at me but try quoting the file name of the EXE (with
extension) and search them out here.
http://www.google.com/

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


"heidemarie" wrote:
| Dave and Dan,
|
| I was finally (after 11 hours) able to get this system clean. (whew!!)
|
| your help was what made it possible, THANK YOU!!
|
| it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
| am now running Trojan Hunter.
|
| Here is a list made from the startup list: anything look hinkey to you? I
| put a "*" in front of the ones I don't know about.
|
| thanks.
| niteowl
|
| System Information report written at: 05/01/2004 06:49:01 PM
| [Startup Programs]
|
| Program Command User Name Location
| ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
| ctfmon.exe ctfmon.exe BURKE\Burke1
|
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
| urrentVersion\Run
| PopUpStopperFreeEdition "d:\progra~1\panicw~1\pop-up~1\psfree.exe"
| BURKE\Burke1
|
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
| urrentVersion\Run
| *Brct c:\documents and settings\burke1\application data\oeet.exe
| BURKE\Burke1
|
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
| urrentVersion\Run
| LDM \program\backweb-8876480.exe BURKE\Burke1
|
HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
| urrentVersion\Run
| Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe
All
| Users Common Startup
| *EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Dimension4 d:\program files\d4\d4.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| ccApp "c:\program files\common files\symantec shared\ccapp.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| EPSON Stylus C84 Series
| c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus
c84
| series" /o5 "lpt1:" /m "stylus c84" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| THGuard "d:\program files\trojanhunter 3.8\thguard.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Synchronization Manager mobsync.exe /logon All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| TkBellExe "c:\program files\common
| files\real\update_ob\realsched.exe" -osboot All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| *TCASUTIEXE tcaudiag -off All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All
Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| Mirabilis ICQ d:\program files\icq\icqnet.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| CreateCD50 "c:\program files\common files\adaptec
| shared\createcd\createcd50.exe" -r All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| AdaptecDirectCD "c:\program files\roxio\easy cd creator
| 5\directcd\directcd.exe" All Users
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
|
|
|
Anonymous
May 2, 2004 12:37:19 AM

Archived from groups: microsoft.public.win2000.setup (More info?)

Dave Patrick <mail@nospam.dspatrick.com> wrote:
> | Okay, this was already set this way, I could see that "folder", the icon
> is
> | a trash can, but can't delete it, and can't "see" anything about it. I
> can't
> | find a way to get a command prompt, and I don't see any "info*" file
> unless
> | that SID is the file you are referring to. ??

> * Start|Run|cmd.exe
> then as an example
> cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500

It's far easier and cleaner to delete the entire Recycle Bin and let
Windows start over. After opening the comand prompt, type

RD /s \Recycler

--
Gary L. Smith gls432@yahoo.com
Columbus, Ohio
Anonymous
May 2, 2004 12:39:23 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Instead of ploughing through the Registry looking for stuff run/initiated at
bootup, you might want to get a little freeware program called
StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
you easily see and control all sources of boot-time program invocation.

Do a Google search to find a downlaod location.

On Sat, 1 May 2004 18:53:17 -0400, "heidemarie"
<heidemarie@heidemariephoto.com> wrote:

> Dave and Dan,
>
> I was finally (after 11 hours) able to get this system clean. (whew!!)
>
> your help was what made it possible, THANK YOU!!
>
> it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
> am now running Trojan Hunter.
>
> Here is a list made from the startup list: anything look hinkey to you? I
> put a "*" in front of the ones I don't know about.
>
> thanks.
> niteowl
>
> System Information report written at: 05/01/2004 06:49:01 PM
> [Startup Programs]
>
> Program Command User Name Location
> ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
> ctfmon.exe ctfmon.exe BURKE\Burke1
> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
> urrentVersion\Run
> PopUpStopperFreeEdition "d:\progra~1\panicw~1\pop-up~1\psfree.exe"
> BURKE\Burke1
> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
> urrentVersion\Run
> *Brct c:\documents and settings\burke1\application data\oeet.exe
> BURKE\Burke1
> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
> urrentVersion\Run
> LDM \program\backweb-8876480.exe BURKE\Burke1
> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
> urrentVersion\Run
> Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All
> Users Common Startup
> *EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Dimension4 d:\program files\d4\d4.exe All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> ccApp "c:\program files\common files\symantec shared\ccapp.exe" All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> EPSON Stylus C84 Series
> c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84
> series" /o5 "lpt1:" /m "stylus c84" All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> THGuard "d:\program files\trojanhunter 3.8\thguard.exe" All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Synchronization Manager mobsync.exe /logon All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> TkBellExe "c:\program files\common
> files\real\update_ob\realsched.exe" -osboot All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> *TCASUTIEXE tcaudiag -off All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Mirabilis ICQ d:\program files\icq\icqnet.exe All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> CreateCD50 "c:\program files\common files\adaptec
> shared\createcd\createcd50.exe" -r All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> AdaptecDirectCD "c:\program files\roxio\easy cd creator
> 5\directcd\directcd.exe" All Users
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
>
Anonymous
May 3, 2004 11:35:55 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Jay,

Startup Manager v1.1 (1.1.3.3) (598 Kbyte)
Startup Manager v1.5 (1.5.2.25) (614 Kbyte)

were the two links I could find on google, but it also says the author
and his related pages are now defunct.

I downloaded them but have not tried them yet. Are you familiar with
either of these versions? Do you have any other more current links?

thanks,
niteowl

On 5/2/04 8:39 AM Jay Somerset shared with me these great words of wisdom...

> Instead of ploughing through the Registry looking for stuff run/initiated at
> bootup, you might want to get a little freeware program called
> StartUpManager by Brad Stowers (Creative Gaffers Software). That will let
> you easily see and control all sources of boot-time program invocation.
>
> Do a Google search to find a downlaod location.
>
> On Sat, 1 May 2004 18:53:17 -0400, "heidemarie"
> <heidemarie@heidemariephoto.com> wrote:
>
>> Dave and Dan,
>>
>> I was finally (after 11 hours) able to get this system clean. (whew!!)
>>
>> your help was what made it possible, THANK YOU!!
>>
>> it checks clean now with Norton, Adaware, and Spybot-Search & Destroy, and
>> am now running Trojan Hunter.
>>
>> Here is a list made from the startup list: anything look hinkey to you? I
>> put a "*" in front of the ones I don't know about.
>>
>> thanks.
>> niteowl
>>
>> System Information report written at: 05/01/2004 06:49:01 PM
>> [Startup Programs]
>>
>> Program Command User Name Location
>> ClipMate5 d:\progra~1\clipma~1\clipmt51.exe BURKE\Burke1 Startup
>> ctfmon.exe ctfmon.exe BURKE\Burke1
>> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
>> urrentVersion\Run
>> PopUpStopperFreeEdition "d:\progra~1\panicw~1\pop-up~1\psfree.exe"
>> BURKE\Burke1
>> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
>> urrentVersion\Run
>> *Brct c:\documents and settings\burke1\application data\oeet.exe
>> BURKE\Burke1
>> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
>> urrentVersion\Run
>> LDM \program\backweb-8876480.exe BURKE\Burke1
>> HKU\S-1-5-21-220523388-152049171-854245398-1001\SOFTWARE\Microsoft\Windows\C
>> urrentVersion\Run
>> Adobe Gamma Loader.exe c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe All
>> Users Common Startup
>> *EM_EXEC c:\progra~1\logitech\mousew~1\system\em_exec.exe All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> Dimension4 d:\program files\d4\d4.exe All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> Tb2initPath "d:\program files\timbuktu pro\tb2init.exe" All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> Tweak UI rundll32.exe tweakui.cpl,tweakmeup All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> ccApp "c:\program files\common files\symantec shared\ccapp.exe" All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> EPSON Stylus C84 Series
>> c:\winnt\system32\spool\drivers\w32x86\3\e_s4i2d1.exe /p23 "epson stylus c84
>> series" /o5 "lpt1:" /m "stylus c84" All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> THGuard "d:\program files\trojanhunter 3.8\thguard.exe" All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> Synchronization Manager mobsync.exe /logon All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> TkBellExe "c:\program files\common
>> files\real\update_ob\realsched.exe" -osboot All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> *TCASUTIEXE tcaudiag -off All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> QuickTime Task "c:\program files\quicktime\qttask.exe" -atboottime All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> Mirabilis ICQ d:\program files\icq\icqnet.exe All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> DataCaching c:\progra~1\dataca~1\flashksk.exe All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> CreateCD50 "c:\program files\common files\adaptec
>> shared\createcd\createcd50.exe" -r All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> AdaptecDirectCD "c:\program files\roxio\easy cd creator
>> 5\directcd\directcd.exe" All Users
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>>
>>
>


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
Anonymous
May 3, 2004 11:40:59 PM

Archived from groups: microsoft.public.win2000.setup (More info?)

Gary,

> RD /s \Recycler

what is this command actually doing? I assume RD is "remove directory",
but what's the "/s \Recycler" doing?

thanks,
niteowl

On 5/1/04 11:37 PM Gary Smith shared with me these great words of wisdom...

> Dave Patrick <mail@nospam.dspatrick.com> wrote:
>> | Okay, this was already set this way, I could see that "folder", the icon
>> is
>> | a trash can, but can't delete it, and can't "see" anything about it. I
>> can't
>> | find a way to get a command prompt, and I don't see any "info*" file
>> unless
>> | that SID is the file you are referring to. ??
>
>> * Start|Run|cmd.exe
>> then as an example
>> cd D:\RECYCLER\S-1-5-21-234630671-1917268844-666385194-500
>
> It's far easier and cleaner to delete the entire Recycle Bin and let
> Windows start over. After opening the comand prompt, type
>
> RD /s \Recycler
>


--

"You can't change the surf,
but you can learn to ride the waves!"

% %
(@)(@)
() V ()
((( )))
(((( ))))
((( )))
--#---#--
NITEOWL
Anonymous
May 4, 2004 2:22:03 AM

Archived from groups: microsoft.public.win2000.setup (More info?)

niteowl <niteowl@niteowlproductions.com> wrote:

> > RD /s \Recycler

> what is this command actually doing? I assume RD is "remove directory",
> but what's the "/s \Recycler" doing?

Yes, RD is Remove Directory. The /s option tells it to remove the
specified folder and all of its contents. \Recycler is the actaul name of
the folder that Win2K uses for Recycle Bin operations. It's typically
hidden, so you won't see it in Explorer unless you've set the option to
display hidden files and folders (which I recommend doing).

Deleting that folder clears all Recycle Bin information on the current
drive for all users. Windows will create a brand new folder when it's
next needed.

--
Gary L. Smith gls432@yahoo.com
Columbus, Ohio
!